The biggest data breaches of 2025

2026-02-27

By Charmaine Tan


Last year, there were 425.7 million breaches globally in email accounts alone, reported SurfShark; meanwhile, each data breach carries a hefty price tag of around USD$4.44 million on average globally. 

Listed below is a spotlight on the 5 most significant data breaches of last year, in order of the number of individuals affected. 

1. The largest data leak of 2025

The biggest breach last year - and history’s largest credential leak - exposed 16 billion login records from a host of large companies, including Apple, Facebook, Google and Telegram. 

The leaked datasets, which surfaced in June 2025 and were discovered by the Cybernews team, included session tokens as well as username and password combinations for various online services. “Infostealer” malware was found to have siphoned the sensitive data from infected devices.

As a result, many organisations have urged the public to take steps to minimise the damage. For example, Forbes proposed ditching passwords for passkeys, while Proven Data suggested multi-factor authentication (MFA) or professional password managers for more secure browsing.

2. The Chinese Surveillance Network Breach

Also in June, China faced its largest single-source leak of Chinese personal data, comprising over 4 billion records related to Chinese citizens, translating to nearly 3 exposed data sets per citizen.

Beyond login records, the disclosed data also included WeChat IDs, bank details, Alipay data, home addresses, and behavioural profiles, stated CSO.

The information cache was found in an unsecured 631-gigabyte, publicly accessible dataset on the internet in May 2025. However, because no data controllers could be identified, victims have little recourse. Nonetheless, they are still encouraged to update passwords regularly or run malware scans to ensure they have not been compromised.

3. Change Healthcare’s 192.7M breach

One of the largest breaches, which began in 2024 with a fallout that extended into 2025, was the Change Healthcare ransomware attack. The attack on the company, a subsidiary of the UnitedHealth Group (UHG), compromised the data of over 190 million individuals - marking one of the largest health data breaches in US history, said Reuters.

Attackers used compromised credentials to gain remote access to a Change Healthcare Citrix portal that lacked multi-factor authentication, prompting a ransom of US$22 million.

The cyberattack exposed protected health information and personal information, including social security numbers.

Investigations highlighted several critical failures, including unpatched legacy systems and an ineffective incident response, among other factors, according to Cybersecurity Dive. UHG rolled out mandatory MFA across all external-facing systems and built a new, cloud-based infrastructure from scratch to improve its servers. 

4. SoundCloud’s 29.8M Data Compromise

In December last year, the online audio-streaming platform and social networking site SoundCloud exposed the email addresses, usernames, and geographic locations of 20% of its user base - nearly 30 million user accounts.

Although no passwords were leaked, the stolen data allows attackers to engage in convincing phishing scams targeting creators and users.  

SoundCloud took action quickly - the company shut down the access point immediately after detecting unauthorised activity, prioritising security even at the expense of blocking its innocent users. Subsequently, they chose to engage external cybersecurity experts to investigate the breach and increase their data protection.  

5. French Interior Ministry Data Breach

In December 2025, a significant data breach hit the French Interior Ministry, specifically targeting internal email systems at Place Beauvau. A 22-year-old suspect was arrested for allegedly using stolen credentials to access dozens of confidential files. Police databases such as the judicial records system, which holds 17 million records on various crime victims and perpetrators, were at risk, Le Monde revealed.

Dubbed “one of Europe’s most shocking cyber breaches”, the incident reportedly saw hackers steal numerous confidential files - all due to a simple lack of digital hygiene, stated Debug Lies.

While public-facing services remained unaffected, the breach compromised internal communications involving law enforcement and national security. Exposed data potentially includes sensitive records from criminal databases and "wanted persons" files. In response, French authorities implemented forced password resets and enhanced multi-factor authentication. Investigations are ongoing to determine if any data was leaked or sold on the dark web, highlighting the vulnerability of high-level government infrastructure.

Singapore’s largest cases 

Closer to home, Singapore experienced a number of breaches as well, with nearly 42 million breached accounts reported in the last year, SurfShark uncovered. According to a report by SecurityScorecard in July 2025, all of Singapore’s top 100 publicly listed companies had a third-party cyber breach within the year.

Most notably, Marina Bay Sands (MBS) faced the largest data breach in October 2025, when over 660,000 members’ data was leaked, reported CNA. Names, emails and phone numbers were among the particulars found for sale on the dark web after MBS did not properly secure its data or set up secondary checks during a software migration in late 2023, and the company was slapped with a SGD$315,000 fine.

In July last year, major automotive distributor Cycle & Carriage also fell victim to a data breach, which affected almost 150,000 customers, according to The Straits Times. Names, emails and phone numbers were exposed, and more sensitive data, such as some NRIC numbers, was also disclosed. Hackers had managed to gain unauthorised access to the company’s system, where they downloaded the data. However, the company was praised by companies such as Cyber Cover for its quick response and prompt reporting of the incident to PDPC.

Recent cases involve the following organisational pitfalls, according to PDPC: 

1. Using outdated software 

2. Skipping security updates 

3. Operating without digital safeguards

4. Failure to appoint a data protection officer

As data today is the lifeblood of organisations, the issue is no longer ‘if a data breach occurs’ but rather ‘when a data breach occurs’. With Gen AI in the fray, it is more essential than ever for data professionals to stay abreast of new risks and ensure that data hygiene practices are top-notch. Should a breach occur, it is important to remember that the C.A.R.E model remains relevant:

1. Contain: First, isolate the threat and limit further exposure.

2. Assess: Next, find out the “why” and “how”.

3. Report: Then, alert regulators (PDPC) and affected victims immediately.

4. Evaluate: Lastly, review the vulnerability and implement strengthened security protocols. 



Sources: SurfShark, IBM, Cybernews, Forbes, Proven Data, CSO, Cybernews, Reuters, Cybersecurity Dive, Arizona Department of Insurance & Financial Institutions, Fox News, Cyber Press, Eye World, Le Monde, Medium, Debug Lies News, SurfShark, SecurityScorecard, CNA, The Straits Times, Cyber Insure, Cybercover, PDPC

