Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?

Chronology of Data Breaches

Custom Sort
Select your desired results. Then click "Go!"

Click or unclick the boxes then select go.


Select features, then click GO.



Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.
Breach Total
872,715,019 RECORDS BREACHED
(Please see explanation about this total.)
from 4,391 DATA BREACHES made public since 2005
Date Made Publicsort icon Name Entity Type
March 16, 2006 Mortgage Institute of Michigan
Southfield, Michigan
BSF UNKN

67

The Mortgage Institute of Michigan has multiple locations throughout Michigan.

Someone used the Mortgage Institute of Michigan's account to make credit report requests. Most of the requests were for Experian credit reports. Equifax suspended the organization's access codes and an FBI investigation began. The unauthorized user would have had access to customer names, Social Security numbers, home addresses, account numbers, creditor names and payment histories.

 
Information Source:
Dataloss DB
records from this breach used in our total: 67

March 15, 2006 Ernst & Young, IBM
New York, New York
BSF PORT

84,000

A laptop with sensitive information was stolen from an employee's car in January. IBM employees who may have been stationed overseas during their careers were affected. Names, Social Security numbers, dates of birth, genders, family sizes and tax identifiers for employees were exposed. Those affected were notified in March.

 
Information Source:
Dataloss DB
records from this breach used in our total: 84,000

March 14, 2006 General Motors (GM)
Detroit, Michigan
BSO INSD

100

A former security guard kept Social Security numbers of co-workers to perpetrate identity theft. The disgruntled former employee sent harassing emails to employees after gaining access to personal information including the types of cars they drove.

 
Information Source:
Dataloss DB
records from this breach used in our total: 100

March 14, 2006 Buffalo Bisons and Choice One Online
Buffalo, New York
BSO HACK

Unknown

A hacker accessed sensitive financial information including the credit card numbers names, and passwords of customers who ordered items online. The Bisons mailed letters to affected customers and notified American Express, MasterCard, Discover, and Visa.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 11, 2006 California Department of Consumer Affairs (DCA)
Sacramento, California
GOV PHYS

Unknown

Mailed applications of DCA licensees or prospective licensees for CA state boards and commissions were stolen. The forms include full or partial Social Security numbers, driver's license numbers, and potentially payment checks.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 10, 2006 Long Island University, Alpha Chi National Honors Society
Brooklyn, New York
EDU DISC

51

Students who applied to join Alpha Chi had their Social Security numbers and other personal information sent to an Honors student email list. The email was recalled immediately, but anyone who opened it right away would have been able to access the applicant information. The advisor responsible for the mistake asked the National Office to consider abandoning the use of Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51

March 8, 2006 Verizon Communications
New York, New York
BSO PORT

Unknown

Two laptops containing employees' personal information including Social Security numbers were stolen.  Verizon is offering affected employees free use of a credit monitoring service.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 8, 2006 iBill [disputed]
Deerfield Beach, Florida
BSF UNKN

17,781,462 (SSNs and financial information not involved)

A dishonest insider or possibly malicious software linked to iBill was used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, login names and passwords, credit card types and purchase amount online. Credit card account numbers, expiration dates, security codes, and Social Security numbers were NOT included, but in our opinion the affected individuals could be vulnerable to social engineering to obtain such information. Whether iBill is the source of the breach has been disputed

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 7, 2006 Audiolink LLC (Audio Link)
Orlando, Florida
BSR HACK

25

A hacker may have accessed customer names, addresses, telephone numbers, email addresses and credit card information from the company's website.  Audiolink disabled the credit card functions on their website and updated web security.

 
Information Source:
Dataloss DB
records from this breach used in our total: 25

March 6, 2006 First Horizon Home Loans
Lake Oswego, Oregon
BSF STAT

8

A desktop computer was stolen from one of First Horizon's financial centers. The desktop contained customer and client files with names, addresses, phone numbers, Social Security numbers and mortgage account numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 8

March 5, 2006 Georgetown University
Washington, District Of Columbia
EDU HACK

41,000

A server was attacked that housed personal information including names, birthdates and Social Security numbers of District seniors served by the Office on Aging.  Georgetown managed the server as part of a grant to manage information services provided by the D. C. Office of Aging. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 41,000

March 3, 2006 Metropolitan State College of Denver (MSCD)
Denver, Colorado
EDU PORT

93,000

http://www.mscd.edu/securityalert/

A laptop containing student information was stolen.  The information included names and Social Security numbers of students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 93,000

March 3, 2006 PayDay OK LLC
Ruidoso, New Jersey
BSF HACK

88

The company's website was breached sometime around February 19 by a hacker in an attempt to gain access to certain customers' private information. Social Security numbers, names, addresses, bank account names and bank account numbers may have been compromised. At least 88 individuals were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 88

March 2, 2006 Olympic Funding
Chicago, Illinois
BSF UNKN

Unknown

Three hard drives containing clients' names, Social Security numbers, addresses and phone numbers stolen during a break in.  Information on the drives was protected via password and security software.  The business owner sent letters to his clients alerting them of the theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 2, 2006 Los Angeles County Department of Social Services
Los Angeles, California
GOV PHYS

Potentially 2,000,000

It is unclear if this is the same incident that involved the information of 94,000 people being left next to a recycling bin outside of the Department of Public Social Services in January of 2006.

File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended for at least one month.  This affects employees and clients.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,000,000

March 2, 2006 Hamilton County Clerk of Courts
Cincinnati, Ohio
GOV DISC

[1,300,000] Not included in number below.

Social Security numbers, and other personal data of residents was posted on the County's website.  Some information was stolen and used to commit identity theft.

UPDATE (9/28/06):An identity thief was sentenced to 13 years in prison for the crimes. She stole 100 identities and nearly $500,000. The Web site now blocks access to court documents containing personal information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 100

March 1, 2006 Medco Health Solutions
Columbus, Ohio
MED PORT

4,600

A laptop containing Social Security numbers for State of Ohio employees and their dependents, as well as their birth dates and, in some cases, prescription drug histories was stolen from an employee. The theft occurred in December and Medco contacted Ohio officials in February.  The company agreed to provide free credit monitoring and fraud alert services for the affected families for one year.

 
Information Source:
Dataloss DB
records from this breach used in our total: 4,600

February 23, 2006 Deloitte & Touche, McAfee
,
BSO PORT

9,290

Deloitte & Touche is an international organization with multiple locations throughout the United States.

An external auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former McAfee employees.  Three thousand current employees and 6,000 former employees were affected.  Current and former employees received two years of free credit monitoring services from Equifax.

 
Information Source:
Dataloss DB
records from this breach used in our total: 9,290

February 22, 2006 New Hampshire Department of Motor Vehicles
, New Hampshire
GOV HACK

Unknown

Malware was discovered on the DMV server during a routine security check. Though there is no evidence of misuse, credit card information could have been accessed. It is unknown how the malware application got onto the computer. The FBI confiscated the computer.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

February 22, 2006 University of Texas M.D. Anderson Cancer Center
Houston, Texas
MED PORT

4,000

A laptop containing insurance information for patients was stolen from a PricewaterhouseCoopers employee's home in November. Patients and patient families were notified in January that their private health information, policy numbers, dates of birth, ZIP codes and Social Security numbers may have been exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 4,000

February 20, 2006 Alltel Corporation
Little Rock, Arkansas
BSR PHYS

Unknown

Customer files with cell phone records, Social Security numbers, addresses and phone numbers were found in a dumpster. A landscaper discovered the files and alerted a news crew. A spokesperson for the company said that this is against their official electronic policy.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

February 20, 2006 Capital Computer Associates, Spencerport School District
Albany, New York
BSF DISC

17

Seventeen employees of Spencerport School District had their Social Security numbers and names posted on a website that could be viewed by any office staff at Capital Computer's client sites in New York State school districts and Boards of Cooperative Educational Services (BOCES). The information was supposed to be fictitious and used to notify users of changes to the software they use to process accounting and human resource data. The posting occurred on February 14 and was removed at the end of the day on February 16.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17

February 18, 2006 University of Northern Iowa
Cedar Falls, Iowa
EDU HACK

6,000

A laptop computer holding W-2 forms of student employees and faculty was illegally accessed.  The University warned students and faculty to monitor their bank accounts.

 
Information Source:
Dataloss DB
records from this breach used in our total: 6,000

February 17, 2006 California Department of Corrections, Pelican Bay State Prison
Sacramento, California
GOV INSD

Unknown

Inmates gained access to files stored in a warehouse.  The files contained employees' Social Security numbers, birth dates and pension account information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

February 17, 2006 Mount St. Mary's Hospital
Lewiston, New York
MED PORT

17,000

Two laptops containing dates of birth, addresses and Social Security numbers of patients were stolen in an armed robbery in New Jersey.  The laptops and sensitive files were password protected.  The Hospital contacted those whose information may have been compromised.  St. Mary's is just one of ten hospitals that were affected by the theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

February 16, 2006 Blue Cross and Blue Shield
Jacksonville, Florida
MED INSD

27,000

A contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies.  A judge ordered the former computer consultant to reimburse the Jacksonville-based health insurer $580,000 for expenses related to his theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 27,000

February 16, 2006 University of Washington Medical Center
Seattle, Washington
MED HACK

Unknown

The hacked system serves users at Harborview Medical Center, University of Washington Medical Center, University of Washington School of Medicine, UW Medicine Neighborhood Clinics and UW Physicians.

A hacker broke into the UW Medicine computer system in June of 2004. The incident was not discovered until December of 2005. The hacker may have accessed and copied patient and business records for 18 months. The goal of the hacker appears to have been to use the system for its computing power and data storage.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

February 16, 2006 The Princeton Review
New York, New York
BSR DISC

Unknown

An unauthorized user attempted to obtain the IDs and passwords of a small number of account holders. A small number of the accounts may have contained names, Social Security numbers, dates of birth, email addresses, mailing addresses and information from college applications. The unauthorized user may have had access to the information before the February 10 incident was discovered. At least 35 New York residents were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

February 15, 2006 U.S. Department of Agriculture (USDA)
Washington, District Of Columbia
GOV DISC

350,000

The Social Security numbers of tobacco farmers were accidentally released when the U.S. Department of Agriculture attempted to comply with the Freedom of Information Act.  Those who received the information agreed to destroy any copies and return the original discs, which also contained tax identification numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 350,000

February 15, 2006 Old Dominion University
Norfolk, Virginia
EDU DISC

601

An instructor posted a class roster containing names and Social Security numbers to a publicly accessible website.  The information was posted during the spring semester of 2004.  Letters were sent to affected students which contained websites where the students could check to see if they had been victims of identity theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 601

February 15, 2006 Suffolk County Clerk's Office
Long Island, New York
GOV DISC

7,000

Between 7,000 and 8,000 homeowners had their Social Security numbers accidentally posted online. After realizing the mistake, County officials realized that they could not remove the information. People who pay to access the County's public records online will be able to see the Social Security numbers associated with people and addresses in the system that date back to 2001. The county could not alter public records in any way, but a new program will be implemented to block the Social Security numbers from newly recorded documents.

 
Information Source:
Dataloss DB
records from this breach used in our total: 7,000

February 13, 2006 Ernst & Young
New York, New York
BSO PORT

38,000

Additional locations: Throughout the US and UK

38,000 BP employee in U.S. In addition to Sun, Cisco and IBM employees.

A laptop containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees was stolen from a locked car. While Ernst and Young waited until pressured to inform a majority of those affected about the breach, at least one CEO from the affected companies was contacted immediately.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 38,000

February 9, 2006 OfficeMax
Naperville, Illinois
BSR HACK

200,000, although total number is unknown.

The location listed is Office Max's headquarters.  Sam's Club and other businesses may have also been affected.

Debit card accounts and pin numbers from bank and credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo) were exposed. The crooks created counterfeit cards to make fraudulent purchases and withdrawals from card-holder accounts. 

UPDATE (3/14/06) New Jersey law enforcement arrested 14 people connected to the crime spree. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 200,000

February 6, 2006 Prudential Financial Inc.
Newark, New Jersey
BSF DISC

1,000

A health insurer claims data were erroneously faxed to a company in Canada by doctors and clinics across the U.S.. Data included the patients' Social Security numbers, bank account details and health care information.

 
Information Source:
Media
records from this breach used in our total: 1,000

February 4, 2006 FedEx
Los Angeles, California
BSO DISC

1,100

Up to 1,100 workers in Los Angeles and Orange Counties could be affected.

Eighty-five hundred W-2 forms including other workers' tax information such as Social Security numbers and salaries were sent out to employees. Fewer than 1,100 employees had their information exposed.  The company suspects that their internal processing center may have misaligned the forms and caused them to be cut in the wrong place. Workers were asked not to open their W-2s, but many had already done so before the notification. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,100

February 2, 2006 Presbyterian Healthcare Service
Albuquerque, New Mexico
MED STAT

450

The theft of a computer may have exposed patient and physician information. Names, Social Security numbers, addresses, phone numbers and credit card numbers were on the computer. The computer may have been stolen for the purpose of committing identity theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 450

February 1, 2006 Blue Cross and Blue Shield of North Carolina
Durham, North Carolina
BSO DISC

629

Social Security numbers of members were printed on the mailing labels of envelopes with information about a new insurance plan.  Those who were affected were contacted immediately.

 
Information Source:
Dataloss DB
records from this breach used in our total: 629

February 1, 2006 University of Colorado, Colorado Springs (UCCS)
Colorado Springs, Colorado
EDU HACK

2,500

Names, Social Security numbers, addresses and birth dates of current and former employees were accessed.  A computer in the Personnel Department was hacked and infected with a virus.  People employed by the University at anytime between the attack and 2004 are at risk.  The virus infected other computers at the University and was part of a worldwide attack.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,500

January 31, 2006 Boston Globe (The New York Times Company) and The Worcester Telegram & Gazette
Boston, Massachusetts
BSO DISC

240,000

Recycled paper used in wrapping newspaper bundles for distribution turned out to contain credit and debit card information along with routing information for personal checks of subscribers.

 

 
Information Source:
Dataloss DB
records from this breach used in our total: 240,000

January 31, 2006 Honeywell International
Morristown, New Jersey
BSO UNKN

19,000

Personal information of current and former employees including Social Security numbers and bank account information was posted on an Internet Web site. It was not known whether this was the result of a malicious insider or an administrative error.  Current and former employees whose information was compromised were informed immediately and offered free credit monitoring and identity theft insurance.

 
Information Source:
Dataloss DB
records from this breach used in our total: 19,000

January 27, 2006 State of Rhode Island website (www.RI.gov)
Providence, Rhode Island
GOV HACK

4,118

Hackers obtained credit card information in conjunction with names and addresses. The credit card companies were notified of the breach, but not the customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 4,118

January 26, 2006 College of St. Scholastica
Duluth, Minnesota
EDU STAT

12,000

A computer was stolen from a locked office in the College's information Technology Department on or around December 24. The computer had Social Security numbers and names of current and former students. The thief was caught and claims that none of the personal information was used.

 
Information Source:
Dataloss DB
records from this breach used in our total: 12,000

January 25, 2006 Providence Home Services
Portland, Oregon
MED PORT

365,000

Backup tapes, laptops and disks containing Social Security numbers, clinical and demographic information were stolen from the car of an employee. In a small number of cases, patient financial data was stolen.

UPDATE (9/26/06) Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs.

UPDATE (7/15/08) Providence Health will pay $100,000 and adhere to a compliance plan under the first ever Resolution Agreement negotiated by CMS (Centers for Medicare and Medicaid Services of the U.S. Dept. of Health and Human Services) under the HIPAA Privacy and Security Standards. The Corrective Action Plan requires Providence to revamp its security policies to include physical protections for portable devices and off-site transport and storage of backup media. Further, it must implement technical safeguards, such as encryption and password protection. And it must conduct random compliance audits and submit compliance reports to HHS for the next three years.

UPDATE (4/16/2012): The Oregon Supreme Court struck down a class-action suit against Providence Health Systems.  The Oregon Supreme Court claimed that there was no evidence that any of the 365,000 patients who were affected by the breach suffered any financial loss or other adverse consequences.

 
Information Source:
Dataloss DB
records from this breach used in our total: 365,000

January 25, 2006 University of Delaware
Newark, Delaware
EDU STAT

159

Two separate breaches occurred on the campus during November and December. A computer from the School of Urban Affairs and Public policy was hacked and a back-up hard drive was stolen from the Department of Entomology and Wildlife Ecology. The hacking incident occurred between November 22 and 26 and exposed the Social Security numbers of 159 graduate students. The hard drive theft occurred between December 16 and 18 and the personal information of an unknown number of people was exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 159

January 24, 2006 University of Washington Medical Center
Seattle, Washington
MED PORT

1,600

Laptops containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data were stolen from a UW office.  The information was password protected and the affected patients were notified.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,600

January 23, 2006 University of Notre Dame
Notre Dame, Indiana
EDU HACK

Unknown

Hackers may have accessed Social Security numbers, credit card information and check images of people who donated to the University between November 22 of 2005 and January 12 of 2006.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

January 21, 2006 California Army National Guard
Sacramento, California
GOV PHYS

Hundreds (at least 200)

A briefcase with personal information of National Guardsmen including a seniority roster, Social Security numbers and dates of birth was stolen from the car of an employee.  A memo was sent to National Guard soldiers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 200

January 20, 2006 Indiana University, University Place Conference Center & Hotel
Indianapolis, Indiana
BSO HACK

Unknown

The computer housing the reservations data base was compromised. Data included credit card account numbers and names.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0

January 20, 2006 University of Kansas (Kansas University)
Lawrence, Kansas
EDU DISC

9,200

A computer file with sensitive personal information was accessible to the public.  Students who applied and paid an application fee online between April 29, 2001 and December 16, 2005 had their names, Social Security numbers, birth dates, addresses, phone numbers and credit card numbers exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 9,200

January 17, 2006 City of San Diego, Water & Sewer Department
San Diego, California
GOV INSD

Unknown

A dishonest employee accessed customer account files, including Social Security numbers, and stole the identities of two individuals.

 
Information Source:
Media
records from this breach used in our total: 0

Showing 4201-4250 of 4391 results


X

Sign In!

Loading