By 2021, over 2.14 billion people worldwide are expected to buy goods and services online, up from 1.66 billion global digital buyers in 2016. That means retail data breaches will also be on the rise as point-of-sale (POS) systems, e-commerce sites and other store servers are major targets for hackers looking for large volumes of personally identifiable information (PII) and behavioral data.

Sign up for the ITRC Monthly Breach Newsletter

That is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999., including helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year report published.

Read next: 2018 End-of-Year Data Breach Report

ITRC currently tracks five industry categories: banking/credit/financial; business; education; government/military and medical/healthcare. ITRC is a leader in reporting new data breach trends. We’re continuing our 10,000 breaches blog series with a look at the five most impactful retail data breaches for consumers.


Retail giant Target makes the list for their 2013 data breach that exposed the payment card information of 40 million people and the personal information of 70 million. Hackers were able to infect Target’s POS systems with malware, disrupting holiday shopping for millions of consumers. Between Black Friday and Christmas shopping, anyone who shopped at Target from November 27 to December 15, 2013 was at risk for fraud. In a public statement to customers, Target said they moved swiftly to address the issue and that they regret any inconvenience it might have caused.

TJX Companies

In January 2007, TJX Companies Inc., operator of stores like T.J. Maxx, Marshalls and HomeGoods, experienced a retail data breach that affected 94 million customers. Payment card information and customer return records, which included driver’s license numbers, military I.D. numbers or Social Security numbers, were stolen by hackers who were able to gain access to TJX’s computer systems that process and store transaction information. TJX reached settlements with a majority of entities in 2007 and 2008.

Home Depot

Target is not the only retailer that experienced a breach of their POS systems. In 2014, Home Depot announced that they had experienced a retail data breach affecting their payment card processing systems. The hackers were able to steal the payment card information of 40 million customers and emails of 54 million. Since the incident, there have been 57 lawsuits filed against the large retailer. While the company did not admit any wrongdoing, they say they settled so they could move forward and put the incident behind them without incurring further costs.

Hudson Bay

Hudson Bay, parent company of Saks Fifth Avenue and Lord & Taylor, experienced a retail data breach that affected the payment card information of five million customers in 2018. Most of the stores affected were located in New York and New Jersey. It is reported that the retail data breach only affected in-store purchases and did not affect its e-commerce sites. In a statement, Hudson Bay said they deeply regretted any inconvenience or concern the breach may have caused. They also said there was no indication that Social Security or driver’s license numbers were stolen.

Hannaford Brothers

In 2008, supermarket company Hannaford Brothers was breached. It affected just over four million customers. Malware was placed on 300 Hannaford servers as part of the retail data breach which allowed hackers to steal customers’ payment card details as they were used at the check-out. Of the just over four million customers who were affected, more than 1,800 reported their credit cards had been used.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both consumers and business fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to us to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog  we will take a look at some of the biggest business breaches since 2005 and what they meant for consumers. For a look at all of the ITRC’s 10,000 breaches blogs, visit

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

You might also like…

10,000 Breaches Later: The Benchmark Breaches That Created Systemic Change

10,000 Breaches Later: Three Major Data Breaches Consumers Should Know About

New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches