Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?


Click or unclick the boxes then select go.


Select features, then click GO.



Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.
Breach Total
930,642,074 RECORDS BREACHED
(Please see explanation about this total.)
from 4,404 DATA BREACHES made public since 2005

Save or Print PDF of Entire Breach List including introduction.Save or Print a PDF of Entire Breach List (including introductory FAQ)

Filter breach list before saving or printing PDF. Conduct a search of the Chronology using its sorting features, and Save or Print a PDF of your search results (Select filters)

If you do not have access to PDF, you can print the Chronology in landscape view.

Date Made Public Name Entity Type
October 25, 2012 Waipahu Aloha Clubhouse
Waipahu, Hawaii
MED HACK

600 (No SSNs or financial information exposed)

An employee noticed unusual activity on a computer on September 25, 2012.  It is possible that former and current members of the Waipahu Aloha Clubhouse had information on the computer that was remotely accessed by an unauthorized party.  Names, Social Security numbers, dates of birth, addresses, phone numbers, and consumer record numbers dating back to 1997 may have been exposed. Though the Clubhouse services people living with severe and persistent mental illness, no medical records were exposed.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

January 7, 2014 Risk Solutions International LLC, Loudoun County Public Schools
Ashburn, Virginia
EDU DISC

Unknown

Loudoun County school officials have responded to a data breach that made publicly available personal information about students and staff members, along with detailed emergency response plans for each school.

More than 1,300 links could be accessed through a Google search, thought to be password protected, unveiled thousands of detailed documents as to how each school in the district will respond to a long list of emergencies, which included the staging areas for response teams as well as where the students and staff would be located during an emergency.

Additional documents that could be accessed included students' courrse schedules, locker combinations, home addresses, phone numbers and birthdates along with the address and cell phone numbers for many school administrators.

The contractor Risk Solution International acknowledged that the breach was caused by "human error" on their part, which is said to be the cause of the data breach.

 

UPDATE: Loudoun County Public Schools administrators released a more detailed statement about the information made publicly available on the Internet due to errors committed by the contractor Risk Solutions International (RSI).

According to school officials, the investigation is continuing as to how the webpage, which was made accessible through online search engines without any password protection happened. The page included 1,286 links detailing information on 84 Loudoun schools. It is unknown how long the information was exposed or how many links were opened by unauthorized individuals.

Locker combinations were revealed for one school and only one parent contact information was revealed for fewer than 10 schools according to the spokesperson for the district. The statement also made clear that RSI's website was not hacked and that it never lost its password security. Instead, the breach occurred when RSI employees were doing technical testing on November 4th , December 19th and December 24th 2013. (1/9/2014)

 
Information Source:
Media
records from this breach used in our total: 0

July 4, 2014 St. Vincent Breast Center
Indianapolis, Indiana
MED DISC

63,000

St. Vincent Breast Center have announced that patient's health information may have been breached after the center sent around 63,000 letters to the wrong patients. The letters included patient names, addresses and in certain references to scheduled appointments. Reportedly no Social Security numbers, financial information or clinical information.

"St.Vincent Breast Center entered into an agreement with Indianapolis Breast Center P.C. and Solis Women’s Health Breast Imaging Specialists of Indiana P.C. after they both closed last year.

On May 5, St.Vincent Breast Center mailed letters intended for prior patients of the Indianapolis Breast Center and Solis Women’s Health to inform them that St.Vincent was available to provide care. Some letters also welcomed patients who had previously scheduled healthcare services.

Officials said on May 15, people who had accidentally received another person’s letter began calling St.Vincent".

For those affected they can call 1-877-216-3862 from Monday through Friday 9:00 a.m. to 7:00 p.m.

 
Information Source:
Media
records from this breach used in our total: 0

July 21, 2014 Dominion Resources Inc.
Richmond, Virginia
BSO HACK

1,700

Personal information of more than 1,700 people at Dominion Resources Inc. were compromised when unauthorized parties hacked the employee wellness plan. The hacker gained access via a subcontractor's system, StayWell Health Management LLC who runs Dominions "Well on Your Way" program which includes a health screening, to gain the information hacked.

The hacking actually occurred at a vendor Stay Well uses, Onsite Health Diagnostics, based in Irvine, Texas, that provideds the sign-up mechanism for "Well on Your Way's" health-screening appointments.

The information included individuals' names, addresses, email addresses, phone numbers, gender and dates of birth of employees, spouses and domestic partners who went online to schedul a health-screening appointment going back to 2012.

"Dominion Resources said the company was notified of the breach on June 24 but didn't learn the identities of those affected until July 7th. Dominion Resources is investigating why it took so long for the company to be notified. They are no longer using Onsite Health Diagnostics for scheduling".

 
Information Source:
Media
records from this breach used in our total: 0

March 25, 2005 Purdue University
West Lafayette, Indiana
EDU HACK

1,200 (not included in total because news stories are not clear if SSNs or financial information were exposed)

Computers in the College of Liberal Arts' Theater Dept. were hacked, exposing personal information of employees, students, graduates, and business affiliates.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 4, 2005 Duke University Medical Center
Durham, North Carolina
EDU HACK

14,000 (No reports of full SSNs or financial information)

A hacker broke into the computer system, stealing thousands of passwords and fragments of Social Security numbers.  Fourteen thousand affected people were notified, including 10,000 employees of Duke University Medical Center.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 30, 2005 Motorola
Schaumburg, Illinois
BSO STAT

Unknown

Two computers were stolen from third party vendor Affiliated Computer Services (ACS).  They had security safeguards and contained names and Social Security numbers of Motorola employees.  Motorola notified affected staff by email and offered fraud insurance coverage.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 6, 2005 City National Bank, Iron Mountain
Los Angeles, California
BSF PORT

Unknown

Two tapes containing Social Security numbers, account numbers, and other customer information were lost or stolen during transportation.  The tapes have been missing since April.  City National Bank notified its customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

August 30, 2005 JP Morgan Chase & Co.
Dallas, Texas
BSF PORT

Unknown

A laptop was stolen on August 8th.  It contained personal and financial account information of customers.  Those affected were contacted.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

September 23, 2005 Bank of America
Charlotte, North Carolina
BSF PORT

Not disclosed

A laptop was stolen from a Bank of America service provider.  Information such as names, account numbers, routing transit numbers, and credit card numbers were compromised by the theft.  An unspecified number of Visa Buxx users were contacted by Bank of America.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 11, 2005 Scottrade Troy Group
Santa Ana, California
BSF HACK

Unknown

A hacker compromised a server containing names, Social Security numbers, driver's licenses, state ID numbers, dates of birth, phone numbers, bank names, bank codes, bank account numbers and Scottrade account numbers.  Scottrade alerted all affected customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

December 7, 2005 Idaho State University, Office of Institutional Research
Pocatello, Idaho
EDU HACK

Unknown

Contact: Information Technology Services (208) 282-2872, http://www.isu.edu/announcement/

ISU discovered a security breach in a server containing archival information about students, faculty, and staff, including names, Social Security numbers, birth dates, and grades. Anyone who was a student or employee between 1995 and 2005 could be affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

December 12, 2005 Sam's Club, a division of Wal-Mart Stores, Inc
Bentonville, Arkansas
BSR UNKN

Unknown

Note: location is corporate headquarters, not necessarily the location of the breach.

Customers who used credit cards at the wholesaler's gas stations discovered fraudulent activity on their credit accounts.  Sam's Club is unaware of how the information was stolen.  Visa alerted the affected financial institutions and asked them to provide fraud monitoring services for the affected customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

December 16, 2005 La Salle Bank, ABN AMRO Mortgage Group, DHL
Ann Arbor, Michigan
BSF PORT

[2,000,000] Not included in total below.

A backup tape with residential mortgage customers' information was lost in shipment by DHL.  It contained Social Security numbers and account information.

UPDATE (12/20/05): DHL found the lost tape.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0

January 2, 2006 H&R Block
Kansas City, Missouri
BSO DISC

Unknown

H&R Block included Social Security numbers in a 40-digit number string on mailing labels.  Affected individuals were contacted.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

January 17, 2006 City of San Diego, Water & Sewer Department
San Diego, California
GOV INSD

Unknown

A dishonest employee accessed customer account files, including Social Security numbers, and stole the identities of two individuals.

 
Information Source:
Media
records from this breach used in our total: 0

January 20, 2006 Indiana University, University Place Conference Center & Hotel
Indianapolis, Indiana
BSO HACK

Unknown

The computer housing the reservations data base was compromised. Data included credit card account numbers and names.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0

January 23, 2006 University of Notre Dame
Notre Dame, Indiana
EDU HACK

Unknown

Hackers may have accessed Social Security numbers, credit card information and check images of people who donated to the University between November 22 of 2005 and January 12 of 2006.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

February 17, 2006 California Department of Corrections, Pelican Bay State Prison
Sacramento, California
GOV INSD

Unknown

Inmates gained access to files stored in a warehouse.  The files contained employees' Social Security numbers, birth dates and pension account information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 2, 2006 Olympic Funding
Chicago, Illinois
BSF UNKN

Unknown

Three hard drives containing clients' names, Social Security numbers, addresses and phone numbers stolen during a break in.  Information on the drives was protected via password and security software.  The business owner sent letters to his clients alerting them of the theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 8, 2006 Verizon Communications
New York, New York
BSO PORT

Unknown

Two laptops containing employees' personal information including Social Security numbers were stolen.  Verizon is offering affected employees free use of a credit monitoring service.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 8, 2006 iBill [disputed]
Deerfield Beach, Florida
BSF UNKN

17,781,462 (SSNs and financial information not involved)

A dishonest insider or possibly malicious software linked to iBill was used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, login names and passwords, credit card types and purchase amount online. Credit card account numbers, expiration dates, security codes, and Social Security numbers were NOT included, but in our opinion the affected individuals could be vulnerable to social engineering to obtain such information. Whether iBill is the source of the breach has been disputed

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 11, 2006 California Department of Consumer Affairs (DCA)
Sacramento, California
GOV PHYS

Unknown

Mailed applications of DCA licensees or prospective licensees for CA state boards and commissions were stolen. The forms include full or partial Social Security numbers, driver's license numbers, and potentially payment checks.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 14, 2006 Buffalo Bisons and Choice One Online
Buffalo, New York
BSO HACK

Unknown

A hacker accessed sensitive financial information including the credit card numbers names, and passwords of customers who ordered items online. The Bisons mailed letters to affected customers and notified American Express, MasterCard, Discover, and Visa.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

April 28, 2006 Ohio Secretary of State
Cleveland, Ohio
GOV DISC

Potentially millions of registered voters

The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained Social Security numbers, which were not supposed to have been included on the CDs.

UPDATE (9/15/06): A news report said that some Social Security numbers still remain on the agency's Web site.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 2, 2006 Georgia State Government
Atlanta, Georgia
GOV STAT

Unknown

Government surplus computers that sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens.  The State stopped selling the computers after being notified by a buyer.  Thousands of patient records from a psychiatric hospital in Rome, Georgia were found on one computer's hard drive.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 4, 2006 Idaho Power Company
Boise, Idaho
BSO PORT

Unknown

Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 22, 2006 Ohio University
Athens, Ohio
EDU HACK

Unknown

http://www.ohio.edu/datasecurity/

A computer was compromised that hosted a variety of Web-based forms, including some that processed online business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration.

 
Information Source:
Media
records from this breach used in our total: 0

May 5, 2006 Wells Fargo
San Francisco, California
BSF STAT

Unknown

A computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 17, 2006 M &T Bank via contractor PFPC
Buffalo, New York
BSF PORT

Unknown

A laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio Architect accounts was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0

May 24, 2006 Sacred Heart University
Fairfield, Connecticut
EDU HACK

Unknown

It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached.  The University did not immediately release information on who the breach affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 30, 2006 Florida International University
Miami, Florida
EDU HACK

Unknown

Hacker accessed a database that contained personal information on thousands of individuals, such as student and applicant names and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 1, 2006 American Red Cross, Farmers Branch
Dallas, Texas
NGO PORT

Unknown

Sometime in May, three laptops were stolen, one of them containing encrypted personal information including names, SSNs, dates of birth, and medical information of all regional donors. They also report losing a laptop with encrypted donor information in June 2005.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 6, 2006 Automatic Data Processing (ADP)
Roseland, New Jersey
BSO UNKN

0

Payroll service company ADP gave scam-artist names, addresses, and number of shares held of investors, although apparently not SSNs or account numbers. The leak occurred from Nov. '05 to Feb. '06 and involved individual investors with 60 companies including Fidelity, UBS, Morgan Stanley, Bear Stearns, Citigroup, Merrill Lynch. Hundreds of thousands of investors may have been affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 7, 2006 Montana Public Health and Human Services Department
Helena, Montana
MED STAT

Unknown

A state government computer was stolen from the office of a drug dependency program during a 4th of July break-in. It was not known if sensitive information such as SSNs was compromised.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 14, 2006 Hampton Circuit Court Clerk - Treasurer's computer
Hampton, Virginia
GOV DISC

Over 100,000 records (The number containing SSNs is not known yet and not included in total below.)

Public computer in city government building containing taxpayer information was found to display SSNs of many residents -- those who paid personal property and real estate taxes. It was shut down and confiscated by the police on July 12th.

UPDATE (7/27/2006) Investigation concluded that the data was exposed due to software problem.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 17, 2006 Vassar Brothers Medical Center
Poughkeepsie, New York
MED PORT

257,800 (revised to 0)

(845) 483-6990

An analysis by Kroll later determined that the laptop contained no personal information, though 257,800 patients were initially notified.  This number is not included in the total below.

Laptop was stolen from the emergency department between June 23-26. It contained information on patients dating back to 2000, including SSNs and dates of birth.

UPDATE (10/5/06) Private investigators determined the laptop did not contain personally identifiable patient information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 26, 2006 West Virginia Division of Rehabilitation Services
Beckley, West Virginia
GOV PORT

Unknown

A laptop was stolen July 24 containing clients' names, addresses, SSNs, and phone numbers. Data was password protected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 27, 2006 Kaiser Permanente Northern California Office
Oakland, California
MED PORT

160,000 records. Because the data file did not include SSNs, this number is not added to the total below.

(866) 453-3934

A laptop was stolen containing names, phone numbers, and the Kaiser number for each HMO member. The data file did not include SSNs. The data was being used to market Hearing Aid Services to Health Plan members.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 27, 2006 Los Angeles County Department Community Senior Services
Los Angeles, California
GOV PORT

Unknown

In May, a laptop was stolen from the home of a community and senior services employee. It contained information on LA County employees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 27, 2006 Los Angeles County, Community Development Commission (CDC)
Monterey Park, California
GOV HACK

4,800 records (No SSNs or financial information reported)

Earlier in July, a computer hacker located in Germany gained access to the CDC's computer system, containing personal information on 4,800 public housing residents.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 27, 2006 Los Angeles County, Adult Protective Services
Burbank, California
GOV PORT

Unknown

Last weekend 11 laptops were stolen from the Burbank office. It is not clear what type of personal information was included.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 28, 2006 Matrix Bancorp Inc.
Denver, Colorado
BSF PORT

Unknown

(877) 250-7742

Two laptop computers were stolen during daytime while staffers were away from their desks. One computer contained customers' account information. The bank says data is encrypted and password protected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

August 31, 2006 CoreLogic for ComUnity Lending
Sacramento, California
BSO STAT

Unknown

(877) 510-3700, identityprotection@corelogic.com. Exact date in August 2006 unknown.

In early August, CoreLogic notified customers of ComUnity Lending that a computer with customers' data was stolen from its office. Data included names, SSNs, and property addresses related to an existing or anticipated mortgage loan.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0

August 1, 2006 US Bank
Covington, Kentucky
BSF PHYS

Unknown

A bank employee's briefcase was stolen from the employee's car with documents containing names, phone numbers, and SSNs of customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

August 1, 2006 Wichita State University
Wichita, Kansas
EDU HACK

40 (not included in total below because it is not known if SSNs were included in breached data)

An intrusion into a WSU Psychology Department's server was discovered July 16. It contained information on about 40 applicants to the doctoral program.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

August 1, 2006 Dollar Tree
Carmichael, California
BSR HACK

Unknown

Additional locations: Modesto, CA and Ashland, OR. Other locations may also be involved.

Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Data may have been intercepted by a thief's use of a wireless laptop computer with the thief then creating counterfeit ATM cards and using them to withdraw money.

UPDATE (10/5/06): Parkev Krmoian was indicted by a federal grand jury for allegedly using phony ATM cards made from gift cards. The case is tied to the Dollar Tree customer bank account thefts.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

August 6, 2006 American Online (AOL)
New York, New York
BSO DISC

650,000 (Unknown number of high-risk personal records)

Other locations: nationwide

In late July AOL posted on a public web site data on 20 million web queries from 650,000 users. Some search records exposed SSNs, credit card numbers, or other pieces of sensitive information.

UPDATE (9/26/06): Three individuals whose data were exposed have filed a lawsuit against AOL.

UPDATE (9/27/06): Six men were charged with creating and executing the phishing scheme.  The men collected AOL email addresses and infected the computers of users with a program that asked for their credit card and bank account numbers during the AOL login process. AOL users were also spammed with phony email messages that asked for payment on AOL charges. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

August 8, 2006 Virginia Bureau of Insurance
Richmond, Virginia
GOV DISC

Unknown

(804) 726-2630

The Bureau has advised insurance agents in the state that their SSN may have been exposed on its web site from June 13 through July 31, 2006, due to a programming error. The SSNs were not shown on any web page, but could have been found by savvy computer users using the source code tool of a web browser.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

August 15, 2006 U.S. Department of Transportation
Orlando, Florida
GOV PORT

Unknown

On April 24, a DOT employee's laptop computer was stolen from an Orlando hotel conference room. It contained several unencrypted case files. Investigators are determining if it contained sensitive personal information.

 
Information Source:
Media
records from this breach used in our total: 0

Breach Total
930,642,074 RECORDS BREACHED
(Please see explanation about this total.)
from 4,404 DATA BREACHES made public since 2005
Showing 1-50 of 4404 results


X

Sign In!

Loading