Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Breach Total
(Please see explanation about this total.)
from 4,488 DATA BREACHES made public since 2005


Date Made Public Name Entity Type
January 20, 2009 Heartland Payment Systems
Princeton, New Jersey

Over 130 million,

After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, the company last week found evidence of malicious software that compromised card data that crossed Heartland's network. This incident may be the result of a global cyberfraud operation.

UPDATE (01/26/2009): Heartland Payment Systems has been sued. The lawsuit seeks damages and relief for the inexplicable delay, questionable timing, and inaccuracies concerning the disclosures with regard to the data breach, which is believed to be the largest in U.S. history.

UPDATE (02/12/2009): According to, the number of financial institutions that have come forward to say they have been contacted by their credit card companies Visa and MasterCard in relation to the breach has jumped from fewer than 50 to more than 200.

UPDATE (06/04/2009): While it's hard to get a handle on just how many consumers were affected by the Heartland Payment Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656.

UPDATE (06/16/2009): Heartland lawsuits to be heard in Texas. The Judicial Panel on Multidistrict Litigation in Louisville, KY issued its decision to consolidate the class action suits. The lawsuits will be heard in the Southern District Court of Texas in Houston. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against Princeton, N.J.-based Heartland.

UPDATE (07/06/2009): Heartland Payment Systems successfully completed the first phase of an end-to-end encryption pilot project designed to enhance its security.

UPDATE (08/20/2009): Albert Segvec Gonzalez has been indicted by a federal grand jury in New Jersey - along with two unnamed Russian conspirators - on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.

Total records breached: 100 million transactions per month. It is unclear how many account numbers have been compromised, and how many are represented by multiple transactions. The number of records breached is an estimate, subject to revision.

UPDATE (08/20/2009): According to the court document, hackers stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined.

UPDATE (05/12/2010): The costs to Heartland Payment Systems Inc. from the massive data breach that it disclosed in January 2009 appear to be steadily adding up. Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees. That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland's offer to settle several consumer class action lawsuits against it for four million. So far, Heartland has recovered about $30 million from insurance companies.

UPDATE (06/02/2010): Heartland Payment Systems has made a third settlement deal, this time with MasterCard, related to a massive data breach two years ago at the card payments processor. As part of the deal, Heartland has agreed to pay as much as US$41.1 million to MasterCard issuers that lost money as a result of the data breach. The deal is contingent on financial institutions representing 80 percent of the affected MasterCard accounts accepting the offer by June 25. MasterCard is recommending that issuers accept the offer.

UPDATE (09/01/2010): Heartland Payment Systems has agreed to settle with Discover for five million dollars.  Discover will use the money to cover costs of fraud incidents and reissuing cards.

UPDATE (09/19/2010): Jerome Abaquin Gonzales is expected to surrender to police and serve jail time for participating in a credit card forgery ring which used information from the Heartland breach.  The information came from the 4.2 million Discover credit card customers who used their cards at Hannaford Brothers.

UPDATE (09/22/2010): Thomas Michio Taniguchi was sentenced to prison for his role in the forgery ring in which Jerome Abaquin Gonzales also participated.

UPDATE (12/07/2011): Heartland legal representatives were able to successfully argue that most of the claims against Heartland that were filed by nine banks should be dismissed. All but one claim was dismissed.

UPDATE (02/12/2012): The nine banks may have had their claims against Heartland dismissed because Heartland reported that sharing a contractual relationship with the banks defeats their appeal. However, the credit-card-issuing banks are arguing that a New Jersey economic loss rule only bars claims for foreseeable economic losses when the parties are in a contractual relationship and does not bar their negligence claim against Heartland.

UPDATE (07/25/2013): Five more foreign hackers were charged for their role in stealing information from Heartland Payment Systems, NASDAQ, Dow Jones, JetBlue, and J.C. Penney.

Information Source:
Dataloss DB
records from this breach used in our total: 130,000,000

January 17, 2007 TJ stores (TJX), including TJMaxx, Marshalls, Winners, HomeSense, AJWright, KMaxx, and possibly Bob's Stores in U.S. & Puerto Rico -- Winners and HomeGoods stores in Canada -- and possibly TKMaxx stores in UK and Ireland
Framingham, Massachusetts


U.S.: Call (866) 484-6978, Canada: (866) 903-1408, U.K. & Ireland: 0800 77 90 15,

The TJX Companies Inc. experienced an unauthorized intrusion into its computer systems that process and store customer transactions including credit card, debit card, check, and merchandise return transactions. It discovered the intrusion mid-December 2006. Transaction data from 2003 as well as mid-May through December 2006 may have been accessed. According to its Web site, TJX is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide.

Note on our total: included in this breach are 45,700,000 credit and debit card account numbers; 455,000 merchandise return records containing customer names and driver's license numbers; recovery of about 200,000 stolen credit card account numbers; records then indicated an additional 48 million people have been affected. Totals were estimated at 94 million but now seem to have affected over 100 million accounts.

UPDATE (2/22/2007): TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks its computer system was also hacked in July 2005 and on various subsequent dates that year.

UPDATE (3/21/2007): Information stolen from TJX's systems was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials.

UPDATE (3/29/2007): The company reported in its SEC filing that 45.7 million credit and debit card numbers were hacked, along with 455,000 merchandise return records containing customers' driver's license numbers, Military ID numbers or Social Security numbers.

UPDATE (4/22/2007): Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, the company noted the perpetrators had access to data for 17 months, and apparently began in July 2005.

UPDATE (04/26/2007): Three states' banking associations (MA, CT, and ME) filed a class action lawsuit against TJX to recover the costs of damages totaling tens of millions of dollars incurred for replacing customers' debit and credit cards.

UPDATE (05/04/2007): An article in the WSJ notes that because TJX had an outdated wireless security encryption system, had failed to install firewalls and data encryption on computers using the wireless network, and had not properly installed another layer of security software it had bought, thieves were able to access data streaming between hand-held price-checking devices, cash registers and the store's computers. 21 U.S. and Canadian lawsuits seek damages from the retailer for reissuing compromised cards.

UPDATE (07/10/2007): U.S. Secret Service agents found TJX customers' credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places. Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers.

UPDATE (08/31/2007): The U.S. Secret Service Agency earlier this week said it has arrested and indicted four members of an organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking, and conspiracy.

UPDATE (09/21/2007): A ring leader in the TJX Cos.-linked credit card fraud was sentenced to five years in prison and has been ordered to pay nearly $600,000 in restitution for damages resulting from stolen financial information.

UPDATE (09/25/2007): TJX announced the terms of a settlement for customers affected by the data breach -- with strings attached. Credit monitoring will be offered to about 455,000 of the 46 million affected. TJX will reimburse customers who had to replace driver's licenses as a result of the breach if they submit documentation for the time and money spent on replacing licenses. The company will give a $30 store voucher to those customers who submit documentation about their lost time and money. And TJX will hold a special 3-day sale with a 15% discount sometime in 2008. The settlement still needs to be approved by the court.

UPDATE (10/23/2007): Court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million.

UPDATE (10/23/2007): The total number of records increased from 167 million to 215 million. Recent court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million, up considerably from 45.7 million credit and debit card account numbers initially thought to be compromised. Breach costs have been estimated at $216 million.

UPDATE (11/30/2007): Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc.

UPDATE (12/05/2007): An article estimates TJX expenses at $500 million to $1 billion. In a settlement with VISA USA, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers affected by the breach. At least 19 lawsuits have been filed, and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General.

UPDATE (12/18/2007): TJX has settled the lawsuit for an undisclosed amount. Although both sides said the settlement total would remain confidential, TJX said the costs were covered by a $107 million reserve that it set aside against its second-quarter earnings. TJX also has said that $107 million would cover the costs of another breach agreement: a Nov. 30 deal with Visa Inc. to help pay a maximum $40.9 million to help the network's card-issuing banks recover expenses to replace customers' Visa cards.

UPDATE (2/10/2008): Notices are going out to millions of customers who may have had credit card information compromised in a data breach. The notices contain information about eligibility for compensation such as vouchers and credit monitoring to be provided under a proposed settlement.

UPDATE (4/2/2008): TJX Cos. reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and other institutions to cover fraud losses stemming from a massive data breach disclosed last year. They also struck a similar deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs associated with the breach.

UPDATE (5/14/2008): The TJX Companies, Inc. today announced that it completed its previously announced settlement with MasterCard International Incorporated and its issuers. Financial institutions representing 99.5% of eligible MasterCard accounts worldwide claimed to have been affected by the unauthorized computer intrusion(s) at TJX accepted the alternative recovery offer under TJX's previously announced Settlement Agreement with MasterCard.

UPDATE (8/5/2008): Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft. This is the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. An indictment was returned on Aug. 5, 2008. Conspirators obtained the credit and debit card numbers by wardriving and hacking into the wireless computer networks of major retailers -- including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The indictments are the result of a three-year undercover investigation conducted out of the San Diego Field Office of the U.S. Secret Service.

UPDATE (8/30/2008): TrustCo BankCorp NY sued TJX in August 2008 to recoup costs it incurred from reissuing an estimated 4,000 customer MasterCard debit cards after hackers accessed the TJX computer network. The bank stated its cost for the breach was up to $20 per affected account, explaining that it suffered losses from administrative expenses and lost interest and transaction fees. Later in the month, TJX in turn claimed that Trustco failed to implement policies or procedures that would have enabled the bank to avoid canceling and replacing customer debit cards.

UPDATE (9/22/2008): One of the 11 people arrested last month in connection with the massive data theft at TJX Companies Inc., BJ Wholesale Clubs Inc. and several other retailers pleaded guilty yesterday to four felony counts, including wire and credit card fraud and aggravated identity theft. Many of the Internet attacks that he facilitated were SQL injection attacks, according to court documents. The stolen data was sold to cyber criminals in Eastern Europe and the U.S. or used to make fraudulent credit and debit cards.

UPDATE (6/26/2009): TJX has agreed to pay $9.75 million to 41 states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place at the time of the breach. Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. Further, $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the state Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information.

UPDATE (7/28/2009): Pennsylvania and 40 other states reached a $9.75 million settlement.

UPDATE (9/4/2009): TJX settles for $525K with four banks. As part of the settlement with AmeriFirst Bank, Trustco Bank, HarborOne Credit Union and SELCO Community Credit Union, the Framingham, Mass.-based retailer paid $525,000. The money primarily will be used to cover the banks' expenses in pursuing the legal action.

UPDATE (12/15/2009): A Miami hacker who had already pleaded guilty to computer fraud and identity theft for breaches at retailers T.J. Maxx, OfficeMax, and many other merchants, pleaded guilty on Tuesday to similar charges related to breaches at Heartland Payment Systems, 7-11, Hannaford Brothers supermarkets, and two other companies. Albert Gonzalez, 28, reiterated terms of a plea agreement in U.S. District Court in Boston. A week earlier, co-conspirator Stephen Watt of New York appeared in that same court and was ordered to serve two years in prison and pay $171.5 million in restitution for developing a sniffing program used to grab payment card data in the breach at the TJX companies between 2003 and 2008.

UPDATE (3/17/2010): Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking. Zaman was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts. Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. Zaman is the second conspirator in the TJX case to be charged. Former Morgan Stanley coder, Stephen Watt, was sentenced in December to two years in prison for his role in the TJX case, which involved supplying Gonzalez with a sniffer program used to siphon card data from the TJX network. 

UPDATE (3/29/2010): A 28-year-old college dropout who became the world’s biggest credit card hacker on Thursday was sentenced to 20 years in prison for stealing millions of credit union and bank account records from TJX Cos., BJ’s Wholesale Club, Office Max, Dave & Busters, Barnes & Noble and a string of other companies – even as he was working as a $75,000-a-year undercover informant for the U.S. government in identity theft cases. But that’s not the end of it, as Albert Gonzalez is scheduled to be sentenced again to additional years behind bars for additional data thefts at Heartland Payment Systems, Hannaford Bros. supermarkets and 7-Eleven convenience stores. The theft of credit card data cost financial institutions, insurers and cardholders an estimated $200 million, according to law enforcement. JC Penney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that $17 billion JC Penney chain was one of Gonzalez's victims, even though JC Penney's media representatives were denying it. But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C. and Puerto Rico, had kept their identity secret. No more and that's the way Woodlock wanted it.

UPDATE (4/16/2010): Damon Patrick Toey, the 'trusted subordinate' of TJX hacker Albert Gonzalez, was sentenced in Boston to 5 more years in prison. He also received a $100,000 fine and three years' supervised release, according to the Justice Department.

UPDATE (7/8/2010): TJX has settled another lawsuit.  The Louisiana Municipal Police Employees' Retirement System, a shareholder of TJX stock, settled with TJX for $595,000 in legal fees and enhanced oversight of customer files.

UPDATE (4/8/2011): Albert Gonzalez is appealing his conviction for his role in a large data breach by claiming that his actions were authorized by the Secret Service. The government acknowledged that Gonzalez was a key undercover Secret Service informant at the time of the breaches. In a 25-page petition, Gonzalez faulted one of his attorneys for failing to prepare a "Public Authority" defense, which would have argued that he committed crimes with the approval of government authorities.

Information Source:
Dataloss DB
records from this breach used in our total: 100,000,000

February 5, 2015 Anthem
Indianapolis, Indiana

80 million

Anthem, the second largest health insurance company, operating under Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup and Healthlink, has suffered a massive data breach.

The company announced that they have been the victim of a "very sophisticated external cyber attack" on their system. The information compromised includes names, birthdays, medical IDs, Social Security Numbers, street addresses, e-mail addresses, employment and income information.

Over the next several weeks, those who were affected will be receiving some form of identity theft protection.

For those members with questions regarding the breach, the company has set up a toll-free line at 1-877-263-7995.

More Information: For the statement by Anthem's CEO Joseph R. Swedish and the dedicated website created for customer information, click here.

Additional Information:

UPDATE (2/10/2015): As further investigations are pursued regarding the Anthem breach, research by Brian Krebs and others shows that the hacking began as early as April 2014 and points to a Chinese hacker group known as "Deep Panda".

At the time, Anthem was called Wellpoint, and upon further investigation Krebs "discovered a series of connected domain names that appear to imitate actual Wellpoint sites, including and"

Because these sites were constructed almost 10 months prior, the question has now been raised as to why it took the company such a long time to uncover the hacking.


Information Source:
records from this breach used in our total: 80,000,000

October 2, 2009 U.S. Military Veterans
Washington, District Of Columbia

76 Million

The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled. The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals' Social Security numbers as their service numbers.

Information Source:
Dataloss DB
records from this breach used in our total: 76,000,000

September 2, 2014 The Home Depot
Atlanta, Georgia


The Home Depot appears to be another victim of a data breach of their POS systems, reportedly by the same Russian hacking group that hit Target, Michaels, Neiman Marcus and P.F. Chang's.

Brian Krebs of Krebs on Security reported that a significantly large amount of debit and credit card information went up for sale on the underground cybercrime sites, all leading back to purchases made at Home Depot stores across the US.

Home Depot is currently investigating the potential breach. Updated postings will follow as more information comes in.


UPDATE (9/10/2014): The Home Depot has now confirmed that their credit card processing systems were compromised in 2,200 of its stores across the U.S. and Canada. Currently, no information has been released as to the number of individuals affected. Authorities are predicting this could surpass the 40 million individuals affected by the Target hacking.


UPDATE (9/16/2014): "A group of attorneys general have opened a multistate investigation into the recently confirmed data breach at Home Depot Inc."

Attorneys General in Connecticut, Illinois and California will be leading the investigation to uncover the cause of the data breach and how the retailer has handled the breach with their affected customers.


UPDATE (9/18/2014): The Home Depot has announced the data breach they suffered earlier this month has affected approximately 56 million credit and debit cards. This makes this breach the second largest breach ever, just behind TJX Cos.' breach of 90 million records. They also announced that they see no evidence of any breach of their stores in Mexico or for those who shopped at their online store.


UPDATE (9/26/2014): At least 15 lawsuits have been filed against The Home Depot for the recent data breach that occurred in US and Canadian stores. The lawsuits allege that The Home Depot neglected to secure customers' financial and personal information. Most of the cases were filed by customers; however, two credit unions and one bank have also filed suit.

UPDATE (9/29/2014): The Home Depot has posted a page on their website regarding the recent data breach, for consumers who were affected. This page will advise you on what to do and how to obtain information to take advantage of the free 12 month credit monitoring services. Make sure to scroll down past the photo.

UPDATE (11/14/2014): The Home Depot has now announced that on top of the 56 million customers who had financial information compromised in the breach, the hackers also made off with 53 million email addresses of customers as well.

UPDATE (11/25/2014): The Home Depot is facing 44 civil lawsuits in the U.S. and Canada as a result of the data breach that occurred across the organization's retail stores.

Currently the company "has been working to deploy EuroPay MasterCard Visa (EMV) chip-and-pin security at each of its U.S. and Canadian stores. The breach compromised the financial details of customers who shopped at any of Home Depot's 2,266 stores in the U.S. and Canada".

Information Source:
records from this breach used in our total: 56,000,000

June 16, 2005 CardSystems
Tucson, Arizona


The motion to dismiss by Savvis:

Over 40 million card accounts were exposed to potential fraud due to a security breach that occurred at a third-party processor of payment card transactions. Of the more than 40 million accounts exposed, information on 68,000 Mastercard accounts, 100,000 Visa accounts and 30,000 accounts from other card brands are known to have been exported by the hackers. The data exported included names, card numbers and card security codes.

UPDATE (2/23/2006): CardSystems agreed to settle Federal Trade Commission charges that it failed to take appropriate security measures to protect sensitive personal information. The company must implement a comprehensive security program and obtain audits every 2 years for 20 years.

UPDATE (5/12/2006): CardSystems filed for bankruptcy.

UPDATE (5/28/2009): Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment processor's systems were hacked, compromising up to 40 million credit card accounts. Less than a year later the security breach occurred. Hackers were able to get hold of the data because CardSystems kept unencrypted card information on its servers - in contravention of the regulations for which Savvis certified it.

Information Source:
Dataloss DB
records from this breach used in our total: 40,000,000

December 13, 2013 Target Corp.
Minneapolis, Minnesota

40 million

A notice from Target Corp. can be found here: Target's CEO with a message to consumers

Customers with questions may call Target at 866-852-8680 or visit Target's main website.

Target discovered that hackers may have accessed customer debit and credit card information during the Thanksgiving and Christmas shopping season. Customers who used a payment card at any of Target's stores nationwide between November 27, 2013 and December 15, 2013 may have had their payment card information copied for fraudulent purposes. Credit card companies and banks have been notifying customers of the issue and advising them to watch for suspicious charges. Customer names, credit or debit card numbers, card expiration dates, and card security codes were taken and have appeared on the black market.

UPDATE (12/24/2013): Target now faces at least three class-action lawsuits as a result of the breach. A wave of scam artists are attempting to profit from the breach by posing as Target or bank representatives addressing the breach. People who shopped at Target are being warned not to give their information out over the phone. Target is working with the U.S. Department of Justice and the Secret Service to investigate the breach.

UPDATE (12/27/2013): Target customers are also being warned to be suspicious of emails claiming to be from Target or banks that request personal information. It is estimated that the breach may cost Target up to $3.6 billion. It appears that online customers were not affected.

UPDATE (12/28/2013): Target confirmed that PINs associated with payment cards were also exposed.

UPDATE (1/2/2014): East-West bank has issued a letter to their card holders warning that some of their accounts may have been compromised due to the Target data breach. East-West bank has issued new credit cards to their customers who shopped at any Target stores to reduce any potential unauthorized use of a card. (Source CA Attorney Generals' Office)

UPDATE (1/10/2014): Target Corp. says that up to 70 million people were affected by the data breach, significantly more than was originally suspected. Experts predict the numbers could climb even higher than 70 million once the company completes its investigation.

UPDATE (1/13/2014): Target Corp. has confirmed that malware was found on the Point of Sale devices. The malware has been removed. The number of individuals affected is now said to be 110 million, 70 million more than originally thought.

UPDATE (1/13/2014): Security experts are stating that Target may not be alone in the data breach. Neiman Marcus and at least 3 other unnamed retailers (these retailers are thought to be located in Eastern Europe) may also have been compromised as federal investigators track what they believe to be an international crime ring.

UPDATE (1/14/2014): Companies that help Target process payments could be facing millions of dollars in fines and costs as a result of the data breach.

UPDATE (1/16/2014): The malware that infected the Target POS systems has been found and is known as Trojan.POSRAM, according to a new report by investigators. "The malware is a memory-scraping tool that grabs card data directly from point-of-sale terminals and then stores it on the victim's system for later retrieval". The malware was originally thought to have been developed in Russia, known as BlackPOS. This new version is considered to be highly customized so that current antivirus programs would not have detected it, as reported by investigative agencies.

UPDATE (1/20/2014): "A 17 year-old Russian national from St. Petersburg is thought to be responsible for the malicious programming that allowed for data from Target and Neiman Marcus to be compromised," according to a California based security firm.

UPDATE (1/21/2014): Two Mexican citizens were arrested at the border in South Texas for the purchase of thousands of dollars worth of merchandise with information stolen during the Target security breach, as reported by a South Texas police chief.

A spokesman with the Secret Service announced that the investigation is ongoing into the possibility of a link between the Target breach and the two arrested in Texas.

UPDATE (1/29/2014): The malware used in the Target attack could suggest a poorly secured feature built into a popular IT management software product that was running on the retailer's internal network.

UPDATE (1/29/2014): A Target Corp. investor filed suit in Minnesota federal court Wednesday against the retailer's executives, holding them liable for damage caused by the holiday season data breach that saw hackers steal personal and financial information from tens of millions of customers.

Shareholder Maureen Collier filed the suit with a complaint alleging that Target's board and top executives harmed the company financially by failing to take adequate steps to prevent the cyberattack and then by subsequently providing customers with incomplete and misleading information about the extent of the data theft.

"The suit brings claims of breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control, and seeks monetary damages on behalf of the company from the 14 named officers and directors".

UPDATE (2/5/2014): Hackers who broke into Target's computer network and stole customers' financial and personal data used credentials that allegedly were stolen from a heating and air conditioning subcontractor in Pennsylvania, according to digital security journalist Brian Krebs.

It appears as though the air conditioning company was given access to Target's computer network in order for the vendor to make remote changes to the system to  cut heating and cooling costs. Target has not confirmed the accuracy of this report.

UPDATE (2/6/2014): Target Corporation announced they are fast tracking new credit card security technology in their stores, 6 months earlier than originally planned. Target's CFO announced it is moving up its goal to utilize chip-enabled smart cards, and now plans to have them in stores by early 2015. These cards encrypt point of sale data, rendering the credit card number less useful if stolen. Currently this technology is more prevalent outside of the US, but has resulted in lower card number thefts in other countries, notably Canada and the United Kingdom.

UPDATE (2/15/2014): The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at the HVAC contractor Fazio Mechanical in Sharpsburg, Pennsylvania. According to Krebs on Security, "multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers."

UPDATE (5/5/2014): Target's CEO has resigned in the wake of the data breach over the holiday season. He is claiming the breach was his fault. He is the second major executive to resign. Earlier in the year the company's Chief Technology Officer resigned as well. The CFO of the company will take over as the interim CEO.

UPDATE (8/7/2014): Target has announced that the data breach will cost its shareholders $148 million.

UPDATE (12/9/2014): A Minnesota court ruled that a lawsuit put forth by several banks could proceed, as the court stated that Target failed to adequately defend against the massive data breach they suffered. This is the first time a data breach case of this size has moved forward based on a company's failure to respond to warnings from security software/experts.

Information Source:
records from this breach used in our total: 40,000,000

November 10, 2011 Steam (The Valve Corporation)
Bellevue, Washington

35 million

The November 6 defacement of Steam forums led to an investigation that revealed hackers had accessed a Steam database with sensitive user information. The database contained user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information.  Users were prompted to change their Steam forum passwords and encouraged to change their Steam account passwords.  Anyone using their Steam forum password for other websites should change their password since hackers could have obtained email address and password combinations. Steam is the Valve Corporation's social-distribution network.  People who use the company's online gaming content were affected.

UPDATE (11/16/2012): A judge dismissed a class action lawsuit related to the November 6, 2011 breach.  The plaintiffs of the lawsuit used Steam to purchase and access online gaming content. They alleged present and future harm as a result of the breach.  According to the judge who dismissed the lawsuit, the plaintiffs did not prove that they were harmed by the Steam breach.

Information Source:
records from this breach used in our total: 35,000,000

May 22, 2006 U.S. Department of Veterans Affairs
Washington, District Of Columbia


(800) 827-1000

On May 3, data of all American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. The data did not contain medical or financial information, but may have disability numerical rankings.

UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered.

UPDATE (7/14/06): FBI claims no data had been taken from stolen computer.

UPDATE (8/5/06): Two teens were arrested in the theft of the laptop.

UPDATE (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for patterns of misuse.

UPDATE (11/23/07): A federal judge questioned the Veterans Affairs Department's computer security and ruled Friday that lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. The lawsuits have been filed as potential class-action cases representing every veteran whose data was released.

UPDATE (1/23/09): The Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit.

UPDATE (6/16/09): No less than $75 will be paid for any valid claim, up to a cap of $1,500. If your expenses were higher than that, you might want to opt out of the class-action portion so you can file for your actual damages. In that case, you need to file a letter so it is received by June 29, 2009. You have until Nov. 27, 2009, to mail your claim form to VA Settlement Claims, P.O. Box 6727, Portland, OR 97228-9767. Be sure to keep a copy of the claim form, along with your proof of mailing. To download the claim form and to get more information, go to Read the FAQ and note the particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625.

UPDATE (10/19/12): An investigation into the VA revealed that encryption software has only been installed on 16% of VA computers since the 2006 breach. Six million dollars has been spent on encryption software since the 2006 breach. The investigation began after a 2011 anonymous tip.

Information Source:
Dataloss DB
records from this breach used in our total: 26,500,000

August 2, 2008 Countrywide Financial Corp.
Calabasas, California


The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period through July. The insider was a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division. The alleged data thief was said to have downloaded about 20,000 customer profiles each week and sold files with that many names for $500, according to the affidavit. He typically would e-mail the data in Excel spreadsheets to his buyers, often using computers at Kinko's copying and business center stores. Some, perhaps most, and possibly all the names were being sold to people in the mortgage industry to make new pitches.

UPDATE (1/30/2009): Bank of America will pay Connecticut $350,000 as part of a settlement. The bank will also provide at least $25,000 to reimburse Connecticut residents forced to pay for freezing and unfreezing their credit reports.

UPDATE (4/09/2010): Employees of Countrywide Financial stole and sold "tens of thousands, or millions" of customers' personal financial information, invading their privacy and exposing them to identity theft, according to class action claims in Ventura County Court, CA. Sixteen named plaintiffs sued Countrywide Financial, Countrywide Home Loans, and Bank of America, which bought Countrywide, the poster boy for the subprime mortgage crisis.

UPDATE (5/08/2010): For information about the settlement, visit or call (866) 940-3612.

UPDATE (8/24/2010): Bank of America has settled over 30 lawsuits involving Countrywide Financial customer data theft.  As many as 17 million customers who received a mortgage or used Countrywide to service a mortgage before July 1, 2008 will receive reimbursement and identity theft insurance.  Identity theft claims can be filed after September 6.

UPDATE (9/28/2011): A former employee responsible for the breach was sentenced to eight months in prison and ordered to repay $1.2 million in costs.

UPDATE (7/13/2012): A small group of people objected to a proposed settlement and decided to split from a larger class action lawsuit.  A court dismissed their claim because they could not sufficiently prove an out of pocket loss.

Information Source:
Dataloss DB
records from this breach used in our total: 17,000,000

March 26, 2008 Bank of New York Mellon
Pittsburgh, Pennsylvania

Originally 4.5 million customer records, raised to 12.5 million

(877) 278-3451, (877) 278-346,

The company lost a box of computer data tapes storing personal information including names, Social Security numbers and possibly bank account numbers.

UPDATE (5/07/08): On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on about 4.5 million consumers -- hundreds of thousands of them People's United Bank customers and investors -- and nine other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.

UPDATE (5/31/08): The Hartford Courant reports the following figures regarding the number of Connecticut shareholders affected by the lost computer tape: 403,894 People's United Bank; 33,586 John Hancock Financial; 18,361 Walt Disney Co.; 10,000 the remaining shareholders.

UPDATE (8/30/08): The estimated number of people affected by a data breach at Bank of New York Mellon Corp has been raised from 4.5 million to 12.5 million.

UPDATE (2/19/09): The Bank of New York Mellon will pay Connecticut $150,000 as part of a settlement. The bank will continue to provide those affected by the breach with credit monitoring and fraud alerts for a total of 36 months of protection. It will also reimburse anyone for funds stolen from their accounts as a direct result of the data breach.

Information Source:
records from this breach used in our total: 12,500,000

April 27, 2011 Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE)
New York, New York

101.6 million (12 million unencrypted credit card numbers)

The location listed is the U.S. headquarters of Sony. Additional information reveals that a Sony data center in San Diego was attacked by cyber criminals.

Sony discovered an external intrusion on PSN and its Qriocity music service around April 19. Sony placed an outage to block users from playing online games or accessing services like Netflix and Hulu Plus on Friday April 22. Sony says the outage will continue until the situation is addressed, which will likely be within the next week. Sony believes an unauthorized person has obtained names, addresses, email addresses, dates of birth, PlayStation Network/Qriocity password and login, and handle/PSN online IDs for multiple users. The attacker may have also stolen users' purchase history, billing address, and password security questions. User credit card numbers may have also been obtained. Sony has hired a security firm to investigate the incident and strengthen the network infrastructure by re-building their system to provide greater protection of personal information.

An individual filed a class action lawsuit on behalf of all PSN users following seven days of a Sony PlayStation Network outage. The lawsuit alleges that Sony "failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back on line." It also accused Sony of violating the Payment Card Industry (PCI) security standard, which prohibits companies from storing cardholder data.

UPDATE (5/3/2011): A review of Sony's network breach revealed that it was larger than first thought. Sony turned the SOE system off.  Hackers may have taken personal information from an additional 24,600,000 user accounts in Austria, Germany, the Netherlands and Spain. Names, addresses, genders, email addresses, login name and associated password, phone numbers and birth dates of SOE gaming customers, as well as data from about 12,700 credit card accounts and 10,700 bank accounts from an outdated 2007 database could have been accessed.  The outdated account information that may have been obtained by hackers includes credit card numbers, debit card numbers, expiration dates, bank account numbers, customer names, account names and customer addresses. 

The SOE network hosts games that are played over the Internet on personal computers and is separate from the PlayStation network.  Sony has not clearly indicated if credit card numbers were compromised.  At least one report indicates that the numbers were encrypted.  These breached records will not be added to the total until more is known.

UPDATE (5/6/2011): Sony now indicates that some credit card numbers were compromised.  Twelve million credit card numbers were unencrypted and could easily be read.

UPDATE (5/7/2011): Sony discovered that hackers had placed customer information online. Sony removed the information.  It included customer names and addresses from a 2001 Sony database.

Service restoration for the PlayStation network was indefinitely delayed. Additionally, the CEO issued an apology letter.

UPDATE (5/17/2011): Hackers began changing user passwords by using PSN account emails and dates of birth within two days of the partial restoration of the PlayStation Network.  Sony failed to alter the password reset system to account for hackers having obtained user email addresses and dates of birth.  Users who changed their passwords, but not the email associated with their PlayStation Network accounts, were vulnerable to the hacker exploit. Sony shut down the PlayStation Network again and released a short statement about the incident.

UPDATE (5/23/2011): Sony headquarters expects to spend about $171 million on its personal information theft protection program, welcome back programs, customer support, network security enhancements and legal costs associated with the breach.

UPDATE (6/2/2011): Sony fully restored all Playstation Network services in all areas except Japan.  The Playstation Store and Qriocity divisions are now functioning properly.  

UPDATE (6/4/2011): A concise history of the Sony hacks can be found here.

UPDATE (7/21/2011): Zurich American, one of Sony's insurers, is suing to deny releasing data breach coverage funds to Sony.  Sony expects the breach to lower operating profit by $178 million in the current financial year.  A total of 55 class action complaints have been filed.

UPDATE (10/11/2011): Sony Online Entertainment became aware of a large number of unauthorized sign-in attempts.  The attempts took place between October 7 and 10.  About 93,000 PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment services accounts may have been compromised.  The unauthorized parties appear to have verified valid sign-in IDs and passwords after a number of failed attempts.  Sony temporarily locked those accounts. It is unclear if the email addresses were obtained from a previous breach.

UPDATE (10/19/2012): A federal judge found that Sony users signed a privacy policy informing them that Sony's security was not perfect.  Sony was cleared of negligence, unjust enrichment, bailment, and violations of California consumer protection statutes. The judge ruled that plaintiffs could not claim that Sony violated consumer-protection laws because PSN services were free of cost.  This dismissed much of the lawsuit.

UPDATE (12/16/2013): Sony agreed to drop an insurance claim over litigation related to the 2011 breach.

UPDATE (7/30/2014): "Sony recently offered to settle a class action lawsuit over the 2011 breach of its PlayStation Network. According to the terms of the proposed $15 million settlement, the money will be paid out in the form of games. Class members who didn't take advantage of initial "Welcome Back" package of games and memberships offered in 2011 will receive one of the 14 PlayStation 3 or PlayStation Portable games, as well as three of six PS3 themes or a three-month PlayStation Plus subscription. Qriocity users will get one month of free access."

Information Source:
records from this breach used in our total: 12,000,000

July 3, 2007 Fidelity National Information Services/Certegy Check Services Inc.
Jacksonville, Florida


A worker at one of the company's subsidiaries (Certegy Check Services, Inc.) stole customer records containing credit card, bank account and other personal information.

UPDATE (8/27/07): The company first estimated that about 2.3 million records were affected but quickly boosted that number to 8.5 million in filings with the U.S. Securities and Exchange Commission. A California law firm has filed a class-action suit charging Fidelity National Information Services (FIS) and one of its subsidiaries with negligence in connection with a data breach.

UPDATE (11/23/07): A former database analyst at Certegy Check Services Inc., has agreed to enter a guilty plea to federal fraud and conspiracy charges in connection with the theft of data.

UPDATE (7/7/08): A man has been sentenced to four years and nine months in jail and fined US $3.2 million for his part in the theft of consumer records from Certegy Check Services.

UPDATE (7/7/08): A new settlement provides that all class members whose personal or financial information was stolen can get compensated up to $20,000 if they were not reimbursed for certain identity theft losses caused by the data theft. The losses covered could have occurred from Aug. 24, 1998, to Dec. 31, 2010.

UPDATE (4/26/10): As part of a class action settlement in U.S. District Court in Tampa, consumers were given the opportunity to elect credit monitoring for one year or bank account monitoring for two years and were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. Consumers also were able to request credit monitoring at the company's expense immediately after the thefts were announced. The settlement with the Attorney General's office ensures that Certegy will maintain a comprehensive information-security program. This program will assess internal and external risks to consumers' personal information, implement safeguards to protect that consumer information, and will regularly monitor and test the effectiveness of those safeguards. Certegy and its related entities also agree to adhere to payment card industry data security standards as those standards continue to evolve. As part of the settlement, Certegy is donating $125,000 to the Attorney General's Seniors vs. Crime Program for educational, investigative and crime prevention programs for the benefit of senior citizens and the community and will pay $850,000 for the state's investigative costs and attorney's fees related to the case.

Information Source:
Dataloss DB
records from this breach used in our total: 8,500,000

March 30, 2012 Global Payments Inc.
Atlanta, Georgia


Global Payments discovered a massive breach of their systems in early March 2012.  Global Payments processes credit and debit cards for banks and merchants and a number of credit and debit cards issued to businesses were determined to be compromised.  The breach was discovered when Global Payments' security systems detected unusual activity.

UPDATE (04/02/2012): Global Payments created a breach information website for consumers. Global Payments claimed that only a few of their North American servers were affected by the breach. They also claimed that around 1.5 million users had Track 2 data (card expiration date and credit card number) exposed. Media reports that up to 10 million consumers had their names, addresses, and Social Security numbers exposed were denied by Global Payments. Visa has removed Global Payments from their list of compliant service providers as a result of the breach.

UPDATE (04/05/2012): The breach occurred sometime between January 21 and February 25 of 2012 (REVISED TO JUNE OF 2011).  Fraudulent activity has already been detected on around 800 cards.

UPDATE (05/01/2012): It appears that a hacker or hackers were first able to access Global Payments Inc. in June of 2011.  Global Payments revised their initial estimate and believe that card holders and banks were affected at least as far back as June 2011. This could mean that at least seven million card accounts are vulnerable; though Global Payments still believe that only 1.5 million were affected.

UPDATE (07/26/2012): In addition to being dropped from Visa and Mastercard's lists of compliant companies, Global Payments spent nearly $85 million on security repairs and upgrades.

UPDATE (07/30/2012): Global Payments informed Comerica Bank in June that their ongoing investigation revealed a potential unauthorized access to its servers that contain merchant application data.

UPDATE (01/10/2013): Global Payments has incurred $94 million in fees associated with the breach.  A total of $60 million was paid for professional fees and other costs associated with investigating the breach and remediation for its effects.  The $60 million was also used to cover incentive payments to business partners and the cost of providing credit monitoring and identity protection insurance.  An additional $35.9 million went towards estimated fraud losses, fines, and charges imposed on Global Payments by card networks.  Global Payments received $2 million from insurance recoveries.

Global Payments also reported that it has now paid all fines related to non-compliance and has updated its systems and processes in order to be returned to the payment card network list of PCI-DSS compliant service providers.

UPDATE (04/15/2013): An April 2012 class action lawsuit related to the breach was dismissed on March 6.  Global Payments also confirmed that the expenses associated with the breach totaled $92.7 million.  A total of $20 million in breach losses was recuperated through insurance recoveries.  In April 2013, Global Payments closed its investigation of the breach.

Information Source:
records from this breach used in our total: 7,000,000

April 27, 2012 Office of the Texas Attorney General
Austin, Texas

6.5 million

Lawyers responsible for challenging a voter ID law in Texas requested the Texas voter database for analysis.  The Texas Attorney General's office released encrypted discs with the personal records of 13 million Texas voters, but half still contained Social Security numbers.  A state police officer was dispatched to New York, Washington D.C., and Boston to retrieve the encrypted discs when the opposing lawyers revealed that a mistake had occurred.

Information Source:
records from this breach used in our total: 6,500,000

October 26, 2012 South Carolina Department of Revenue
Columbia, South Carolina

6.4 million 

Citizens concerned about exposure may visit and enter the code SCDOR123 or call 1-866-578-5422.

South Carolina Department of Revenue's website was hacked by a foreign hacker.  The hack most likely began on August 27, was discovered on October 10, and was neutralized on October 20.  Around 3.6 million Social Security numbers and 387,999 credit card and debit card numbers were exposed. A total of 16,000 payment card numbers were not encrypted.

UPDATE (10/31/2012): Tax records dating back to 1998 were exposed.  A lawsuit alleging that South Carolina failed to protect citizens of South Carolina and failed to disclose the breach quickly enough was announced on October 31.

UPDATE (11/05/2012): Trustwave was named as the data security contractor who handled the South Carolina website and added to the group being sued over the breach.  Trustwave is an international company based in Chicago.

UPDATE (11/15/2012): Over 4.5 million consumers and businesses may have had their tax records stolen by hackers. It appears that Trustwave focused on helping the South Carolina Department of Revenue comply with regulations regarding how credit card information is handled. Neither Trustwave nor the South Carolina Department of Revenue detected the breach.

UPDATE (11/29/2012): The total number of people or businesses affected was updated to 6.4 million. Approximately 3.8 million taxpayers and 1.9 million of their dependents had their information exposed. Additionally, 3.3 million taxpayers had bank account information obtained. It is unclear how much overlap there is between the 3.8 million taxpayers and the 3.3 million taxpayers who had bank account information obtained.

UPDATE (01/11/2013): A State IT division director reported that the SCDOR's former chief information officer and current computer security chief were notified on August 13 that 22 computers were infected with malicious code.  The State's division of IT recommended that passwords be reset after the discovery, but they were not reset.

UPDATE (03/01/2013): A lawsuit brought against TrustWave and SCDOR by a former state senator has been dismissed by a judge.  The former senator accused the agencies of conspiring to hide the fact that a massive breach had occurred and failing to adequately protect taxpayers from a potential hack.

UPDATE (04/02/2013): About 1,448,798 people signed up for free individual credit monitoring and 41,446 signed up for free family credit monitoring.

UPDATE (10/25/2013): It is estimated that South Carolina taxpayers will pay at least $8.5 million to pay for one year's worth of free credit monitoring to those affected by the data breach.  Over 650,000 businesses had their tax information exposed.

Information Source:
records from this breach used in our total: 6,400,000

September 14, 2007 TD Ameritrade Holding Corp.
Omaha, Nebraska

6.3 million

FAQ at For links to key legal documents, see

One of TD Ameritrade's databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken. "We were able to conclude that while Social Security numbers are stored in this particular database, your SSN were not retrieved." The company said names, e-mail addresses, phone numbers, and home addresses were taken in the data breach. Company customers received unwanted spam because of this breach.

UPDATE (4/28/09): TD Ameritrade sent a mass email on September 14, 2007 to its customers admitting SSNs had been compromised: "[W]e recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases ... to be retrieved by an external source [and] Social Security Numbers are stored in this particular database."

UPDATE (10/27/09): TD Ameritrade was nearing a settlement in the case of more than six million stolen records when the judge, who previously seemed to agree with the proposal, rejected it today. The federal judge handling the case has decided the proposed settlement provides no discernible benefit to the victims and he rejected the proposed settlement.

UPDATE (11/16/10): Pending approval by a U.S. District Judge, TD Ameritrade will offer between $0 and $2,500 to customers who were affected by the breach.  Customers who received spam, or were victims of criminal identity theft because a criminal who was arrested posed as them, will get $0 unless they were also victims of account-fraud-based identity theft. This settlement will cost between $2,500,000 and $6,500,000. 

UPDATE (10/07/2011): The settlement was approved.  Ameritrade will pay between $2,500,000 and $6,500,000.

Information Source:
Dataloss DB
records from this breach used in our total: 6,300,000

September 30, 2011 TRICARE Management Activity (formerly Civilian Health and Medical Program of the Uniformed Services, CHAMPUS), Science Applications International Corporation (SAIC)


SAIC may be contacted at (855) 366-0140 for domestic calls and (952) 556-8312 for international calls.  SAIC's website is

The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics.  Uniformed Service members, retirees and their families were affected.  Patient data from the military health system that dates from 1992 to September 7, 2011 could have been exposed.  The personally identifiable and protected health information of those who received care in the San Antonio area military treatment facilities and others whose laboratory workups were processed in these facilities was exposed.  It includes Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information.  The information was stolen from the car of an SAIC employee, along with a stereo system and a GPS device on September 13.

UPDATE (10/16/2011): Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data.  The lawsuit would give $1000 to each of the 4.9 million affected individuals.

UPDATE (11/4/2011): SAIC reported that 5,117,799 people were affected by the breach.

UPDATE (01/06/2012): A second class action lawsuit, filed in the Superior Court of California in San Diego, targets SAIC and seeks unspecified monetary damages related to the theft of the computer tapes. The suit was filed in December and seeks certification as a class action for all TRICARE beneficiaries in California whose personal identity and health care information were compromised by the September 2011 theft of the tapes.

UPDATE (03/14/2012): Some of the people affected by the breach have become victims of identity theft.  The class action lawsuit against the Department of Defense and SAIC was amended to reflect the new information about fraudulent charges appearing on credit cards.

UPDATE (04/08/2012): SAIC's insurance will most likely be enough to cover any judgments or settlements that result from the data breach.  SAIC also revealed that the Office for Civil Rights in the Health and Human Services Department opened an investigation into the tape theft on November 17, 2011.

UPDATE (07/10/2012): Eight class action lawsuits have been consolidated into one case alleging that personal information was mishandled.  The case will be handled by the U.S. District Court in Washington, D.C.

UPDATE (5.13.2014): On Friday, "a federal district judge dismissed the majority of a consolidated class-action lawsuit filed against the Department of Defense, its TRICARE health insurance program and a contractor following a 2011 data breach that affected over 4.7 million individuals.

In his ruling, U.S. District Judge James Boasberg wrote that the case raises "thorny standing issues regarding ... when is a consumer actually harmed by a data breach -- the moment data [are] lost or stolen or only after the data [have] been accessed or used by a third party?"

He noted that most courts "have agreed that the mere loss of data -- without evidence that [the information] has been either viewed or misused -- does not constitute an injury sufficient to confer standing," adding, "This court agrees" (Kolbasuk McGee, GovInfoSecurity, 5/13)".

Information Source:
records from this breach used in our total: 5,117,799

January 6, 2009 CheckFree Corp.
Atlanta, Georgia


CheckFree Corp. and some of the banks that use its electronic bill payment service say that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. The company believes that about 160,000 consumers were exposed to the Ukrainian attack site. However, because the company lost control of its Web domains, it doesn't know exactly who was hit. It has warned a much larger number of customers. This breach was reported back on Dec. 3, 2008.

Information Source:
Dataloss DB
records from this breach used in our total: 5,000,000

August 18, 2014 Community Health Systems
Franklin, Tennessee

4.5 million

Community Health Systems out of Franklin, Tennessee has announced a large data breach of their medical system. The breach occurred when hackers infiltrated the server of the health system, compromising Social Security numbers, names and addresses for 4.5 million patients. Authorities believe that the hackers were based out of China and the attacks happened from April 2014 through June 2014.

The company operates 206 hospitals in 29 states and is currently doing further investigations regarding the attack.



UPDATE (8/26/2014): Five Alabama residents have filed a class-action lawsuit against Community Health Systems following last week's announcement of the data breach of 4.5 million patients.


Information Source:
records from this breach used in our total: 4,500,000

March 17, 2008 Hannaford Bros. Supermarket chain
Portland, Maine

4.2 million

 (866) 591-4580

This security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company is currently aware of about 1,800 cases of reported fraud related to the security breach. Credit and debit card numbers were stolen during the card authorization transmission process. It's unclear if personal information was exposed.

UPDATE (4/2/2009): An April 2, 2009, news story indicated that between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. About 1,800 fraudulent charges had been made.

UPDATE (5/14/2009): A federal appeals court has revived a Tampa class-action suit seeking money for Florida shoppers whose credit and debit card numbers were swiped in a data breach that hit 109 Sweetbay Supermarkets. The suit seeks free credit monitoring, credit repair if necessary and undetermined money damages to be split up among victims of the breach, including those unaware they were victims.

UPDATE (5/22/2009): A Maine U.S. District Court dismissed most of a class action lawsuit against Hannaford, finding that there is no way to value the time and effort that consumers spent in correcting fraudulent activity resulting from the breach. The case of one named plaintiff was not dismissed. That plaintiff suffered actual monetary damages for unreimbursed fraudulent charges.

UPDATE (11/2/2011): Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute "Damages" in Hannaford Breach Case (Oct. 24, 2011)

UPDATE (3/29/2013): The United States District Court for the District of Maine has denied a motion that would have allowed a lawsuit to proceed as a class action.  The plaintiffs originally moved to certify the proposed class on September 4, 2012.

Information Source:
Dataloss DB
records from this breach used in our total: 4,200,000

August 28, 2013 Advocate Medical Group, Advocate Health
Park Ridge, Illinois

4 million

The July 15 office theft of four unencrypted desktop computers resulted in the exposure of patient information. Approximately four million patients who were seen by Advocate Medical Group physicians between the early 1990s and July of 2013 were affected.  Names, Social Security numbers, addresses, and dates of birth were exposed.  Diagnoses, medical record numbers, medical service codes, and health insurance information were also exposed in some circumstances.

UPDATE (09/06/2013): A class-action lawsuit on behalf of patients in the Chicago area has been filed.  It claims that Advocate Medical Center should have done more to protect patient information.

Information Source:
records from this breach used in our total: 4,000,000

June 6, 2005 Citigroup, UPS
New York, New York


Customers are being notified that backup tapes containing their account information were lost or stolen while being shipped by UPS.

Information Source:
Dataloss DB
records from this breach used in our total: 3,900,000

April 11, 2011 Texas Comptroller's Office
Austin, Texas

3.5 million

The data came from the Teacher Retirement Center of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas.

Those who have questions about the breach may call 1-855-474-2065.

The information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, data that was not encrypted was transferred from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed.  A spokesperson from the Texas Comptroller's Office claims that the breach occurred because numerous procedures were not followed.  Some employees were fired for their roles in the incident.

UPDATE (4/13/2011): Approximately two million of the 3.5 million possibly affected are unemployed insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed.  The birth dates and driver's license numbers of some of these people were also exposed. The information was accidentally disclosed on a Comptroller's publicly accessible server. TWC provided uninsured claimant records from December 31, 2006 to December 31, 2009 to the Comptroller's office in April of 2010 to assist in identifying individuals who may have unclaimed property.  The information was sent in a protected manner using Secure File Transfer Protocol (SFTP), which encrypts the data during transmission over a state controlled network used by state agencies and universities.

UPDATE (5/6/2011): Two class action lawsuits have been filed on behalf of 3.5 million Texans who had their information exposed by the breach. The second class action lawsuit seeks a $1,000 statutory penalty for each affected individual.

UPDATE (2/13/2012): The cost of the credit monitoring services provided to those affected has passed $600,000. Currently, no taxpayers have linked fraudulent charges to the breach.

Information Source:
records from this breach used in our total: 3,500,000

July 9, 2008 Division of Motor Vehicles Colorado
Colorado

3.4 million

The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers.

Information Source:
records from this breach used in our total: 3,400,000

March 26, 2010 Educational Credit Management Corporation
St. Paul, Minnesota


ECMC, a guarantor of federal student loans, said that a theft has occurred from its headquarters involving portable media with personally identifiable information. The data was in two stolen safes and contained information on approximately 3.3 million individuals and included names, addresses, dates of birth and Social Security numbers. No bank account or other financial account information was included in the data.


UPDATE (4/16/10): The information was recovered shortly after the theft and discovered weeks later in a police evidence room.

Information Source:
Dataloss DB
records from this breach used in our total: 3,300,000

October 21, 2013 Court Ventures
Anaheim, California


Between October 2010 and December 2012, Court Ventures, a public records aggregator, provided access to US Info Search data to a foreign criminal posing as a legitimate private investigator.

Court Ventures had a contract with US Info Search where customers of Court Ventures had access to US Info Search data which included records on more than 200 million Americans, including individuals' Social Security numbers, dates of birth, and other records.

Experian purchased the assets of Court Ventures in March 2012, and the criminal's access to the US Info Search data was shut down in December 2012. Experian has publicly stated that no Experian databases were breached in this situation.

UPDATE (3/10/2014): According to Krebs on Security, in March 2014, Hieu Minh Ngo pled guilty to running an identity theft business called out of his home in Vietnam.  Ngo posed as a private investigator when he contracted with Court Ventures to gain access to consumer records. Ngo was then able to provide access to the US Info Search database to his clients.

Krebs on Security states, "The government alleges that the service's customers used the information for a variety of fraud schemes, including filing fraudulent tax returns on Americans, and opening new lines of credit and racking up huge bills in the names of unsuspecting victims. The transcript shows government investigators found that over an 18-month period ending Feb. 2013, Ngo's customers made approximately 3.1 million queries on Americans."

Krebs adds, "That means that if Ngo's clients conducted 3.1 million individual queries, the sheer number of records exposed by Ngo's service is likely to have been many times that number - potentially as many as 30 million records."

UPDATE (2/23/2015): The total number of records indicated here has been changed to 3.1 million by PRC to reflect the approximate number of records queried by Ngo's customers according to the court transcript. [This 3/10/14 UPDATE was amended on 2/23/15 to include additional content from the Krebs on Security blog post of March 10, 2014, related to the Court Ventures breach.]

Information Source:
records from this breach used in our total: 3,100,000

April 10, 2007 Georgia Department of Community Health, Affiliated Computer Services (ACS)
Atlanta, Georgia

2,900,000, (866) 213-3969

A computer disk containing personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers went missing from a private vendor, Affiliated Computer Services (ACS), contracted to handle health care claims for the state.

Information Source:
Dataloss DB
records from this breach used in our total: 2,900,000

October 4, 2013 Adobe, PR Newswire, National White Collar Crime Center
San Jose, California

2.9 million (38 million user emails and passwords exposed)

Hackers obtained the customer information of nearly 3 million Adobe customers who used Photoshop, InDesign, Premiere, and other Adobe software products.  Customer IDs, encrypted passwords, names, encrypted credit or debit card numbers, expiration dates, and other information related to customer orders were exposed.  Anyone who bought software directly from Adobe's website is advised to change their Adobe account passwords.

UPDATE (10/11/2013): Hackers kept the source code on a hidden, but unencrypted server.

UPDATE (10/21/2013): A second breach related to the initial one in early October caused Adobe to reset client passwords.

UPDATE (10/29/2013): An investigation revealed that the encrypted passwords of approximately 38 million active users were also exposed.  Adobe IDs were also compromised and were reset by Adobe after the breach.

UPDATE (11/20/2013): Around 42 million passwords for the Australian-based online dating service Cupid Media were also found on the same server that contained stolen Adobe, PR Newswire, and National White Collar Crime Center information.

UPDATE (11/25/2013): Some estimate that 152 million Adobe ID accounts were in a file that began circulating on the internet in late October.  Adobe Systems Inc. has encountered delays in trying to notify all customers of the issue since it was discovered 10 weeks ago.


Information Source:
records from this breach used in our total: 2,900,000

September 7, 2006 Circuit City and Chase Card Services, a division of JP Morgan Chase & Co.
Wilmington, Delaware

2.6 million past and current Circuit City credit cardholders

Chase Card Services mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders' personal information.

Information Source:
Security Breach Letter
records from this breach used in our total: 2,600,000

January 25, 2014 Michaels Stores Inc.
Irving, Texas

2.6 million cards

On January 25, 2014, Michaels Stores Inc. notified customers of a possible security breach involving customers' payment cards. The company has not yet confirmed that a breach occurred; however, based on a preliminary investigation and in light of the recent Target and Neiman Marcus breaches, it felt it was important to warn customers of the possibility of a breach.

Michaels is currently working with investigators on the potential breach. No additional detailed information has been supplied by the company.

UPDATE (2/11/2014): A class action lawsuit has been filed against Michaels by an individual. The suit claims that "the arts and crafts supplier failed to secure and safeguard customers’ private financial information".  The suit also alleges that "Michaels failed to adequately monitor its payment systems in such a manner that would enable the retailer to detect fraud or other signs of tampering so that the breach of security and diversion of customer information was able to continue unnoticed for a period of time".

It has also been reported that Michaels failed to disclose a data breach that occurred in May of 2011. A lawsuit was filed for the 2011 breach, but was settled. 

The company has not yet released the total number of individuals affected by the breach or when the breach might have taken place.

UPDATE (7/22/2014): "A federal court in Illinois held July 14 that an elevated risk of identity theft from a Michaels Stores Inc. breach provides standing, but without evidence of specific monetary damages that risk is insufficient to support statutory or common law claims (Moyer v. Michaels Stores, Inc., N.D. Ill., No. 1:14-cv-00561, dismissed 7/14/14).

Judge Elaine E. Bucklo of the U.S. District Court for the Northern District of Illinois dismissed the case against the arts and crafts retailer, finding that the plaintiffs failed to plead monetary damages".


Information Source:
records from this breach used in our total: 2,600,000

November 27, 2013 Maricopa County Community College District
Phoenix, Arizona

2.49 million

An unspecified data breach may have exposed the information of current and former students, employees, and vendors.  Names, Social Security numbers, bank account information, and dates of birth may have been viewed by unauthorized parties.

UPDATE (12/02/2013): Student academic information may have also been exposed.  The Maricopa County Community College District's governing board will spend as much as $7 million to notify and offer credit monitoring to those who may have been affected.

UPDATE (12/07/2013): Estimations for the cost of the breach are as high as $14 million.

UPDATE (4/22/2014): Maricopa County Community College District waited seven months to inform 2.5 million individuals (students, staff, graduates) of the security breach. The District is now in a class action lawsuit. The lawsuit claims that the "FBI warned the Maricopa County Community College District in January of 2011 that a number of its databases had been breached and made available for sale on the Internet". It was also reported that "the district's Information Technology Services employee also became aware of the security breach in January 2011, and repeatedly reported their findings to Vice Chancellor George Kahkedjian".

Information Source:
records from this breach used in our total: 2,490,000

April 17, 2008 University of Miami
Miami, Florida


  (866) 628-4492

Computer tapes containing confidential information of Miami patients were stolen last month when thieves took a case out of a van used by a private off-site storage company. The data included names, addresses, Social Security numbers or health information.

Information Source:
Dataloss DB
records from this breach used in our total: 2,100,000

March 2, 2006 Los Angeles County Department of Social Services
Los Angeles, California

Potentially 2,000,000

It is unclear if this is the same incident that involved the information of 94,000 people being left next to a recycling bin outside of the Department of Public Social Services in January of 2006.

File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended for at least one month.  This affects employees and clients.

Information Source:
Dataloss DB
records from this breach used in our total: 2,000,000

March 15, 2011 Health Net Inc., International Business Machines (IBM)
Rancho Cordova, California

1.9 million

Customers with questions may call (855) 434-8081.

Health Net's statement about the breach can be read here.

Nine disc drives that contained sensitive health information went missing from Health Net's data center in Rancho Cordova, California.  The drives contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. The 1.9 million victims include 622,000 California residents enrolled in Health Net HMOs, 223,000 Californians enrolled in Health Net PPOs and people enrolled in Medicare and other plans. The drives were discovered missing on January 21, but affected individuals were not notified until March 14.

UPDATE (06/07/2011): A class-action lawsuit seeks $5 million from Health Net Inc. and its vendor IBM.  The complaint alleges that Health Net and IBM breached their duty of confidentiality and negligently allowed the release of highly personal and confidential information. The complaint alleges violation of California's Confidentiality of Medical Information Act, Cal. Civ. Code § 56; Cal. Civ. Code § 1798.2, which concerns the unauthorized disclosure of customer records; Cal. Bus. & Prof. Code § 17200, California's unfair-competition law; and public disclosure of private facts.  The lawsuit is seeking injunctive relief, compensatory damages, declaratory relief, and attorney fees and costs.  The citation is Bournas v. Health Net Inc., No.2_11-CV-01262, complaint filed (E.D. Cal. May 11, 2011).

UPDATE (08/09/2011): Health Net's chief operating officer apologized to customers after it was discovered that the original analysis of the breach was flawed.  Around 124,000 Oregon residents who were current members, former members, or employees were believed to have been affected.  Health Net discovered that an additional 6,300 Oregonians had their personal information on the stolen computer drives.  

Information Source:
records from this breach used in our total: 1,900,000

May 31, 2006 Texas Guaranteed Student Loan Corp. via subcontractor Hummingbird
Round Rock, Texas

1,300,000 plus 400,000 for total of 1,700,000

Additional location: Toronto, Canada

Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.

UPDATE (6/16/06): TG now says a total of 1.7 million people's information was compromised, 400,000 more than the original estimate of 1.3 million.

Information Source:
Dataloss DB
records from this breach used in our total: 1,700,000

February 12, 2011 Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center, and Gunhill Health Center
New York, New York

1.7 million

Health and Hospital Corporation is the group that runs the affected hospitals and clinics.  

The New York City Health & Hospitals Corporation's North Bronx Healthcare Network experienced a breach.  Backup tapes were stolen from an unsecured and unlocked van during transport by GRM Information Management Services.  The theft occurred during December of 2010.  The information on the tapes was from patients, staff members and associated employees and dated back to 1991.  Names, Social Security numbers, addresses, patient health information and other patient and employee information may have been exposed.

Information Source:
records from this breach used in our total: 1,700,000

October 7, 2011 The Nemours Foundation
Wilmington, Delaware

1.6 million

Three unencrypted computer backup tapes were reported missing on September 8.  The tapes were stored in a locked cabinet, which had been temporarily relocated on or around August 10 for a facility remodeling project.  The cabinet was not found.  The tapes had been stored in the cabinet since 2004 and contained patient information stored between 1994 and 2004.  Names, Social Security numbers, addresses, dates of birth, insurance information, medical treatment information, and direct deposit bank account information were exposed.

UPDATE (10/12/2011): Patients and their guarantors, vendors, and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey, and Florida were affected.  In addition to medical treatment information, the payroll information of current and former employees was exposed.  Nemours took steps to encrypt all computer backup tapes and move non-essential computer backup tapes to a secure, off-site storage facility after the breach.

Information Source:
records from this breach used in our total: 1,600,000

November 18, 2009 Health Net
Shelton, Connecticut


The personal information for almost half a million Connecticut residents could be at risk after a portable disk drive disappeared from Health Net in May of 2009. Health Net is a regional health plan and the drive included health information, Social Security numbers and bank account numbers for all 446,000 Connecticut patients, 1.5 million nationally. The information had been compressed, but not encrypted, although a specialized computer program is required to read it. Patients in Arizona, New Jersey and New York were also affected.

UPDATE (1/22/2010): Connecticut Attorney General (AG) Richard Blumenthal is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers exposed by the security breach. The AG is seeking a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted. This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA.

UPDATE (7/7/2010): Health Net and the Connecticut AG reached a $250,000 settlement in connection with this incident.

UPDATE (10/8/2010): Health Net faces an additional $375,000 fine for failing to safeguard the personal information of its members from misuse by third parties.

UPDATE (1/20/2011): The Vermont Attorney General filed a complaint and proposed settlement with Health Net, Inc. and Health Net of the Northeast, Inc. It would require Health Net to pay $55,000 in state fees, submit to a data-security audit and submit reports about the company's information security programs throughout the next two years.

Information Source:
Dataloss DB
records from this breach used in our total: 1,500,000

March 8, 2005 DSW Shoe Warehouse, Retail Ventures
Columbus, Ohio


Credit card information from customers in 25 states was compromised.

UPDATE (04/19/2005): An additional 1,300,000 customers were added to the initial estimate of 100,000.

UPDATE (08/23/2012): DSW was locked in a dispute with National Union over insurance coverage.  A federal appellate court ruled that DSW was entitled to insurance coverage of more than $6.8 million in stipulated losses and prejudgment interest.

Information Source:
Dataloss DB
records from this breach used in our total: 1,400,000

November 2, 2006 Colorado Department of Human Services via Affiliated Computer Services (ACS)
Dallas, Texas

Up to 1.4 million

For questions, call ACS at (800) 350-0399

On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. The computer also contained the state's Directory of New Hires.

UPDATE (12/07/2006): When initially posted to this list, the number 1.4 million was not added to the total because we could not confirm if SSNs were exposed. The PRC was contacted by an affected individual today who confirmed that names, addresses, SSNs and dates of birth were exposed.

Information Source:
Dataloss DB
records from this breach used in our total: 1,400,000

October 23, 2006 Chicago Voter Database
Chicago, Illinois

1.35 million Chicago residents

An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database, compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion.

Information Source:
Dataloss DB
records from this breach used in our total: 1,350,000

January 22, 2007 Chicago Board of Election
Chicago, Illinois

1.3 million

About 100 computer discs (CDs) with 1.3 million Chicago voters' SSNs were mistakenly distributed to aldermen and ward committeemen. The CDs also contain birth dates and addresses.

Information Source:
Dataloss DB
records from this breach used in our total: 1,300,000

June 10, 2008 University of Utah Hospitals and Clinics
Salt Lake City, Utah

2.2 million

Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take the eight data tapes to a storage center. The records contained Social Security numbers of 1.3 million people treated at the university over the last 16 years.

UPDATE (2/5/09): The data tapes were found within a month after being stolen.

UPDATE (6/9/10): An Englewood, Colo., insurance company has filed a federal lawsuit contending that it isn't responsible for reimbursing the University of Utah for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider.

The lawsuit filed in a Utah federal court by Colorado Casualty Insurance Co. contends that the insurer is not obligated to cover the costs sought by the University. Colorado Casualty was providing breach insurance to the University at the time of the breach.

The nine-page complaint, which seeks a declaratory judgment from the court, offers little explanation as to why exactly the insurer believes it is not obligated to pay the breach-related costs sought by the University.

Information Source:
Dataloss DB
records from this breach used in our total: 1,300,000

January 24, 2012 New York State Electric & Gas (NYSEG), Rochester Gas and Electric (RG&E), Iberdrola USA
Rochester, New York

878,000 NYSEG customers and 367,000 RG&E customers

Affected customers may call 1-877-736-4495. More information can be found on the websites of the companies and

An employee at a software development consulting firm that was contracted by Iberdrola USA, the parent company of both NYSEG and RG&E, allowed the information systems of clients to be accessed by an unauthorized party.  Customer Social Security numbers, birth dates, and in some cases, financial institution account numbers were exposed.  A total of 878,000 NYSEG customers and 367,000 RG&E electricity customers were affected.  An unknown number of additional customers from both companies who signed up for gas services, but not electricity services were also affected.

UPDATE (07/12/2012): The Department of Public Service reviewed the NYSEG/RG&E incident and concluded that there was no evidence that any confidential customer information was misused.  In addition, the Department of Public Service recommended that both companies further refine their policies, processes, and procedures regarding confidentiality safeguards.  The companies were ordered to send plans for handling the costs incurred in responding to the breach and progress reports about the implementation of recommendations.

Information Source:
records from this breach used in our total: 1,245,000

February 6, 2010 AvMed Health Plans
Gainesville, Florida


Additional 860,000 added June 3rd; (11/16/10) Estimate reaches 1.22 million

AvMed Health Plans announced that personal information of some current and former subscribers may have been compromised by the theft of two company laptops from its corporate offices in Gainesville. The information included names, addresses, phone numbers, Social Security numbers and protected health information. The theft was immediately reported to local authorities but attempts to locate the laptops have been unsuccessful. AvMed determined that the data on one of the laptops may not have been protected properly, and approximately 80,000 of AvMed's current subscribers and their dependents may be affected. An additional approximate 128,000 former subscribers and their dependents, dating back to April 2003, may also have been affected.

UPDATE (06/03/2010): The theft of the laptops compromised the identity data of 860,000 more AvMed members than originally thought.  The total now nears 1.1 million.

UPDATE (11/17/2010): Five AvMed Health Plans customers filed a class-action lawsuit against the health insurer on behalf of the 1.2 million people who were affected by the breach.  At least two of them believe that their personal information was misused as a result of this particular breach.

UPDATE (09/24/2012): An appeals court ruled that the plaintiffs were "explicitly" able to prove a link between the breach and ID theft they incurred. The case had been thrown out by a lower court in August 2011, but the appeal ruling may make it easier for victims of identity theft to prove that the identity theft was caused by a data breach.

UPDATE (09/05/2013): AvMed Inc. agreed to settle with customers who were affected by the 2009 data breach on September 3, 2013.

UPDATE (10/29/2013): AvMed will pay $3 million.

UPDATE (3/6/2014): "Last week, a judge for the Southern District of Florida gave final approval  to a settlement between health insurance provider AvMed and plaintiffs in a class action stemming from a 2009 data breach of 1.2 million sensitive records from unencrypted laptops. The settlement requires AvMed to implement increased security measures, such as mandatory security awareness training and encryption protocols on company laptops. More notably, AvMed agreed to create a $3 million settlement fund from which members can make claims for $10 for each year that they bought insurance, subject to a $30 cap (class members who experienced identity theft are eligible to make additional claims to recover their monetary losses)".

Information Source:
records from this breach used in our total: 1,220,000

February 25, 2005 Bank of America Corp.
Charlotte, North Carolina


Computer tapes with credit card information, Social Security numbers, addresses and account numbers were lost.  Bank of America began monitoring the customer accounts on the lost tapes and said it would contact cardholders if unusual activity was detected.  Around 900,000 of the account holders affected were Defense Department employees.

Information Source:
Dataloss DB
records from this breach used in our total: 1,200,000

January 14, 2010 Lincoln National Corporation (Lincoln Financial)
Radnor, Pennsylvania


Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers. In a disclosure letter sent to the Attorney General of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source. The unidentified source sent FINRA a username and password to the portfolio management system. "This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies," the letter says. "The sharing of usernames and passwords is not permitted under the LNC security policy."

UPDATE (2/17/2011): Lincoln National Corporation was fined $600,000 by the Financial Industry Regulatory Authority for failing to adequately protect customer information.  Failing to require brokers working remotely to install security software on personal computers led to the fine.

Information Source:
records from this breach used in our total: 1,200,000

October 20, 2014 Staples Inc.
Framingham, Massachusetts

1.2 million

Several large banks notified Staples Inc. of unusual activity on credit and debit cards used at several locations in the Northeastern United States. According to Brian Krebs of Krebs on Security, "According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey". Staples Inc. has more than 1800 stores nationwide and is currently investigating the potential breach.

UPDATE (11/17/2014): It appears that the breach that happened at Staples was conducted by the same cyber criminals that infiltrated Michaels stores. According to Krebs On Security, "Multiple banks interviewed by this author say they’ve received alerts from Visa and MasterCard about cards impacted in the breach at Staples, and that to date those alerts suggest that a subset of Staples stores were compromised between July and September 2014."

UPDATE (12/19/2014): After an investigation, Staples Inc. said that nearly 1.2 million customers payment cards. "Staples said Friday that the investigation revealed that the hackers used malware that provided access to information for transactions at 115 of its stores. The hackers stole cardholder names, payment card numbers, expiration dates and card verification codes.  The company is offering free identity theft protection services.

Information Source:
records from this breach used in our total: 1,200,000

December 29, 2008 RBS WorldPay
Atlanta, Georgia

1.1 million

RBS WorldPay belatedly admitted that hackers broke into their systems. In the US up to 1.1 million Social Security numbers were exposed as a result of the breach. Pre-paid cards including payroll cards and open-loop gift cards were affected. RBS stated that PINs for all PIN-enabled cards have been reset.

UPDATE (2/3/09): Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from ATMs in 49 cities worldwide. Alleged hackers are still at large and could orchestrate another attack.

UPDATE (2/10/09): "Certain personal information" of 1.5 million card holders and Social Security numbers of 1.1 million people were compromised. A class action lawsuit has been filed against RBS WorldPay.

UPDATE (5/28/09): RBS WorldPay says it has returned to Visa's and MasterCard's lists of validated service providers. It was recently certified as compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2.

UPDATE (4/05/10): Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay.

UPDATE (8/09/10): Sergei Tsurikov of Estonia was brought to Atlanta by the FBI.  He pleaded not guilty to computer fraud, conspiracy to commit computer fraud, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.  The FBI is in the process of extraditing others involved in the international hack.

UPDATE (8/31/10): Another person has been charged with participating in the computer fraud attack.  Vladislav Anatolievich Horohorin is alleged to have used a prepaid payroll card to conduct fraudulent attacks on ATMs in Moscow.

UPDATE (9/15/10): A previously unnamed member of the hacking group will be tried in a Russian court for his involvement in the RBS breach. Eugene Anikin's criminal case was forwarded to Zaeltsovskiy District Court in Novosibirsk for consideration.

UPDATE (2/7/2011): Yevgeny Anikin, 27, pleaded guilty to participating in a hacking ring that stole $10 million from former Royal Bank of Scotland division WorldPay.

UPDATE (8/21/2012): Sonya Martin was sentenced to 2.5 years in federal prison for fraudulently obtaining over $9 million from an Atlanta payroll company.  She was a cell leader in the plan that involved organized computer hacking and ATM cashout schemes. She worked with other members of the network to target 2,100 ATMs in 280 cities around the world.

Information Source:
Dataloss DB
records from this breach used in our total: 1,100,000
