The 10 Biggest Data Breaches Of 2022

By Daniel Young | December 15, 2022 | 3 min read

Data breaches continued to be a considerable threat in the last year.

While 2022 has so far seen 1,291 reported breaches, down from 1862 breaches in 2021, the breaches themselves are getting bigger—this year may have seen the biggest data breach in history.

There have also been some definite trends. According to Verizon’s Data Breach Investigations Report (DBIR), 2022 was a big year for ransomware, state-sponsored actors, and human error, which was present in 82% of breaches.

Many of those trends are reflected in the breaches below, particularly the human element: 2022’s most notable breaches include a social engineering teenager from England, misconfigured servers, a drunk government contractor in Japan, and an angry U.S. insider who had recently been fired. Read on for the 10 biggest and most notable breaches in 2022.

In January 2022,, one of the largest cryptocurrency exchanges in the world became aware of a series of unauthorized transactions impacting 483 users. Cybercriminals bypassed 2-factor authentication (2FA) to withdraw $34 million in funds from users’ digital wallets. The users were reimbursed and moved from 2FA to Multi-Factor Authentication (MFA).

The Red Cross

The International Committee for the Red Cross (ICRC) disclosed in January that it had been attacked. The network intrusion led to the theft of the personal records of more than 500,000 people receiving assistance from the group. The criminal who hacked the group is suspected to be a state-sponsored bad actor from Iran.


In March, Sri Lankan fintech company PayHere suffered a 65GB data breach exposing more than 1.5 million users’ data. The exposed data includes email addresses, IP and physical addresses, names, phone numbers, purchase histories and partially obfuscated credit card data.


This is an unverified breach. In March, the Russian courier service CDEK was allegedly hacked by Ukrainian hacker group "IT Army" exposing 19 million unique email addresses as well as names and phone numbers.

Cash App

In April, Cash App reported that a former employee had downloaded reports containing the personal information of U.S. users, potentially exposing the information of more than 8 million users of the mobile payment app. The data downloaded included full names and brokerage account numbers for Cash App users. The former employee downloaded the information in December as revenge for having been fired.

City of Amagasaki, Japan

In June, the personal information of every one of Amagaski’s 500,000 citizens was exposed when a government contractor lost his bag after a night of drinking. The contractor passed out in the street and when he awoke, the bag was gone. It contained a USB stick with names, birth dates, addresses, tax details, banking information, and social security records for city residents. The USB stick was encrypted and passworded, and was later recovered by the police.

The Shanghai Police

This is potentially one of the largest data breaches in history, although details are unconfirmed due to the Chinese media’s censorship and repression of online discussion of the breach. In July, a database containing records of more than a billion Chinese civilians was allegedly stolen from the Shanghai Police. The database allegedly included addresses, police records and national ID numbers.


15 million Plex users’ usernames, passwords, and email addresses were compromised in August 2022 as part of a hack on the video streaming service.


In September, a server misconfiguration at Microsoft inadvertently exposed the information of more than 65,000 organizations in 111 countries. The exposure consists of 2.4 terabytes of companies’ data, including invoices, product orders, signed customer documents and partner ecosystem details, according to SOCRadar, the company that detected the breach.


In September, a social engineering campaign against Uber workers and contractors led to a network intrusion and a takeover of Uber’s internal systems, including AWS, Google Drive, Slack, and other tools. A 17-year-old hacker from the United Kingdom convinced an Uber contractor to disclose login credentials. The teenage hacker has been arrested.

Cyber threats are a considerable risk to your organization. Schedule a demo now and assess your company’s cyber risk for 2023.

Are you ready to improve your organization’s risk management?

See Circadian Risk In Action Now
Schedule FREE Demo