Frequently Asked Questions About the Chronology of Data Breaches
- What does the Chronology of Data Breaches contain?
- What does the Total Number indicate?
- Is the Chronology of Data Breaches a complete listing of all breaches?
- Are there state-specific breach listings?
- How often is the Chronology updated?
- Where do you obtain information about the data breaches that are reported on this Web page?
- What should I do if my personal information has been compromised in a data breach?
- Are there resources for businesses and other organizations on how to avoid having sensitive data breached?
- What should I do if my business or organization experiences a security breach?
- Do states have laws that require those entities that experience a data breach to notify the affected individuals?
- Which states have laws that require breached organizations to report breaches and submit notice letters to a central clearinghouse?
- Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have any analyses of security breach laws been published?
- Are there other resources with additional information about security breaches?
The data breaches noted here have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not counted the number of records involved in such breaches in the total, because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. The breaches posted below include only those reported in the United States. They do not include incidents in other countries.
The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.
In reality, the number given below should be much larger. For many of the breaches listed, the number of records is unknown. Further, this list is not a comprehensive compilation of all breach data (see below).
No, it is not a complete listing of breaches. The list is a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches. But the list is not a comprehensive listing. Reported incidents affecting more than nine individuals from an identifiable entity are included. Breaches affecting nine or fewer individuals are included if there is a compelling reason to alert consumers. Most of the information is derived from the Open Security Foundation list-serve (see below), which is in turn derived from verifiable media stories, government web sites/pages, or blog posts with information pertinent to the breach in question. If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere. If you are aware of a breach that is not included in our list below, feel free to contact us here: http://www.privacyrights.org/about_us.htm
Some states have laws that require breaches to be reported to a centralized database. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia's notification law only applies to electronic breaches affecting more than 1,000 residents). However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. For details, see the Open Security Foundation DataLossDB website: http://datalossdb.org/primary_sources
We usually update this list every two days.
Where do you obtain information about the data breaches that are reported on this Web page?
Most of the breaches summarized below on this page have been obtained from the Open Security Foundation list-serve. As of January 2010, we have expanded our sources to also include Databreaches.net, PHI Privacy and NAID. As of March 2012, we began using the California Attorney General list of data breaches.
- The Open Security Foundation's DataLossDB.org (www.datalossdb.org ) offers a free e-mail list-serve on the latest breaches.
To subscribe to DataLoss, send a message to: firstname.lastname@example.org 
- Consumers may access a list of data breaches from Datalossdb.org upon creating a username and password. The DataLossDB.org page includes a search engine and news articles for the breaches listed below, and also provides an open source database of its data breach records. It is a flat comma-separated value file that can be imported into a database or spreadsheet program for your own data analysis.
- Beginning in January 2010, we expanded the sources of our breaches. We now include the following sources:
- Databreaches.net (www.databreaches.net ) is a spinoff from www.PogoWasRight.org  and compiles a wide range of breach reports since January 2009.
- Personal Health Information Privacy (www.phiprivacy.net/ ), affiliated with Databreaches.net , is a database that compiles only medical data breaches. Many of these are obtained from the US Department of Health and Human Services' medical data breach list (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html ), which provides only minimal information.
- National Association for Information Destruction, Inc (www.naidonline.org ) provides monthly newsletters that include a number of data breaches largely due to improper document destruction.
For tips on what to do if your personal information has been exposed due to a security breach, read our guide at http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm
Learn about security and privacy protection practices for your workplace.
- Debix data breach resources (laws, notice letters, audit guide, webinars), http://debix.com/business/resources.php 
- Visual Data Breach Risk Assessment Study, by PeopleSecurity for 3M (Dec. 2010), http://solutions.3m.com/3MContentRetrievalAPI/BlobServlet?locale=en_US&lmd=1291398659000&assetId=1273672752407&assetType=MMM_Image&blobAttribute=ImageFile 
- "Guide to Protecting the Confidentiality of Personally Identifiable Information," National Institute of Standards and Technology. Special Publication 800-122. (April 2010) http://ssrn.com/abstract=1671082 .
- Forrester Consulting Study, “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk” (April 2010), sponsored by RSA and Microsoft, available at www.rsa.com/CorporateSecrets . For the press release, see http://www.microsoft.com/Presspass/press/2010/apr10/04-05MSRSAPR.mspx?rss_fdn=Press%20Releases
- "Data Breach and Incident Readiness Planning Guide" from the Online Trust Alliance (January 2011).
- "Security & Privacy -- Made Simpler," from the Better Business Bureau http://www.bbb.org/us/corporate-engagement/security/ 
- “Protecting Personal Information: A Guide for Business,” from the Federal Trade Commission. www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index. 
- “Information Security Handbook,” from the National Institute of Standards and Technology
- “Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace,” from the Privacy Rights Clearinghouse
- The California Office of Privacy Protection has developed a series of Recommended Practices. Several of the guides may be helpful in protecting your business whether or not you are located in California.
- “A California Business Privacy Handbook,” www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf 
- “Recommended Practices for Protecting the Confidentiality of Social Security Numbers,” www.privacyprotection.ca.gov/res/docs/pdf/ssnrecommendations.pdf
The following resources guide businesses that have experienced a security breach through the notification process and through working with law enforcement.
- “Recommended Practices on Notification of Security Breach Involving Personal Information,” from the California Office of Privacy Protection may be useful whether or not you are located in California. http://tinyurl.com/9npvftl 
- “Dealing with a Data Breach,” from the Federal Trade Commission
Yes. The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches. It is the first of its kind in the nation, implemented July 2003.
Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
- http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx 
- Description of California law, SB 1386, www.privacyrights.org/ar/SecurityBreach.htm 
- http://www.privacy.ca.gov/business/recom_breach_prac.pdf 
For a list of states enacting security breach and freeze laws, visit these Web sites:
- Map of State Data Breach Notification Laws (August 2012) http://net-security.org/secworld.php?id=13490 
- Intersections Data Breach Consumer Notification Guide, by Intersections, Inc. (July 2010)
- Security breach notice laws provided by Consumers Union
- Nymity map, "Breach Notification Laws of the United States," http://www.nymity.com/FormDownload.aspx?docid=E5AE006F-1947-4163-BDAC-0BFE129E5C89 (registration required)
- Security Breach Notification Chart (Perkins, Coie)
- State Data Breach Notification Laws (Scott&Scott)
- State Data Security Breach Legislation Survey, by Mintz Levin law firm (updated August 2009),
- State Laws Governing Security Breach Notification (Crowell Moring)
- Security freeze laws (Consumers Union)
(Note: As of November 2007, the three credit bureaus enable individuals nationwide to freeze their credit reports.)
The state of Massachusetts requires that breached entities report data breaches to the Massachusetts Office of Consumer Affairs and Business Regulation.
- Breach report, 2011, http://www.mass.gov/ocabr/docs/2011-data-breach-report.pdf 
The Open Security Foundation and Chris Walsh have compiled breach notice letters from the states that require breached entities to submit such letters to a central repository. These states are: Maryland, New Hampshire, New York, North Carolina, and Vermont. To view these letters, visit http://datalossdb.org/primary_sources .
As of January 2012, the California Attorney General posts data breach notice letters here: http://oag.ca.gov/ecrime/databreach/list . Additional information about data security breach reporting is found here: http://oag.ca.gov/ecrime/databreach/reporting .
Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have any analyses of security breach laws been published?
- College Data Breach Infographic - 8 Years of Data Breaches (Apr. 23 2013) http://www.databreachwatch.org/college-data-breach-infograhic-8-years-of-data-breaches/ 
- 2013 Data Breach Investigations Report (Apr. 23, 2013) http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf 
- 2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters (Feb. 2013) (purchase required) https://www.javelinstrategy.com/brochure/276
- 2013 Trustwave Global Security Report (Feb. 21, 2013) (registration required) https://www2.trustwave.com/2013GSR.html 
- Redspin Breach Report 2012 - Protected Health Information (Feb. 13, 2013) (registration required) http://www.redspin.com/docs/Redspin_Breach_Report_2012.pdf 
- Report: Large-Scale Data Breaches Climb, but Fewer Patients Affected (Feb. 14, 2013) http://tinyurl.com/b2z4oo8 
- 2013 Data Privacy, Information Security and Cyber Insurance Trends, by Cyber Data-Risk Managers (Jan. 2013) http://tinyurl.com/bdjn2qd 
- 5th Annual HIMSS Security Survey (Dec. 12, 2012), www.himss.org/content/files/2012_HIMSS_SecuritySurvey.pdf 
- Third Annual Benchmark Study on Patient Privacy and Data Security, by Ponemon Institute (Dec. 2012) (registration required) http://www2.idexpertscorp.com/ponemon2012/
- Empirical Analysis of Data Breach Litigation by Romanosky, Hoffman, and Acquisti (Feb. 2012) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461 
- HITECH Act Three Years Later: Are Health Records Safe? by Kaufman, Rossin & Co. (Sept. 2012) http://www.kaufmanrossin.com/images/news/docs/N/343/Two%20Years%20Later_final.pdf
- Guide to Privacy and Security of Health Information, Office of the National Coordinator for Health Information Technology (May 2012), http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf 
- Massachusetts Office of Consumer Affairs and Business Regulation, "2011 Data Breach Notification Report" (April 2012), http://www.mass.gov/ocabr/docs/2011-data-breach-report.pdf
- Security Best Practices for File-Based Data Movement: an IT Practitioners Guide, by Rod Gifford (April 2012) http://tinyurl.com/822kn2d 
- 2012 HIMSS Analytics Report: Security of Patient Data (April 2012), http://www.krollcybersecurity.com/white-papers/himss-2012-43port.aspx  (registration required)
- 2012 Verizon Data Breach Investigation Report (March 2012) http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z037 
- The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security (March 2012) http://webstore.ansi.org/phi/  (free, although registration is required).
- Redspin Breach Report 2011 - Protected Health Information (Feb. 9, 2012) http://www.redspin.com/docs/Redspin_PHI_2011_Breach_Report.pdf  (registration required)
- Trustwave 2012 Global Security Report https://www.trustwave.com/global-security-report  (registration required), news story at http://www.infosecurity-us.com/view/23746/food-and-beverage-industry-has-unsavory-history-of-databreaches/ .
- Survey finds that data breaches cause lasting and costly damage, taking average of one year to restore reputation (Ponemon Institute, Oct. 27, 2011)(no endorsements implied) http://www.ponemon.org/index.php  http://tinyurl.com/7fcvq5x 
- 2011 Survey of Patient Data Breaches, by Veriphyr, (Aug. 2011), http://www.veriphyr.com/landing/HIPAA_violation_survey/  (registration required).
- Perceptions of Network Security: Survey of IT and IT Security Practitioners in the U.S., by Juniper Networks and Ponemon Institute http://tinyurl.com/itsecuritysurvey  (June 2011) (Finding: 90% of study recipients reported at least one breach in the past year).
- U.S. Dept. of Health & Human Services Inspector General's review of the Centers for Medicare and Medicaid Services Oversight of HIPAA, particularly the implementation of electronic medical records. http://oig.hhs.gov/oas/reports/region4/40805069.pdf  (May 16, 2011) (Findings: Digital medical records are vulnerable).
- 2011 Data Breach Investigations Report, by Verizon Risk Team, U.S. Secret Service and Dutch High Tech Crime Unit (April 2010), http://www.verizonbusiness.com/resources/report/rp_data-breach-investigations-report-2011_en_xg.pdf 
- Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency, by McAfee and SAIC (March 2011), http://www.mcafee.com/us/resources/reports/rp-underground-economies 
- 61% of Data Breaches a Result of Malicious Intent, by Becker's Hospital Review: Business & Legal Issues For Health System Leadership. (February 11, 2011), http://tinyurl.com/Becker61-DBreachesMalicious 
- Privacy and Security in Health Care: A Fresh Look, by Deloitte Center for Health Solutions (Feb. 2011), http://www.deloitte.com/us/privacyandsecurityinhealthcare
- Preventing a Data Breach and Protecting Health Records: One Year Later: Are you Vulnerable to a Breach? by Kaufman, Rossin & Co. (Feb. 2011) (registration required) http://tinyurl.com/8pkh2zv 
- 2010 Annual Study: U.S. Cost of a Data Breach, by Ponemon Institute and Symantec (March 2011), http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf . Symantec and the Ponemon Institute have also launched the Data Breach Risk Calculator. This free online tool lets companies estimate how a data breach could impact the company.
- Benchmark Study on Patient Privacy and Data Security, by Ponemon Institute (registration required, November 2010) http://www2.idexpertscorp.com/resources/healthcare/healthcare-articles-whitepapers/ponemon-benchmark-study-on-patient-data-security-practices/?utm_source=Ponemon%2BRedirect&utm_medium=Online&utm_campaign=Ponemon%2BRedirect/ 
- Many Practices, Hospitals Don't Monitor Data Security, report of survey in AMEDNEWS.com (Nov. 22, 2010), http://www.ama-assn.org/amednews/2010/11/22/bisc1122htm 
- Report on Hawaii: Personal Information Breaches, Part 1. (Nov. 17, 2010), http://www.libertycoalition.net/sites/privacyrights.org/files/2010-11-17%20Report%20on%20Hawaii%20Breaches%20Part%201.pdf 
- Microsoft Security Intelligence Report [for first half of 2010] (Vol. 9, October 2010), http://www.microsoft.com/security/sir/default.aspx 
- Data Leakage Detection, by Panagiotis Papadimitriou and Hector Garcia-Molina, IEEE Transactions on Knowledge and Data Engineering (Vol. No. 2010), http://ilpubs.stanford.edu:8090/968/1/leakage_tkde_final.pdf 
- Privacy Breach Benchmarks Compel Care Providers to Deploy Breach Monitoring and Commit to a Culture of Privacy and Compliance, by FairWarning (2010), http://www.fairwarning.com/documents/2010-FAIRWARNING-FINDINGS-REPORT.pdf 
- An Analysis of Breaches Affecting 500 or More Individuals in Healthcare, by Chris Hourihan, HiTrust (August 2010) https://www.hitrustcentral.net/blogs/ht/archive/2010/08/02/update-an-analysis-of-hhs-breach-data.aspx 
- Outbound Email and Dataloss Prevention in Today's Enterprise, by Proofpoint and Osterman Research (Aug. 2010) http://www.proofpoint.com/id/outbound/index.php  (registration required)
- Verizon 2010 Data Breach Report, in collaboration with U.S. Secret Service (July 2010), www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf 
- The Leaking Vault: Five Years of Data Breaches, by Suzanne Widup, published by Digital Forensics Association (July 2010), www.digitalforensicsassociation.org/storage/The_Leaking_Vault-Five_Years_of_Data_Breaches.pdf 
- HIMSS and Kroll study, "2010 HIMSS Analytics Report: Security of Patient Data" (April 2010). Study: www.krollfraudsolutions.com/about-kroll/HIMSS-Security-Patient-Data-Report.aspx (registration required). News story: http://www.healthcareitnews.com/news/study-points-critical-gaps-hospital-data-security
- InformationWeek Analytics 2010 Strategic Security Survey, by Michael A. David (April 2010) http://reports.informationweek.com/abstract/21/3018/Security/research-2010-strategic-security-survey.html  (registration required)
- Fourth Annual U.S. Cost of Data Breach study (Ponemon Institute) (January 2009) http://blogs.findlaw.com/technologist/2010/02/data-security-breaches-cost-real-money.html 
- Outpacing Change: Ernst & Young's 12th Annual Global Information Security Survey (2009), http://www.ey.com/GL/en/Services/Assurance/Fraud-Investigation---Dispute-Services/Global-Fraud-Survey---a-place-for-integrity
- Deloitte 2009 TMT Global Security Survey (May 14, 2009)
- Your Botnet is My Botnet: Analysis of a Botnet Takeover (Brett Stone-Gross, et al., UC-Santa Barbara, 2009) (analysis of Torpig)
- Using Science to Battle Data Loss: Analyzing Breaches by Type and Industry (Interhack, Matthew Curtin and Lee Ayres, April 2009)
- 2009 Data Breach Investigations Report (Verizon)
- Airport Insecurity: The Case of Lost & Missing Laptops (Larry Ponemon, June 30, 2008)
- More Than Half of Ex-Employees Admit to Stealing Company Data According to New Study (Symantec, Ponemon, Feb. 2009)
- Data Hemorrhages in the Health-Care Sector [on P2P networks]. (Eric Johnson, Dartmouth College, Feb. 2009), http://mba.tuck.dartmouth.edu/digital/Research/ResearchProjects/JohnsonHemorrhagesFC09Proceedingd.pdf 
- Data Leakage Worldwide: White Paper (Cisco, 2008)
- "Education Sector Data Breach Study" (Joseph Campana, Nov. 2008)
- 2008 Data Breach Investigations Report (Verizon)
- Adam Dodge has compiled a report, "ESI Year in Review - 2007," on the information security incidents occurring at colleges and universities around the world as reported in the news during 2007 (posted February 10, 2008). http://www.adamdodge.com/esi/yir_2007
- For a statistical breakdown of types of breaches and an analysis by industry sector for 2006, see Beth Rosenberg's report, www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
- Jimmy Atkinson's "Ask the Advisor" blog features a post, "How Many Times Has Your Personal Information Been Stolen This Year?" at www.yourcreditadvisor.com/blog/2007/07/how_many_times.html 
- To use an online "calculator" to arrive at an estimated cost of a breach based on the number of records exposed, visit this Web site: www.tech-404.com/calculator.html  (no product endorsements are implied).
LEGAL AND POLICY ANALYSES
- State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust, by Deloitte and National Association of State Chief Information Officers (Sept. 2010), http://www.nascio.org/publications/documents/Deloitte-NASCIOCybersecurityStudy2010.pdf  
- Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes, by Dana Lesemann (September 2, 2010). Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Available at SSRN: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1671082 
- Prepared Testimony of Federal Trade Commission on Data Security, by Maneesha Mithal, before the U.S. Senate's Committee on Commerce Science, and Transportation, Subcommittee on Consumer Protection, Product Safety and Insurance (Sept. 22, 2010). http://www.ftc.gov/os/testimony/100922datasecuritytestimony.pdf 
- Data Breach Notification Law Across the World from California to Australia (Alana Maurushat, Univ. of New South Wales Faculty of Law Research Series, 2009), http://law.bepress.com/unswwps-flrps09/art11/
- Read the June 2008 study, "Do Data Breach Disclosure Laws Reduce Identity Theft?" (Sasha Romanosky et al.)
- CSO Online, "Data Breach Notification Laws, State by State (with map)," (Feb. 12, 2008),
- Read an analysis by California attorney Alan Mansfield about the California security breach law,
- Read law school professors Schwartz and Janger's law review article on data breach notice laws,
- Read commentary by Jeffrey Rawitz, Jones Day law firm, "Security Breach Notification Requirements"
- Read an analysis of state security breach notice laws by Alan Wernick, Esq., in the Journal of AHIMA (Nov.-Dec. 2006)
- Read "Security Breach Notifications: a State and Federal Law Maze" (July 27, 2005) by Gibson, Dunn & Crutcher LLP, www.gibsondunn.com/publications/pages/SecurityBreachNotificationsaStateandFederalLawMaze.aspx . For a state-by-state analysis, view this chart.
- Read "The Cyber Risks of Outsourcing" by Branner and Freeman (Sept. 2007)
- Legal Risks on the Radar, by Corporate Board Member (August 2012), http://finance.yahoo.com/news/corporate-board-member-fti-consulting-153300873.html (includes discussion of IT security as the number-one-rated risk)
- Health-Related Data Breaches Affecting 500 or More Persons. Website of U.S. Dept. of Health and Human Services, http://tinyurl.com/hhsbreachtool 
- Tax Returns Expose Social Security Numbers to Public, by Identity Finder (April 2012) (registration required), http://www.identityfinder.com/us/Files/TaxReturnExposure.pdf 
- Social-Engineer.org: Social Engineering Capture the Flag Results (from Defcon 19 conference, 2011) (a report on the use of a social engineering experiment to obtain sensitive company information) http://www.social-engineer.com/downloads/Social-Engineer_Defcon_19_SECTF_Results_Report.pdf 
- Doppelganger Domains (typo-squatting study re: email messages), by Garrett Gee and Peter Kim of the Godai Group (Sept. 6, 2011), http://www.wired.com/images_blogs/threatlevel/2011/09/Doppelganger.Domains.pdf. 
- Data Breach and Encryption Handbook, by Lucy Thomson, ed., American Bar Assoc. (Feb. 2011), http://apps.americanbar.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=540059 
- U.S. Health & Human Services list of health-related breaches
- Maine Attorney General's Office, breach listing, as posted by Datalossdb:
- Identity Theft Resource Center (contains links to news stories)
- New Hampshire Dept. of Justice Security Breach List
- Adam Shostack's Blog: http://www.homeport.org/~adam/ 
- Pogo Was Right
- Read more about security breaches at www.databreaches.net , a service of Pogo Was Right (see above).
- Educational Security Incidents (Adam Dodge)
- Security Beat (includes links to news articles and offers free e-mail list-serve)
- World Privacy Forum, Security Breaches in the Digital Medical Environment (scroll to section D of testimony)