Not All Data Breaches Are Equal: The 3 Worst Offenders

Not all data breaches are created equal. While any security incident can damage your organisation’s reputation and bottom line, three critical factors determine whether a breach becomes a minor setback or a company-ending catastrophe. Understanding these severity indicators isn’t just about damage control—it’s about survival in an increasingly connected world where customer trust and regulatory compliance can make or break your business.

Let’s examine the three most devastating types of data breaches and why some breaches fade from memory, while others leave lasting scars on trust and security.

1. Scale

When it comes to data breaches, size matters. The most attention-grabbing incidents are those that impact staggering numbers of people, where millions or even billions of records are exposed in one strike.

Take Yahoo, for example. The search and email giant suffered two breaches in 2013 and 2014, compromising up to 3.5 billion accounts. The stolen records included names, email addresses, phone numbers, and dates of birth. While passwords were mostly absent, Yahoo’s delayed disclosure until 2016 and subsequent public fallout with data posted on a hacker forum, led to lawsuits and $153 million in settlements and fines.

Other massive breaches tell a similar story. MySpace, a mostly defunct social media website’s 2008 breach exposed around 360 million accounts, most likely the largest password-containing breach of all time, many with weakly protected passwords that fuelled password reuse attacks across other services. Wattpad, a creative writing and book reading website, breached in 2020, arguably the second largest breach of all time with 269 million leaked user records, including names, dates of birth, and partially protected passwords.

Combined, MySpace and Wattpad alone account for more than half a billion compromised accounts. Add in other giants like NetEase (235M), Zynga (173M), LinkedIn (165M), and Dubsmash (162M), and the top 10 breaches together approach 2 billion records. These numbers highlight why scale is such a critical severity indicator—because the bigger the breach, the bigger the damage whether it be reputational, financial (from fines), business continuity or cybersecurity.

2. Personally Identifiable Information (PII)

While large-scale breaches dominate headlines, some of the most dangerous incidents involve far fewer records. Breaches that expose highly sensitive personally identifiable information (PII) can put lives at risk, making them among the most severe of all.

One example came after the Taliban’s takeover of Afghanistan in 2021. In February 2022, a UK official accidentally leaked a spreadsheet with a hidden tab containing the personal details of 19,000 Afghans who had applied in secrecy to relocate to the UK. The file potentially exposed up to 100,000 individuals including family members, revealing information that, if exploited, could have endangered lives. Later revelations suggested the breach also included details about UK Special Forces and intelligence personnel, underscoring just how devastating a single mishandled document can be.

A similar incident occurred in August 2023, when the Police Service of Northern Ireland (PSNI) mistakenly published a file deanonymising all 10,000 employees. Names, ranks, initials, locations, and departments, including those tied to MI5 were exposed, and the data was quickly circulated among dissident republican groups. The fallout was immediate: over 1,200 officers feared for their safety, and the government faced costs ranging from millions to hundreds of millions of pounds in compensation, fines, and protective measures.

These breaches demonstrate that when PII is involved, the stakes extend far beyond financial fraud. The wrong exposure can threaten safety, compromise national security, and permanently alter lives.

3. Controversy

Another key severity indicator is the controversy tied to the breached service itself. In some cases, simply being identified as a user of a particular platform can be socially or professionally devastating, even if no financial data is exposed.

The most infamous example is the 2015 breach of Ashley Madison, an infidelity-focussed dating site. Around 36 million users were exposed, with records including names, email addresses, hashed passwords, sexual preferences, and physical addresses. Because the data was searchable, it revealed the identities of politicians, media figures, and even military personnel. To make matters worse, Ashley Madison never fully deleted “deleted” accounts, so individuals who thought they had erased their digital footprints still saw their information exposed. For many, the mere presence of an email address in that database was enough to cause lasting personal damage.

A year later, another controversial dating platform, Adult FriendFinder, suffered two major breaches in 2015 and 2016. Together, these incidents exposed 170 million accounts, including usernames, emails, and passwords. As with Ashley Madison, accounts thought to be deleted were only disabled, meaning around 15 million people had their information compromised against their will. For users, the stigma attached to these platforms amplified the fallout, showing how reputational harm can sometimes rival financial or technical risks in terms of severity.

Conclusion

Not every data breach is measured the same way. Some stand out because of their scale, exposing billions of records at once. Others are severe because of the personally identifiable information involved, where even a small leak can threaten lives and national security. Then there are breaches steeped in controversy, where the damage comes not from what is stolen, but from the reputational and personal fallout of simply being linked to a service.

Taken together, these examples show that the impact of a breach goes far beyond numbers. Scale, sensitivity, and context all play critical roles in determining severity and why some incidents remain cautionary tales years after they occur.

For organisations, the message is clear: prevention isn’t optional—it’s essential. The cost of a breach goes far beyond fines; it erodes trust, damages reputation, and can take years to repair. A modern credential management system or a password security system closes the door on weak, reused, and insecure passwords, while multi-factor authentication (MFA) ensures that even stolen credentials can’t be easily exploited. Together, they form a powerful defence that stops attackers in their tracks. By investing in these safeguards now, businesses don’t just reduce risk, they demonstrate leadership, resilience, and a commitment to protecting both their people and their customers.