Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?

Chronology of Data Breaches

Custom Sort
Select your desired results. Then click "Go!"

Click or unclick the boxes then select go.


Select features, then click GO.



Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.
Breach Total
930,526,448 RECORDS BREACHED
(Please see explanation about this total.)
from 4,427 DATA BREACHES made public since 2005

Save or Print PDF of Entire Breach List including introduction.Save or Print a PDF of Entire Breach List (including introductory FAQ)

Filter breach list before saving or printing PDF. Conduct a search of the Chronology using its sorting features, and Save or Print a PDF of your search results (Select filters)

If you do not have access to PDF, you can print the Chronology in landscape view.

Date Made Public Name Entity Type
September 2, 2009 Naval Hospital Pensacola
Pensacola, Florida
MED PORT

38,000

Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the disappearance of a laptop computer. The computer's database contains a registry of 38,000 pharmacy service customers' names, Social Security numbers and dates of birth on all patients that used the pharmacy in the last year. It does not contain any personal health information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 38,000

April 29, 2005 Oklahoma State University
Stillwater, Oklahoma
EDU PORT

37,000

A laptop used for student job placement seminars was lost or stolen.  It contained the Social Security numbers of current and former students.

 
Information Source:
Dataloss DB
records from this breach used in our total: 37,000

February 14, 2008 Tenet Healthcare Corporation
Dallas, Texas
MED INSD

37,000

A ex-employee worked at a Frisco, Texas, billing center for less than two years, and is confirmed to have stolen the names, Social Security numbers and other personal information of about 90 patients. The employee also had access to 37,000 other accounts.

 
Information Source:
Dataloss DB
records from this breach used in our total: 37,000

February 13, 2009 University of Alabama
Tuscaloosa, Alabama
EDU HACK

37,000

Seventeen of 400 databases were tapped by hackers. Personal information may have been stolen. One of those computers contained lab results for people tested at the campus medical center. The servers had a database containing 37,000 records of lab data. They contain the names, addresses, birthdates and Social Security numbers of each person who has had lab work, such as a blood or urine test, done on the UA campus since 1994.

 
Information Source:
Dataloss DB
records from this breach used in our total: 37,000

April 12, 2010 Kern County Employee's Retirment Association
Bakersfield, California
GOV INSD

37,000

A former employee was convicted of using the Social Security number of a member to create a false identity. The county employee opened a line of credit and had committed felonies before being hired at KCERA in a position with access to retirees' personal information.

 
Information Source:
Databreaches.net
records from this breach used in our total: 37,000

August 2, 2005 University of Colorado
Denver, Colorado
EDU HACK

36,000

Hackers accessed files containing names, photographs, Social Security numbers, and University meal card information.  Around 7,000 staff members, 29,000 current students, and some former students were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 36,000

July 7, 2006 University of Tennessee
Knoxville, Tennessee
EDU HACK

36,000

(866) 748-1680, http://security.tennessee.edu.  Additional locations: Chattanooga, Martin, Tullahoma and Memphis, TN

Hacker broke into a UT computer containing names, addresses and SSNs of about 36,000 past and current employees. The intruder used the computer from Aug. '05 to May '06 to store and transmit movies.

 
Information Source:
Dataloss DB
records from this breach used in our total: 36,000

October 23, 2008 Medical Mutual of Ohio
Columbus, Ohio
MED PORT

36,000

Eleven computer disks containing personal information on Ohio retirees and employees are missing, disks are most likely somewhere in the postal system. It seems insufficient postage was placed on the envelopes [containing the disks], therefore they are believed that they are likely to still be safe within the postal system.

 
Information Source:
Dataloss DB
records from this breach used in our total: 36,000

February 18, 2009 Rio Grande Food Project
Albuquerque, New Mexico
NGO PORT

36,000

A food pantry is warning its clients that tens of thousands of them are at risk for identity theft after a laptop computer containing their personal information was stolen. The computer contained sensitive personal data including addresses, birth dates and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 36,000

November 16, 2011 Bright Directions College Savings Program, Illinois State Treasurer's Office
Springfield, Illinois
GOV DISC

36,000

A mailing error led to the Social Security numbers of over 36,000 people to be visible from the outside of envelopes mailed in October.  Those who were enrolled in the Illinois Treasurer's Office Bright Directions college savings program were affected.

 
Information Source:
Databreaches.net
records from this breach used in our total: 36,000

December 29, 2012 US Army Fort Monmouth
Oceanport, New Jersey
GOV HACK

36,000

Those with questions may call (443) 861-6571.

Hackers were able to access database information from Command, Control, Communications, Intelligence, Surveillance and Reconnaissance as well as nongovernmental personnel and people who visited Fort Monmouth.  The breach was discovered and addressed on December 6.  names, Social Security numbers, dates of birth, places of birth, home addresses, and salaries were exposed.

 
Information Source:
Media
records from this breach used in our total: 36,000

June 16, 2014 Riverside Community College
Riverside, California
EDU DISC

35,212

Riverside Community College has suffered a data breach affecting 35,212 students. On May 30th, a district employee emailed a file containing information about all students who were enrolled in the spring term to a colleague working at home due to illness, for a research report that was on a deadline. The district employee used a personal email account to send the data because the file was too large for the district's secure email to send. The employee then typed in the incorrect email address.

The information contained in the file included names, addresses, birth dates, Social Security numbers, email addresses, student ID numbers, and telephone numbers.

The district has set up a Call Assistance Center at 1-888-266-9438 for affected students. The center will be open from 6 a.m to 6 p.m Monday through Friday for 90 days.

 
Information Source:
records from this breach used in our total: 35,212

December 12, 2006 University of Texas, Dallas
Dallas, Texas
EDU HACK

35,000

Affected individuals can call (972) 883-4325, http://www.utdallas.edu/datacompromise/form.html

The University discovered that personal information of current and former students, faculty members, and staff may have been exposed by a computer network intrusion -- including names, SSNs, home addresses, phone numbers and e-mail addresses.

UPDATE (12/14/06): The number of people affected was first thought to be 5,000, but was increased to 6,000.

UPDATE (01/19/07): Officials now say 35,000 individuals may have been exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 35,000

February 22, 2007 Speedmark
Woodlands, Texas
BSO STAT

35,000

Thieves stole several computers, one of which contained a database with personally identifying information including names, addresses, e-mail accounts, and Social Security numbers of Speedmark's mystery shopper employees and contractors.

 
Information Source:
Dataloss DB
records from this breach used in our total: 35,000

August 26, 2007 American Ex-Prisoners of War
, Texas
NGO UNKN

35,000

Personal records including addresses and Social Security numbers of more than 35,000 veterans and their families were stolen this month from the offices of a POW support organization in Texas. Digital and paper records included information on the group's entire membership, including addresses, dates of birth, Social Security numbers and VA claims data.

 
Information Source:
Dataloss DB
records from this breach used in our total: 35,000

January 28, 2008 T. Rowe Price Retirement Plan Services, CBIZ Benefits and Insurance Services Inc.
Baltimore, Maryland
BSF STAT

35,000

Names and Social Security numbers of current and former participants in several hundred retirement plans were compromised when several computers were stolen. The machines were taken from the office of CBIZ Benefits and Insurance Services Inc.

 
Information Source:
Dataloss DB
records from this breach used in our total: 35,000

March 5, 2010 Arkansas Army National Guard
Camp Robinson, Arkansas
GOV PORT

35,000

An external hard drive has gone missing. Approximately 35,000 current and former members of the Arkansas Army National Guard are affected by the loss. The drive included names, Social Security numbers and other personal information which potentially places the affected soldiers at risk for identity theft.

UPDATE (5/18/10): The external hard drive containing personal information on over 32,000 current and former Arkansas Guardsmen that was reported missing on February 22 has now been recovered and destroyed. The drive was reported missing by an Arkansas Soldier who used the device as a personal backup of his work related information. This included a copy of the Guard's personnel database which contained personal information on all Soldiers who have served in the Arkansas Army National Guard since 1991.

 
Information Source:
Dataloss DB
records from this breach used in our total: 35,000

October 14, 2010 Accomack County Virginia residents
Accomac, Virginia
GOV PORT

35,000

The theft occurred in Las Vegas, NV and affects residents of Accomack County. Citizens are advised to call one of the three credit bureaus at 888-397-3742, 888-766-0008 or 800-680-7289 for a credit report fraud alert.

A stolen laptop contained the names and Social Security numbers of Accomack County, Virginia residents. Full addresses of some residents were also exposed. The laptop was county property and was stolen from an employee's car during a vacation to Las Vegas. The incident happened on October 7; as of October 14, residents had not been notified.

 
Information Source:
Databreaches.net
records from this breach used in our total: 35,000

May 22, 2014 Lowes Corporation
Mooresville, North Carolina
BSR DISC

35,000

Lowes Corporation had to issue a data breach notice to current and former drivers for the company due to a security breach with one of the third party vendors they use.

Information breached included including names, addresses, birthdays, Social Security numbers, driver's license numbers, and other driving record information with a company called E-DriverFile, an online database provided by SafetyFirst, a driver safety firm headquartered in New Jersey.

The third party vendor unintentionally backed up the data to an unsecure server that was accessible via the Internet. The information may have been exposed from July 2014 through April 2014 before it was discovered.

Lowes is offering their current and former employees one year free of AllClearID. Those affected can call 1-877-322-8228

 
Information Source:
Media
records from this breach used in our total: 35,000

May 19, 2014 Safety First
Parsippany, New Jersey
BSO DISC

35,000

SafetyFirst has come forward to announce a data breach of their E-DriverFile service. The company is connected to the announcement that Lowe's current and former employees were involved in a data loss.

"A new filing with the California Attorney General’s Office obtained today indicates that a server containing a wealth of information about client vehicle operators was unprotected and accessible via the Internet for a period that exceeded six months. SafetyFirst reported that the breach dated back to September 27, 2013. It was not discovered until April 2, 2014 according to those records".

SafetyFirst unintentionally backed up data to an unsecured computer server that was accessible from the Internet.  The information breached included Social Security numbers, and driver license numbers.

 
Information Source:
Media
records from this breach used in our total: 35,000

June 5, 2006 Kingsbrook Jewish Medical Center
Brooklyn, New York
MED PORT

34,863

A personal computer was stolen from the Hospital's outpatient billing office on December 26, 2005. It is likely that the computer contained spreadsheets with patient names and Social Security numbers embedded in insurance numbers. Those affected were notified May 26, 2006.

 
Information Source:
Dataloss DB
records from this breach used in our total: 34,863

May 25, 2006 VyStar Credit Union
Jacksonville, Florida
BSF HACK

34,400

Hacker gained access to member accounts a and stole personal information including names, addresses, birth dates, mother's maiden names, Social Security numbers and/or email addresses. Less than 10% of VyStar's 344,000 members were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 34,400

September 4, 2007 Pfizer
New York, New York
BSO INSD

34,000

(866) 274-3891

A security breach may have caused employees' names, Social Security numbers, addresses, dates of birth, phone numbers, bank account numbers, credit card information, signatures and other personal information to be publicly exposed. The breach occurred late last year when a Pfizer employee removed copies of confidential information from a Pfizer computer system without the company's knowledge or approval. Pfizer didn't become aware of the breach until July 10.

 
Information Source:
Dataloss DB
records from this breach used in our total: 34,000

December 21, 2006 Goal Financial, LLC
San Diego, California
BSF STAT

34,000

The location listed is the headquarters. It is not clear where the incident took place.

A portion of borrowers' names and Social Security numbers were on four hard drives that were accidentally sold before being wiped clean. Employees transferred more than 7,000 files with consumer information to third parties without authorization, and one employee sold the hard drives to the public surplus. The hard drives were retrieved after the mistake was realized on June 13. Affected individuals were notified in June. The student loan company agreed to settle FTC charges in December. The company violated the FTC's Privacy Rule by failing to take reasonable and appropriate measures to protect personal information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 34,000

July 7, 2011 Morgan Stanley Smith Barney, New York State Department of Taxation and Finance
Albany, New York
BSF PORT

34,000

Two CD-ROMs were lost after being mailed from Morgan Stanley to the New York State Department of Taxation and Finance.  It is not clear if the CDs were never shipped, fell out of the packaging during shipping, or were lost after being received by the New York State Department of Taxation and Finance. The affected Morgan Stanely clients had their names, addresses, account and tax identification numbers, and income earned on Morgan Stanley investments in 2010 exposed.  Some clients also had their Social Security numbers exposed.  

 
Information Source:
Databreaches.net
records from this breach used in our total: 34,000

August 22, 2005 U.S. Air Force
Washington, District Of Columbia
GOV HACK

33,300

A hacker used a legitimate user ID and password to access career information, birth dates, and Social Security numbers.  Those affected were notified several months after the breach was discovered.

 
Information Source:
Dataloss DB
records from this breach used in our total: 33,300

August 22, 2014 Cedars-Sinai Medical Center, Los Angeles
Los Angeles, California
MED PORT

33,136

Cedars-Sinai Medical Center in Los Angeles California has reported a data breach of at least 500 patients at the facility when an employees laptop computer was stolen from their home during a burglary in June 2014. The laptop was password protected.

The records on the laptop included specific patient data such as lab testing, treatment and diagnosis, Social Security numbers and other personal information.

More Information: http://www.latimes.com/business/la-fi-cedars-breach-20140823-story.html

UPDATE (10/3/2014): The data breach that occurred when an employee laptop was stolen, contained many more files than what was originally reported by the hospital. When the breach was made public, Cedars-Sinai hospital reported that 500 patient files were on the stolen laptop. After an investigation, the laptop actually contaned personal information on  33,136 patients.

More Information: http://www.latimes.com/business/la-fi-cedars-data-breach-20141002-story....

 
Information Source:
Media
records from this breach used in our total: 33,136

July 30, 2005 San Diego County Employees Retirement Association
San Diego, California
GOV HACK

33,000

Two computers that contained personal information for current and retired San Diego County employees were hacked.  The information included names, addresses, Social Security numbers, and dates of birth.  The San Diego Retirement Association mailed warnings to members.

 
Information Source:
Dataloss DB
records from this breach used in our total: 33,000

August 7, 2007 Merrill Lynch
Hopewell, New Jersey
BSF UNKN

33,000

A computer device apparently was stolen containing sensitive personal information, including Social Security numbers, about some 33,000 employees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 33,000

August 5, 2008 The Clear Program Fast-pass Registered Travel program for airline passengers, operated by Verified Identity Pass for the U.S. Transportation Security Admin.
New York, New York
BSO PORT

33,000

A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach for the Clear Program. The laptop was stolen at San Francisco International Airport. The stolen information included names, addresses, dates of birth, and driver's license numbers or passport numbers.

 
Information Source:
Media
records from this breach used in our total: 33,000

October 15, 2009 Halifax Health
Daytona Beach, Florida
MED PORT

33,000

A laptop computer from a Halifax Health employee's vehicle in Orange County was stolen -- which might have contained password protected patient information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 33,000

July 30, 2010 FIrst Advantage Tax Consulting Services (TCS)
Indianapolis, Indiana
BSF PORT

32,842

A laptop that contained personal information was lost or stolen during an airport layover.  The Social Security numbers of people who were employed by companies that used TCS for tax help were on the laptop. The laptop did have a password and after it was lost its access to TCS's network was blocked.

 
Information Source:
Databreaches.net
records from this breach used in our total: 32,842

January 10, 2005 George Mason University
Fairfax, Virginia
EDU HACK

32,000

Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the University's main ID server.

 
Information Source:
Dataloss DB
records from this breach used in our total: 32,000

April 12, 2006 Ross-Simons
Providence, Rhode Island
BSR HACK

32,000

A security breach exposed account and personal information of those who applied for Ross-Simons' private label credit card. Information exposed includes private label credit card numbers and other personal information of applicants.

 
Information Source:
Dataloss DB
records from this breach used in our total: 32,000

August 8, 2013 M2ComSys, Cogent Healthcare, Inc.
Brentwood, Tennessee
MED DISC

32,000

Cogent Healthcare offices across the country, Cogent Medical Care, Endion Medical Healthcare (Endion SeniorCare), Parkview Community Hospital Medical Center, Inpatient Specialists of Southwest Florida, and Comprehensive Hospital Physicians of Florida were affected.

M2ComSys (M2), a medical transcription company, stored physicians' notes for Cogent Healthcare.   It was discovered that the online system that stored the notes could be accessed.  Patient care notes with names, physician names, dates of birth, diagnosis descriptions. summary of treatment, medical history, medical record numbers, and other medical information were exposed.  The notes could have been accessed on May 5, 2013 and improper access to the site ended on June 24, 2013.  M2 no longer provides services for Cogent Healthcare.

UPDATE (9/17/2013): At least 32,000 patients were affected across all medical centers.  

 
Information Source:
California Attorney General
records from this breach used in our total: 32,000

October 13, 2011 The Social Security Administration
Washington, District Of Columbia
GOV DISC

31,931

It appears that the Social Security Administration accidentally releases the names, Social Security numbers, and birth dates of thousands of living U.S. citizens each year in a database called the "Death Master File".  Social Security officials revealed that the number of U.S. citizens mistakenly listed each year is about 14,000, while 90 million are accurately reported.  A Scripps Howard News Service review of three recent copies revealed 31,931 living U.S. citizens who'd had their Social Security numbers released to U.S. business groups.

 
Information Source:
Databreaches.net
records from this breach used in our total: 31,931

February 8, 2007 District Council 37 Health and Security Plan of New York City
New York, New York
GOV PORT

31,500

A CD containing prescription drug data was discovered missing from the organization's files.  People who had their prescription drugs filled through DC 37's prescription drug benefits plan may have had their names and Social Security numbers exposed.  Prescription information from between February 13 and February 22 of 2006 (the previous year) was also exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 31,500

May 13, 2011 Anthem Blue Cross
Westlake Village, California
BSF DISC

31,125

Letters soliciting dental and vision coverage were mailed to current Anthem customers.  A priority code composed of the customer's Social Security number and two extra digits was printed on the outside of each envelope.  One customer noticed the error and contacted the media.  Anthem admits that an error occurred, but did not reveal the cause. Anthem is working to prevent this type of breach from happening again and was in the process of notifying customers of the error as of May 12. 

UPDATE (10/01/2012): Anthem experienced the marketing mailer error on April 27, 2011.  The State of California settled with Anthem in September of 2012. Anthem agreed to pay $150,000 and to make significant improvements to its data security procedures to prevent future errors of a similar type..

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 31,125

July 31, 2005 California State Polytechnic University (Cal PolyPomona)
Pomona, California
EDU HACK

31,077

Hackers gained access to two computers containing names, Social Security numbers and transfer records.  Applicants, current students, current and former faculty, and staff were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 31,077

March 23, 2007 Group Health Cooperative Health Care System
Seattle, Washington
MED PORT

31,000

http://www.ghc.org/news/news.jhtml?reposid=/common/news/news/20070323-missing_laptops.html

Two laptops containing names, addresses, Social Security numbers and Group Health ID numbers of local patients and employees have been reported missing.

 
Information Source:
Dataloss DB
records from this breach used in our total: 31,000

September 22, 2009 Sagebrush Medical Plaza/Kern Medical Center
Bakersfield, California
MED PHYS

31,000

Thousands of patients at a Kern County health clinic have been warned their personal information could have been stolen. A break-in happened at the Sagebrush Medical Plaza in July, and Kern Medical Center officials have notified 31,000 patients to take precautions against possible identity theft. One or more unknown individuals broke into a locked storage area that contained confidential patient information. All patient information has now been moved to a location inside the clinic building.

 
Information Source:
Dataloss DB
records from this breach used in our total: 31,000

March 4, 2011 University of South Carolina
Sumter, South Carolina
EDU HACK

31,000

A computer security problem may have exposed the information of faculty, staff, retirees and students on eight University system campuses. Social Security numbers and other private information could end up on the internet.

 
Information Source:
Databreaches.net
records from this breach used in our total: 31,000

May 18, 2005 University of Iowa
Iowa City, Iowa
EDU HACK

30,000

A computer containing credit card numbers and campus ID numbers for University Book Store customers was breached by a hacker.

 
Information Source:
Dataloss DB
records from this breach used in our total: 30,000

June 16, 2006 Union Pacific
Omaha, Nebraska
BSO PORT

30,000

On April 29th, an employee's laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 30,000

January 13, 2007 North Carolina Department of Revenue
Raleigh, North Carolina
GOV PORT

30,000 taxpayers

A laptop computer containing taxpayer data was stolen from the car of a NC Dept. of Revenue employee in mid-December. The files included names, SSNs or federal employer ID numbers , and tax debt owed to the state.

 
Information Source:
Dataloss DB
records from this breach used in our total: 30,000

August 15, 2007 Sky Lakes Medical Center, Verus Inc.
Klamath Falls, Oregon
MED DISC

30,000

The company that maintained the hospital's online bill payment system, transferred patient information from one server to another to perform maintenance but didn't take security measures, leaving information such as names, addresses and Social Security numbers exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 30,000

February 12, 2008 Long Island University
Brookville, New York
EDU PHYS

30,000

Students tax forms mailed to them last week in were in defective mailers. The mailers containing each student's annual 1098-T Tuition Statement were supposed to have adhesive on all four sides. But one side of each envelope was missing adhesive. The statement contains the student's name, address and Social Security number.

 
Information Source:
Dataloss DB
records from this breach used in our total: 30,000

March 20, 2008 Pennsylvania Department of State
Harrisburg, Pennsylvania
GOV DISC

30,000

The state was forced to pull the plug on a voter registration Web site after it was found to be exposing sensitive data about voters. Because of a Web programming error, the Web site was allowing anyone on the Internet to view data such as the voter's name, date of birth, driver's license number, and political party affiliation. On some forms, the last four digits of Social Security numbers could also be seen.

 
Information Source:
Media
records from this breach used in our total: 30,000

July 16, 2009 Moores Cancer Center
San Diego, California
MED HACK

30,000

A hacker breached the Center's computers and gained access to patients' personal information.  A letter was sent to 30,000 patients informing them that their personal information may have been in the compromised databases.  Types of information in breach included names, dates of birth, medical record number, diagnosis and treatment dates and some Social Security numbers.  The majority of patients' information did not include Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 30,000

December 23, 2009 Penn State University
University Park, Pennsylvania
EDU HACK

30,000

The University sent out letters notifying those potentially affected by malware infections, which are believed responsible for breaches. The areas and extent of the records involved in the malicious software attack included Eberly College of Science, 7,758 records; the College of Health and Human Development, 6,827 records; and one of Penn State's campuses outside of University Park, approximately 15,000 records.

 
Information Source:
Dataloss DB
records from this breach used in our total: 30,000

Breach Total
930,526,448 RECORDS BREACHED
(Please see explanation about this total.)
from 4,427 DATA BREACHES made public since 2005
Showing 401-450 of 4427 results


X

Sign In!

Loading