Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?


Click or unclick the boxes then select go.


Select features, then click GO.



Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.
Breach Total
930,526,448 RECORDS BREACHED
(Please see explanation about this total.)
from 4,427 DATA BREACHES made public since 2005

Save or Print PDF of Entire Breach List including introduction.Save or Print a PDF of Entire Breach List (including introductory FAQ)

Filter breach list before saving or printing PDF. Conduct a search of the Chronology using its sorting features, and Save or Print a PDF of your search results (Select filters)

If you do not have access to PDF, you can print the Chronology in landscape view.

Date Made Publicsort icon Name Entity Type
May 19, 2006 Frost Bank
San Antonio, Texas
BSF HACK

9,300

Hackers accessed the credit and debit card accounts of around 100 Frost Bank customers after they took Visa and MasterCard debit card information from the database of a national retailer.  Banks across the nation were affected by the breach. Only 100 Frost Bank customers reported fraudulent charges.

 
Information Source:
Dataloss DB
records from this breach used in our total: 9,300

May 21, 2006 Columbus Bank & Trust
Columbus, Georgia
BSF HACK

2,000

A security problem may have exposed customer credit and check card information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,000

May 22, 2006 U.S. Department of Veterans Affairs
Washington, District Of Columbia
GOV PORT

26,500,000

(800) 827-1000

On May 3, data of all American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. The data did not contain medical or financial information, but may have disability numerical rankings.

UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered.

UPDATE (7/14/06): FBI claims no data had been taken from stolen computer.

UPDATE(8/5/06): Two teens were arrested in the theft of the laptop.

UPDATE (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for patterns of misuse.

UPDATE (11/23/07): A federal judge questioned the Veterans Affairs Department's computer security and ruled Friday that lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. The lawsuits have been filed as potential class-action cases representing every veteran whose data was released.

UPDATE (1/23/09): The Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit.

UPDATE (6/16/09): No less than $75 will be paid for any valid claim, up to a cap of $1,500. If your expenses were higher than that, you might want to opt out of the class-action portion so you can file for your actual damages. In that case, you need to file a letter so it is received by June 29, 2009. You have until Nov. 27, 2009, to mail your claim form to VA Settlement Claims, P.O. Box 6727, Portland, OR 97228-9767. Be sure to keep a copy of the claim form, along with your proof of mailing. To download the claim form and to get more information, go to www.veteransclass.com. Read the FAQ and note the particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625.

UDPATE (10/19/12): An investigation into the VA revealed that encryption software has only been installed on 16% of VA computers since the 2006 breach. Six million dollars has been spent on encryption software since the 2006 breach. The investigation began after a 2011 anonymous tip.

 
Information Source:
Dataloss DB
records from this breach used in our total: 26,500,000

May 23, 2006 University of Delaware
Newark, Delaware
EDU HACK

1,076

A security breach of a Department of Public Safety computer server potentially exposed names, Social Security numbers and driver's license numbers. Individuals whose personal information was compromised were contacted.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,076

May 23, 2006 Butler County Department of Mental Retardation & Developmental Disabilities
Cincinnati, Ohio
NGO PORT

100 clients

In April, three laptop computers were stolen from the agency's office. They contained personal information on mental health clients, including Social Security numbers.  Those affected were contacted in May.

 
Information Source:
Dataloss DB
records from this breach used in our total: 100

May 23, 2006 Mortgage Lenders Network USA
Middletown, Connecticut
BSF INSD

231,000

A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information - including customers' names, addressess, Social Security numbers, loan numbers, and loan types - if the company didn't pay him. He stole the files over the 16 months he worked there.

 
Information Source:
Dataloss DB
records from this breach used in our total: 231,000

May 23, 2006 Liberty Mutual Insurance Company
Boston, Massachusetts
BSF PORT

384

Two company laptops were stolen in California in March and one company laptop was stolen in Kentucky in April. One incident exposed some customer names and Social Security numbers that were listed along with their claims. The other incident exposed names and Social Security numbers for employees of some of Liberty's commercial insureds.

 
Information Source:
Dataloss DB
records from this breach used in our total: 384

May 24, 2006 Sacred Heart University
Fairfield, Connecticut
EDU HACK

Unknown

It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached.  The University did not immediately release information on who the breach affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 24, 2006 New York State Insurance Fund (NYSIF)
New York, New York
GOV PORT

37

An agency laptop computer was stolen from an employee's car. Names and Social Security numbers were on the laptop.

 
Information Source:
Dataloss DB
records from this breach used in our total: 37

May 25, 2006 VyStar Credit Union
Jacksonville, Florida
BSF HACK

34,400

Hacker gained access to member accounts a and stole personal information including names, addresses, birth dates, mother's maiden names, Social Security numbers and/or email addresses. Less than 10% of VyStar's 344,000 members were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 34,400

May 25, 2006 Security Savings Bank
Southport, North Carolina
BSF HACK

13

Security Saving's website host Goldleaf Technologies informed the bank that their website was down. The website had been phished for two hours. Thirteen customers visited the fraudulent website during that time. Passwords, user IDs, account numbers and card numbers could have fallen into the wrong hands.

 
Information Source:
Dataloss DB
records from this breach used in our total: 13

May 26, 2006 California State University Stanislaus
Turlock, California
EDU DISC

1,294

The University was informed that a file containing sensitive information remained in the Google cache and could be accessed by those with technological expertise. The file was first indexed in October of 2005. The file was deleted form the server, but it remained in the Google files cache. The file included names, addresses, Social Security numbers, and dates of birth of some current and former employees and their dependents.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,294

May 26, 2006 California Department of Financial Institutions
, California
GOV PORT

Unknown

The California Department of Financial Institutions has offices in Sacramento, San Francisco, Los Angeles and San Diego.

On May 26, an examiner's laptop was stolen from a car. The laptop contained the personal data of bank customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 30, 2006 Florida International University
Miami, Florida
EDU HACK

Unknown

Hacker accessed a database that contained personal information on thousands of individuals, such as student and applicant names and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 31, 2006 Texas Guaranteed Student Loan Corp. via subcontractor Hummingbird
Round Rock, Texas
BSF UNKN

1,300,000 plus 400,000 for total of 1,700,000

Additional location: Toronto, Canada

Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.

UPDATE (6/16/06):TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,700,000

June 1, 2006 Miami University
Oxford, Ohio
EDU PORT

851

An employee lost a hand-held personal computer containing personal information of students who were enrolled between July 2001 and May 2006.

 
Information Source:
Dataloss DB
records from this breach used in our total: 851

June 1, 2006 Ernst & Young
New York, New York
BSO PORT

243,000

Additional locations: Throughout the US and UK. Breach occurred in Texas.

A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an employee's car in Texas.

 
Information Source:
Media
records from this breach used in our total: 243,000

June 1, 2006 University of Kentucky
Lexington, Kentucky
EDU DISC

1,300

Personal information of current and former University of Kentucky employees including Social Security numbers was inadvertently accessible online for 19 days in May.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,300

June 1, 2006 YMCA of Greater Providence
Providence, Rhode Island
NGO PORT

65,000

A laptop computer containing personal information of members was stolen. The information included credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies.  Those affected were notified.

 
Information Source:
Dataloss DB
records from this breach used in our total: 65,000

June 2, 2006 Ahold USA, parent company of Stop & Shop, Giant stores and Tops stores via subcontractor Electronic Data Systems (EDS)
Landover, Maryland
BSR PORT

92,000

Additional location: Plano, TX

An EDS employee lost a laptop computer during a commercial flight that contained pension data of former employees of Ahold's supermarket chains including Social Security numbers, birth dates and benefit amounts.  The laptop was lost form the checked baggage of a domestic commercial airline flight on May 2, 2006.  The laptop was not recovered even though the incident was reported immediately.

 
Information Source:
Dataloss DB
records from this breach used in our total: 92,000

June 3, 2006 Buckeye Community Health Plan
Columbus, Ohio
MED PORT

72,000

Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider.

 
Information Source:
Dataloss DB
records from this breach used in our total: 72,000

June 3, 2006 Humana
Louisville, Kentucky
MED DISC

17,000 current and former Medicare enrollees

Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

June 5, 2006 U.S. Internal Revenue Service (IRS)
Washington, District Of Columbia
GOV PORT

291

A laptop computer containing personal information of employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth, was lost during transit on an airline flight

 
Information Source:
Security Breach Letter
records from this breach used in our total: 291

June 5, 2006 Kingsbrook Jewish Medical Center
Brooklyn, New York
MED PORT

34,863

A personal computer was stolen from the Hospital's outpatient billing office on December 26, 2005. It is likely that the computer contained spreadsheets with patient names and Social Security numbers embedded in insurance numbers. Those affected were notified May 26, 2006.

 
Information Source:
Dataloss DB
records from this breach used in our total: 34,863

June 6, 2006 University of Texas at El Paso
El Paso, Texas
EDU HACK

4,719

Students demonstrated that student body and faculty elections could be rigged by hacking into student information including Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 4,719

June 6, 2006 U.S. Department of Energy
Washington, District Of Columbia
GOV HACK

1,502

Names, Social Security numbers, security clearance levels and place of employment for mostly contract employees who worked for National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer system at a service center in Albuquerque, NM eight months prior to press releases.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,502

June 6, 2006 ARAMARK Corporation
Atlanta, Georgia
BSO PORT

6,028

The May 5 theft of a laptop resulted in the exposure of personal information of current and former employees.  Social Security numbers and other personal information were lost.

 
Information Source:
Dataloss DB
records from this breach used in our total: 6,028

June 6, 2006 Empire State College
Saratoga Springs, New York
EDU INSD

16

On December 15 of 2005, an intruder installed key-logger was discovered on a computer that had been used to access Social Security numbers. The keystroke capture program was installed by a relative of an employee in order to capture and read email messages that the staff member was sending. The program was in operation from March 2004 to January 2005 and again from October 2005 to December 15. The affected PC was removed from the office and had its hard drive scanned and cleaned.

 
Information Source:
Dataloss DB
records from this breach used in our total: 16

June 6, 2006 Thomson West
Eagan, Minnesota
BSO PORT

Unknown

A laptop was discovered stolen on or around April 28. The information on the laptop included employee names, Social Security numbers, addresses and phone numbers. Notifications were sent in early June.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 7, 2006 Colorado Mental Health Institute Fort Logan
Denver, Colorado
GOV PHYS

69

A briefcase with paper files was taken from an employee's car while it was at a park on April 21. The briefcase contained paper files with the information of 40 employees and 247 patients. Only 29 employees and 40 patients had their Social Security numbers exposed. Other information included names, addresses, gender and birth dates. Those affected were notified in early June.

 
Information Source:
Dataloss DB
records from this breach used in our total: 69

June 8, 2006 University of Michigan Credit Union
Ann Arbor, Michigan
BSF PHYS

5,000

Paper documents containing personal information of credit union members were stolen from a storage room. The documents were supposed to have been digitally imaged and then shredded. Instead, they were stolen and used to perpetrate identity theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 5,000

June 10, 2006 Nationwide Retirement Solutions
Phoenix, Arizona
BSF PORT

Unknown

The office theft of several laptop computers resulted in the exposure of personal information. City and county employees in Southern Arizona may have had their names, Social Security numbers, birth dates and addresses exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 11, 2006 Denver Election Commission
Denver, Colorado
GOV PHYS

150,000

Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 150,000

June 11, 2006 Adams State College
Alamosa, Colorado
EDU PORT

184 Upward Bound students

A laptop computer stolen from a locked closet at Adams State College contained personally identifiable data belonging to 184 high school students who participated in the college's Upward Bound program over the last four years. The theft occurred on August 14, but it was not until late September that staff realized the computer held students' data.

 
Information Source:
Dataloss DB
records from this breach used in our total: 184

June 12, 2006 Fish & Richardson
Boston, Massachusetts
BSO PORT

1,924

The June 12 home theft of a laptop resulted in the exposure of current and former employee information.  Names and Social Security numbers had once been saved on the laptop.  Three former employees were not notified because their contact information could not be found.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,924

June 12, 2006 Barnard College
New York, New York
EDU HACK

2,250

A hacking incident that was discovered on June 6 may have left the names and Social Security numbers of students and employees exposed.  The computer that was compromised may have allowed the hacker to access information for all students and employees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,250

June 13, 2006 Minnesota State Auditor
St. Paul, Minnesota
GOV PORT

493

Three laptops possibly containing Social Security numbers of employees and recipients of housing and welfare benefits along with other personal information of local governments the auditor oversees have gone missing.

 
Information Source:
Dataloss DB
records from this breach used in our total: 493

June 13, 2006 Oregon Department of Revenue
Salem, Oregon
GOV HACK

2,200

Electronic files containing personal data of Oregon taxpayers may have been compromised by an ex-employee who downloaded a contaminated file from a porn site. The trojan attached to the file may have sent taxpayer information back to the source when the computer was turned on.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,200

June 13, 2006 U.S. Dept of Energy, Hanford Nucear Reservation
Richland, Washington
GOV UNKN

4,000

Current and former workers at the Hanford Nuclear Reservation were notified that their personal information may have been compromised, after police found a 1996 list with workers' names, Social Security numbers, birth dates, work titles, assignments, and telephone numbers in a home during an unrelated investigation.

 
Information Source:
Dataloss DB
records from this breach used in our total: 4,000

June 13, 2006 State of Minnesota
Minneapolis, Minnesota
GOV PORT

Unknown

Three laptops with sensitive information were lost or stolen from the office of a state auditor. The missing laptops may have contained Social Security numbers and other personal information on local government employees. There was no evidence of forced entry and the office is not normally accessible to the general public.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 14, 2006 American International Group (AIG), Indiana Office of Medical Excess, LLC
New York, New York
BSF STAT

930,000

The computer server was stolen on March 31 containing personal information including names, Social Security numbers, birth dates, and some medical and disability information.

UPDATE (1/12/2010) A 28-year-old Indianapolis man was sentenced today to two years in state prison for trying to extort $208,00 from an insurance company after stealing a computer server. In March 2006, the man burglarized the Indianapolis office of AIG Medical Excess, threatening to release clients' personal data on the Internet. The server contained the names of more than 900,000 insured persons, as well as their personal identifying information, and confidential medical information and e-mail communications. At the time of the burglary, the man was an employee of a private security firm that provided security services to the insurance company. On July 23, 2008, Stewart delivered a package to the insurance company. The package included a letter stating that he possessed the stolen server and its confidential data. He asked for $1,000 a week for four years, but the FBI and others intervened. The Indiana State Police, the Indiana Department of Natural Resources, Indianapolis Metropolitan Police Department, and Attorney General also were part of the investigation.

 
Information Source:
Dataloss DB
records from this breach used in our total: 930,000

June 14, 2006 Law Finance Group Holdings, LLC
Reno, Nevada
BSF STAT

1,237

On April 7, the organization discovered that a computer server had been stolen from its office.  The equipment stored information on customers, employees, and prospects.  The information included names, Social Security numbers and addresses.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,237

June 16, 2006 Union Pacific
Omaha, Nebraska
BSO PORT

30,000

On April 29th, an employee's laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 30,000

June 16, 2006 New York State Controller's Office
Albany, New York
GOV PORT

1,300

A state controller data cartridge containing payroll data of employees who work for a variety of state agencies was lost during shipment. The data contained names, salaries, Social Security numbers and home addresses.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,300

June 16, 2006 California Department of Health Services (CDHS)
Sacramento, California
GOV PHYS

1,550

http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/06-41.html

CDHS documents were inappropriately emptied from an employee's cubicle on June 5 and 9 rather than shredded. The documents contained state employees and other individuals applying for employment with the state including names, addresses, Social Security numbers and home and work telephone numbers. They were mostly expired state employment certification lists, but also included requests for personnel action, copies of e-mail messages and handwritten notes.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,550

June 17, 2006 Western Illinios University
Macomb, Illinois
EDU HACK

180,000

http://www.wiu.edu/securityalert/

On June 5th, a hacker compromised a University server that contained names, addresses, credit card numbers and Social Security numbers of people connected to the University.

UPDATE (7/5/06): Number affected reduced from 240,000.

 
Information Source:
Dataloss DB
records from this breach used in our total: 180,000

June 17, 2006 Automatic Data Processing (ADP)
Roseland, New Jersey
BSO DISC

80

Personal and payroll information of workers were intended to be faxed between ADP offices and were mistakenly sent to a third party.

 
Information Source:
Dataloss DB
records from this breach used in our total: 80

June 17, 2006 California Department of Health Services (CDHS)
Sacramento, California
GOV PHYS

1,550

http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/06-41.html

On June 12, a box of Medi-Cal forms from December 2005 were found in the cubicle of a California Dept. of Health Services employee. The claim forms contained the names, addresses, Social Security numbers and prescriptions for beneficiaries or their family members.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,550

June 18, 2006 ING U.S. Financial Services, Jackson Health System
Miami, Florida
BSF PORT

13,000

Two ING laptops that carried sensitive data affecting Jackson Health System hospital workers were stolen in December 2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life insurance enrollment drive in December and included names, birth dates and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 13,000

June 18, 2006 ING U.S. Financial Services
Washington, District Of Columbia
BSF PORT

13,000

A laptop was stolen from an employee's home.  It contained retirement plan information including Social Security numbers of D.C. city employees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 13,000

Breach Total
930,526,448 RECORDS BREACHED
(Please see explanation about this total.)
from 4,427 DATA BREACHES made public since 2005
Showing 251-300 of 4427 results


X

Sign In!

Loading