Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?


Click or unclick the boxes then select go.


Select features, then click GO.



Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.
Breach Total
930,526,448 RECORDS BREACHED
(Please see explanation about this total.)
from 4,427 DATA BREACHES made public since 2005

Save or Print PDF of Entire Breach List including introduction.Save or Print a PDF of Entire Breach List (including introductory FAQ)

Filter breach list before saving or printing PDF. Conduct a search of the Chronology using its sorting features, and Save or Print a PDF of your search results (Select filters)

If you do not have access to PDF, you can print the Chronology in landscape view.

Date Made Public Name Entity Type
May 4, 2009 Virginia Prescription Monitoring Program
Richmond, Virginia
MED HACK

531,400

The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom for the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database. A notice posted on the DHP Web site acknowledged that the site is currently experiencing technical difficulties which affect computer and e-mail systems. Some customer identification numbers, which may be Social Security numbers, were included, but medical histories were not.

UPDATE (6/4/09): The state is mailing individual notifications to 530,000 people whose prescription records may have contained Social Security numbers. In addition, 1,400 registered users of the database, mostly doctors and pharmacists, who may have provided Social Security numbers when they registered for the program, are being notified. The database that was hacked contained records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled drugs with a high potential for abuse.

 
Information Source:
Media
records from this breach used in our total: 531,400

March 30, 2006 Georgia Technology Authority (GTA)
Atlanta, Georgia
GOV HACK

573,000

Hackers exploited a security flaw to gain access to confidential information including Social Security numbers and bank-account details of state pensioners.  The State only had contact information for 180,000 of those affected and relied on media coverage to get the word out to others.

 
Information Source:
Dataloss DB
records from this breach used in our total: 573,000

July 24, 2009 Network Solutions
Herndon, Virginia
BSO HACK

573,000

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months. Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores.

 
Information Source:
Dataloss DB
records from this breach used in our total: 573,000

February 2, 2007 U.S. Department of Veterans Affairs, VA Medical Center
Birmingham, Alabama
MED PORT

48,000 veterans plus 535,000

(877) 894-2600, http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1294

An employee reported a portable hard drive stolen or missing that might contain personal information about veterans including Social Security numbers.

UPDATE (2/10/07): VA increases number of affected veterans to 535,000, included in the total below.

UPDATE (2/12/07): VA reported that billing information for 1.3 million doctors was also exposed, including names and Medicare billing codes, not included in the total below.

UPDATE (3/19/07): The VA's Security Operations Center has referred 250 incidents since July 2006 to its inspector general, which has led to 46 separate investigations.

UPDATE (6/18/07):More than $20 million to respond to its latest data breach, the breach potentially puts the identities of nearly a million physicians and VA patients.

 
Information Source:
Dataloss DB
records from this breach used in our total: 583,000

May 2, 2005 Time Warner, Iron Mountain Inc.
New York, New York
BSO PORT

600,000

Backup tapes containing the personal information of current and former employees from as far back as 1986 was lost or stolen during shipping. An 800 number was set up to answer questions and provide free credit monitoring for one year.

UPDATE (5/3/2005): A contractor named Iron Mountain Inc. lost the tapes during shipping. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 600,000

February 24, 2010 Citigroup
New York, New York
BSF DISC

600,000

About 600,000 Citigroup customers got a shock earlier this month when they received their annual tax documents with their Social Security numbers printed on the outside of the envelope. The digits were not identified as a Social Security number, and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a mail routing number.

 
Information Source:
Dataloss DB
records from this breach used in our total: 600,000

May 25, 2012 University of Nebraska, Nebraska Student Information System, Nebraska College System
Lincoln, Nebraska
EDU HACK

654,000

The University of Nebraska set up a webpage for more information on the breach: http://nebraska.edu/security

A University technical staff member discovered a breach on May 23.  Staff took steps to limit the breach and there was no clear evidence that any information was downloaded.  The Social Security numbers, addresses, grades, transcripts, housing and financial aid information for current and former University of Nebraska students may have been accessed.  The database also included the information of people who applied to the University of Nebraska, but may have not been admitted, and alumni information as far back as Spring of 1985. The University of Nebraska was still investigating the extent of the breach as of May 25, 2012.

UPDATE (05/29/2012): The University of Nebraska created a webpage for information about the breach.  Close to 21,000 people had bank account information that was linked to the student information system and exposed.  The University of Nebraska's computer database also held 654,000 Social Security numbers, though it is unclear if that number completely overlaps the number of individuals who had their bank account information exposed.  Current and former students of the University of Nebraska campuses in Lincoln, Omaha, and Kearney were affected; as well as anyone who applied to the University since 1985.

UPDATE (06/01/2012): The Nebraska College System began using a shared student information system called NeSIS in 2009.  This resulted in data from Chadron State, Peru State, and Wayne State colleges being exposed.

UPDATE (09/10/2012): Police seized computers and related equipment belonging to a University of Nebraska-Lincoln (UNL) undergraduate student who is believed to be involved in the incident.

UPDATE (12/11/2012): The former UNL student has been charged with intentionally accessing a protected computer system and causing damage of at least $5,000.

UPDATE (06/22/2013): The hacker now faces an additional nine charges of exceeding his authorized access to a computer and two charges of knowingly transmitting a program that damaged computers owned by the University of Nebraska and Nebraska State College Systems.

UPDATE (12/03/2013): The hacker and former UNL student pleaded guilty to one count of intentionally damaging a protected computer and causing loss in excess of $5,000.  His sentencing was scheduled for March 21, 2014.

 
Information Source:
Dataloss DB
records from this breach used in our total: 654,000

April 28, 2005 Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp
Hackensack, New Jersey
BSF INSD

676,000

Note: location listed is the corporate headquarters of Bank of America, not necessarily where the breach occurred.

Bank employees illegally sold account information to someone posing as a collection agency. Customers affected were notified and received one year of free credit monitoring services.

 
Information Source:
Dataloss DB
records from this breach used in our total: 676,000

April 19, 2008 Central Collection Bureau
Indianapolis, Indiana
BSO STAT

700,000

A computer server containing Social Security numbers and other personal information was stolen last month from a Southside debt-collection bureau. The information includes customer-billing records for Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group.

 
Information Source:
Dataloss DB
records from this breach used in our total: 700,000

November 6, 2008 Express Scripts
St. Louis, Missouri
BSO UNKN

700000

Express Scripts has received a letter demanding money from the company under the threat of exposing records of millions of patients. The letter, included personal information on 75 people covered by Express Scripts, including birth dates, Social Security numbers and prescription information. Express manages prescription benefits for roughly 50 million people.

UPDATE 10/1/09: Express Scripts notified about 700,000 consumers that their records may have been breached.

 
Information Source:
Dataloss DB
records from this breach used in our total: 700,000

May 12, 2012 Hewlett, Packard, California Department of Social Services
Riverside, California
GOV PORT

701,000

Around 700,000 caregivers and care recipients had their information lost or stolen during transit between Hewlett Packard and the State Compensation Insurance Fund in Riverside, California.  A package that originally contained microfiche with payroll data entries and possibly other sensitive information arrived via U.S. Postal Service damaged and missing thousands of payroll data entries. Names, wages, Social Security numbers, and state identification numbers were exposed. A total of 375,000 In-Home Supportive Services workers were affected and 326,000 recipients of In-Home Supportive Services care were affected.

UPDATE (05/30/2013): A total of 748,902 elderly home care recipients and their caretakers were affected.

 
Information Source:
Databreaches.net
records from this breach used in our total: 701,000

July 18, 2006 CS Stars, subsidiary of insurance company Marsh Inc.
Chicago, Illinois
BSF STAT

722,000

On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers' comp fund. The lost data includes SSNs and date of birth but apparently no medical information.

UPDATE (7/26/06): Computer was recovered.

UPDATE (04/26/07): The New York Attorney General's office found that CS Stars violated the state's security breach law. CS Stars must pay the Attorney General's office $60,000 for investigation costs. It was determined that the computer had been stolen by an employee of a cleaning contractor, the missing computer was located and recovered, and that the data on the missing computer had not been improperly accessed.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 722,000

December 15, 2010 Ohio State University
Columbus, Ohio
EDU HACK

750,000 (Unknown numbers of SSNs and financial information)

Affected individuals can find more information at www.osu.edu/creditsafety

Students, professors and other University affiliates were notified that their information may have been accessed by a hacker.  University officials discovered the breach in late October.  Unauthorized individuals logged into an Ohio State server and had access to names, Social Security numbers, dates of birth and addresses of current and former students, faculty, staff, University consultants and University contractors.

UPDATE (1/14/11): 517,729 former students and 65,663 current students were affected.  Exact numbers for current and former faculty, staff, consultants and contractors were not given.

UPDATE (2/22/2011): As of February 22, OSU was still attempting to find and inform affected individuals of the breach.  Around 226,000 notification letters were mailed to alumni in February.

 
Information Source:
Databreaches.net
records from this breach used in our total: 750,000

December 12, 2006 University of California at Los Angeles (UCLA)
Los Angeles, California
EDU HACK

800,000

Affected individuals can call UCLA at (877) 533-8082, http://www.identityalert.ucla.edu

Hacker(s) gained access to a UCLA database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information. About 3,200 of those notified are current or former staff and faculty of UC Merced and current and former staff of UC's Oakland headquarters.

 
Information Source:
Media
records from this breach used in our total: 800,000

September 28, 2007 Gap Inc.
San Francisco, California
BSR PORT

800,000

 (866) 237-4007, http://gapinc.com/securityassistance/

A laptop containing the personal information of certain job applicants was recently stolen from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc. Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.'s brands between July 2006 and June 2007 was contained on the stolen laptop. Social Security numbers were included in the information on the laptop.

 

UPDATE (5/28/10): A man whose Social Security number and other personal information were compromised by a company that processed his job application for The Gap Inc. has no legal claims against the company because no actual damage resulted from the privacy breach (a laptop stolen from Vangent), ruled the Ninth Circuit Court of Appeals. Ruiz v. Gap, Inc. 09-15971 (9th Circ. May 28, 2010), http://www.ca9.uscourts.gov/datastore/memoranda/2010/05/28/09-15971.pdf .

 
Information Source:
Dataloss DB
records from this breach used in our total: 800,000

March 29, 2012 Department of Child Support Services, International Business Machines (IBM), Iron Mountain, Inc.
Boulder, Colorado
GOV PORT

800,000

The location listed is that of IBM's headquarters.

On March 12, 2012, the Department of Child Support Services (DCSS) was notified that contractors International Business Machines (IBM) and Iron Mountain, Inc. could not locate several computer devices that had been shipped from Colorado to California. Californians who used state child support services were affected by the loss.  Names, Social Security numbers, addresses, driver's licenses, names of health insurance providers, health insurance plan membership identification numbers, and employer information may have been exposed.  

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 800,000

February 20, 2009 Arkansas Department of InformationSystems, Information Vaulting Services
Little Rock, Arkansas
GOV PORT

807,000

 (888) 682-0411 <a href=http://notify.arkansas.gov>http://notify.arkansas.gov</a>

A computer storage tape with data from criminal background checks dating back to the mid-1990s is missing from an information-protection company's vault. The background-check information includes names, dates of birth, Social Security numbers and addresses.

 
Information Source:
Dataloss DB
records from this breach used in our total: 807,000

December 6, 2013 Horizon Healthcare Services, Inc. (Horizon Blue Cross Blue Shield)
Newark, New Jersey
BSF PORT

840,000

Sometime between November 1 and 3, two unencrypted laptops were stolen from employee workstations.  The laptops were password-protected and cable-locked to the workstations.  Names, Social Security numbers, addresses, dates of birth, Horizon Blue Cross Blue Shield New Jersey identification numbers, and demographic information may have been exposed.  Almost 840,000 Horizon Blue Cross Blue Shield members were affected.

 
Information Source:
California Attorney General
records from this breach used in our total: 840,000

November 4, 2013 CorporateCarOnline.com
Kirkwood, Missouri
BSO HACK

850,000

Hackers stole and stored information online related to customers who used limousine and other ground transportation.  The online information included plain text archives of credit card numbers, expiration dates, names, and addresses.  Many of the customers were wealthy and used credit cards that would be attractive to identity thieves.

 
Information Source:
Media
records from this breach used in our total: 850,000

October 10, 2014 Oregon Employment Department/WorkSource Oregon
Portland, Oregon
GOV HACK

850000

The Oregon Employment Department, specifically WorkSource Oregon, discovered a data breach of a data base that contained personal information of individuals searching for jobs when an anonymous tip came in alerting officials of the breach.

Social Security numbers of more than 850,000 individuals were compromised in the breach. Officials shut down the website and were investigating the breach.

More Information: http://www.oregonlive.com/money/index.ssf/2014/10/security_breach_discov...

 
Information Source:
Media
records from this breach used in our total: 850,000

July 20, 2007 Science Applications International Corp. (SAIC)
San Diego, California
BSO DISC

867,000

 (703) 676-6533, http://www.saic.com/response/

The Pentagon contractor may have compromised personal information. Information such as names, addresses, birth dates, Social Security numbers and health information about military personnel and their relatives were exposed when the data were not encrypted prior to being transmitted online.

UPDATE (5/05/2012): Though 580,000 households were reported, a total of 867,000 people may have been affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 867,000

July 14, 2014 Goodwill Industries International Inc.
Rockville, Maryland
BSR HACK

868,000

Financial institutions are tracking what appears to be fraudulent activity at numerous Goodwill retail stores. The fraudulent activity involves credit card breaches and that the compromised credit cards appear to have started at Goodwill stores across the country. The credit card information is then showing up at other retail establishments, similar to the breaches that occurred at Target, Neiman Marcus, P.F. Changs, etc.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email. 

“Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”

Goodwill Industries stated they learned of the potential breach on July 18th and is working with federal investigators to determine if the breach is legitimate and if legitimate. how many stores were affected.

UPDATE (9/10/2014): Goodwill Industries announced that the data breach they suffered is linked to a third party vendor. 

"Goodwill said a forensic investigation had found that a third-party vendor's systems had been attacked by malware, providing the attackers with access to the credit card data of several of that vendor's customers intermittently between February 10, 2013 and August 14, 2014".

According to Goodwill, 330 Goodwill stores in 20 states were affected. Forbes reported that 868,000 individuals were affected.

More Information: http://www.esecurityplanet.com/network-security/goodwill-data-breach-lin...

 

 
Information Source:
Krebs On Security
records from this breach used in our total: 868,000

June 14, 2006 American International Group (AIG), Indiana Office of Medical Excess, LLC
New York, New York
BSF STAT

930,000

The computer server was stolen on March 31 containing personal information including names, Social Security numbers, birth dates, and some medical and disability information.

UPDATE (1/12/2010) A 28-year-old Indianapolis man was sentenced today to two years in state prison for trying to extort $208,00 from an insurance company after stealing a computer server. In March 2006, the man burglarized the Indianapolis office of AIG Medical Excess, threatening to release clients' personal data on the Internet. The server contained the names of more than 900,000 insured persons, as well as their personal identifying information, and confidential medical information and e-mail communications. At the time of the burglary, the man was an employee of a private security firm that provided security services to the insurance company. On July 23, 2008, Stewart delivered a package to the insurance company. The package included a letter stating that he possessed the stolen server and its confidential data. He asked for $1,000 a week for four years, but the FBI and others intervened. The Indiana State Police, the Indiana Department of Natural Resources, Indianapolis Metropolitan Police Department, and Attorney General also were part of the investigation.

 
Information Source:
Dataloss DB
records from this breach used in our total: 930,000

May 18, 2006 American Red Cross, St. Louis Chapter
St. Louis, Missouri
NGO INSD

1,000,000

A dishonest employee had access to Social Security numbers of donors.  The database was used to call previous donors and urge them to give blood again. The employee misused the personal information of at least three people to perpetrate identity theft and had access to the personal information of one million donors.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000,000

June 15, 2007 Ohio state workers
Columbus, Ohio
GOV PORT

1,000,000

(888) 644-6648(taped-message), (877) 742-5622 (Ohio Consumers' Counsel) or (800) 267-4474

A backup computer storage device with the names and Social Security numbers of every state worker was stolen out of a state intern's car. The tape, which was stolen in June, contains personally identifiable information of nearly 84,000 current and former Ohio state employees and more than 47,000 state taxpayers.

UPDATE (6/20/07) : The storage device also had the names and Social Security numbers of 225,000 taxpayers.

UPDATE (6/22/07) : Previous news stories reported smaller amounts, but the most recent news story shows 500,000.

UPDATE (7/12/07) The State of Ohio increased the data theft estiamte to one million.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000,000

March 21, 2008 Compass Bank
Birmingham, Alabama
BSF INSD

1,000,000

A database containing names, account numbers and customer passwords was stolen. A credit-card encoder and software to encode the information onto blank cards was also used to acquire information from ATMs. A former programmer at Birmingham, Ala.-based Compass Bank stole a hard drive containing 1 million customer records and used some of that information to commit debit-card fraud. The thief had used the information stolen from Compass Bank's database to create about 250 counterfeit debit cards. He was able to use about 45 of those cards to access and withdraw cash from customer accounts at the bank before he was arrested.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000,000

April 23, 2009 Oklahoma Department of Human Services
Oklahoma City, Oklahoma
GOV PORT

1,000,000

(866) 287-0371

Some personal information may have been contained on a laptop computer stolen from an agency employee. Information on the stolen computer included names, Social Security numbers and dates of birth for people who receive DHS services.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000,000

November 16, 2012 Nationwide Mutual Insurance Company and Allied Insurance
Columbus, Ohio
BSF HACK

1,000,000

Affected Georgia consumers may call 1-800-760-1125. Other consumers with questions may call 1-800-656-2298.

A portion of the computer network used by Nationwide and Allied Insurance agents was breached by cyber criminals on October 3.  The attack was discovered on the same day and contained.  On October 16, it was determined that names, Social Security numbers, driver's license numbers, dates of birth, marital status, gender, occupation, and employer information had been stolen.  Affected parties were identified on November 2 and notifications were sent on November 16.

UPDATE (11/20/2012): At least 28,000 people in Georgia were affected.  The total number of affected people is not known.

UDPATE (12/10/2012): A total of 28,468 people in Georgia, 534 in Oklahoma, 12,490 in South Carolina, 286 in Maryland, 5,050 in California, 91,000 in Iowa, 170 in Hawaii, 8,000 in New Mexico, and 98,191 in Minnesota were affected. This brings the known total to 244,188.  Nationwide/Allied Group reported that the breach compromised the information of one million policyholders and non-policyholders nationwide.

 
Information Source:
California Attorney General
records from this breach used in our total: 1,000,000

December 29, 2008 RBS WorldPay
Atlanta, Georgia
BSF HACK

1.1 million

http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf, http://louisville.bizjournals.com/louisville/othercities/atlanta/stories/2008/12/22/daily24.html

RBS WorldPay belatedly admitted that hackers broke into their systems. In the US up to 1.1 million Social Security numbers were exposed as a result of the breach. Pre-paid cards including payroll cards and open-loop gift cards were affected. RBS stated that PINs for all PIN-enabled cards have been reset.

UPDATE (2/3/09): Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from ATMs in 49 cities worldwide. Alleged hackers are still at large and could orchestrate another attack.

UPDATE (2/10/09): "Certain personal information" of 1.5 million card holders and Social Security numbers of 1.1 million people were compromised. A class action law suit has been filed against RBS WorldPay.

UPDATE (5/28/09): RBS WorldPay says it has returned to Visa's and MasterCard's lists of validated service providers. It was recently certified as compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2.

UPDATE (4/05/10): Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay.

UPDATE (8/09/10): Sergei Tsurikov of Estonia was brought to Atlanta by the FBI.  He pleaded not guilty to computer fraud, conspiracy to commit computer fraud, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.  The FBI is in the process of extraditing others involved in the international hack.

UPDATE (8/31/10): Another person has been charged with participating in the computer fraud attack.  Vladislav Anatolievich Horohorin is alleged to have used a prepaid payroll card to conduct fraudulent attacks on ATMs in Moscow.

UPDATE (9/15/10): A previously unnamed member of the hacking group will be tried in a Russian court for his involvement in the RBS breach. Eugene Anikin's criminal case was forwarded to Zaeltsovskiy District Court in Novosibirsk for consideration.

UPDATE (2/7/2011): Yevgeny Anikin, 27, pleaded guilty to participating in a hacking ring that stole $10 million from former Royal Bank of Scotland division WorldPay.

UPDATE (8/21/2012): Sonya Martin was sentenced to 2.5 years in federal prison for fraudulently obtaining over $9 million from an Atlanta payroll company.  She was a cell leader in the plan that involved organized computer hacking and ATM cashout schemes. She worked with other members of the network to target 2,100 ATMs in 280 cities around the world.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,100,000

January 10, 2014 Neiman Marcus
Dallas, Texas
BSR HACK

1.1 million

Neiman Marcus confirmed that its database of customer information was hacked last month, around mid-December, the same time that Target stores were targeted. The case is similar to the Target case in that only retail shoppers were affected, no online shoppers were affected.

The cause, size and duration of the attack are not yet known and should start to be revealed once a third party investigation is completed. The company is also working with the Secret Service, which is customary in these types of attacks.

UPDATE (1/16/2014): It has been reported that the breach at Neiman Marcus could as far back as July 2013 and that the breach was not fully contained until Sunday January 12, 2014. Neiman Marcus is still not communicating the total amount of individuals affected, but did comment that "some of their customers" payment cards were used fraudulently and have taken steps to notify those customers. They still do not believe that Social Security numbers or birth dates were affected.

UPDATE (1/25/2014): Neiman Marcus released a statement that approximately 1.1 million individuals have been affected by the recent data breach to their system.

 
Information Source:
Media
records from this breach used in our total: 1,100,000

February 25, 2005 Bank of America Corp.
Charlotte, North Carolina
BSF PORT

1,200,000

Computer tapes with credit card information, Social Security numbers, addresses and account numbers were lost.  Bank of America began monitoring the customer accounts on the lost tapes and said it would contact cardholders if unusual activity was detected.  Around 900,000 of the account holders affected were Defense Department employees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,200,000

January 14, 2010 Lincoln National Corporation (Lincoln Financial)
Radnor, Pennsylvania
BSF INSD

1,200,000

http://www.finra.org/Newsroom/NewsReleases/2011/P122940

Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers. In a disclosure letter sent to the Attorney General of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source. The unidentified source sent FINRA a username and password to the portfolio management system. "This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies," the letter says. "The sharing of usernames and passwords is not permitted under the LNC security policy."

UPDATE (2/17/2011): Lincoln National Corporation was fined $600,000 by the Financial Industry Regulatory Authority for failing to adequately protect customer information.  Failing to require brokers working remotely to install security software on personal computers led to the fine.

 
Information Source:
Media
records from this breach used in our total: 1,200,000

February 6, 2010 AvMed Health Plans
Gainesville, Florida
MED PORT

208,000

Additional 860,000 added June 3rd; (11/16/10) Estimate reaches 1.22 million

AvMed Health Plans announced that personal information of some current and former subscribers may have been compromised by the theft of two company laptops from its corporate offices in Gainesville. The information included names, addresses, phone numbers, Social Security numbers and protected health information. The theft was immediately reported to local authorities but attempts to locate the laptops have been unsuccessful. AvMed determined that the data on one of the laptops may not have been protected properly, and approximately 80,000 of AvMed's current subscribers and their dependents may be affected. An additional approximate 128,000 former subscribers and their dependents, dating back to April 2003, may also have been affected.

UPDATE (06/03/2010): The theft of the laptops compromised the identity data of 860,000 more Avmed members than originally thought.  The total now nears 1.1 million.

UPDATE (11/17/2010): Five AvMed Health Plans customers filed a class-action lawsuit against the health insurer on behalf of the 1.2 million people who were affected by the breach.  At least two of them believe that their personal information was misused as a result of this particular breach.

UPDATE (09/24/2012): An appeals court ruled that the plaintiffs were "explicitly" able to prove a link between the breach and ID theft they incurred.  The case had been thrown out by a lower court in August 2011, but the appeal ruling may allow victims of identity theft to make it easier to prove that the identity theft was caused by a data breach.

UPDATE (09/05/2013): AvMed Inc. agreed to settle with customers who were affected by the 2009 data breach on September 3, 2013.

UPDATE (10/29/2013): AvMed will pay $3 million.

UPDATE (3/6/2014): "Last week, a judge for the Southern District of Florida gave final approval  to a settlement between health insurance provider AvMed and plaintiffs in a class action stemming from a 2009 data breach of 1.2 million sensitive records from unencrypted laptops. The settlement requires AvMed to implement increased security measures, such as mandatory security awareness training and encryption protocols on company laptops. More notably, AvMed agreed to create a $3 million settlement fund from which members can make claims for $10 for each year that they bought insurance, subject to a $30 cap (class members who experienced identity theft are eligible to make additional claims to recover their monetary losses)".

 
Information Source:
Media
records from this breach used in our total: 1,220,000

January 24, 2012 New York State Electric & Gas (NYSEG), Rochester Gas and Electric (RG&E), Iberdrola USA
Rochester, New York
GOV DISC

878,000 NYSEG customers and 367,000 RG&E customers

Affected customers may call 1-877-736-4495. More information can be found on the websites of the companies www.nyseg.com and www.rge.com.

An employee at a software development consulting firm that was contracted by Iberdrola USA, the parent company of both NYSEG and RG&E, allowed the information systems of clients to be accessed by an unauthorized party.  Customer Social Security numbers, birth dates, and in some cases, financial institution account numbers were exposed.  A total of 878,000 NYSEG customers and 367,000 RG&E electricity customers were affected.  An unknown number of additional customers from both companies who signed up for gas services, but not electricity services were also affected.

UPDATE (07/12/2012): The Department of Public Service reviewed the NYSEG/FG&E incident and concluded that there was no evidence that any confidential customer information was misused.  In addition, the Department of Public Service recommended that both companies further refine their policies, processes, and procedures regarding confidentiality safeguards.  The companies were ordered to send plans for handling the costs incurred in responding to the breach and progress reports about the implementation of recommendations.

 
Information Source:
Databreaches.net
records from this breach used in our total: 1,245,000

January 22, 2007 Chicago Board of Election
Chicago, Illinois
GOV PORT

1.3 million

About 100 computer discs (CDs) with 1.3 million Chicago voters' SSNs were mistakenly distributed to aldermen and ward committeemen. The CDs also contain birth dates and addresses.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,300,000

June 10, 2008 University of Utah Hospitals and Clinics
Salt Lake City, Utah
MED PORT

2.2 million

Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take the eight data tapes to a storage center. The records, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years.

UPDATE (2/5/09): The data tapes were found within a month after being stolen.

UPDATE (6/9/10): An Englewood, Colo., insurance company has filed a federal lawsuit contending that it isn't responsible for reimbursing the University of Utah for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider.

The lawsuit filed in a Utah federal court by Colorado Casualty Insurance Co. contends that the insurer is not obligated to cover the costs sought by the University. Colorado Casualty was providing breach insurance to the University at the time of the breach.

The nine-page complaint, which seeks a declaratory judgment from the court, offers little explanation as to why exactly the insurer believes it is not obligated to pay the breach-related costs sought by the University.

http://www.computerworld.com/s/article/9177702/Insurer_says_it_s_not_liable_for_University_of_Utah_s_3.3M_data_breach

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,300,000

October 23, 2006 Chicago Voter Database
Chicago, Illinois
GOV DISC

1.35 million Chicago residents

An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database, compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,350,000

March 8, 2005 DSW Shoe Warehouse, Retail Ventures
Columbus, Ohio
BSR HACK

1,400,000

Credit card information from customers in 25 states was compromised.

UPDATE (04/19/2005): An additional 1,300,000 customers were added to the initial estimate of 100,000.

UPDATE (08/23/2012): DSW was locked in a dispute with National Union over insurance coverage.  A federal appellate court ruled that DSW was entitled to insurance coverage of more than $6.8 million in stipulated losses and prejudgment interest.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,400,000

November 2, 2006 Colorado Department of Human Services via Affiliated Computer Services (ACS)
Dallas, Texas
GOV STAT

Up to 1.4 million

For questions, call ACS at (800) 350-0399

On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. Computer also contained the state's Directory of New Hires.

UPDATE (12/07/2006) When initially posted to this list, the number 1.4 million was not added to the total because we could not confirm if SSNs were exposed. The PRC was contacted by an affected individual today who confirmed that names, addresses, SSNs and dates of birth were exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,400,000

November 18, 2009 Health Net
Shelton, Connecticut
MED PORT

1,500,000

The personal information for almost half a million Connecticut residents could be at risk after a portable disk drive disappeared from Health Net in May of 2009. Health Net is a regional health plan and the drive included health information, Social Security number and bank account numbers for all 446,000 Connecticut patients, 1.5 million nationally. The information had been compressed, but not encrypted, although a specialized computer program is required to read it. Patients in Arizona, New Jersey and New York were also affected.


UPDATE (1/22/2010): Connecticut Attorney General (AG) Richard Blumenthal is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers exposed by the security breach. The AG is seeking a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted. This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA.

UPDATE (7/7/2010): Health Net and the Connecticut AG reached a $250,000 settlement in connection with this incident.

UPDATE (10/8/2010): Health Net faces an additional $375,000 fine for failing to safeguard the personal information of its members from misuse by third parties.

UPDATE (1/20/2011): The Vermont Attorney General filed a complaint and proposed settlement with Health Net, Inc. and Health Net of the Northeast, Inc. It would require Health Net to pay $55,000 in state fees, submit to a data-security audit and submit reports about the company's information security programs throughout the next two years.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,500,000

October 7, 2011 The Nemours Foundation
Wilmington, Delaware
MED PORT

1.6 million

Three unencrypted computer backup tapes were reported missing on September 8.  The tapes were stored in a locked cabinet, which had been temporarily relocated on or around August 10 for a facility remodeling project.  The cabinet was not found.  The tapes had been stored in the cabinet since 2004 and contained patient information stored between 1994 and 2004.  Names, Social Security numbers, addresses, dates of birth, insurance information, medical treatment information, and direct deposit bank account information were exposed.

UPDATE (10/12/2011): Patients and their guarantors, vendors, and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey, and Florida were affected.  In addition to medical treatment information, the payroll information of current and former employees was exposed.  Nemours took steps to encrypt all computer backup tapes and move non-essential computer backup tapes to a secure, off-site storage facility after the breach.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 1,600,000

May 31, 2006 Texas Guaranteed Student Loan Corp. via subcontractor Hummingbird
Round Rock, Texas
BSF UNKN

1,300,000 plus 400,000 for total of 1,700,000

Additional location: Toronto, Canada

Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.

UPDATE (6/16/06):TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,700,000

February 12, 2011 Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center, and Gunhill Health Center
New York, New York
MED PORT

1.7 million

Health and Hospital Corporation is the group that runs the affected hospitals and clinics.  

The New York City Health & Hospitals Corporation's North Bronx Healthcare Network experienced a breach.  Backup tapes were stolen from an unsecured and unlocked van during transport by GRM Information Management Services.  The theft occurred during December of 2010.  The information on the tapes was from patients, staff members and associated employees and dated back to 1991.  Names, Social Security numbers, addresses, patient health information and other patient and employee information may have been exposed.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 1,700,000

March 15, 2011 Health Net Inc., International Business Machines (IBM)
Rancho Cordova, California
MED PORT

1.9 million

Customers with questions may call (855) 434-8081.

Health Net's statement about the breach can be read here.

Nine disc drives that contained sensitive health information went missing from Health Net's data center in Rancho Cordova, California.  The drives contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. The 1.9 million victims include 622,000 California residents enrolled in Health Net HMOs, 223,000 Californians enrolled in Health Net PPOs and people enrolled in Medicare and other plans. The drives were discovered missing on January 21, but affected individuals were not notified until March 14.

UPDATE (06/07/2011): A class-action lawsuit seeks $5 million from Health Net Inc. and its vendor IBM.  The complaint alleges that Health Net and IBM breached their duty of confidentiality and negligently allowed the release of highly personal and confidential information. The complaint alleges violation of California's Confidentiality of Medical Information Act, Cal. Civ. Code § 56; Cal. Civ. Code § 1798.2, which concerns the unauthorized disclosure of customer records; Cal. Bus. & Prof. Code § 17200, California's unfair-competition law; and public disclosure of private facts.  The lawsuit is seeking injunctive relief, compensatory damages, declaratory relief, and attorney fees and costs.  The citation is Bournas v. Health Net Inc., No.2_11-CV-01262, complaint filed (E.D. Cal. May 11, 2011).

UPDATE (08/09/2011): Health Net's chief operating officer apologized to customers after it was discovered that the original analysis of the breach was flawed.  Around 124,000 Oregon residents who were current members, former members, or employees were believed to have been affected.  Health Net discovered that an additional 6,300 Oregonians had their personal information on the stolen computer drives.  

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 1,900,000

March 2, 2006 Los Angeles County Department of Social Services
Los Angeles, California
GOV PHYS

Potentially 2,000,000

It is unclear if this is the same incident that involved the information of 94,000 people being left next to a recycling bin outside of the Department of Public Social Services in January of 2006.

File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended for at least one month.  This affects employees and clients.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,000,000

April 17, 2008 University of Miami
Miami, Florida
MED PORT

2,100,000

  (866) 628-4492

Computer tapes containing confidential information of Miami patients was stolen last month when thieves took a case out of a van used by a private off-site storage company. The data included names, addresses, Social Security numbers or health information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,100,000

November 27, 2013 Maricopa County Community College District
Phoenix, Arizona
EDU UNKN

2.49 million

An unspecified data breach may have exposed the information of current and former students, employees, and vendors.  Names, Social Security numbers, bank account information, and dates of birth may have been viewed by unauthorized parties.

UPDATE (12/02/2013): Student academic information may have also been exposed.  The Maricopa County Community College District's governing board will spend as much as $7 million to notify and offer credit monitoring to those who may have been affected.

UPDATE (12/07/2013): Estimations for the cost of the breach are as high as $14 million.

UPDATE (4/22/2014): Maricopa County Community College District waited seven months to inform 2.5 millions individuals (students, staff, graduates) of the security breach. The District is now in a class action lawsuit. The lawsuit claims that the "FBI warned the Maricopa County Community College District in January of 2011 that a number of its databases had been breached and made available for sale on the Internet". It was also reported that "the district's Information Technology Services employee also became aware of the security breach in January 2011, and repeatedly reported their findings to Vice Chancellor George Kahkedjian".

 
Information Source:
Media
records from this breach used in our total: 2,490,000

September 7, 2006 Circuit City and Chase Card Services, a division of JP Morgan Chase & Co.
Wilmington, Delaware
BSF PORT

2.6 million past and current Circuit City credit cardholders

Chase Card Services mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders' personal information.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 2,600,000

January 25, 2014 Michaels Stores Inc.
Irving, Texas
BSR HACK

2.6 million cards

On January 25, 2014, Michaels Stores Inc. communicated with customers as to the possibility of a security breach regarding customers payment cards. They have not confirmed as of yet, that a breach did occur, however based on a preliminary investigation and in light of the recent Target and Neiman Marcus breaches, the company felt it was important to warn customers of the possibility of a breach.

Michaels is currently working with investigators as to the potential of this breach. No additional detailed information has been supplied by the company.

UPDATE (2/11/2014): A class action lawsuit has been filed against Michaels by an individual. The suit claims that "the arts and crafts supplier failed to secure and safeguard customers’ private financial information".  The suit also alleges that "Michaels failed to adequately monitor its payment systems in such a manner that would enable the retailer to detect fraud or other signs of tampering so that the breach of security and diversion of customer information was able to continue unnoticed for a period of time".

It has also been reported that Michaels failed to disclose a data breach that occurred in May of 2011. A lawsuit was filed for the 2011 breach, but was settled. 

The company has not yet released the total number of individuals affected by the breach or when the breach might have taken place.

UPDATE (7/22/2014): "A federal court in Illinois held July 14 that an elevated risk of identity theft from a Michaels Stores Inc. breach provides standing, but without evidence of specific monetary damages that risk is insufficient to support statutory or common law claims (Moyer v. Michaels Stores, Inc., N.D. Ill., No. 1:14-cv-00561,dismissed 7/14/14).

Judge Elaine E. Bucklo of the U.S. District Court for the Northern District of Illinois dismissed the case against the arts and crafts retailer, finding that the plaintiffs failed to plead monetary damages".

 

 
Information Source:
Media
records from this breach used in our total: 2,600,000

April 10, 2007 Georgia Department of Community Health, Affiliated Computer Services (ACS)
Atlanta, Georgia
GOV PORT

2,900,000

http://dch.georgia.gov/vgn/images/portal/cit_1210/19/38/80010015Public_Notice-Missing_Personal_Data.pdf, (866) 213-3969

A computer disk containing personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers went missing from a private vendor, Affiliated Computer Services (ACS), contracted to handle health care claims for the state.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,900,000

Breach Total
930,526,448 RECORDS BREACHED
(Please see explanation about this total.)
from 4,427 DATA BREACHES made public since 2005
Showing 4351-4400 of 4427 results


X

Sign In!

Loading