Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Breach Total
864,188,052 RECORDS BREACHED
(Please see explanation about this total.)
from 4,252 DATA BREACHES made public since 2005


Date Made Public Name Entity Type
March 12, 2009 Dezonia Group
Chicago, Illinois
BSO PORT

63,000

The city of Chicago bills people for ambulance rides -- $600 and up. It uses a third party, Dezonia Group, for billing. An employee's laptop, containing patient names, addresses and Social Security numbers, was stolen from the company. Reports differ as to whether or not the data was encrypted.

 
Information Source:
Dataloss DB
records from this breach used in our total: 63,000

August 9, 2005 Sonoma State University
Rohnert Park, California
EDU HACK

61,709

Hackers broke into a computer system and may have accessed the names and Social Security numbers of people who applied, attended, or worked at the University between 1995 and 2002.  University officials attempted to notify those who were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 61,709

July 5, 2006 Bisys Group Inc.
Roseland, New Jersey
BSF PORT

61,000

Personal details about 61,000 hedge fund investors were lost when an employee's truck carrying backup tapes was stolen. The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8 when the theft occurred.

 
Information Source:
Dataloss DB
records from this breach used in our total: 61,000

November 3, 2006 Starbucks Corp.
Seattle, Washington
BSR PORT

60,080

1-800-453-1048

Starbucks lost track of four laptop computers. Two held employee names, addresses, and Social Security numbers. Current and former U.S. employees and about 80 Canadian workers and contractors were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 60,080

April 4, 2008 Harley-Davidson, Inc. (HOG)
Milwaukee, Wisconsin
BSO PORT

60,000

A laptop computer containing certain HOG members' personal information was determined to be missing from their facilities. The personal information stored on the computer included names, addresses, credit card numbers, their expiration dates, and driver's license numbers.

 
Information Source:
Media
records from this breach used in our total: 60,000

December 10, 2010 University of Wisconsin - Madison
Madison, Wisconsin
EDU HACK

60,000

Some records of people affiliated with UW Madison were hacked into. The University discovered the breach on October 26 and sent notification to many former students, faculty and staff on November 30. One of the files had the photo ID of former students with their Social Security numbers embedded in the ID numbers and cardholder names. Only students enrolled prior to 2008 would have had their Social Security numbers exposed. It is unclear how far back the records date.

 
Information Source:
Databreaches.net
records from this breach used in our total: 60,000

November 26, 2008 Luxottica Group, Things Remembered
Mason, Ohio
BSR HACK

59,419

A routine check by the information technology department discovered that a hacker had been inside a computer mainframe and downloaded the personal information of former workers. The victims lost names, addresses and Social Security numbers to the hacker.

 
Information Source:
Dataloss DB
records from this breach used in our total: 59,419

March 16, 2005 California State University, Chico
Chico, California
EDU HACK

59,000

A university housing and food service computer server containing names and Social Security numbers of faculty, staff, students, former students, and prospective students was hacked.

 
Information Source:
Dataloss DB
records from this breach used in our total: 59,000

March 7, 2009 Idaho National Laboratory
Idaho Falls, Idaho
GOV PORT

59,000

Idaho's Congressional Delegation this week announced a potential identity theft threat involving information from 59,000 present and former workers at the Idaho National Laboratory at Idaho Falls. DOE notified delegation members that an encoded disc containing personal data from the employees was either lost or stolen in transit via United Parcel Service. The package, originally shipped from New York to Maryland, was found damaged.

 
Information Source:
Dataloss DB
records from this breach used in our total: 59,000

July 12, 2010 Connecticut Department of Education, State Teachers' Retirement Board
Hartford, Connecticut
GOV PORT

58,000

An encrypted flash drive containing 2007-2008 Connecticut Teachers' Retirement Board member annual statement data has been lost or stolen. It is unlikely that outside parties could read the pension and employment credit.

UPDATE (8/5/10): The total number of retirees exposed to ID theft is reported as 58,000.

 
Information Source:
Databreaches.net
records from this breach used in our total: 58,000

June 19, 2008 Aon Consulting
Chicago, Illinois
BSF PORT

57,160

Verizon Inc. applicants were affected.

A laptop used to collect pre-employment screening information for Verizon Inc. employees was stolen from a restaurant in May of 2008.  The personal information included names and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 57,160

July 13, 2005 Arizona Biodyne
Phoenix, Arizona
MED PORT

57,000

Arizona Biodyne is an affiliate of Magellan Health Services and manages behavioral health for Blue Cross of Arizona.

A safe with computer backup tapes containing financial, personal and medical records was stolen from Arizona Biodyne. Policyholders' addresses, phone numbers, dates of birth and Social Security numbers were among the personal information lost. Partial treatment histories and doctor information for some patients were also lost.

 
Information Source:
Dataloss DB
records from this breach used in our total: 57,000

March 31, 2008 Advance Auto Parts
Roanoke, Virginia
BSR HACK

56,000

The retailer reported that a network intrusion had exposed financial information and was the subject of a criminal investigation. Fourteen of the retailer's stores, including locations in Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York, are believed to have been affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 56,000

October 28, 2010 Emergency Medical Services Bureau
Baton Rouge, Louisiana
GOV HACK

56,000

The Louisiana Department of Health and Hospitals notified emergency medical technicians that a hacker may have had access to their names, Social Security numbers and other personal information. The incident occurred on September 17 and a lack of funding for letters and postage caused a delay in notification.

 
Information Source:
Databreaches.net
records from this breach used in our total: 56,000

May 31, 2013 RentPath, Inc. (Primedia)
Norcross, Georgia
BSO INSD

56,000

An independent contractor with access to Primedia's network operations group was found to have stolen hardware.  The issue was discovered on June 20, 2012.  Applicants, employees, and former employees may have had several different types of personal information stolen. Approximately 56,000 Social Security numbers were discovered among the various types of information.  Approximately 30,000 former employees, employees, and applicants were identified and notified of the breach.  The other 26,000 have yet to be identified.

 
Information Source:
California Attorney General
records from this breach used in our total: 56,000

May 16, 2008 Chester County School District
Downingtown, Pennsylvania
EDU HACK

55,000

A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including names, addresses and Social Security numbers, of more than 50,000 people was accessed. The student apparently used a flash drive to save the personal data of about 40,000 taxpayers and 15,000 students.

 
Information Source:
Media
records from this breach used in our total: 55,000

July 7, 2008 Florida Agency for Health Care Administration
Tallahassee, Florida
GOV DISC

55,000

A computer flaw in the Organ and Tissue Donor Registry database may have exposed thousands of donors' personal information, including their Social Security numbers. Other data included donors' names, addresses, birth dates and drivers' license numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 55,000

August 28, 2012 Cancer Care Group
Indianapolis, Indiana
MED PORT

55,000

An employee's computer bag was stolen on July 19.  The bag contained a computer server back-up that had patient and employee names, Social Security numbers, dates of birth, insurance information, medical record numbers, limited clinical information, and addresses.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 55,000

April 11, 2014 Veterans Of Foreign Wars Of The United States
Kansas City, Missouri
GOV HACK

55,000

The office of The Veterans Of Foreign Wars Of The United States notified members that an unauthorized party accessed VFW's webserver through the use of a trojan and malicious code. The hacker, thought to be in China, was able to download tables containing the names, addresses, Social Security numbers of approximately 55,000 VFW members.

The motivation of the hacker, according to IT experts, was to gain access to information regarding military plans or contracts and not for purposes of identity theft, although they have not ruled that out.

VFW is providing 12 months free of AllClearID. Members can call 1-855-398-6437 with any questions. A security code must be provided and was provided in the letter sent to those affected.

 
Information Source:
California Attorney General
records from this breach used in our total: 55,000

July 7, 2010 University of Hawai'i
Honolulu, Hawaii
EDU STAT

53,000

53,000 people may have had their personal information exposed after a breach to the University of Hawai'i computer system was discovered. The university released a statement that more than 40,000 Social Security numbers and 200 credit card numbers were part of the exposed information that was housed on a computer server used by the Mānoa campus parking office.

 
Information Source:
Dataloss DB
records from this breach used in our total: 53,000

October 15, 2010 University of North Florida
Jacksonville, Florida
EDU HACK

106,884 (52,853 SSNs reported)

A hacker from outside of the country may have accessed applicant information sometime between September 24 and September 29.  The information was mostly recruiting information and may have involved names, ACT and SAT scores, dates of birth and Social Security numbers.

 
Information Source:
Databreaches.net
records from this breach used in our total: 52,853

September 5, 2009 Mitsubishi Corp.
New York, New York
BSR HACK

52,000

A Mitsubishi Corp. Internet shopping unit lost credit card details on 52,000 customers after its servers were hacked from overseas. The company has informed customers and relevant authorities of the leaks and has suspended the Web site until it can improve the system.

 
Information Source:
Dataloss DB
records from this breach used in our total: 52,000

August 4, 2006 PSA HealthCare
Norcross, Georgia
MED PHYS

51,000 current and former patients

(866) 752-5259

A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

July 24, 2007 St. Vincent Hospital, Verus, Inc.
Indianapolis, Indiana
MED DISC

51,000

Saint Vincent used subcontractor Verus Inc. to set up an online bill payment for patients.  For a "brief" period of time, personal information was left unprotected and available online.  The security lapse compromised names, addresses and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

March 22, 2008 Agilent Technologies
Santa Clara, California
BSO PORT

51,000

A laptop containing sensitive and unencrypted personal data on current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor. The data includes employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards. Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - in violation of the contracted agreement.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

June 27, 2008 Montgomery Ward
Cedar Rapids, Iowa
BSR HACK

51,000

Hackers extracted information from an online database that held credit card account information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

December 17, 2009 North Carolina Libraries
Raleigh, North Carolina
EDU HACK

51,000

Library users at 25 campuses were the victims of a security breach in August. The libraries collect driver's license and Social Security numbers to help identify computer users. The information is stored on a central server in Raleigh. Other campuses affected are Alamance, Beaufort, Bladen, Blue Ridge, Brunswick, Central Carolina, College of the Albemarle, Gaston, Halifax, Haywood, Lenoir, Martin, Nash, Pamlico, Piedmont, Richmond, Roanoke-Chowan, Rowan-Cabarrus, Sandhills, Southwestern, Tri-County, Vance Granville and Wilson.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

June 29, 2006 Minnesota Department of Revenue
St. Paul, Minnesota
GOV PORT

50,400

http://www.taxes.state.mn.us/taxes/publications/press_releases/content/taxpayer_information.shtml

On May 16, a package containing a data tape used to back up the regional office's computers went missing during delivery. The tape contained personal information including individuals' names, addresses, and Social Security numbers.

UPDATE (7/20/06): The package was reported delivered 2 months later, but apparently had been temporarily lost by the U.S. Postal Service.

 
Information Source:
Dataloss DB
records from this breach used in our total: 50,400

November 4, 2005 Keck School of Medicine, University of Southern California (USC)
Los Angeles, California
EDU STAT

50,000

A computer server containing names and Social Security numbers of patients, donors and employees was stolen from a campus computer room.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 50,000

September 25, 2006 General Electric (GE)
Fairfield, Connecticut
BSO PORT

50,000 employees

An employee's laptop computer holding the names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business.

 
Information Source:
Dataloss DB
records from this breach used in our total: 50,000

January 26, 2007 WellPoint's Anthem Blue Cross Blue Shield
Richmond, Virginia
MED PORT

50,000

(800) 284-9779

Cassette tapes containing customer information were stolen from a lock box held by one of its vendors. Data included names and SSNs.

 
Information Source:
Dataloss DB
records from this breach used in our total: 50,000

February 9, 2010 California Department of Health Care Services
Sacramento, California
GOV DISC

50,000

The personal security of nearly 50,000 people may have been breached by the California Department of Health Care Services. Social Security numbers were printed on the address labels of letters that were mailed by the department. State employees mistakenly included the numbers in a list of patient addresses. The list was sent to an outside contractor, who printed and mailed the envelopes.

 
Information Source:
Dataloss DB
records from this breach used in our total: 50,000

February 25, 2012 Piedmont Behavioral Healthcare (PBH), Alamance-Caswell LME (AC LME)
Concord, North Carolina
MED DISC

50,000

A miscommunication caused AC LME to lose access to servers containing sensitive health information.  An Alamance County employee mistakenly changed a lock on the facility that housed data servers for AC LME.  It appears that AC LME forgot to inform the county that AC LME was extending a contract for server maintenance.  Former consumers of AC LME, including those who became PBH consumers on October 1, 2011, may have had their personal health information stored on these servers. The servers are now in the possession of the county and could contain the names, Social Security numbers, medical record identification numbers, addresses, and diagnoses of AC LME consumers. LME officials have not had access to the server room without being monitored by a county employee or with the forensics team assigned to examine the servers.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 50,000

April 11, 2008 New York-Presbyterian Hospital, Weill Cornell Medical Center
New York, New York
MED INSD

49,841

An admissions employee is accused of selling 2,000 patients' data in an identity theft scheme and accessing nearly 50,000 records illegitimately. Records contained names, phone numbers and, in some cases, Social Security numbers of patients. The employee has since been charged with one count of conspiracy involving computer fraud, identity document fraud, transmission of stolen property and sale of stolen property.

 
Information Source:
Dataloss DB
records from this breach used in our total: 49,841

July 21, 2005 University of Colorado, Boulder
Boulder, Colorado
EDU HACK

49,000

Prospective students, current students, staff, faculty and University health care service recipients may have had their data exposed in a campus server breach.  The information included names, Social Security numbers, addresses, student ID numbers, birth dates, and lab test information. The University mailed letters and sent emails to the individuals affected.

UPDATE (08/20/2005) The number of students affected was increased from an estimate of 42,000 to 49,000.

 
Information Source:
Dataloss DB
records from this breach used in our total: 49,000

August 19, 2005 University of Colorado
Denver, Colorado
EDU HACK

49,000

A hacker may have gained access to personal information from June of 1999 to May of 2001, and fall of 2003 to summer of 2005.  The information included current and former student names, Social Security numbers, addresses and phone numbers.  The University contacted individuals who were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 49,000

August 14, 2013 Michigan Department of Community Health, Michigan Cancer Consortium
Lansing, Michigan
MED HACK

49,000

A server for the Michigan Cancer Consortium that housed names, Social Security numbers, dates of birth, cancer screening test results, and testing dates was hacked. The Michigan Department of Community Health claimed that the breach should not fall under strict HIPAA regulations because testing records, rather than medical records, were affected.

 
Information Source:
Media
records from this breach used in our total: 49,000

September 28, 2007 Wal-Mart Stores Inc.
Bentonville, Arkansas
BSR INSD

48,686

A Wal-Mart associate took confidential information relating to a group of associates. The former associate was not authorized to retain the information after ending his employment with Wal-Mart. Associate names, Social Security numbers, Wal-Mart job codes and compensation information were exposed. The incident occurred on August 15.

 
Information Source:
Dataloss DB
records from this breach used in our total: 48,686

May 12, 2006 Mercantile Potomac Bank
Gaithersburg, Maryland
BSF PORT

48,000

A laptop containing confidential information about customers, including Social Security numbers and account numbers, was stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates. The bank contacted affected customers and offered them one year of free credit monitoring services.

 
Information Source:
Dataloss DB
records from this breach used in our total: 48,000

February 9, 2009 Federal Aviation Administration
Washington, District Of Columbia
GOV HACK

43,000 Total increased to 48,000

Hackers broke into the Federal Aviation Administration's computer system, accessing the names and Social Security numbers of employees and retirees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 48,000

May 1, 2007 JP Morgan
Chicago, Illinois
BSF PORT

47,000

A computer tape containing personal information of wealthy bank clients and some employees was delivered to a secure off-site facility for storage but was later reported missing.

 
Information Source:
Dataloss DB
records from this breach used in our total: 47,000

July 16, 2008 Greensboro Gynecology Associates
Greensboro, North Carolina
MED PORT

47,000

A backup tape of patient information was stolen from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members.

 
Information Source:
Dataloss DB
records from this breach used in our total: 47,000

June 24, 2013 Florida State University, Florida Department of Education
Tallahassee, Florida
EDU DISC

47,000

The information of 47,000 Florida teachers was publicly accessible for 14 days after a data transfer at Florida State University.  The information was from teachers participating in state prep programs.  The Department of Education used Florida State University as the contractor for the transfer of teacher data.

UPDATE (06/26/2013): People who participated in Florida teacher preparation programs during the 2009-2010 and 2011-2012 academic years were affected.

 
Information Source:
Media
records from this breach used in our total: 47,000

April 4, 2007 University of California, San Francisco (UCSF)
San Francisco, California
EDU HACK

46,000

(415) 353-8100, isecurity@ucsf.edu

An unauthorized party may have accessed the personal information including names, Social Security numbers, and bank account numbers of students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years by compromising the security of a campus server.

 
Information Source:
Dataloss DB
records from this breach used in our total: 46,000

February 8, 2012 West Virginia Chiefs of Police Association, Alabama Department of Public Safety, Texas Department of Public Safety, City of Mobile Police Department, Texas Police Chiefs Association, Texas Police Association
West Virginia
BSR HACK

46,943 (46,000 SSNs reported)

No city is listed.  Board members, members, and organization officers live throughout West Virginia. People in Mobile, Alabama and Texas were also affected.

A hacker obtained and revealed 156 home addresses, phone numbers, cell phone numbers, email addresses, and usernames of police officers associated with the West Virginia Chiefs of Police Association. Retired police chiefs, and every current police chief in West Virginia had their information exposed. The hacker was associated with Anonymous.

UPDATE (08/24/2012): A hacker associated with the attack on West Virginia Chiefs of Police Association and several other law enforcement associations was caught and sentenced to 27 months in federal prison.  He was also ordered to pay $14,062.17 in restitution.  Alabama Department of Public Safety spreadsheets with information on sex crimes and a database listing descriptions of offenders' cars were posted online. Over 46,000 citizens in the state of Alabama may have had their names, Social Security numbers, license plate numbers, dates of birth, phone numbers, addresses, and criminal records accessed by hackers who attacked the City of Mobile Police Department. A total of 787 police officer names, usernames, plain text passwords, addresses, and other agency information from The Texas Police Association was posted online.  The Wisconsin Chiefs of Police Association, the Texas Department of Public Safety, the Dallas Police Department, and the Texas Police Chiefs Association also experienced hack attacks.

 
Information Source:
Databreaches.net
records from this breach used in our total: 46,000

August 13, 2010 Holyoke Medical Center, Caritas Carney Hospital, Milton Hospital, Milford Hospital
Georgetown, Massachusetts
MED PHYS

45,600

At least 32,750 files were found at the Georgetown Transfer Station in Georgetown, MA. Holyoke Medical Center is located in Holyoke, MA. Carney Hospital is located in Dorchester, MA. Milton Hospital is located in Milton, MA. Milford Hospital is located in Milford, MA.

 

A large pile of medical records was found at Georgetown Transfer Station public dump. The reports contained names, addresses, diagnosis, Social Security numbers, and insurance information. A medical billing company known as Goldthwait Associates is believed to be responsible. The medical records are mostly from pathology patients served at the hospitals between 2007 and March of 2010.

UPDATE (9/2/10): Holyoke reported that 24,750 patients were affected.  The exact number of patients affected from other medical centers is still unknown. Between 8,000 and 12,000 patients of Milton Hospital were affected.

UPDATE (10/11/10): Milton Pathology Associates, P.C. reported that a prior owner of Goldthwait Associates improperly disposed of patient information. Eleven thousand patients were affected.  Milford Regional Medical Center reports that the incident affected 19,750 patients.

UPDATE (01/07/2013): People associated with Goldthwait Associates, Chestnust Pathology Services, Milford Pathology Associates, Milton Pathology Associates, and Pioneer Valley Pathology Associates agreed to collectively pay $140,000 to settle allegations related to the breach.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 45,600

May 29, 2008 State Street Corp, Investors Financial Services
Boston, Massachusetts
BSF STAT

45,500

Computer equipment containing personal information on customers and employees of a State Street unit was stolen. The computer equipment was stolen from a vendor hired by Investors Financial Services to provide legal support services. The personal information included names, addresses and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 45,500

June 23, 2009 Cornell University
Ithaca, New York
EDU PORT

45,277

A stolen Cornell University computer has compromised the personal information of thousands of members of the University community. The computer contains the names and Social Security numbers of current and former students as well as current and former faculty and staff members.

 
Information Source:
Dataloss DB
records from this breach used in our total: 45,277

February 12, 2005 Science Applications International Corp. (SAIC)
San Diego, California
BSO STAT

45,000 employees

On January 25 thieves broke into a SAIC facility and stole computers containing personal information of past and current employees. Stolen information included names, Social Security numbers, addresses, phone numbers and records of financial transactions.

 
Information Source:
Dataloss DB
records from this breach used in our total: 45,000

May 22, 2007 University of Colorado, Boulder
Boulder, Colorado
EDU HACK

45,000

 Hotline: (303) 492-1655

A hacker launched a worm that attacked a University computer server used by the College of Arts and Sciences. Information for 45,000 students enrolled at UC-B from 2002 to the present was exposed, including SSNs. The breach was discovered May 12. Apparently anti-virus software had not been properly configured.

 
Information Source:
Dataloss DB
records from this breach used in our total: 45,000

Showing 301-350 of 4252 results

