Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?


Click or unclick the boxes then select go.


Select features, then click GO.



Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.
Breach Total
930,642,074 RECORDS BREACHED
(Please see explanation about this total.)
from 4,404 DATA BREACHES made public since 2005

Save or Print PDF of Entire Breach List including introduction.Save or Print a PDF of Entire Breach List (including introductory FAQ)

Filter breach list before saving or printing PDF. Conduct a search of the Chronology using its sorting features, and Save or Print a PDF of your search results (Select filters)

If you do not have access to PDF, you can print the Chronology in landscape view.

Date Made Public Name Entity Type
June 1, 2006 YMCA of Greater Providence
Providence, Rhode Island
NGO PORT

65,000

A laptop computer containing personal information of members was stolen. The information included credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies.  Those affected were notified.

 
Information Source:
Dataloss DB
records from this breach used in our total: 65,000

February 9, 2007 East Carolina University
Greenville, North Carolina
EDU DISC

65,000 students, alumni, and staff members

http://www.ecu.edu/incident/, 877-328-6660

A programming error resulted in personal information of 65,000 individuals being exposed on the University's Web site. The data has since been removed. Included were names, addresses, SSNs, and in some cases credit card numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 65,000

June 27, 2007 Milwaukee PC
Milwaukee, Wisconsin
BSR DISC

65,000

(414) 258-2275

Credit card information for 65,000 was possibly compromised. A service center noticed a file in their server and was concerned that file could contain customers' credit card numbers and personal information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 65,000

May 28, 2009 Aetna
Hartford, Connecticut
MED HACK

65,000

Aetna has contacted 65,000 current and former employees whose Social Security numbers may have been compromised in a Web site data breach. The breach was a spam campaign showing that the intruders successfully harvested e-mail addresses from the Web site, although it's not clear if SSNs were also obtained. The spam purported to be a response to a job inquiry and requested more personal information. Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach.

UPDATE (6/11/09): Hartford health insurer Aetna Inc. is being sued. The class-action suit was filed in a Pennsylvania District Court and demands credit monitoring, punitive damages, costs and other relief for current, former and potential employees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 65,000

September 7, 2012 University of Miami Health System
Miami, Florida
MED INSD

64,846

Two University of Miami Hospital employees were using patient registration sheets to inappropriately access patient information.  Anyone who was seen at University of Miami Hospital between October 2010 and July 2012 may have been affected.  Patient names, addresses, dates of birth, insurance policy numbers, and reasons for visits were exposed.  The last four digits of patients' Social Security numbers, were exposed in many cases and full Social Security numbers were exposed in some cases. The dishonest employees were terminated immediately and may have sold some of the information to unauthorized parties.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 64,846

March 24, 2006 California State Employment Development Division
Sacramento, California
GOV DISC

64,000

A computer glitch sent state Employment Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 64,000

September 15, 2006 University of Texas San Antonio
San Antonio, Texas
EDU HACK

64,000

A hacker may have gained access to student and staff names, addresses and Social Security numbers.  Students who received financial aid or worked at the University were affected.  The breach was discovered during a routine risk assessment of the University's computer servers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 64,000

April 14, 2011 Social Security Administration (SSA)
Baltimore, Maryland
GOV DISC

63,587

The Social Security numbers of living people were made available on the Social Security Administration's Death Master File.  This happened twice.  Between July of 2006 and January 0f 2009 26,930 people had their Social Security numbers and other identifying information exposed. A warning from the SSA's Office of the Inspector General about privacy risks associated with the report was not enough to prevent the second incident. Between May 2007 and April of 2010 36,657 people had their full names, Social Security numbers, dates of birth, and last known ZIP code exposed.

 
Information Source:
Databreaches.net
records from this breach used in our total: 63,587

October 13, 2011 Neurological Institute of Savannah and Center for Spine (NIOS)
Savannah, Georgia
MED PORT

63,425

Patients with questions may call 1 (888) 613-3688.

The July 2 car theft of a computer hard drive may have exposed patient information.  Patients who visited NIOS between January 1, 2006 and July 2, 2011 could have had their names, Social Security numbers, addresses, dates of birth, telephone numbers, and billing account data obtained. 

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 63,425

February 23, 2007 ADC Telecommunications Inc., Flex Compensation
St. Louis Park, Minnesota
BSR PORT

63,400

A laptop was stolen from ADC's benefits administrator. Current and former employee names, Social Security numbers, bank account numbers, dates of birth, addresses and other private information were on the laptop.  It is not clear if employees from other companies that use Flex Compensation for benefits administration are among the 63,400 affected individuals.

 
Information Source:
Dataloss DB
records from this breach used in our total: 63,400

December 14, 2006 Electronic Registry Systems
Atlanta, Georgia
MED PORT

63,000

Additional locations: Danville, Pennsylvania, Nashville, TN

On Nov. 23, 2006, two computers (one desktop, one laptop) were stolen from Electronic Registry Systems, a business contractor in suburban Springdale, OH, that provides cancer patient registry data processing services. It contained the personal information (name, date of birth, Social Security number, address, medical record number, medical data and treatment information) of cancer patients from hospitals in Pennsylvania, Tennessee, Ohio and Georgia, dating back to 1977 at some hospitals. Hospitals include Emory Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, as well as Geisinger Health System (PA) and Williamson Medical Center (TN).

UPDATE(1/14/07): The number of affected patients was increased from 25,000 to over 63,000.

 
Information Source:
Dataloss DB
records from this breach used in our total: 63,000

March 12, 2009 Dezonia Group
Chicago, Illinois
BSO PORT

63,000

The city of Chicago bills people for ambulance rides -- $600 and up. It uses a third party, Dezonia Group, for billing. An employee's laptop, containing patient names, addresses and Social Security numbers, was stolen from the company. Reports differ as to whether or not the data was encrypted.

 
Information Source:
Dataloss DB
records from this breach used in our total: 63,000

August 9, 2005 Sonoma State University
Rohnert Park, California
EDU HACK

61,709

Hackers broke into a computer system and may have accessed the names and Social Security numbers of people who applied, attended, or worked at the University between 1995 and 2002.  University officials attempted to notify those who were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 61,709

July 5, 2006 Bisys Group Inc.
Roseland, New Jersey
BSF PORT

61,000

Personal details about 61,000 hedge fund investors were lost when an employee's truck carrying backup tapes was stolen. The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8 when the theft occurred.

 
Information Source:
Dataloss DB
records from this breach used in our total: 61,000

November 3, 2006 Starbucks Corp.
Seattle, Washington
BSR PORT

60,080

1-800-453-1048

Starbucks lost track of four laptop computers. Two held employee names, addresses, and Social Security numbers. Current and former U.S. employees and about 80 Canadian workers and contractors were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 60,080

April 4, 2008 Harley-Davidson, Inc. (HOG)
Milwaukee, Wisconsin
BSO PORT

60,000

A laptop computer containing certain HOG members' personal information was determined to be missing from their facilities. The personal information stored on the computer included names, addresses, credit card numbers, their expiration dates, and driver's license numbers.

 
Information Source:
Media
records from this breach used in our total: 60,000

December 10, 2010 University of Wisconsin - Madison
Madison, Wisconsin
EDU HACK

60,000

Some records of people affiliated with UW Madison were hacked into. The University discovered the breach on October 26 and sent notification to many former students, faculty and staff on November 30. One of the files had the photo ID of former students with their Social Security numbers embedded in the ID numbers and cardholder names. Only students enrolled prior to 2008 would have had their Social Security numbers exposed. It is unclear how far back the records date.

 
Information Source:
Databreaches.net
records from this breach used in our total: 60,000

November 26, 2008 Luxottica Group, Things Remembered
Mason, Ohio
BSR HACK

59,419

A routine check by the information technology department discovered that a hacker had been inside a computer mainframe and downloaded the personal information of former workers. The victims lost names, addresses and Social Security numbers to the hacker.

 
Information Source:
Dataloss DB
records from this breach used in our total: 59,419

March 16, 2005 California State University, Chico
Chico, California
EDU HACK

59,000

A university housing and food service computer server containing names and Social Security numbers of faculty, staff, students, former students, and prospective students was hacked.

 
Information Source:
Dataloss DB
records from this breach used in our total: 59,000

March 7, 2009 Idaho National Laboratory
Idaho Falls, Idaho
GOV PORT

59,000

Idaho's Congressional Delegation this week announced a potential identity theft threat involving information from 59,000 present and former workers at the Idaho National Laboratory at Idaho Falls. DOE notified delegation members that an encoded disc containing personal data from the employees was either lost or stolen in transit via United Parcel Service. The package, originally shipped from New York to Maryland, was found damaged.

 
Information Source:
Dataloss DB
records from this breach used in our total: 59,000

July 12, 2010 Connecticut Department of Education, State Teachers' Retirement Board
Hartford, Connecticut
GOV PORT

58,000

An encrypted flash drive containing 2007-2008 Connecticut Teachers' Retirement Board member annual statement data has been lost or stolen. It is unlikely that outside parties could read the pension and employment credit.

UPDATE (8/5/10): The total number of retirees exposed to ID theft is reported as 58,000.

 
Information Source:
Databreaches.net
records from this breach used in our total: 58,000

June 19, 2008 Aon Consulting
Chicago, Illinois
BSF PORT

57,160

Verizon Inc. applicants were affected.

A laptop used to collect pre-employment screening information for Verizon Inc. employees was stolen from a restaurant in May of 2008.  The personal information included names and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 57,160

July 13, 2005 Arizona Biodyne
Phoenix, Arizona
MED PORT

57,000

Arizona Biodyne is an affiliate of Magellan Health Services and manages behavioral health for Blue Cross of Arizona.

A safe with computer backup tapes containing financial, personal and medical records was stolen from Arizona Biodyne.  Policyholders' addresses, phone numbers, dates of birth and Social Security numbers were among the personal information lost.  Partial treatment histories and doctor information for some patients was also lost.  

 
Information Source:
Dataloss DB
records from this breach used in our total: 57,000

March 31, 2008 Advance Auto Parts
Roanoke, Virginia
BSR HACK

56,000

The retailer reported that a network intrusion had exposed financial information and was the subject of a criminal investigation. Fourteen of the retailer's stores, including locations in Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York, are believed to have been affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 56,000

October 28, 2010 Emergency Medical Services Bureau
Baton Rouge, Louisiana
GOV HACK

56,000

The Louisiana Department of Health and Hospitals notified emergency medical technicians that a hacker may have had access to their names, Social Security numbers and other personal information. The incident occurred on September 17 and a lack of funding for letters and postage caused a delay in notification.

 
Information Source:
Databreaches.net
records from this breach used in our total: 56,000

May 31, 2013 RentPath, Inc. (Primedia)
Norcross, Georgia
BSO INSD

56,000

An independent contractor with access to Primedia's network operations group was found to have stolen hardware.  The issue was discovered on June 20, 2012.  Applicants, employees, and former employees may have had several different types of personal information stolen. Approximately 56,000 Social Security numbers were discovered among the various types of information.  Approximately 30,000 former employees, employees, and applicants were identified and notified of the breach.  The other 26,000 have yet to be identified.

 
Information Source:
California Attorney General
records from this breach used in our total: 56,000

May 16, 2008 Chester County School District
Downingtown, Pennsylvania
EDU HACK

55,000

A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including names, addresses and Social Security numbers, of more than 50,000 people were accessed. The student apparently used a flash drive to save the personal data of about 40,000 taxpayers and 15,000 students.

 
Information Source:
Media
records from this breach used in our total: 55,000

July 7, 2008 Florida Agency for Health Care Administration
Tallahassee, Florida
GOV DISC

55,000

A computer flaw in the Organ and Tissue Donor Registry database may have exposed thousands of donors' personal information, including their Social Security numbers. Other data included donors' names, addresses, birth dates and drivers' license numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 55,000

August 28, 2012 Cancer Care Group
Indianapolis, Indiana
MED PORT

55,000

An employee's computer bag was stolen on July 19.  The bag contained a computer server back-up that had patient and employee names, Social Security numbers, dates of birth, insurance information, medical record numbers, limited clinical information, and addresses.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 55,000

April 11, 2014 Veterans Of Foreign Wars Of The United States
Kansas City, Missouri
NGO HACK

55,000

The office of The Veterans Of Foreign Wars Of The United States notified members that an unauthorized party accessed VFW's webserver through the use of a trojan and malicious code. The hacker, thought to be in China, was able to download tables containing the names, addresses, Social Security numbers of approximately 55,000 VFW members.

The motivation of the hacker, according to IT experts, was to gain access to information regarding military plans or contracts and not for purposes of identity theft, although they have not ruled that out.

VFW is providing 12 months free of AllClearID. Members can call 1-855-398-6437 with any questions. A security code must be provided and was provided in the letter sent to those affected.

 
Information Source:
California Attorney General
records from this breach used in our total: 55,000

September 10, 2014 Bartell Hotels
San Diego, California
BSO HACK

55,000

Bartell Hotels, who operates several hotels in San Diego, has announced that they have suffered a data breach of customer credit card information.

The Best Western Plus Island Palms Hotel & Marina, The Dana on Mission Bay, Humphreys Half Moon Inn & Suites, Pacific Terrace Hotel and Days Hotel – Hotel Circle had names, credit card numbers and credit card expiration dates of customers who stayed at these hotels between February 16, 2014 and May 13, 2014 breached. 

The breach could have affected up to 55,000 individuals.

For those affected, they can contact a representative at  877-437-4010 Monday through Saturday 8 a.m. to 8 p.m. CT with questions or concerns.


More Information
: http://www.nbcsandiego.com/news/local/Data-Security-Breach-Reported-at-San-Diego-Hotels-274421341.html#ixzz3CvzjLpSG

 
Information Source:
Media
records from this breach used in our total: 55,000

July 7, 2010 University of Hawai'i
Honolulu, Hawaii
EDU STAT

53,000

53,000 people may have had their personal information exposed after a breach to the University of Hawai'i computer system was discovered. The university released statement  that more than 40,000 Social Security numbers and 200 credit card numbers were part of the exposed information that was housed on a computer server used by the Mānoa campus parking office.

 
Information Source:
Dataloss DB
records from this breach used in our total: 53,000

October 15, 2010 University of North Florida
Jacksonville, Florida
EDU HACK

106,884 (52,853 SSNs reported)

A hacker from outside of the country may have accessed applicant information sometime between September 24 and September 29.  The information was mostly recruiting information and may have involved names, ACT and SAT scores, dates of birth and Social Security numbers.

 
Information Source:
Databreaches.net
records from this breach used in our total: 52,853

September 5, 2009 Mitsubishi Corp.
New York, New York
BSR HACK

52,000

A Mitsubishi Corp. Internet shopping unit lost credit card details on 52,000 customers after its servers were hacked from overseas. The company has informed customers and relevant authorities of the leaks and has suspended the Web site until it can improve the system.

 
Information Source:
Dataloss DB
records from this breach used in our total: 52,000

August 4, 2006 PSA HealthCare
Norcross, Georgia
MED PHYS

51,000 current and former patients

(866) 752-5259

A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

July 24, 2007 St. Vincent Hospital, Verus, Inc.
Indianapolis, Indiana
MED DISC

51,000

Saint Vincent used subcontractor Verus Inc. to set up an online bill payment for patients.  For a "brief" period of time, personal information was left unprotected and available online.  The security lapse compromised names, addresses and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

March 22, 2008 Agilent Technologies
Santa Clara, California
BSO PORT

51,000

A laptop containing sensitive and unencrypted personal data on current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor. The data includes employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards. Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - in violation of the contracted agreement.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

June 27, 2008 Montgomery Ward
Cedar Rapids, Iowa
BSR HACK

51,000

Hackers extracted information from an online database that held credit card account information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

December 17, 2009 North Carolina Libraries
Raleigh, North Carolina
EDU HACK

51,000

Library users at 25 campuses were the victims of a security breach in August. The libraries collect driver's license and Social Security numbers to help identify computer users. The information is stored on a central server in Raleigh. Other campuses affected are Alamance, Beaufort, Bladen, Blue Ridge, Brunswick, Central Carolina, College of the Albemarle, Gaston, Halifax, Haywood, Lenoir, Martin, Nash, Pamlico, Piedmont, Richmond, Roanoke-Chowan, Rowan-Cabarrus, Sandhills, Southwestern, Tri-County, Vance Granville and Wilson.

 
Information Source:
Dataloss DB
records from this breach used in our total: 51,000

June 29, 2006 Minnesota Department of Revenue
St. Paul, Minnesota
GOV PORT

50,400

http://www.taxes.state.mn.us/taxes/publications/press_releases/content/taxpayer_information.shtml

On May 16, a package containing a data tape used to back up the regional office's computers went missing during delivery. The tape contained personal information including individuals' names, addresses, and Social Security numbers.

UPDATE (7/20/06): The package was reported delivered 2 months later, but apparently had been temporarily lost by the U.S. Postal Service.

 
Information Source:
Dataloss DB
records from this breach used in our total: 50,400

November 4, 2005 Keck School of Medicine, University of Southern California (USC)
Los Angeles, California
EDU STAT

50,000

A computer server containing names and Social Security numbers of patients, donors and employees was stolen from a campus computer room.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 50,000

September 25, 2006 General Electric (GE)
Fairfield, Connecticut
BSO PORT

50,000 employees

An employee's laptop computer holding the names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business.

 
Information Source:
Dataloss DB
records from this breach used in our total: 50,000

January 26, 2007 WellPoint's Anthem Blue Cross Blue Shield
Richmond, Virginia
MED PORT

50,000

(800) 284-9779

Cassette tapes containing customer information were stolen from a lock box held by one of its vendors. Data included names and SSNs.

 
Information Source:
Dataloss DB
records from this breach used in our total: 50,000

February 9, 2010 California Department of Health Care Services
Sacramento, California
GOV DISC

50,000

The personal security of nearly 50,000 people may have been breached by the California Department of Health Care Services. Social Security numbers were printed on the address labels of letters that were mailed by the department. State employees mistakenly included the numbers in a list of patient addresses. The list was sent to an outside contractor, who printed and mailed the envelopes.

 
Information Source:
Dataloss DB
records from this breach used in our total: 50,000

February 25, 2012 Piedmont Behavioral Healthcare (PBH), Alamance-Caswell LME (AC LME)
Concord, North Carolina
MED DISC

50,000

A miscommunication caused AC LME to lose access to servers containing sensitive health information.  An Alamance County employee mistakenly changed a lock on the facility that housed data servers for AC LME.  It appears that AC LME forgot to inform the county that AC LME was extending a contract for server maintenance.  Former consumers of AC LME, including those who became PBH consumers on October 1, 2011, may have had their personal health information stored on these servers. The servers are now in the possession of the county and could contain the names, Social Security numbers, medical record identification numbers, addresses, and diagnoses of AC LME consumers. LME officials have not had access to the server room without being monitored by a county employee or with the forensics team assigned to examine the servers.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 50,000

May 30, 2014 Arkansas State University College of Education and Behavioral Science's Department of Childhood Services
Jonesboro, Arkansas
EDU HACK

50,000

Arkansas State University was notified by the Arkansas Department of Human Services of a data breach in their College of Education and Behavioral Science's Department of Childhood Services database, potentially exposing personally identifiable information.

According to A-State's Chief Information Officer Henry Torres,  “we have confirmed unauthorized access to data, but we have no reports regarding illegal use of the information in these files,” Torres said. “We took immediate measures to address this issue after being notified by DHS. We are cooperating with DHS and working with programmers to assess and resolve the situation.”

The breached involved a database related to the "Traveling Arkansas Professional Pathways (TAPP) Registry, which is a professional development system designed to track and facilitate training and continuing education for early childhood practictioners in Arkansas."

To date, the university has stated that Social Security numbers were compromised in the database, no other information as to the specific data was provided by the university.

 
Information Source:
Media
records from this breach used in our total: 50,000

April 11, 2008 New York-Presbyterian Hospital, Weill Cornell Medical Center
New York, New York
MED INSD

49,841

An admissions employee is accused of selling 2,000 patients' data in an identity theft scheme and accessing nearly 50,000 records illegitimately. Records contained names, phone numbers and, in some cases, Social Security numbers of patients. The employee has since been charged with one count of conspiracy involving computer fraud, identity document fraud, transmission of stolen property and sale of stolen property.

 
Information Source:
Dataloss DB
records from this breach used in our total: 49,841

July 21, 2005 University of Colorado, Boulder
Boulder, Colorado
EDU HACK

49,000

Prospective students, current students, staff, faculty and University health care service recipients may have had their data exposed in a campus server breach.  The information included names, Social Security numbers, addresses, student ID numbers, birth dates, and lab test information. The University mailed letters and sent emails to the individuals affected.

UPDATE (08/20/2005) The number of students affected was increased from an estimate of 42,000 to 49,000.

 
Information Source:
Dataloss DB
records from this breach used in our total: 49,000

August 19, 2005 University of Colorado
Denver, Colorado
EDU HACK

49,000

A hacker may have gained access to personal information from June of 1999 to May of 2001, and fall of 2003 to summer of 2005.  The information included current and former student names, Social Security numbers, addresses and phone numbers.  The University contacted individuals who were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 49,000

August 14, 2013 Michigan Department of Community Health, Michigan Cancer Consortium
Lansing, Michigan
MED HACK

49,000

A server for the Michican Cancer Consortium that housed names, Social Security numbers, dates of birth, cancer screening test results, and testing dates was hacked.  The Michigan Department of Community Health claimed that the breach should not fall under strict HIPAA regulations because testing records, rather than medical records, were affected.

 
Information Source:
Media
records from this breach used in our total: 49,000

Breach Total
930,642,074 RECORDS BREACHED
(Please see explanation about this total.)
from 4,404 DATA BREACHES made public since 2005
Showing 301-350 of 4404 results


X

Sign In!

Loading