6 major credit card data breaches since Equifax

Patrick Whatman

Published on May 21, 2019


Remember the Equifax data breach? It happened in September 2017, and hit 143 million Americans. Among the data stolen were Social Security numbers, addresses, and dates of birth.

And also 209,000 credit cards.

Equifax was one of the higher-profile data breaches in recent memory. But it definitely wasn't the last.

Banks are reporting ever-growing fraud losses. And surveys indicate that up to one in five Britons experienced credit card fraud in 2018.

In this post, we look at six of the most impactful credit card data breaches since the Equifax attack in 2017. These are by no means the only data breaches, mind you. There have been plenty of other costly and concerning personal data leaks in recent years.

We're choosing to focus on credit card details, because that's something you can actually protect against. And at the end of the post, we'll show you how.

So let's get into it.

1. British Airways

All of the breaches below are well-known, but what happened to British Airways is perhaps the highest-profile such event from 2018. In August/September, more than 380,000 card payments to the airline were compromised.


The hack affected customers who made online bookings, and also included passengers’ names and home addresses.

It was initially unclear how the breach occurred in the first place. But it was later discovered that a script had been changed on the company’s site that forwarded customer details to an external database.

In short, this all happened because of a tiny change that should have been spotted.

And British Airways isn’t the only one. In a similar incident, fellow carrier Cathay Pacific experienced a breach in March 2018.

This hack resulted in more than 850,000 passport numbers being stolen, as well as a relatively small number of credit cards.

We’ll look at what these breaches have in common shortly. But the main takeaway is that huge service providers deal with millions of online purchases every year. And it only takes a small security oversight to expose an enormous amount of data.

2. Saks and Lord & Taylor

It’s not only online payments that can be risky. Every in-store purchase puts your credit card at risk. And if that’s the same credit card that you use online, the effects of a hack can be even more painful.

A major data breach was announced in early April 2018 involving Hudson’s Bay Co, the parent company of retailers Saks and Lord & Taylor. Details of more than 5 million credit and debit cards were put up for sale by a group named JokerStash.

These card details actually came from physical, in-store payments at locations including the famous Saks Fifth Avenue.


While online payment details were apparently not included, this incident highlights the potential risks involved with having your credit card details in so many different databases.

And what can you do? You can’t realistically expect to stop using credit cards altogether.

We’ll look at one easy and effective solution shortly. For now, on to number three.

3. Marriott Hotels

Up to half a billion people had their personal information stolen due to security issues with the Marriott hotel chain. What’s more, this wasn’t a one-off event. In fact, the data in question leaked over a four-year period from 2014 to 2018.

The victims were customers who had stayed at the company’s Starwood Hotels and Resorts, which includes Westin, Sheraton, St. Regis, and W Hotels.


The hack was so extensive, and the inaction of the hotels so glaring, that a class action lawsuit has now been brought by more than 150 of those affected. The suit focuses both on the level of security that the hotels used, but also on how long it took Marriott to inform users that something was wrong.

This particular breach highlights just how difficult it can be to know when your card details have been breached. You’re only likely to find out if:

  1. The company announces publicly that a breach has occurred

  2. If you keep a particularly close eye on your credit card purchases

More and more, people are relying on the latter. We know that hacks take place all the time, and private citizens do need to watch out for their money.

But this is much harder for businesses. You likely have a handful of company cards being used all over the world, both online and off. It’s tricky to know for sure why a purchase was made, and by whom.

This is one of the main reasons why the company credit card is a broken concept. Further down in this post we’ll show you a far better option.

4. Orbitz

Orbitz is a travel booking aggregator, similar to Skyscanner and Kayak. It was purchased by another well-known travel site Expedia to increase the latter’s range of products.


“The breach took place between 1st October 2017 to December 2017 when hackers accessed a legacy travel booking platform and stole two years worth of data from January 2016 and December 2017.” This includes 880,000 credit cards.

The company notified media and customers in March 2018, stating that the website in question was not the Orbitz.com live at the time of notification.

Perhaps more worryingly, the hack also impacted American Express and other companies which used the Orbitz platform. This is a reminder that so many of the tools and services we use are connected in one way or another.

Thus, simply changing your bank account or credit card details on one platform may not protect your business information from being used or stolen.

5. Panera

You probably don’t think of bakeries and cafés as typical targets for data hacks. But that’s exactly what Panera suffered in August 2017.

In fact, this was more accurately described as a “data leak” than a hack. The Panera website exposed millions of customers’ data in plain text format for an extended period of time. Any smart developer was able to see it.

The information in question appeared to belong to any user who used panerabread.com to order food online:


Image: KrebsOnSecurity

What makes this all worse is the way the company handled this fact. “They represent a masterclass in how not to behave when confronted with a cybersecurity predicament,” according to Fortune.

Panera was warned about the potential for a data breach in August 2017, but it took more than eight months for the site’s security flaws to be acknowledged and addressed. It initially accused the cyber security expert who reported the issue of being a scammer, and doesn’t appear to have taken any short-term steps to fix things.

And the real icing on the cake was the public response it released. It initially said that only 10,000 customers were affected. But investigations by journalist Brian Krebs suggests the true number could be 37 million customers.

This whole incident is particularly ugly for Panera, and it goes to show that the companies with your credit card details aren’t always particularly interested in protecting them.

6. Newegg

Newegg was also subject to an ongoing data breach. In mid-August 2018, hackers inserted a credit card skimming code into its site:


For the next month, every time a transaction occurred on Newegg, the card details were automatically passed on to the hackers’ database.

Interestingly, the attackers seem to be the same as the ones in the British Airways breach above. They also appear to have breached Ticketmaster’s website in 2018.

Unlike some of the other breaches in this post, this hack was relatively difficult to detect. And to Newegg’s credit, the site seems to have disclosed the attack as soon as it was discovered. But the fact that the same technique (and apparently the same hackers) could be successful on three major sites in a short period of time is certainly worrying.

It’s also unclear just how many customers were affected. In theory, any purchase made during the one-month period would have been compromised, and the card details skimmed. The site receives 50 million visitors per month. A lot of those won’t have actually made a purchase, but the number of potential victims is high.

Common themes for online credit card data breaches

Obviously, all of these hacks were different. They happened to different companies in various industries - we saw airlines, bakeries, ecommerce stores, and more.

But there are a few recurring themes that kept coming up.

1. Companies can be slow to take action

We talked about Panera above. Its hack was found by a third party data security expert who immediately notified the company. And yet it took months before Panera took even basic steps.

The fact is, companies place different levels of emphasis on cyber security. For some, it's paramount. They have the skills and knowledge in-house to avoid pretty much any intrusion, and to make quick changes if necessary.

But others just don't have the expertise. It's nobody's chief responsibility to ensure that your credit card details are safe. And if something doesn't look right, the first instinct can be to worry about other things first.

If your goal is to avoid serious credit card fraud, this has to be a worry.

2. It often takes significant time before customers are alerted

In the famous Cambridge Analytica case, Facebook originally became aware of its serious data breach in 2015. Yet it wasn’t until April 2018 that users were notified and the scandal truly broke.

The same is true of Chegg. In this case, the intrusion occurred in April 2018, but the news didn’t become public until September of the same year.

Frankly, companies are incentivized to keep bad news quiet - at least in the short term. Good businesses recognize that it's usually better to get ahead of a scandal and let customers know what went wrong. But you can't rely on this happening every time.

3. Online information is easily exposed

Online shopping and travel booking are a wonderful thing for consumers. They’re unbelievably convenient, quick, and often the best ways to get good deals.

But because this new economy is changing so quickly, even large multinationals are easily caught out. British Airways and Marriott Hotels aren’t tech companies. Even though they probably hire good people to run their servers and build their websites, they’re always going to be vulnerable to the latest hacking techniques.

Which means that sooner or later, your credit card information is likely to be leaked.

A simple way to protect your credit card information

A lot of these issues stem from the way that we pay for things. Credit cards are now pretty much universal, thanks an amazing network of card providers and retailers.

Our lives are so much easier as a result. But hackers’ lives are too. One small breach can net hundreds of thousands, even billions of users’ private details.

And traditional credit cards are a pain to cancel and replace. This is annoying when it’s your personal credit card, but for businesses this can be debilitating. You often can’t afford to wait for a new card, and you also can’t afford to leave a compromised card active.

The simplest solution is to switch to using virtual cards for online payments. The concept is so clean and elegant, it’s a surprise that everyone’s not already on-board.

In short, virtual cards are unique payment details for every payment you make online. So rather than using the same credit card on Amazon, Skyscanner, and Deliveroo, you can have a different “card” for each one.

Normally if one of these retailers is hacked, the intruders have your company credit card details. You’d have to cancel the card(s), which then voids all the payments you make on every other platform.

But if you have different virtual card details for each platform, you only need to cancel one virtual card. All the other payments can keep running without interruption, and you don’t have to wait for a new company card to be delivered.

And that’s just the beginning. Virtual cards also let you have:

  • Different card details for every single payment if you want them

  • Recurring cards for ongoing payments (like subscriptions, social ads, or even rent)

  • Individual limits set by you, which can be changed at any time for each individual card

On top of this, each team member has their own unique details. You’ll always know who was responsible for a payment, and the employee can keep tabs on what should be spent.

And perhaps the most important thing? Virtual cards aren’t connected to your bank account. Instead, you load up your platform with however much money you need. So even if your whole virtual card platform is hacked (which isn’t going to happen), the intruders don’t have access to the whole bank account.

All of this gives you a smart, flexible way to keep company money safe online, without getting security experts involved. You don’t have to share the same credit card details on every single website, and your credit fraud risk becomes negligible.

Want to try this out for yourself? Test out Spendesk’s virtual cards (and other smart payment methods):

New call-to-action