Biggest data breaches of 2019 so far (Toyota, Capital One, AMCA and more)

Susan Morrow
September 9, 2019 by
Susan Morrow


2019 is a case of “here we go again” in terms of data breaches. According to Verizon’s Data Breach Investigations Report (DBIR) for 2019, financial gain is behind 75% of attacks. And to add more concern, a World Economic Forum report has identified cyberattacks and data theft as being likely to be “higher than average” in 2019.

Data exposure is now a fact of corporate and daily life. However, forewarned is forearmed: being cybersecurity-aware of cyberattacks and how they happen can help prevent them.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

With this in mind, here are some of the largest data breaches, to mid-year 2019.

8 of the biggest data breaches of 2019

The following are in order of date, showing the name of the organization breached and the numbers of user accounts affected:

Evite: 10 million

Social platform Evite was hacked in February of 2019 with the exposure of names, usernames, email addresses, passwords and, potentially also, dates of birth, phone numbers and mailing addresses. The breach involved unauthorized access to an inactive data storage file associated with user accounts.

Toyota: 3.1 million

February and March of 2019 saw two separate data breaches at the car manufacturer Toyota. Although the jury is still out on how the attack happened, it is suspected to be a highly targeted data breach.

Industry sources are pointing to a Vietnamese hacking group who used an advanced persistent threat (APT) known as APT32 or the OceanLotus group. The group has allegedly been associated with supporting Vietnam’s interest in the automotive industry.

American Medical Collection Agency (AMCA): 20+ million

Between February 2018 and March 2019, medical data and financial information, including bank account details, were exposed in a data breach at a number of organizations, including healthcare billing company Optum360.

The initial breach was discovered by Gemini Advisory when payment card details of around 200,000 patients were found for sale on a darknet marketplace. The patient data was traced to Optum360 and several other healthcare organizations.

In total, over 20 million patient data have been exposed, with 11.5 million at Optum360 and over 10 million at LabCorp. Details of the breach are still being worked out, but it is thought to be an external and targeted attack.

Capital One: 106 million

In March 2019, a data breach at Capital One resulted in the exposure of customer personal data. This data included names, addresses, dates of birth, credit scores, Social Security numbers and bank account numbers.

Capital One became aware of the breach when hacker Paige Thompson alerted them to the data being made available on GitHub. A server misconfiguration was blamed for the breach.

MongoDB: 275 million

In April this year, the data of 275 million Indian citizens was exposed. The data included name, sex, date of birth, email, mobile phone number, education details, salary and more.

The vulnerability, a scraping operation affecting multiple organizations, was discovered by security researcher Bob Diachenko. The data was stored on unsecured MongoDB instances.

Canva: 139 million

May brought another database breach involving personal data such as email addresses, geographic locations, names, passwords, usernames and at least partial exposure of financial data. In the case of password exposure, for those users not using social logins, passwords were stored as bcrypt hashes.

This time it was the turn of Canva, a design app. The attack was targeted and performed by a group called the GnosticPlayers. Interestingly, the hackers behind the attack contacted the media, taking the blame for the attack. It is believed they did this to promote the sale of the stolen data on the darknet.

Desjardins: 2.9 million

In June of 2019, the Canadian credit union Desjardins was involved in insider-instigated data theft, i.e., the data was exposed by deliberate employee action. The data exposed included first and last name, date of birth, social insurance number, address, phone number, email address and details about banking habits. In addition, business customer data was also exposed. The employee has since been fired.

Suprema: 27.8 million

Suprema is a security company with government and financial clients, and has a biometric product known as Biostar. In August, Suprema announced a data breach involving biometric data. The breach likely exposed fingerprints, facial images, usernames and passwords, employee records and entry logs to secure areas.

The vulnerability was identified by cybersecurity experts Noam Rotem and Ran Locar. The pair found the Suprema database was unprotected and mostly unencrypted and that a manipulation of the URL used with ElasticSearch allowed them to access the data.

Conclusion: Will 2019 be the year of the data breach?

So far, data breaches are up 54% from the same period in 2018. If we look at many of the data breaches chosen to spotlight here, we see a common pattern — poor security awareness.

Many of the very large breaches could have been prevented by having good security hygiene. In particular, understanding how to correctly configure databases and cloud repositories is crucial. A number of data breaches involved hacking groups specifically targeting an organization.

If we do not close gaps and resolve to protect our resources with the correct procedures, then we may as well give the cybercriminals people’s personal data directly. More must be done to ensure that our staff, across every department and including IT, are fully aware of security and how cybercriminals operate. Only through being aware of the web of vulnerabilities that our highly-connected workspaces now operate in can we hope to bring the data breach figures down in 2020.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.



  1. 2019 Data Breach Investigations Report, Verizon
  2. The Global Risks Report 2019 14th Edition, World Economic Forum
  3. Data Incident, Evite
  4. Notice on a Cyberattack Targeting Toyota, Toyota
  5. Toyota announces second security breach in the last five weeks, ZDNet
  6. Unsurprisingly, big numbers from the AMCA breach are starting to be revealed,
  8., Bob Diachenko
  9. Australian tech unicorn Canva suffers security breach, ZDNet
  10. Desjardins statement concerning unauthorized access to some member information, Desjardins
  11. Biometric data of a million users leaked, TechRadar
Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.