
Top 10 Biggest Cyber Attacks of 2024 & 25 Other Attacks to Know About!

Written by Aditi Uberoi | 20 January 2025

Almost every month in 2024 came with its own shattering cybersecurity headline. We round up 10 of the biggest cyber attacks, data breaches and ransomware attacks from the year gone by. You'll also find at the end of this blog a table of 25 other noteworthy attacks that you should know about.  

2024 was one of the most significant years for the global IT and security landscape. Attacks that ravaged critical service delivery, attacks that disrupted daily life, and attacks whose impact continues to unravel well into 2025 grabbed eyeballs everywhere. If you so much as glance at our monthly compilations of biggest cyber attacks, data breaches and ransomware attacks, you'll know what we're talking about.

Here are some additional statistics to help you understand the urgency of enhancing your cybersecurity measures in 2025. The 2024 SonicWall Cyber Threat Report noted an approximate 107% surge in IoT malware attacks during the year. According to "The State of Ransomware 2024" report by Sophos, ransomware impacted 59% of respondents. Phishing attacks have skyrocketed by 4,151% since the public release of ChatGPT in late 2022, as reported by SlashNext in "The State of Phishing 2024." Netscout recorded around 8 million DDoS attacks in the first half of 2024. The IBM/Ponemon Institute report stated that the average total cost of data breaches in 2024 was $4.88 million.

We've compiled a list of the top 10 Biggest Cyber Attacks, Cybersecurity Events, Data Breaches and Ransomware Attacks for 2024. In our opinion, these attacks made it to the top 10 list either thanks to their impact (financial or operational) or the massive scale at which they affected global services. Don't forget to check out the table at the end, which covers 25 other big attacks you should know about!

Top 10 Biggest Cyber Attacks, Data Breaches and Ransomware Attacks of 2024
1. Change Healthcare Ransomware Attack
2. Snowflake Ransomware Attack
3. UK MoD Data Breach
4. Ascension Ransomware Attack
5. MediSecure Data Breach
6. Synnovis-NHS UK Ransomware Attack
7. CrowdStrike-Microsoft Outage
8. TfL Cyber Attack
9. Ivanti Mass Zero-Day Exploits
10. Salt Typhoon Attacks


1. Change Healthcare: In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group and a major processor of U.S. medical claims, fell victim to a ransomware attack. The attackers, the BlackCat (ALPHV) group, infiltrated the company's systems. They exfiltrated sensitive data and deployed ransomware that crippled operations.

This breach led to significant disruptions in healthcare services nationwide, as electronic payments and medical claims processing were halted. This forced patients to pay out-of-pocket for medications and services. 

This attack is deemed one of the biggest of 2024 because of its impact on healthcare delivery and its huge financial cost. UnitedHealth Group estimates the cost of response added up to approximately $2.87 billion in 2024. The company also provided over $6 billion in assistance to affected healthcare providers.

But this was not all. The attack made headlines the world over as UnitedHealth CEO Andrew Witty confirmed that the organisation paid $22 million in ransom. The attack exposed the massive vulnerabilities in healthcare cybersecurity. It underscored the critical need for robust defences in healthcare, as the impact of any cyber crisis in this industry goes far beyond the business bottom line.

Read all about this massive attack of 2024 in our Change Healthcare Ransomware Attack Timeline

2. Snowflake: Snowflake, the prominent cloud data platform, experienced a significant data breach in May 2024. The data exfiltration activity via Snowflake affected over 100 of its customers, including major corporations like AT&T, Ticketmaster, and Santander Bank.

The breach was orchestrated by hackers associated with the Scattered Spider group, who exploited compromised credentials of a Snowflake employee account. This unauthorised access led to the exfiltration of vast amounts of sensitive data. Billions of call records from AT&T and personal information from Ticketmaster and Santander Bank customers were stolen.

The attackers employed extortion tactics, demanding ransoms ranging from $300,000 to $5 million from affected companies to prevent the public release of the stolen data. 

The breach not only caused substantial financial losses but also highlighted critical security lapses, particularly the absence of MFA and inadequate credential management among Snowflake's clientele. 

Get all the details from our Snowflake Ransomware Attack Timeline

3. UK Ministry of Defence: In May 2024, the UK's Ministry of Defence (MoD) experienced a significant data breach when a contractor-operated payroll system was compromised by a cyber attack. This system contained personal information—including names, bank details, and, in some cases, home addresses—of approximately 270,000 current and former UK military personnel.

Defence Secretary Grant Shapps informed Parliament that the attack was likely orchestrated by a "malign actor". There were suggestions of involvement by a potential foreign state. While the government did not officially attribute the breach to a specific nation, multiple media outlets reported suspicions of Chinese involvement.

This incident underscored the critical importance of robust cybersecurity measures, particularly concerning third-party service providers. Vulnerabilities within the supply chain were yet again exploited, with far-reaching implications for national security.

4. Ascension: The leading U.S. healthcare system experienced a crippling ransomware attack in May 2024. As is usually the case with attacks on the healthcare industry, this one too disrupted operations across multiple states. The attack made the MyChart electronic health record (EHR) system inaccessible.

This forced healthcare workers to rely on manual documentation, severely delaying and disrupting critical patient care. Hospitals had to divert emergency services to manage urgent cases safely. Routine surgeries and appointments were postponed, leaving patients with chronic conditions in limbo. The incident not only highlighted the sector's technological vulnerabilities but also emphasised the cascading effects of a cyber crisis on patient safety and care delivery.

Get all the details on this headline-making attack in our Ascension Cyber Attack Timeline

5. MediSecure Australia Data Breach: May 2024 was clearly not a good month for healthcare service providers. In Australia, MediSecure, a prominent electronic prescription service provider, suffered a significant ransomware attack. This resulted in the theft of personal and health information of approximately 12.9 million individuals. The compromised data included names, dates of birth, addresses, phone numbers, Medicare numbers, prescription details, and reasons for medication. 

Despite extensive efforts, MediSecure was unable to identify specific individuals affected due to the complexity and volume of the 6.5 terabytes of data involved. This breach stands as one of the largest in Australian history, surpassing previous incidents such as the 2022 Optus hack, which impacted 10 million Australians.

6. Synnovis-NHS Cyber Attack: On June 4, 2024, the NHS in the UK declared a ‘critical incident’. Its pathology services provider, Synnovis, had become the victim of a ransomware attack by the Qilin ransomware gang. What followed was utter chaos and a direct impact on human life and wellbeing.

Blood transfusions, test results, operations related to cancer treatments and even C-sections had to be rescheduled. Over 1,100 elective procedures and more than 2,000 outpatient appointments across major London hospitals were postponed.

The Russian-speaking attackers stole and leaked 400GB worth of sensitive data and attempted to extort money from Synnovis. They allegedly demanded a $50 million ransom, and upon non-payment, published the stolen data online.

The attack, once again, underscored the pressing need for robust cybersecurity protocols within the NHS supply chain to safeguard patient data and maintain uninterrupted healthcare services.

7. CrowdStrike-Microsoft Outage: On July 19, 2024, a faulty update from CrowdStrike's Falcon Sensor software caused widespread disruptions for Microsoft Windows users globally.

Users worldwide were greeted with the “Blue Screen of Death”. Approximately 8.5 million systems crashed across the world. This outage severely impacted various critical sectors, including aviation, banking, hospitals, and manufacturing. Even TV stations, grocery stores and petrol pumps were hit. This incident, although not a cyber attack, showed just how far-reaching the impact of vulnerabilities in interconnected digital systems can be.

CrowdStrike's CEO, George Kurtz, promptly apologised, clarifying that the incident was due to a software bug. Although a fix was quickly deployed, many organisations faced prolonged recovery periods, with some systems requiring manual intervention to restore full functionality. This event once again highlighted the critical need for robust risk management strategies for organisations worldwide.

We mapped this incident exactly as it unfolded in our Blue Screen of Death Live Timeline

8. Transport for London: In September 2024, Transport for London (TfL) experienced a sophisticated cyber attack that disrupted services. The greatest impact was on differently-abled passengers who relied on TfL's Dial-A-Ride service, yet again highlighting the huge impact cyber attacks can have on daily life. 

Initially, TfL believed that no data had been compromised; however, further investigation revealed the extent of the breach. The attack had allegedly compromised the personal data of approximately 5,000 customers, including sensitive information such as home addresses and banking details. A 17-year-old individual was identified as the perpetrator of the attack and was subsequently released on bail.  

Concerned that this could be a ransomware attack, the IT security teams at TfL took swift action by shutting down and restricting access to several systems to contain the damage. However, this resulted in significant operational disruptions and financial losses. TfL reported that the incident cost the organisation £30 million, with £5 million spent in the last three months alone on response efforts, investigations, and implementing enhanced cybersecurity measures. 

This cyber attack on TfL served as another stark reminder in 2024 of the critical importance of safeguarding national infrastructure against digital threats. The fallout from such incidents can be severe, underscoring the need for substantial investment in proactive measures, including robust cyber incident response planning and professionally conducted cyber tabletop exercises, to ensure resilience and preparedness.

9. Ivanti Zero-Day Mass Exploits: In early 2024, researchers observed exploitation of Ivanti zero-day vulnerabilities. The security vendor confirmed two zero-day vulnerabilities in its Connect Secure and Policy Secure gateways in January. The vulnerabilities identified were CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection flaw.

Initially exploited by a suspected Chinese state-sponsored group known as UNC5221, these vulnerabilities allowed attackers to deploy custom malware, including web shells and credential harvesters, compromising numerous organisations worldwide. 

Despite Ivanti's release of mitigations and patches, the situation escalated quickly. Multiple threat actors began mass exploitation, leading to over 1,700 Ivanti Connect Secure (ICS) VPN appliances being compromised with the GIFTEDVISITOR web shell by mid-January.

The exploitation intensified with the discovery of additional vulnerabilities, such as CVE-2024-21893, a server-side request forgery flaw, and CVE-2024-21888, a privilege escalation issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by directing federal agencies to disconnect affected Ivanti appliances until they were secured.

10. Salt Typhoon Telecom Attacks: 2024 ended with a bang for the US and global telecom sector. Alleged Chinese-backed state hackers, Salt Typhoon, intensified their cyber espionage efforts targeting major U.S. telecommunications companies, including AT&T, Verizon, T-Mobile, and Lumen Technologies in December 2024.

The chair of the Senate Intelligence Committee, Senator Mark Warner, has called these attacks the “worst telecom hack in our nation’s history”. These intrusions granted the hackers access to sensitive data, such as call and text metadata, geolocation information, and, in certain cases, actual audio recordings of phone conversations. Notably, high-profile individuals, including political figures like Donald Trump and J.D. Vance, were among those affected. 

The U.S. government has responded by implementing measures to bolster cybersecurity defences and mitigate the impact of these breaches. National Security Adviser Jake Sullivan confirmed that specific actions have been taken in response to the Salt Typhoon incidents. CISA has issued guidance to telecommunications providers, urging the adoption of robust security protocols, including encryption and continuous monitoring.

25 Other Major Cyber Attacks, Data Breaches and Ransomware Attacks in 2024

| Date of the Event | Victim | Incident | Threat Actor | Impact |
| --- | --- | --- | --- | --- |
| January 2, 2024 | Blockchain platform Orbit Chain | Orbit Chain loses $86 million in fintech hack | Sophisticated state-sponsored attackers believed to be based out of North Korea | Orbit Chain experienced a security breach that resulted in a loss of $86 million in cryptocurrency, particularly Ether, Dai, Tether, and USD Coin. Orbit Chain's balance went from $115M to $29M instantly, meaning that the losses were estimated to be about $86,000,000. Source: Bleeping Computer |
| January 4, 2024 | KyivStar Telecommunication | Russian hackers wipe thousands of systems in KyivStar attack | Solntsepek group (believed to be linked to the Sandworm Russian military hacking group) | The Russian hackers behind a December breach of Kyivstar, Ukraine's largest telecommunications service provider, wiped all systems on the telecom operator's core network. Kyivstar's mobile and data services went down, leaving most of its 25 million mobile and home internet subscribers without an internet connection. Source: Bleeping Computer |
| January 8, 2024 | loanDepot | US mortgage lender loanDepot confirms ransomware attack | Unknown | Mortgage lender loanDepot said that approximately 16.6 million people had their personal information stolen in a ransomware attack. The attack caused the company to take its IT systems offline, preventing online payments against loans. Source: Bleeping Computer |
| January 21, 2024 | Majorca city Calvià | Majorca city Calvià hit by ransomware attack | Unknown | The Calvià City Council in Majorca announced it was targeted by a ransomware attack, which impacted municipal services. A source learned that the ransom set by the cybercriminals was allegedly €10,000,000, approximately $11M. Source: Bleeping Computer |
| January 29, 2024 | Energy company Schneider | Energy giant Schneider Electric hit by Cactus ransomware attack. Cactus ransomware claims to have stolen 1.5 TB of data | Cactus ransomware | Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data. The attack hit the company's Sustainability Business division and disrupted some of Schneider Electric's Resource Advisor cloud platform. The ransomware gang reportedly stole terabytes of corporate data and threatened to leak the stolen data if the ransom demand was not paid. Source: Bleeping Computer |
| February 1, 2024 | Lurie Children's Hospital | Rhysida ransomware demands $3.6 million for children’s stolen data | Rhysida Ransomware | The cyber attack forced Lurie Children's Hospital to take its IT systems offline, disrupting normal operations and delaying medical care in some instances. The healthcare provider said that the incident impacted the hospital's internet, email, phone services, and ability to access the MyChart platform. Source: Bleeping Computer |
| February 22, 2024; 30/03/2024 | AT&T | Cell phone outage hits AT&T customers nationwide; Verizon and T-Mobile users also affected. AT&T confirms data of 73 million customers leaked on hacker forum | ShinyHunters | AT&T finally confirmed it was impacted by a data breach affecting 73 million current and former customers after initially denying the leaked data originated from them. It said in a statement: "Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders". Source: Bleeping Computer |
| March 05, 2024 | Duvel Moortgat Brewery | Duvel says it has "more than enough" beer after ransomware attack | Stormous Ransomware group | Duvel Moortgat Brewery was hit by a ransomware attack, bringing to a halt the beer production in the company's bottling facilities. The company said the production was immediately stopped. Some beer enthusiasts on Reddit responded to the incident with humour, calling the situation a "national emergency" and asking for the actual number of "strategic reserves." The threat actors who claimed the attack said they hold 88 GB of data stolen from the brewery's systems, threatening to leak it if a ransom isn't paid by March 25, 2024. Source: Bleeping Computer |
| March 12 and 22, 2024 | Boat Dealer MarineMax | Boat Dealer MarineMax hit by cyber attack | Rhysida Ransomware | The ransomware group posted numerous samples of the alleged stolen data, including MarineMax earnings reports, balance sheets, bank account wire transfers, customer databases etc. The gang priced the luxury yacht dealer’s “exclusive, unique, and impressive data” at a “bargain” price of 15 BTC, equivalent to $774,415.65. Source: Bleeping Computer |
| March 15, 2024 | NHS Dumfries and Galloway | Ransomware group allegedly leaks stolen data from the Scottish health service | INC Ransom | NHS Dumfries and Galloway, part of the Scottish healthcare system, announced that it was the target of a focused and ongoing cyber attack. Subsequently, cyber extortionists published sensitive patient data allegedly stolen from NHS Dumfries and Galloway to their dark web blog, in a bid to demand money from the local health board. Source: The Record |
| April 04 and 11, 2024 | Hoya Corporation | Hoya’s optics production and orders disrupted by ransomware attack with a demand of $10 million | Hunters International ransomware | Hoya said in a statement: “We learned that the Group's headquarters and several of its business divisions have experienced an IT system incident". Hackers demanded a $10 million ransom for a file decryptor and to not release files stolen during the attack. Source: Bleeping Computer |
| May 08, 2024 | Dell | Dell warns of data breach, 49 million customers allegedly affected | A BreachForum user named Menelik | Dell warned customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers. The computer maker began emailing data breach notifications to customers, stating that a Dell portal containing customer information related to purchases was breached. Source: Bleeping Computer |
| June 03, 2024 | American Radio Relay League (ARRL) | ARRL says it was hacked by an "international cyber group" | An unnamed malicious international cyber group | The cyber attack on the American Radio Relay League (ARRL) took its Logbook of the World offline and caused some members to become frustrated over the lack of information. ARRL confirmed paying the ransom of $1 million to access a decryptor to restore encrypted systems. Source: Bleeping Computer |
| June 24, 2024 | Neiman Marcus | Neiman Marcus confirms data breach after Snowflake account hack | Sp1d3r | Luxury retailer Neiman Marcus confirmed it suffered a data breach after hackers attempted to sell the company's database stolen in recent Snowflake data theft attacks. Source: Bleeping Computer |
| July 15, 2024 | Rite Aid Pharmacy | Rite Aid says June data breach impacted 2.2 million people | RansomHub | Rite Aid said that 2.2 million customers' personal information was stolen in what it described as a "data security incident." "While having access to the Riteaid network we obtained over 10 GB of customer information equating to around 45 million lines of people's personal information. This information includes name, address, rewards number etc.," RansomHub said on their dark web leak site. Source: The Record |
| July 18, 2024 | Indian crypto platform WazirX | Indian crypto platform WazirX confirms $230 million stolen during cyber attack | Suspected North Korean Hackers (Lazarus) | At least $230 million worth of cryptocurrency was stolen from an India-based cryptocurrency platform named WazirX. Blockchain security companies including Elliptic, Arkham and BlockSec said there was clear evidence of millions worth of cryptocurrency being syphoned out of WazirX. Elliptic pegged the losses at $235 million and broke down the currencies stolen, which include ETH, some U.S. dollar-pegged stablecoins and more. Source: The Record |
| August 04, 2024 | Keytronic | Keytronic reports losses of over $17 million after ransomware attack | Black Basta Ransomware | Electronic manufacturing services provider Keytronic revealed that it suffered losses of over $17 million due to a May ransomware attack. In a filing with the U.S. Securities and Exchange Commission (SEC), Keytronic said it detected the incident on May 6 after disruptions at its Mexico and U.S. sites impacted business applications supporting both operations and corporate functions. Source: Bleeping Computer |
| August 08, 2024 | ADT Alarm | Home alarm company ADT says hackers obtained ‘limited’ customer data | Unknown | The home security systems company ADT Inc. announced that unauthorised hackers unlawfully broke into some databases storing customer order information. The attackers made off with “limited” customer information, including email addresses, phone numbers and home addresses. Source: The Record |
| August 23 and 29, 2024 | Halliburton | Halliburton forced to take systems offline to contain cyber attack | RansomHub Gang | Oil field giant Halliburton provided details to regulators about the cyber attack that necessitated the shut-down of certain systems. The company said that it was hit by a cyber attack that affected operations at its headquarters in Houston. Source: Bleeping Computer |
| October 10, 2024 | Casio | Casio confirms customer data stolen in a ransomware attack | Underground Ransomware | Casio confirmed it suffered a ransomware attack, warning that the personal and confidential data of employees, job candidates, and some customers was also stolen. The attack was disclosed on October 07, 2024 when Casio warned that it was facing system disruption and service outages due to unauthorised access to its networks. Source: Bleeping Computer |
| November 1, 2024 | Los Angeles Housing Agency | Los Angeles Housing Agency confirms another cyber attack after 2023 ransomware incident | Cactus Ransomware | The Housing Authority of the City of Los Angeles (HACLA) said it was dealing with a cyber attack following claims of data theft made by a ransomware gang. The statement came after the Cactus ransomware gang claimed it stole 861 GB of data that included personal information, backups, financial documents and more. Source: The Record |
| November 3, 2024 | Schneider Electric | Schneider Electric says hackers accessed internal project execution tracking platform | HellCat Ransomware | Schneider Electric confirmed that it is investigating a cyber attack following reports of a breach. The HellCat ransomware gang took credit for the most recent attack, claiming it accessed Schneider Electric’s Atlassian Jira system, allowing them to allegedly steal about 40GB worth of project data and user information. The gang threatened to leak the information if it was not paid a $125,000 ransom. Source: The Record |
| November 21, 2024 | Blue Yonder | Retailers struggle after ransomware attack on supply chain tech provider Blue Yonder | Termite Ransomware | A major technology provider for hundreds of large retailers, Blue Yonder struggled to recover from a ransomware attack. The company warned customers that the “Blue Yonder team is working around the clock to respond to this incident and continues to make progress.” Its customers range from supermarket chains like Morrisons to consumer goods companies like Amway, Anheuser-Busch, Dole and Gap. Other customers include Microsoft, Ford, Lenovo, Mitsubishi and Nestle. The Termite group claimed responsibility through its Tor-based website, posting that it has exfiltrated 680 gigabytes of data from Blue Yonder, including sensitive information such as databases, email addresses, and over 200,000 insurance documents. Source: The Record |
| December 3, 2024 | BT | BT unit took servers offline after Black Basta ransomware breach | Black Basta ransomware | UK's telecommunications giant BT Group confirmed that its BT Conferencing business division shut down some of its servers following a Black Basta ransomware breach. A company spokesperson said that the security incident didn't impact BT Group's operations or BT Conferencing services. It was unclear if any systems were encrypted or only data stolen. Black Basta ransomware gang claimed they breached the company's servers and allegedly stole 500 GB of data, including financial and organisational data, "users data and personal docs," NDA documents, confidential information, and more. Source: Bleeping Computer |
| December 16, 2024 | Texas Tech University | Texas Tech University System data breach impacts 1.4 million patients | Interlock Ransomware | The Texas Tech University Health Sciences Center and its El Paso counterpart suffered a cyber attack that disrupted computer systems and applications, potentially exposing the data of 1.4 million patients. The threat actors leaked 2.1 million files totaling 2.6 TB of data allegedly stolen from HSCs, and the entire package is available for download from their extortion portal on the dark web. Source: Bleeping Computer |
| December 30, 2024 | Cisco | Cisco confirms authenticity of data after second leak | IntelBroker | A hacker leaked more data stolen from a Cisco DevHub instance and the tech giant confirmed its authenticity and that it originated from a recently disclosed security incident. The hacker known as IntelBroker announced on October 14 that he and others had breached Cisco systems and obtained source code, certificates, credentials, confidential documents, encryption keys and other types of information. The hacker initially claimed to have obtained 800 Gb of files, but later said 4.5 Tb of data was taken from the DevHub environment. In mid-December the hacker made available roughly 3 Gb of the data and on Christmas Day another batch of files, totaling more than 4 Gb, was leaked. Source: Security Week |