In our 2018 End-of-the-Year Data Breach Report, the Identity Theft Resource Center reported 907 data breaches that impacted the business sector, more than the number reported for the banking, education, government and medical sectors combined. Of the five industry categories the ITRC tracks for data breaches (banking/credit/financial; business; education; government/military; and medical/healthcare), business-related data breaches are the most common.


That is just one reason why the ITRC has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999. Our mission is to help people proactively reduce their risk of becoming a victim of identity theft and to empower them if they become a victim. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. We’re continuing our 10,000 breaches blog series with a look at the top five business data breaches that impacted U.S. consumers and the personal information that was compromised.

Starwood Hotels & Resorts Worldwide, LLC. (Marriott International)

In November 2018, Marriott announced that its Starwood guest reservation database had been accessed by an unauthorized user. Nearly 383 million records were accessed in this business data breach, which included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, birth dates and encrypted payment card numbers. Hotels are typically hot targets for data thieves due to the sheer volume of people’s data available.

Heartland Payment Systems

Payment processor Heartland Payment Systems announced in January 2009 that its processing systems had been breached one year prior, affecting thousands of businesses and banking institutions. Around 130 million consumers’ credit and debit card information had been stolen, including cardholder names, card numbers and card expiration dates, putting all of those consumers at risk for fraud. An investigation into the business data breach began once Heartland received notifications from Visa and MasterCard about suspicious activity surrounding the payment system’s processed card transactions.


Equifax

Once again, Equifax makes the list. As many people know, in 2017 Equifax experienced a hack that exposed 148 million U.S. consumers’ personal information, including names, dates of birth, Social Security numbers, addresses, phone numbers, driver’s license numbers, email addresses, payment card information and Tax ID numbers. In July 2019, Equifax reached a $700 million settlement over its business data breach and agreed to spend up to $425 million to help the victims of the breach. If you were affected, you can file a claim for cash or free credit monitoring services. You can also file a claim for a minor who has been impacted. If you have questions about the settlement and what it means, read more here.


Experian

In September 2015, Experian North America disclosed a breach of its computer systems that affected 15 million applicants for device financing from wireless provider T-Mobile. Names, birthdays, addresses, Social Security numbers and alternate forms of identification (such as driver’s license numbers, passport numbers or military ID numbers) were some of the information exposed. While the business data breach impacted Experian’s services, it did not affect its consumer credit database. According to T-Mobile, Experian took full responsibility for the theft of data from its server and offered free credit monitoring services to all the consumers who were potentially at risk.

MyFitnessPal (Under Armour)

In March of 2018, it was discovered that an unauthorized party had acquired data associated with Under Armour’s MyFitnessPal user accounts. Approximately 150 million user accounts were compromised in the business data breach, exposing usernames, email addresses and hashed passwords. MyFitnessPal released a notice of data breach stating that it had quickly taken steps to determine the nature and scope of the issue and was working with data security firms and law enforcement authorities in an investigation. In the same statement, MyFitnessPal recommended that users change their passwords for all their MyFitnessPal accounts, review their accounts for suspicious activity, be cautious of any unsolicited communications that ask for personal data, and avoid clicking on links or downloading attachments from suspicious emails. (These are practices the ITRC encourages consumers to follow with all of their accounts to reduce their risk of identity theft.)

Coming Up In 10,000 Breaches…

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted, both consumers and businesses, understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live advisor about what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

 As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top medical and healthcare breaches since 2005. For a look at all of the 10,000 breaches blogs, visit


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.
