It's the dark side of technology: bigger and bigger data flows mean ever more spectacular cybercrimes. This week, InterContinental Hotels Group (IHG), which owns hotel chains like Holiday Inn, clarified that it's previously announced credit card malware attack between last September and December was much bigger than first disclosed. “Approximately 1,200 IHG-branded franchise hotel locations in the Americas were affected,” a company spokesperson told The Verge. That's an order of magnitude more than the company's initial disclosure
According to the non-profit Identity Theft Report Center (ITRC), data breaches that have led to exposure of credit or debit card information decreased last year compared to 2015. But that's no measure of the actual damage such hacks can cause. In 2014, while the number of such attacks was lower than that in 2015, they exposed card details of more than 64.4 million cards.
The IHG breach is by no means the largest breach, not only in terms of the amount of data stolen but also how much it cost the company. Here’s a look at some of the largest credit card breaches in the U.S.
1. Heartland Payment Systems (HPY): 130 Million Cards
To date, the Heartland Payments Systems hack remains the largest data breach in history when it comes to credit or debit cards. A lone hacker broke into the systems of the payment processing company in 2009 and was later caught and jailed. In 2013, five people, including this hacker, were indicted for attacking a number of retailers, financial institutions and payment processing firms and stealing personal identification and credit/debit card data. The total mentioned in that indictment was 160 million cards. Other companies affected included NASDAQ, 7-Eleven, Carrefour, JC Penney, Hannaford, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. (See Also: Wendy's Credit Card Hack Worse Than It Thought.)
2. TJX Companies (TJX): 94 Million Cards
The company that own retailers like TJMaxx and Marshall's was a target of a cyber-attack in 2006, reported the Associated Press. While data for both Visa (V) and MasterCard (MA) credit cards was stolen, the AP reported that for Visa alone, the fraud related losses could be to the tune of $68 million to $83 million, spread across 13 countries. Consumer Affairs reported that the company ended up paying $41 million to Visa, $24 million to MasterCard and another $9.75 million in consumer protection settlement to 41 states. (See also: Noodles & Company Reveals a Massive Credit Card Hack.)
3. TRW/Sears: 90 Million Cards
Almost thirty-three years ago, the New York Times reported that the password for a leading credit union TRW was stolen from a Sears (SHLD) store on the West Coast. That password unlocked the credit histories and personal information that could subsequently be used to obtain credit card numbers. (See also: Will Vera Bradley's Credit Card Breach Hurt Sales?)
4. The Home Depot (HD): 56 Million Cards
This 2014 attack on the do-it-yourself retailers was perpetrated through a "unique, custom-built malware” according to the Wall Street Journal. Fortune magazine reported that Home Depot ended up paying $25 million to banks, $134.5 million to card companies like Visa and MasterCard and $19.5 million to affected customers.(See also: Credit Card Breach: How To Stay Safe.)
5. Target Corp. (TGT): 40 Million Cards
Customer credit and debit card data was compromised at Target during the 2013 Black Friday weekend, WSJ reported. The breach was not just loss of reputation for the discount retailer but also big financial loss. A 2015 Reuters report says that the company spent $290 million related to the breach and expected insurance to cover close to $90 million out of that amount. The money spent by the company included $10 million settlement with shoppers, $67 million payment to Visa, $20.25 million to banks and credit unions and $19.11 million to MasterCard.