How Secure is Your Data?: Repeated Data Breaches by Major Companies—Facebook, Equifax, Citigroup, AOL

Fool me once, shame on you; fool me twice, shame on me; fool me…eight times? Seriously?

Data breaches are a serious problem, and they are getting worse.

As we move more and more of our lives online, especially now with the pandemic, chances are that your personal information has been compromised. This is concerning for a number of reasons:

1) this exposes you to potential identity theft,

2) many of these companies are collecting your personal information without your knowledge and then are not accountable for keeping your data secure,

3) the consequences of data breaches are often unknowable or unknown for a long time, and

4) many view the breach of privacy as a problem itself no matter the consequences.

Unfortunately, the problem of data breaches is increasing both in frequency and in magnitude. 2005 marked the first year that a data breach involved more than one million records. Fifteen years later, data breaches in the first quarter of 2020 exposed at least 8.4 billion records, reflecting a 273% increase from the first quarter of 2019.

These breaches are widespread, spanning across every industry, from the financial sector to healthcare to social media. There are four major companies that have experienced multiple data breaches ultimately affecting their customers and odds are that you are among them. They are AOL, Citigroup, Equifax, and Facebook.

First . . . What is a Data Breach?

A data breach can be defined narrowly as access to personal data by hackers or more broadly as any kind of unauthorized exposure regardless of the cause or source. Here, we will rely on the broad definition because in our view, there is no meaningful difference between "exposure" and "access." Both result in a violation of an individual's privacy, which is concerning for the reasons listed above, and both are a problem. Any attempt to separate the two by "consequences" is a nonstarter. Data can be "accessed" without adverse impact, while unauthorized exposure can result in negative effects.


You may know AOL as your parents’ or grandparents’ email provider.

AOL’s reputation of being a little out-of-date is not unfounded – they have been around for a long time by the internet’s standards. They were, in fact, an early pioneer of the internet. In the mid-1990s and early 2000s, they provided dial-up services, email, instant messaging, and even a web browser. They were so big that at one point they acquired Time Warner, which was the largest merger in U.S. history at the time. But then their popularity quickly waned; Time Warner spun off, and Verizon Communications acquired AOL in 2015.

Unfortunately, AOL also has a reputation as the most insecure email service around. In 2019, an experiment was conducted by running hundreds of thousands of emails through, a website that allows you to check across multiple breaches to see if your email has been compromised.  The study found that 99.83% of the email addresses had been breached. That means that nearly every single AOL email account has been compromised. Perhaps even more shocking is that other email providers didn’t fare much better. Gmail was the most secure with a breach rate of 74.09 percent. By any standard, that would be considered a failure.

To top it off, AOL has also had their share of large data breaches.

In 2003, an AOL employee stole 92 million AOL screen names and sold the information to a spammer for $28,000. He was later sentenced to over a year in prison and fined. The theft resulted in up to 7 billion unsolicited emails.

Then, in 2006, AOL published search data on 605,000 of its users. Although the circumstances surrounding this incident are unclear, what is clear is that the data included 20 million search queries containing some very private user information (such as personal identifiers, porn searches, and potentially illegal activity). AOL admitted to the mistake and took down the file, but it had already been downloaded hundreds of times. On an interesting side note, the breach spawned a theatrical production called User 927.

As if their internal problems were not enough, AOL experienced a cyber-attack in 2014. Hackers stole email and postal addresses, passwords, and answers to security questions from “a significant number of user accounts.” The full extent of the breach is unclear, but it underscores the recurring issue of repeated data breaches.


Whether you bank with them or not, most people have heard of Citigroup. It is a multinational financial institution that is consistently ranked as one of the largest in the U.S. and worldwide. It has almost $2 trillion in assets and hundreds of millions of customer accounts.

And it lost 3.9 million customer records in the mail. Well, technically, UPS did. In 2005, Citigroup mailed computer tapes containing information on 3.9 million customers to a credit reporting agency. The tapes never got the there. Why or how the tapes were lost is unknown but it was one of the largest breaches of data security at the time.

Then, in 2011, Citigroup was hacked and the personal banking information from 360,000 accounts was stolen. The hackers accessed names, account numbers, and other contact information after entering through Citigroup’s website and apparently, spent months playing around inside of Citigroup’s vault of data/financial information. Experts claim it was a “simple job” and that the hackers would not have succeeded if Citigroup had used professionals to audit the website. Adding insult to injury, Citigroup waited a full week before notifying users about the breach.

In 2013, Citigroup failed to redact sensitive information from 150,000 individuals in court documents. The documents included information (such as social security numbers) about individuals who filed for bankruptcy between 2007 and 2011. Citigroup blamed the software it used for the oversight but failed to disclose the particular software.

Citigroup’s mistakes were not hugely flagrant: losing a package, overlooking website maintenance, and failing to redact documents. But when you are a giant financial institution with sensitive information, such errors can result in egregious consequences for millions of people.


You may know Equifax as the company that tracks your credit. You may also recognize it as the company that experienced a gigantic data breach in 2017 that affected nearly 150 million Americans. What you may not know is that the 2017 breach was actually a series of breaches spanning from March to July.

Even worse, the 2017 breaches were preceded by several previous data breaches that should have put Equifax on notice.

  • April 2013 to January 2014 – credit reports were obtained using guessed personal information
  • May 2016 – 430,000 names, addresses, and social security numbers associated with Kroger were stolen
  • January 2017 – credit information for a “small number” of LifeLock users was stolen

Afterwards security researchers examined Equifax’s cyber infrastructure and found severely outdated sections. One researcher found code that pointed to Netscape (a web browser that was discontinued in 2008) and another found a patchwork of decade-old software and likened the experience to “stepping back in time.” In the ever-evolving realm of cyber-security where staying current is absolutely essential, these are appalling findings.

Equifax then waited six weeks to inform consumers about the data breach. During that timeframe, several Equifax executives sold company stock (the stock dropped dramatically in value after the breach was announced). Ultimately, the multiple breaches resulted in an enormous class action lawsuit and settlement. You can check if your data was affected and make a claim to the settlement HERE.


You may know Facebook as the company that knows you.

Everything about you, really. Seriously, Facebook knows so much about you.

That is why they are probably the last company you want to have a data breach. Or eight. That’s right, between 2013 and 2019, Facebook experienced eight major data breaches. Guess how many happened in 2019 alone? Five. Yes, more than half of Facebook’s major data breaches happened in 2019 alone. And each breach affected millions of people. Here is a list:

  • June 2013 – affected 6 million users (a bug was discovered harvesting information)
  • May 2018 – affected 3 million users (Facebook exposed users’ personality test results)
  • September 2018 – affected 30 million users (hackers took control of user accounts)
  • March 2019 – affected 600 million users (Facebook exposed user passwords)
  • April 2019 – affected 540 million users (personal data was posted publicly on Amazon cloud servers)
  • April 2019 – affected 1.5 million users (Facebook harvested email contacts of users without their knowledge or consent)
  • September 2019 – affected 419 million users (database containing personal information was left unprotected)
  • December 2019 – affected over 267 million users (an unprotected database was left open on the dark web for nearly two weeks)

As you can see above, Facebook is single-handedly responsible for the most data leaked in 2019. Sadly, this list of breaches isn’t even exhaustive.

There is also the well-publicized Cambridge Analytica scandal where the personal data of 87 million user profiles was harvested without permission for political purposes. Then there are the data breaches that only affected Facebook’s subsidiaries (like in 2019, when 49 million Instagram users had their biodata exposed through a social media marketing firm), and the various class action settlements, fines, or penalties that have been levied against Facebook by government agencies for unscrupulous data practices (like the recent $650 million settlement Facebook has to pay Illinois residents for collecting biometric data without permission). By the way, you can make a claim HERE for the Facebook Illinois settlement.


These are only a few companies. Notably, two of the four waited to inform their users of data breaches. Unfortunately, there are probably dozens of other companies experiencing breaches that are not publicized.

All of these facts and figures highlight the need for user advocates to protect personal information and to keep companies accountable.

Enter DDP. Sign up, spread the word, and give us the leverage to protect your personal data and to hold companies accountable.