Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Breach Total
929,676,448 RECORDS BREACHED
(Please see explanation about this total.)
from 4,419 DATA BREACHES made public since 2005


Date Made Public Name Entity Type
April 28, 2005 Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp
Hackensack, New Jersey
BSF INSD

676,000

Note: location listed is the corporate headquarters of Bank of America, not necessarily where the breach occurred.

Bank employees illegally sold account information to someone posing as a collection agency. Customers affected were notified and received one year of free credit monitoring services.

 
Information Source:
Dataloss DB
records from this breach used in our total: 676,000

April 19, 2008 Central Collection Bureau
Indianapolis, Indiana
BSO STAT

700,000

A computer server containing Social Security numbers and other personal information was stolen last month from a Southside debt-collection bureau. The information includes customer-billing records for Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group.

 
Information Source:
Dataloss DB
records from this breach used in our total: 700,000

November 6, 2008 Express Scripts
St. Louis, Missouri
BSO UNKN

700,000

Express Scripts has received a letter demanding money from the company under the threat of exposing records of millions of patients. The letter included personal information on 75 people covered by Express Scripts, including birth dates, Social Security numbers and prescription information. Express manages prescription benefits for roughly 50 million people.

UPDATE 10/1/09: Express Scripts notified about 700,000 consumers that their records may have been breached.

 
Information Source:
Dataloss DB
records from this breach used in our total: 700,000

May 12, 2012 Hewlett Packard, California Department of Social Services
Riverside, California
GOV PORT

701,000

Around 700,000 caregivers and care recipients had their information lost or stolen during transit between Hewlett Packard and the State Compensation Insurance Fund in Riverside, California.  A package that originally contained microfiche with payroll data entries and possibly other sensitive information arrived via U.S. Postal Service damaged and missing thousands of payroll data entries. Names, wages, Social Security numbers, and state identification numbers were exposed. A total of 375,000 In-Home Supportive Services workers were affected and 326,000 recipients of In-Home Supportive Services care were affected.

UPDATE (05/30/2013): A total of 748,902 elderly home care recipients and their caretakers were affected.

 
Information Source:
Databreaches.net
records from this breach used in our total: 701,000

July 18, 2006 CS Stars, subsidiary of insurance company Marsh Inc.
Chicago, Illinois
BSF STAT

722,000

On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers' comp fund. The lost data includes SSNs and date of birth but apparently no medical information.

UPDATE (7/26/06): Computer was recovered.

UPDATE (04/26/07): The New York Attorney General's office found that CS Stars violated the state's security breach law. CS Stars must pay the Attorney General's office $60,000 for investigation costs. It was determined that the computer had been stolen by an employee of a cleaning contractor, that the missing computer was located and recovered, and that the data on the missing computer had not been improperly accessed.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 722,000

December 15, 2010 Ohio State University
Columbus, Ohio
EDU HACK

750,000 (Unknown numbers of SSNs and financial information)

Affected individuals can find more information at www.osu.edu/creditsafety

Students, professors and other University affiliates were notified that their information may have been accessed by a hacker.  University officials discovered the breach in late October.  Unauthorized individuals logged into an Ohio State server and had access to names, Social Security numbers, dates of birth and addresses of current and former students, faculty, staff, University consultants and University contractors.

UPDATE (1/14/11): 517,729 former students and 65,663 current students were affected.  Exact numbers for current and former faculty, staff, consultants and contractors were not given.

UPDATE (2/22/2011): As of February 22, OSU was still attempting to find and inform affected individuals of the breach.  Around 226,000 notification letters were mailed to alumni in February.

 
Information Source:
Databreaches.net
records from this breach used in our total: 750,000

December 12, 2006 University of California at Los Angeles (UCLA)
Los Angeles, California
EDU HACK

800,000

Affected individuals can call UCLA at (877) 533-8082, http://www.identityalert.ucla.edu

Hacker(s) gained access to a UCLA database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information. About 3,200 of those notified are current or former staff and faculty of UC Merced and current and former staff of UC's Oakland headquarters.

 
Information Source:
Media
records from this breach used in our total: 800,000

September 28, 2007 Gap Inc.
San Francisco, California
BSR PORT

800,000

 (866) 237-4007, http://gapinc.com/securityassistance/

A laptop containing the personal information of certain job applicants was recently stolen from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc. Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.'s brands between July 2006 and June 2007 was contained on the stolen laptop. Social Security numbers were included in the information on the laptop.

 

UPDATE (5/28/10): A man whose Social Security number and other personal information were compromised by a company that processed his job application for The Gap Inc. has no legal claims against the company because no actual damage resulted from the privacy breach (a laptop stolen from Vangent), ruled the Ninth Circuit Court of Appeals. Ruiz v. Gap, Inc. 09-15971 (9th Circ. May 28, 2010), http://www.ca9.uscourts.gov/datastore/memoranda/2010/05/28/09-15971.pdf

 
Information Source:
Dataloss DB
records from this breach used in our total: 800,000

March 29, 2012 Department of Child Support Services, International Business Machines (IBM), Iron Mountain, Inc.
Boulder, Colorado
GOV PORT

800,000

The location listed is that of IBM's headquarters.

On March 12, 2012, the Department of Child Support Services (DCSS) was notified that contractors International Business Machines (IBM) and Iron Mountain, Inc. could not locate several computer devices that had been shipped from Colorado to California. Californians who used state child support services were affected by the loss.  Names, Social Security numbers, addresses, driver's licenses, names of health insurance providers, health insurance plan membership identification numbers, and employer information may have been exposed.  

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 800,000

February 20, 2009 Arkansas Department of Information Systems, Information Vaulting Services
Little Rock, Arkansas
GOV PORT

807,000

(888) 682-0411, http://notify.arkansas.gov

A computer storage tape with data from criminal background checks dating back to the mid-1990s is missing from an information-protection company's vault. The background-check information includes names, dates of birth, Social Security numbers and addresses.

 
Information Source:
Dataloss DB
records from this breach used in our total: 807,000

December 6, 2013 Horizon Healthcare Services, Inc. (Horizon Blue Cross Blue Shield)
Newark, New Jersey
BSF PORT

840,000

Sometime between November 1 and 3, two unencrypted laptops were stolen from employee workstations.  The laptops were password-protected and cable-locked to the workstations.  Names, Social Security numbers, addresses, dates of birth, Horizon Blue Cross Blue Shield New Jersey identification numbers, and demographic information may have been exposed.  Almost 840,000 Horizon Blue Cross Blue Shield members were affected.

 
Information Source:
California Attorney General
records from this breach used in our total: 840,000

November 4, 2013 CorporateCarOnline.com
Kirkwood, Missouri
BSO HACK

850,000

Hackers stole and stored information online related to customers who used limousine and other ground transportation.  The online information included plain text archives of credit card numbers, expiration dates, names, and addresses.  Many of the customers were wealthy and used credit cards that would be attractive to identity thieves.

 
Information Source:
Media
records from this breach used in our total: 850,000

July 20, 2007 Science Applications International Corp. (SAIC)
San Diego, California
BSO DISC

867,000

 (703) 676-6533, http://www.saic.com/response/

The Pentagon contractor may have compromised personal information. Information such as names, addresses, birth dates, Social Security numbers and health information about military personnel and their relatives were exposed when the data were not encrypted prior to being transmitted online.

UPDATE (5/05/2012): Though 580,000 households were reported, a total of 867,000 people may have been affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 867,000

July 14, 2014 Goodwill Industries International Inc.
Rockville, Maryland
BSR HACK

868,000

Financial institutions are tracking what appears to be fraudulent activity at numerous Goodwill retail stores. The fraudulent activity involves credit card breaches, and the compromised credit cards appear to have started at Goodwill stores across the country. The credit card information is then showing up at other retail establishments, similar to the breaches that occurred at Target, Neiman Marcus, P.F. Changs, etc.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email. 

“Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”

Goodwill Industries stated that it learned of the potential breach on July 18th and is working with federal investigators to determine if the breach is legitimate and, if legitimate, how many stores were affected.

UPDATE (9/10/2014): Goodwill Industries announced that the data breach they suffered is linked to a third party vendor. 

"Goodwill said a forensic investigation had found that a third-party vendor's systems had been attacked by malware, providing the attackers with access to the credit card data of several of that vendor's customers intermittently between February 10, 2013 and August 14, 2014".

According to Goodwill, 330 Goodwill stores in 20 states were affected. Forbes reported that 868,000 individuals were affected.

More Information: http://www.esecurityplanet.com/network-security/goodwill-data-breach-lin...

 

 
Information Source:
Krebs On Security
records from this breach used in our total: 868,000

June 14, 2006 American International Group (AIG), Indiana Office of Medical Excess, LLC
New York, New York
BSF STAT

930,000

A computer server containing personal information, including names, Social Security numbers, birth dates, and some medical and disability information, was stolen on March 31.

UPDATE (1/12/2010): A 28-year-old Indianapolis man was sentenced today to two years in state prison for trying to extort $208,000 from an insurance company after stealing a computer server. In March 2006, the man burglarized the Indianapolis office of AIG Medical Excess, threatening to release clients' personal data on the Internet. The server contained the names of more than 900,000 insured persons, as well as their personal identifying information, and confidential medical information and e-mail communications. At the time of the burglary, the man was an employee of a private security firm that provided security services to the insurance company. On July 23, 2008, Stewart delivered a package to the insurance company. The package included a letter stating that he possessed the stolen server and its confidential data. He asked for $1,000 a week for four years, but the FBI and others intervened. The Indiana State Police, the Indiana Department of Natural Resources, Indianapolis Metropolitan Police Department, and Attorney General also were part of the investigation.

 
Information Source:
Dataloss DB
records from this breach used in our total: 930,000

May 18, 2006 American Red Cross, St. Louis Chapter
St. Louis, Missouri
NGO INSD

1,000,000

A dishonest employee had access to Social Security numbers of donors.  The database was used to call previous donors and urge them to give blood again. The employee misused the personal information of at least three people to perpetrate identity theft and had access to the personal information of one million donors.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000,000

June 15, 2007 Ohio state workers
Columbus, Ohio
GOV PORT

1,000,000

(888) 644-6648 (taped message), (877) 742-5622 (Ohio Consumers' Counsel) or (800) 267-4474

A backup computer storage device with the names and Social Security numbers of every state worker was stolen out of a state intern's car. The tape, which was stolen in June, contains personally identifiable information of nearly 84,000 current and former Ohio state employees and more than 47,000 state taxpayers.

UPDATE (6/20/07): The storage device also had the names and Social Security numbers of 225,000 taxpayers.

UPDATE (6/22/07): Previous news stories reported smaller amounts, but the most recent news story shows 500,000.

UPDATE (7/12/07): The State of Ohio increased the data theft estimate to one million.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000,000

March 21, 2008 Compass Bank
Birmingham, Alabama
BSF INSD

1,000,000

A database containing names, account numbers and customer passwords was stolen. A credit-card encoder and software to encode the information onto blank cards were also used to acquire information from ATMs. A former programmer at Birmingham, Ala.-based Compass Bank stole a hard drive containing 1 million customer records and used some of that information to commit debit-card fraud. The thief had used the information stolen from Compass Bank's database to create about 250 counterfeit debit cards. He was able to use about 45 of those cards to access and withdraw cash from customer accounts at the bank before he was arrested.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000,000

April 23, 2009 Oklahoma Department of Human Services
Oklahoma City, Oklahoma
GOV PORT

1,000,000

(866) 287-0371

Some personal information may have been contained on a laptop computer stolen from an agency employee. Information on the stolen computer included names, Social Security numbers and dates of birth for people who receive DHS services.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000,000

November 16, 2012 Nationwide Mutual Insurance Company and Allied Insurance
Columbus, Ohio
BSF HACK

1,000,000

Affected Georgia consumers may call 1-800-760-1125. Other consumers with questions may call 1-800-656-2298.

A portion of the computer network used by Nationwide and Allied Insurance agents was breached by cyber criminals on October 3.  The attack was discovered on the same day and contained.  On October 16, it was determined that names, Social Security numbers, driver's license numbers, dates of birth, marital status, gender, occupation, and employer information had been stolen.  Affected parties were identified on November 2 and notifications were sent on November 16.

UPDATE (11/20/2012): At least 28,000 people in Georgia were affected.  The total number of affected people is not known.

UPDATE (12/10/2012): A total of 28,468 people in Georgia, 534 in Oklahoma, 12,490 in South Carolina, 286 in Maryland, 5,050 in California, 91,000 in Iowa, 170 in Hawaii, 8,000 in New Mexico, and 98,191 in Minnesota were affected. This brings the known total to 244,188.  Nationwide/Allied Group reported that the breach compromised the information of one million policyholders and non-policyholders nationwide.

 
Information Source:
California Attorney General
records from this breach used in our total: 1,000,000

December 29, 2008 RBS WorldPay
Atlanta, Georgia
BSF HACK

1.1 million

http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf, http://louisville.bizjournals.com/louisville/othercities/atlanta/stories/2008/12/22/daily24.html

RBS WorldPay belatedly admitted that hackers broke into their systems. In the US up to 1.1 million Social Security numbers were exposed as a result of the breach. Pre-paid cards including payroll cards and open-loop gift cards were affected. RBS stated that PINs for all PIN-enabled cards have been reset.

UPDATE (2/3/09): Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from ATMs in 49 cities worldwide. Alleged hackers are still at large and could orchestrate another attack.

UPDATE (2/10/09): "Certain personal information" of 1.5 million card holders and Social Security numbers of 1.1 million people were compromised. A class action lawsuit has been filed against RBS WorldPay.

UPDATE (5/28/09): RBS WorldPay says it has returned to Visa's and MasterCard's lists of validated service providers. It was recently certified as compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2.

UPDATE (4/05/10): Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay.

UPDATE (8/09/10): Sergei Tsurikov of Estonia was brought to Atlanta by the FBI.  He pleaded not guilty to computer fraud, conspiracy to commit computer fraud, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.  The FBI is in the process of extraditing others involved in the international hack.

UPDATE (8/31/10): Another person has been charged with participating in the computer fraud attack.  Vladislav Anatolievich Horohorin is alleged to have used a prepaid payroll card to conduct fraudulent attacks on ATMs in Moscow.

UPDATE (9/15/10): A previously unnamed member of the hacking group will be tried in a Russian court for his involvement in the RBS breach. Eugene Anikin's criminal case was forwarded to Zaeltsovskiy District Court in Novosibirsk for consideration.

UPDATE (2/7/2011): Yevgeny Anikin, 27, pleaded guilty to participating in a hacking ring that stole $10 million from former Royal Bank of Scotland division WorldPay.

UPDATE (8/21/2012): Sonya Martin was sentenced to 2.5 years in federal prison for fraudulently obtaining over $9 million from an Atlanta payroll company.  She was a cell leader in the plan that involved organized computer hacking and ATM cashout schemes. She worked with other members of the network to target 2,100 ATMs in 280 cities around the world.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,100,000

January 10, 2014 Neiman Marcus
Dallas, Texas
BSR HACK

1.1 million

Neiman Marcus confirmed that its database of customer information was hacked last month, around mid-December, the same time that Target stores were targeted. The case is similar to the Target case in that only retail shoppers were affected; no online shoppers were affected.

The cause, size and duration of the attack are not yet known and should start to be revealed once a third party investigation is completed. The company is also working with the Secret Service, which is customary in these types of attacks.

UPDATE (1/16/2014): It has been reported that the breach at Neiman Marcus could date as far back as July 2013 and that the breach was not fully contained until Sunday January 12, 2014. Neiman Marcus is still not communicating the total number of individuals affected, but did comment that "some of their customers'" payment cards were used fraudulently and that it has taken steps to notify those customers. They still do not believe that Social Security numbers or birth dates were affected.

UPDATE (1/25/2014): Neiman Marcus released a statement that approximately 1.1 million individuals have been affected by the recent data breach to their system.

 
Information Source:
Media
records from this breach used in our total: 1,100,000

February 25, 2005 Bank of America Corp.
Charlotte, North Carolina
BSF PORT

1,200,000

Computer tapes with credit card information, Social Security numbers, addresses and account numbers were lost.  Bank of America began monitoring the customer accounts on the lost tapes and said it would contact cardholders if unusual activity was detected.  Around 900,000 of the account holders affected were Defense Department employees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,200,000

January 14, 2010 Lincoln National Corporation (Lincoln Financial)
Radnor, Pennsylvania
BSF INSD

1,200,000

http://www.finra.org/Newsroom/NewsReleases/2011/P122940

Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers. In a disclosure letter sent to the Attorney General of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source. The unidentified source sent FINRA a username and password to the portfolio management system. "This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies," the letter says. "The sharing of usernames and passwords is not permitted under the LNC security policy."

UPDATE (2/17/2011): Lincoln National Corporation was fined $600,000 by the Financial Industry Regulatory Authority for failing to adequately protect customer information.  Failing to require brokers working remotely to install security software on personal computers led to the fine.

 
Information Source:
Media
records from this breach used in our total: 1,200,000

February 6, 2010 AvMed Health Plans
Gainesville, Florida
MED PORT

208,000

Additional 860,000 added June 3rd; (11/16/10) Estimate reaches 1.22 million

AvMed Health Plans announced that personal information of some current and former subscribers may have been compromised by the theft of two company laptops from its corporate offices in Gainesville. The information included names, addresses, phone numbers, Social Security numbers and protected health information. The theft was immediately reported to local authorities but attempts to locate the laptops have been unsuccessful. AvMed determined that the data on one of the laptops may not have been protected properly, and approximately 80,000 of AvMed's current subscribers and their dependents may be affected. Approximately 128,000 additional former subscribers and their dependents, dating back to April 2003, may also have been affected.

UPDATE (06/03/2010): The theft of the laptops compromised the identity data of 860,000 more Avmed members than originally thought.  The total now nears 1.1 million.

UPDATE (11/17/2010): Five AvMed Health Plans customers filed a class-action lawsuit against the health insurer on behalf of the 1.2 million people who were affected by the breach.  At least two of them believe that their personal information was misused as a result of this particular breach.

UPDATE (09/24/2012): An appeals court ruled that the plaintiffs were "explicitly" able to prove a link between the breach and ID theft they incurred.  The case had been thrown out by a lower court in August 2011, but the appeal ruling may make it easier for victims of identity theft to prove that the identity theft was caused by a data breach.

UPDATE (09/05/2013): AvMed Inc. agreed to settle with customers who were affected by the 2009 data breach on September 3, 2013.

UPDATE (10/29/2013): AvMed will pay $3 million.

UPDATE (3/6/2014): "Last week, a judge for the Southern District of Florida gave final approval  to a settlement between health insurance provider AvMed and plaintiffs in a class action stemming from a 2009 data breach of 1.2 million sensitive records from unencrypted laptops. The settlement requires AvMed to implement increased security measures, such as mandatory security awareness training and encryption protocols on company laptops. More notably, AvMed agreed to create a $3 million settlement fund from which members can make claims for $10 for each year that they bought insurance, subject to a $30 cap (class members who experienced identity theft are eligible to make additional claims to recover their monetary losses)".

 
Information Source:
Media
records from this breach used in our total: 1,220,000

January 24, 2012 New York State Electric & Gas (NYSEG), Rochester Gas and Electric (RG&E), Iberdrola USA
Rochester, New York
GOV DISC

878,000 NYSEG customers and 367,000 RG&E customers

Affected customers may call 1-877-736-4495. More information can be found on the websites of the companies www.nyseg.com and www.rge.com.

An employee at a software development consulting firm that was contracted by Iberdrola USA, the parent company of both NYSEG and RG&E, allowed the information systems of clients to be accessed by an unauthorized party.  Customer Social Security numbers, birth dates, and in some cases, financial institution account numbers were exposed.  A total of 878,000 NYSEG customers and 367,000 RG&E electricity customers were affected.  An unknown number of additional customers from both companies who signed up for gas services, but not electricity services, were also affected.

UPDATE (07/12/2012): The Department of Public Service reviewed the NYSEG/RG&E incident and concluded that there was no evidence that any confidential customer information was misused.  In addition, the Department of Public Service recommended that both companies further refine their policies, processes, and procedures regarding confidentiality safeguards.  The companies were ordered to send plans for handling the costs incurred in responding to the breach and progress reports about the implementation of recommendations.

 
Information Source:
Databreaches.net
records from this breach used in our total: 1,245,000

January 22, 2007 Chicago Board of Election
Chicago, Illinois
GOV PORT

1.3 million

About 100 computer discs (CDs) with 1.3 million Chicago voters' SSNs were mistakenly distributed to aldermen and ward committeemen. The CDs also contain birth dates and addresses.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,300,000

June 10, 2008 University of Utah Hospitals and Clinics
Salt Lake City, Utah
MED PORT

2.2 million

Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take the eight data tapes to a storage center. The records contained Social Security numbers of 1.3 million people treated at the university over the last 16 years.

UPDATE (2/5/09): The data tapes were found within a month after being stolen.

UPDATE (6/9/10): An Englewood, Colo., insurance company has filed a federal lawsuit contending that it isn't responsible for reimbursing the University of Utah for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider.

The lawsuit filed in a Utah federal court by Colorado Casualty Insurance Co. contends that the insurer is not obligated to cover the costs sought by the University. Colorado Casualty was providing breach insurance to the University at the time of the breach.

The nine-page complaint, which seeks a declaratory judgment from the court, offers little explanation as to why exactly the insurer believes it is not obligated to pay the breach-related costs sought by the University.

http://www.computerworld.com/s/article/9177702/Insurer_says_it_s_not_liable_for_University_of_Utah_s_3.3M_data_breach

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,300,000

October 23, 2006 Chicago Voter Database
Chicago, Illinois
GOV DISC

1.35 million Chicago residents

An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database, compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,350,000

March 8, 2005 DSW Shoe Warehouse, Retail Ventures
Columbus, Ohio
BSR HACK

1,400,000

Credit card information from customers in 25 states was compromised.

UPDATE (04/19/2005): An additional 1,300,000 customers were added to the initial estimate of 100,000.

UPDATE (08/23/2012): DSW was locked in a dispute with National Union over insurance coverage.  A federal appellate court ruled that DSW was entitled to insurance coverage of more than $6.8 million in stipulated losses and prejudgment interest.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,400,000

November 2, 2006 Colorado Department of Human Services via Affiliated Computer Services (ACS)
Dallas, Texas
GOV STAT

Up to 1.4 million

For questions, call ACS at (800) 350-0399

On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. The computer also contained the state's Directory of New Hires.

UPDATE (12/07/2006): When initially posted to this list, the number 1.4 million was not added to the total because we could not confirm if SSNs were exposed. The PRC was contacted by an affected individual today who confirmed that names, addresses, SSNs and dates of birth were exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,400,000

November 18, 2009 Health Net
Shelton, Connecticut
MED PORT

1,500,000

The personal information for almost half a million Connecticut residents could be at risk after a portable disk drive disappeared from Health Net in May of 2009. Health Net is a regional health plan and the drive included health information, Social Security numbers and bank account numbers for all 446,000 Connecticut patients, 1.5 million nationally. The information had been compressed, but not encrypted, although a specialized computer program is required to read it. Patients in Arizona, New Jersey and New York were also affected.


UPDATE (1/22/2010): Connecticut Attorney General (AG) Richard Blumenthal is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers exposed by the security breach. The AG is seeking a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted. This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA.

UPDATE (7/7/2010): Health Net and the Connecticut AG reached a $250,000 settlement in connection with this incident.

UPDATE (10/8/2010): Health Net faces an additional $375,000 fine for failing to safeguard the personal information of its members from misuse by third parties.

UPDATE (1/20/2011): The Vermont Attorney General filed a complaint and proposed settlement with Health Net, Inc. and Health Net of the Northeast, Inc. It would require Health Net to pay $55,000 in state fees, submit to a data-security audit and submit reports about the company's information security programs throughout the next two years.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,500,000

October 7, 2011 The Nemours Foundation
Wilmington, Delaware
MED PORT

1.6 million

Three unencrypted computer backup tapes were reported missing on September 8.  The tapes were stored in a locked cabinet, which had been temporarily relocated on or around August 10 for a facility remodeling project.  The cabinet was not found.  The tapes had been stored in the cabinet since 2004 and contained patient information stored between 1994 and 2004.  Names, Social Security numbers, addresses, dates of birth, insurance information, medical treatment information, and direct deposit bank account information were exposed.

UPDATE (10/12/2011): Patients and their guarantors, vendors, and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey, and Florida were affected.  In addition to medical treatment information, the payroll information of current and former employees was exposed.  Nemours took steps to encrypt all computer backup tapes and move non-essential computer backup tapes to a secure, off-site storage facility after the breach.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 1,600,000

May 31, 2006 Texas Guaranteed Student Loan Corp. via subcontractor Hummingbird
Round Rock, Texas
BSF UNKN

1,300,000 plus 400,000 for total of 1,700,000

Additional location: Toronto, Canada

Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.

UPDATE (6/16/06): TG now says a total of 1.7 million people's information was compromised, 400,000 more than the original estimate of 1.3 million.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,700,000

February 12, 2011 Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center, and Gunhill Health Center
New York, New York
MED PORT

1.7 million

Health and Hospital Corporation is the group that runs the affected hospitals and clinics.  

The New York City Health & Hospitals Corporation's North Bronx Healthcare Network experienced a breach.  Backup tapes were stolen from an unsecured and unlocked van during transport by GRM Information Management Services.  The theft occurred during December of 2010.  The information on the tapes was from patients, staff members and associated employees and dated back to 1991.  Names, Social Security numbers, addresses, patient health information and other patient and employee information may have been exposed.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 1,700,000

March 15, 2011 Health Net Inc., International Business Machines (IBM)
Rancho Cordova, California
MED PORT

1.9 million

Customers with questions may call (855) 434-8081.

Health Net's statement about the breach can be read here.

Nine disc drives that contained sensitive health information went missing from Health Net's data center in Rancho Cordova, California.  The drives contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. The 1.9 million victims include 622,000 California residents enrolled in Health Net HMOs, 223,000 Californians enrolled in Health Net PPOs and people enrolled in Medicare and other plans. The drives were discovered missing on January 21, but affected individuals were not notified until March 14.

UPDATE (06/07/2011): A class-action lawsuit seeks $5 million from Health Net Inc. and its vendor IBM.  The complaint alleges that Health Net and IBM breached their duty of confidentiality and negligently allowed the release of highly personal and confidential information. The complaint alleges violation of California's Confidentiality of Medical Information Act, Cal. Civ. Code § 56; Cal. Civ. Code § 1798.2, which concerns the unauthorized disclosure of customer records; Cal. Bus. & Prof. Code § 17200, California's unfair-competition law; and public disclosure of private facts.  The lawsuit is seeking injunctive relief, compensatory damages, declaratory relief, and attorney fees and costs.  The citation is Bournas v. Health Net Inc., No.2_11-CV-01262, complaint filed (E.D. Cal. May 11, 2011).

UPDATE (08/09/2011): Health Net's chief operating officer apologized to customers after it was discovered that the original analysis of the breach was flawed.  Around 124,000 Oregon residents who were current members, former members, or employees were believed to have been affected.  Health Net discovered that an additional 6,300 Oregonians had their personal information on the stolen computer drives.  

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 1,900,000

March 2, 2006 Los Angeles County Department of Social Services
Los Angeles, California
GOV PHYS

Potentially 2,000,000

It is unclear if this is the same incident that involved the information of 94,000 people being left next to a recycling bin outside of the Department of Public Social Services in January of 2006.

File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended for at least one month.  This affects employees and clients.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,000,000

April 17, 2008 University of Miami
Miami, Florida
MED PORT

2,100,000

  (866) 628-4492

Computer tapes containing confidential information of Miami patients were stolen last month when thieves took a case out of a van used by a private off-site storage company. The data included names, addresses, Social Security numbers or health information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,100,000

November 27, 2013 Maricopa County Community College District
Phoenix, Arizona
EDU UNKN

2.49 million

An unspecified data breach may have exposed the information of current and former students, employees, and vendors.  Names, Social Security numbers, bank account information, and dates of birth may have been viewed by unauthorized parties.

UPDATE (12/02/2013): Student academic information may have also been exposed.  The Maricopa County Community College District's governing board will spend as much as $7 million to notify and offer credit monitoring to those who may have been affected.

UPDATE (12/07/2013): Estimations for the cost of the breach are as high as $14 million.

UPDATE (4/22/2014): Maricopa County Community College District waited seven months to inform 2.5 million individuals (students, staff, graduates) of the security breach. The District is now in a class action lawsuit. The lawsuit claims that the "FBI warned the Maricopa County Community College District in January of 2011 that a number of its databases had been breached and made available for sale on the Internet". It was also reported that "the district's Information Technology Services employee also became aware of the security breach in January 2011, and repeatedly reported their findings to Vice Chancellor George Kahkedjian".

 
Information Source:
Media
records from this breach used in our total: 2,490,000

September 7, 2006 Circuit City and Chase Card Services, a division of JP Morgan Chase & Co.
Wilmington, Delaware
BSF PORT

2.6 million past and current Circuit City credit cardholders

Chase Card Services mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders' personal information.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 2,600,000

January 25, 2014 Michaels Stores Inc.
Irving, Texas
BSR HACK

2.6 million cards

On January 25, 2014, Michaels Stores Inc. notified customers of a possible security breach involving customers' payment cards. The company has not yet confirmed that a breach occurred; however, based on a preliminary investigation and in light of the recent Target and Neiman Marcus breaches, it felt it was important to warn customers of the possibility.

Michaels is currently working with investigators on the potential breach. No additional detailed information has been supplied by the company.

UPDATE (2/11/2014): A class action lawsuit has been filed against Michaels by an individual. The suit claims that "the arts and crafts supplier failed to secure and safeguard customers’ private financial information".  The suit also alleges that "Michaels failed to adequately monitor its payment systems in such a manner that would enable the retailer to detect fraud or other signs of tampering so that the breach of security and diversion of customer information was able to continue unnoticed for a period of time".

It has also been reported that Michaels failed to disclose a data breach that occurred in May of 2011. A lawsuit was filed for the 2011 breach, but was settled. 

The company has not yet released the total number of individuals affected by the breach or when the breach might have taken place.

UPDATE (7/22/2014): "A federal court in Illinois held July 14 that an elevated risk of identity theft from a Michaels Stores Inc. breach provides standing, but without evidence of specific monetary damages that risk is insufficient to support statutory or common law claims (Moyer v. Michaels Stores, Inc., N.D. Ill., No. 1:14-cv-00561, dismissed 7/14/14).

Judge Elaine E. Bucklo of the U.S. District Court for the Northern District of Illinois dismissed the case against the arts and crafts retailer, finding that the plaintiffs failed to plead monetary damages".
 
Information Source:
Media
records from this breach used in our total: 2,600,000

April 10, 2007 Georgia Department of Community Health, Affiliated Computer Services (ACS)
Atlanta, Georgia
GOV PORT

2,900,000

http://dch.georgia.gov/vgn/images/portal/cit_1210/19/38/80010015Public_Notice-Missing_Personal_Data.pdf, (866) 213-3969

A computer disk containing personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers went missing from a private vendor, Affiliated Computer Services (ACS), contracted to handle health care claims for the state.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,900,000

October 4, 2013 Adobe, PR Newswire, National White Collar Crime Center
San Jose, California
BSR HACK

2.9 million (38 million user emails and passwords exposed)

Hackers obtained the customer information of nearly 3 million Adobe customers who used Photoshop, InDesign, Premiere, and other Adobe software products.  Customer IDs, encrypted passwords, names, encrypted credit or debit card numbers, expiration dates, and other information related to customer orders were exposed.  Anyone who bought software directly from Adobe's website is advised to change their Adobe account passwords.

UPDATE (10/11/2013): Hackers kept the source code on a hidden, but unencrypted server.

UPDATE (10/21/2013): A second breach related to the initial one in early October caused Adobe to reset client passwords.

UPDATE (10/29/2013): An investigation revealed that the encrypted passwords of approximately 38 million active users were also exposed.  Adobe IDs were also compromised and were reset by Adobe after the breach.

UPDATE (11/20/2013): Around 42 million passwords for the Australian-based online dating service Cupid Media were also found on the same server that contained stolen Adobe, PR Newswire, and National White Collar Crime Center information.

UPDATE (11/25/2013): Some estimate that 152 million Adobe ID accounts were in a file that began circulating on the internet in late October.  Adobe Systems Inc. has encountered delays in trying to notify all customers of the issue since it was discovered 10 weeks ago.
 
Information Source:
Media
records from this breach used in our total: 2,900,000

March 26, 2010 Educational Credit Management Corporation
St. Paul, Minnesota
BSF PORT

3,300,000

ECMC, a guarantor of federal student loans, said that a theft has occurred from its headquarters involving portable media with personally identifiable information. The data was in two stolen safes and contained information on approximately 3.3 million individuals and included names, addresses, dates of birth and Social Security numbers. No bank account or other financial account information was included in the data.

 

UPDATE (4/16/10): The information was recovered shortly after the theft and discovered weeks later in a police evidence room.

 
Information Source:
Dataloss DB
records from this breach used in our total: 3,300,000

July 9, 2008 Division of Motor Vehicles Colorado
Colorado
GOV DISC

3.4 million

The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers.

 
Information Source:
Media
records from this breach used in our total: 3,400,000

April 11, 2011 Texas Comptroller's Office
Austin, Texas
GOV DISC

3.5 million

The data came from the Teacher Retirement Center of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas.

Those who have questions about the breach may call 1-855-474-2065.

The information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, data that was not encrypted was transferred from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed.  A spokesperson from the Texas Comptroller's Office claims that the breach occurred because numerous procedures were not followed.  Some employees were fired for their roles in the incident.

UPDATE (4/13/2011): Approximately two million of the 3.5 million possibly affected are unemployed insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed.  The birth dates and driver's license numbers of some of these people were also exposed. The information was accidentally disclosed on a Comptroller's publicly accessible server. TWC provided uninsured claimant records from December 31, 2006 to December 31, 2009 to the Comptroller's office in April of 2010 to assist in identifying individuals who may have unclaimed property.  The information was sent in a protected manner using Secure File Transfer Protocol (SFTP), which encrypts the data during transmission over a state-controlled network used by state agencies and universities.

UPDATE (5/6/2011): Two class action lawsuits have been filed on behalf of 3.5 million Texans who had their information exposed by the breach. The second class action lawsuit seeks a $1,000 statutory penalty for each affected individual.

UPDATE (2/13/2012): The cost of the credit monitoring services provided to those affected has passed $600,000. Currently, no taxpayers have linked fraudulent charges to the breach.

 
Information Source:
Databreaches.net
records from this breach used in our total: 3,500,000

June 6, 2005 Citigroup, UPS
New York, New York
BSF PORT

3,900,000

Customers are being notified that backup tapes containing their account information were lost or stolen while being shipped by UPS.

 
Information Source:
Dataloss DB
records from this breach used in our total: 3,900,000

August 28, 2013 Advocate Medical Group, Advocate Health
Park Ridge, Illinois
MED STAT

4 million

The July 15 office theft of four unencrypted desktop computers resulted in the exposure of patient information. Approximately four million patients who were seen by Advocate Medical Group physicians between the early 1990s and July of 2013 were affected.  Names, Social Security numbers, addresses, and dates of birth were exposed.  Diagnoses, medical record numbers, medical service codes, and health insurance information were also exposed in some circumstances.

UPDATE (09/06/2013): A class-action lawsuit on behalf of patients in the Chicago area has been filed.  It claims that Advocate Medical Center should have done more to protect patient information.

 
Information Source:
Media
records from this breach used in our total: 4,000,000

March 17, 2008 Hannaford Bros. Supermarket chain
Portland, Maine
BSF HACK

4.2 million

 (866) 591-4580

This security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company is currently aware of about 1,800 cases of reported fraud related to the security breach. Credit and debit card numbers were stolen during the card authorization transmission process. It's unclear if personal information was exposed.

UPDATE (4/2/2009): An April 2, 2009, news story indicated that between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. About 1,800 fraudulent charges had been made.

UPDATE (5/14/2009): A federal appeals court has revived a Tampa class-action suit seeking money for Florida shoppers whose credit and debit card numbers were swiped in a data breach that hit 109 Sweetbay Supermarkets. The suit seeks free credit monitoring, credit repair if necessary and undetermined money damages to be split up among victims of the breach, including those unaware they were victims.

UPDATE (5/22/2009): A Maine U.S. District Court dismissed most of a class action lawsuit against Hannaford, finding that there is no way to value the time and effort that consumers spent in correcting fraudulent activity resulting from the breach. The case of one named plaintiff was not dismissed. That plaintiff suffered actual monetary damages for unreimbursed fraudulent charges.

UPDATE (11/2/2011): Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute "Damages" in Hannaford Breach Case (Oct. 24, 2011) http://tinyurl.com/3kxxmnb. http://tinyurl.com/3jkg489

UPDATE (3/29/2013): A United States District Court for the District of Maine has denied a motion that would have allowed a lawsuit to proceed as a class action.  The plaintiffs originally moved to certify the proposed class on September 4, 2012.  http://tinyurl.com/bsg9xpu

 
Information Source:
Dataloss DB
records from this breach used in our total: 4,200,000

August 18, 2014 Community Health Systems
Franklin, Tennessee
MED HACK

4.5 million

Community Health Systems of Franklin, Tennessee has announced a large data breach of its medical system. The breach occurred when hackers infiltrated the server of the health system, compromising Social Security numbers, names and addresses for 4.5 million patients. Authorities believe that the hackers were based out of China and that the attacks happened from April 2014 through June 2014.

The company operates 206 hospitals in 29 states and is currently doing further investigations regarding the attack.

 

More Information:  http://bits.blogs.nytimes.com/2014/08/18/hack-of-community-health-system...

 

UPDATE (8/26/2014): Five Alabama residents have filed a class-action lawsuit against Community Health Systems following last week's announcement of the data breach of 4.5 million patients.

 

 
Information Source:
Media
records from this breach used in our total: 4,500,000
