and two that changed how we should perceive our data…

Since 1999, the Identity Theft Resource Center has been hard at work empowering identity theft victims with the resources and tools to resolve their cases, as well as helping people proactively reduce their risk of becoming a victim of identity theft. One of the most common ways consumers have their information misappropriated is through data breaches. Since 2005, we have recorded over 10,000 publicly notified breaches. Let’s look at the top three major data breaches with the biggest impact to consumers based on our new risk assessment tool, Breach Clarity, developed in partnership with Futurion and its creator Jim Van Dyke.

Based on ITRC’s database of data breach notifications and Breach Clarity’s proprietary processing, Van Dyke says consumers can be better educated on the significance of which breaches rank as the all-time riskiest to the individual consumer in terms of both size and scope.   The new tool includes the potential impact on the affected individual identity-holder, what types of identity theft could occur based on the records exposed and what steps that person needs to take to minimize his/her risk. Here is a look at the top five major data breaches that impacted individuals in the United States:

The U.S. Office of Personal Management

In June 2015, The U.S. Office of Personal Management (OPM) was the target of two separate hacking events exposing background investigation records of 21.5 million Federal government employees and contractors. Some of the information impacted was Social Security numbers (SSN), fingerprint data and security clearance information. Additionally, it also exposed PII of dependents including SSNs, date of birth and other information.

OPM was one of most significant major data breaches in memory, with it ranking a ten in severity on Breach Clarity. Van Dyke says it created a risk through the exposure of security clearance and biometric data for those working in service of our country.


Credit reporting agency, Equifax, experienced a hack in 2017 that exposed 146.6 million U.S. consumer’s personal information. “Equifax has been regarded by many to be the worst of all data breaches because this hack generally exposed Social Security numbers for a massive amount of individuals,” Van Dyke said. The information exposed included names, birthdays, SSNs, addresses, phone numbers, Driver’s License numbers, email addresses, payment card information and Tax ID numbers.

While this major data breach ranked ten in severity and exposed so much information, it is not among the worst in terms of per-victim impact. As we learn more about the settlement process <link> for this breach, each individual consumer will need to assess the impact based on their circumstances.

Anthem, Inc.

In 2015 Anthem, Inc. had a major data breach, exposing nearly 79 million sensitive records. Van Dyke says it created a dangerous risk, receiving an overall risk level of eight. Breach Clarity shows that it created a unique pattern of risk that included new financial account creation and tax refund fraud.

There were two other breaches that really changed how consumers viewed their data and how companies should secure it. No two breaches have the same impact, but Facebook and Yahoo brought the spotlight on how companies could manage their users’ data security better. It also reminded users that they are ultimately responsible for the information that is being housed in any particular platform. When all else fails, don’t share it if you don’t want it to be potentially exposed publicly.


In 2018, hackers were able to tap into the ever-popular social media landscape stealing account access tokens from Facebook and then using them to access user names, contact details and profile information like usernames, birthdays and device types used to access to access additional information.

“The Facebook breach represents a particularly unique type of breach,” Van Dyke said. “It represents behavioral data that victims may not be prepared to respond to. It is unlikely that even a social media behemoth like Facebook will earn a top risk score in Breach Clarity, yet again we need to continue understanding how personal relationships and behavioral data increase risk of a variety of crimes.”

The security hack affected 50 million accounts and led to tokens being stolen from 30 million of them, resulting in the major data breach getting a risk score of five on Breach Clarity.


After experiencing a major data breach affecting 500 million users in September 2016, Yahoo announced a second breach just months later in December that affected more than one billion user accounts. “Yahoo was one of the biggest data breaches ever,” Van Dyke said. “Both in sheer number of victims and the duration of exposure during which criminals had access to private data.”

An unauthorized third party stole information like names, email addresses, phone numbers, birthdays, passwords and security questions and answers from users. Van Dyke says users who emailed private documents like tax returns may be at particular risk because criminals may have also had access to personal email records. He says Breach Clarity cannot predict all of the possible identity theft and fraud risks because of the varying nature of private data exposed while the criminals had access. This particular major data breach received a risk score of four.

Also, you can use Breach Clarity to see the actionable steps you can take after a data breach. If you think you might have identity theft, speak to one of our advisors for free assistance at 888.400.5530.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both as consumers and business – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top retail breaches since 2005. To stay up to date on the latest news in identity theft and data breaches, sign-up for our newsletters.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

You might also like…

10,000 Breaches Later: The Benchmark Breaches That Created Systemic Change

Should You Consider Credit Monitoring Services as Part of a Breach? 

New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches