Data Breach GDPR Requests

Meta has been involved in multiple major data incidents affecting hundreds of millions of EU residents. Under GDPR, you have the right to find out exactly what data they hold — and to request its deletion.

LinkedIn has suffered multiple large-scale data incidents. The 2021 scraping breach exposed the data of approximately 700 million users — around 92% of LinkedIn's total user base at the time.

Twitter (now X) has experienced multiple data incidents since 2022, exposing private contact details of millions of users. EU residents have full GDPR rights over data held by Twitter International in Dublin.

Uber suffered a major data breach in 2016 that exposed the personal data of 57 million riders and drivers — and then paid hackers to hide it. The cover-up was only revealed in 2017. EU residents can demand to know exactly what Uber still holds.

TikTok has been under sustained regulatory scrutiny across Europe for collecting extensive personal data, processing children's data without consent, and transferring EU user data to servers in China accessible to ByteDance employees.

Marriott International suffered one of the largest ever hotel data breaches — a compromise of the Starwood reservation system that ran undetected from 2014 to 2018 and exposed up to 500 million guest records.

LastPass suffered a serious two-stage breach in 2022: first, attackers stole source code in August; then in December, they accessed customer data including encrypted password vaults. Every LastPass customer's data was potentially exposed.

In 2018, attackers injected malicious JavaScript into the British Airways booking website and app, silently skimming payment card details from customers as they completed purchases. Up to 500,000 customers were affected over roughly two months. The UK ICO fined British Airways £20 million for failing to implement adequate security measures.

Ticketmaster has suffered two major data breaches: a 2018 Magecart attack that exposed financial details of 9.4 million European customers, and a 2024 attack via its Snowflake cloud environment that exposed data on approximately 560 million customers globally. The UK ICO fined Ticketmaster UK £1.25 million over the 2018 breach.

T-Mobile has suffered a series of serious data breaches, most notably in 2021 — when attackers accessed records of over 76 million people, including Social Security numbers and driver's licence data for more than 54 million — and in 2023, when an API vulnerability exposed data on 37 million current customers. EU and UK residents who use T-Mobile services may invoke GDPR rights.

In 2023, 23andMe suffered a credential-stuffing attack that exposed the genetic ancestry and health data of approximately 6.9 million users — including highly sensitive inferred ethnicity and health predisposition information. Genetic data is special category data under Article 9 GDPR, attracting the highest level of legal protection. 23andMe filed for bankruptcy in March 2025, making it urgent to exercise your rights before your data changes hands.

Clearview AI scraped over 10 billion facial photographs from social media platforms, news sites, and other public web sources — without consent — to build a biometric identification database sold to law enforcement and commercial clients. French, Italian, and Greek data protection authorities each fined Clearview AI €20 million. If you have ever posted a photograph of yourself online, your facial biometric data may be in their database.

In May 2020, easyJet disclosed a 'highly sophisticated' cyberattack that exposed the email addresses and travel details of approximately 9 million customers. For 2,208 of those customers, full credit card details — including CVV security codes — were stolen. The attack is believed to have begun in January 2020 but was not disclosed until May. easyJet processes extensive personal data including booking history, passport details for checked-in passengers, and payment records.

In 2017, Equifax — one of the three largest credit reference agencies — suffered one of the most damaging data breaches in history, exposing the financial and personal data of 147.9 million Americans and 15.2 million UK residents. Credit reference agencies hold especially sensitive data because it is used by banks, landlords, and employers to make decisions about you. The UK ICO fined Equifax £500,000 — the maximum fine possible under the pre-GDPR Data Protection Act 1998.

Yahoo suffered two of the largest data breaches in history: a 2014 state-sponsored attack on 500 million accounts, and a 2013 breach that ultimately affected all 3 billion Yahoo accounts — disclosed years after the events. Although both breaches predate GDPR, the Regulation applies to Yahoo's ongoing processing of your data. If you have an old Yahoo, Flickr, or Tumblr account, exercising your right to erasure is particularly worthwhile.