Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list


Breach Total
816,324,756 RECORDS BREACHED
(Please see explanation about this total.)
from 4,517 DATA BREACHES made public since 2005
Date Made Public | Name | Entity | Type
February 16, 2006 University of Washington Medical Center
Seattle, Washington
MED HACK

Unknown

The hacked system serves users at Harborview Medical Center, University of Washington Medical Center, University of Washington School of Medicine, UW Medicine Neighborhood Clinics and UW Physicians.

A hacker broke into the UW Medicine computer system in June of 2004. The incident was not discovered until December of 2005. The hacker may have accessed and copied patient and business records for 18 months. The goal of the hacker appears to have been to use the system for its computing power and data storage.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0
February 16, 2006 The Princeton Review
New York, New York
BSR DISC

Unknown

An unauthorized user attempted to obtain the IDs and passwords of a small number of account holders. A small number of the accounts may have contained names, Social Security numbers, dates of birth, email addresses, mailing addresses and information from college applications. The unauthorized user may have had access to the information before the February 10 incident was discovered. At least 35 New York residents were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0
February 15, 2006 U.S. Department of Agriculture (USDA)
Washington, District Of Columbia
GOV DISC

350,000

The Social Security numbers of tobacco farmers were accidentally released when the U.S. Department of Agriculture attempted to comply with the Freedom of Information Act.  Those who received the information agreed to destroy any copies and return the original discs, which also contained tax identification numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 350,000
February 15, 2006 Old Dominion University
Norfolk, Virginia
EDU DISC

601

An instructor posted a class roster containing names and Social Security numbers to a publicly accessible website.  The information was posted during the spring semester of 2004.  Letters were sent to affected students which contained websites where the students could check to see if they had been victims of identity theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 601
February 15, 2006 Suffolk County Clerk's Office
Long Island, New York
GOV DISC

7,000

Between 7,000 and 8,000 homeowners had their Social Security numbers accidentally posted online. After discovering the mistake, County officials realized that they could not remove the information. People who pay to access the County's public records online will be able to see the Social Security numbers associated with people and addresses in the system that date back to 2001. The county could not alter public records in any way, but a new program will be implemented to block the Social Security numbers from newly recorded documents.

 
Information Source:
Dataloss DB
records from this breach used in our total: 7,000
February 13, 2006 Ernst & Young
New York, New York
BSO PORT

38,000

Additional locations: Throughout the US and UK

38,000 BP employees in the U.S., in addition to Sun, Cisco and IBM employees.

A laptop containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees was stolen from a locked car. While Ernst and Young waited until pressured to inform a majority of those affected about the breach, at least one CEO from the affected companies was contacted immediately.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 38,000
February 9, 2006 OfficeMax
Naperville, Illinois
BSR HACK

200,000, although total number is unknown.

The location listed is OfficeMax's headquarters. Sam's Club and other businesses may have also been affected.

Debit card accounts and PIN numbers from bank and credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo) were exposed. The crooks created counterfeit cards to make fraudulent purchases and withdrawals from card-holder accounts.

UPDATE (3/14/06) New Jersey law enforcement arrested 14 people connected to the crime spree. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 200,000
February 6, 2006 Prudential Financial Inc.
Newark, New Jersey
BSF DISC

1,000

A health insurer claims data were erroneously faxed to a company in Canada by doctors and clinics across the U.S. Data included the patients' Social Security numbers, bank account details and health care information.

 
Information Source:
Media
records from this breach used in our total: 1,000
February 4, 2006 FedEx
Los Angeles, California
BSO DISC

1,100

Up to 1,100 workers in Los Angeles and Orange Counties could be affected.

Eighty-five hundred W-2 forms including other workers' tax information such as Social Security numbers and salaries were sent out to employees. Fewer than 1,100 employees had their information exposed.  The company suspects that their internal processing center may have misaligned the forms and caused them to be cut in the wrong place. Workers were asked not to open their W-2s, but many had already done so before the notification. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,100
February 2, 2006 Presbyterian Healthcare Service
Albuquerque, New Mexico
MED STAT

450

The theft of a computer may have exposed patient and physician information. Names, Social Security numbers, addresses, phone numbers and credit card numbers were on the computer. The computer may have been stolen for the purpose of committing identity theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 450
February 1, 2006 Blue Cross and Blue Shield of North Carolina
Durham, North Carolina
BSO DISC

629

Social Security numbers of members were printed on the mailing labels of envelopes with information about a new insurance plan.  Those who were affected were contacted immediately.

 
Information Source:
Dataloss DB
records from this breach used in our total: 629
February 1, 2006 University of Colorado, Colorado Springs (UCCS)
Colorado Springs, Colorado
EDU HACK

2,500

Names, Social Security numbers, addresses and birth dates of current and former employees were accessed. A computer in the Personnel Department was hacked and infected with a virus. People employed by the University at any time between the attack and 2004 are at risk. The virus infected other computers at the University and was part of a worldwide attack.

 
Information Source:
Dataloss DB
records from this breach used in our total: 2,500
January 31, 2006 Boston Globe (The New York Times Company) and The Worcester Telegram & Gazette
Boston, Massachusetts
BSO DISC

240,000

Recycled paper used in wrapping newspaper bundles for distribution turned out to contain credit and debit card information along with routing information for personal checks of subscribers.

 

 
Information Source:
Dataloss DB
records from this breach used in our total: 240,000
January 31, 2006 Honeywell International
Morristown, New Jersey
BSO UNKN

19,000

Personal information of current and former employees including Social Security numbers and bank account information was posted on an Internet Web site. It was not known whether this was the result of a malicious insider or an administrative error.  Current and former employees whose information was compromised were informed immediately and offered free credit monitoring and identity theft insurance.

 
Information Source:
Dataloss DB
records from this breach used in our total: 19,000
January 27, 2006 State of Rhode Island website (www.RI.gov)
Providence, Rhode Island
GOV HACK

4,118

Hackers obtained credit card information in conjunction with names and addresses. The credit card companies were notified of the breach, but not the customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 4,118
January 26, 2006 College of St. Scholastica
Duluth, Minnesota
EDU STAT

12,000

A computer was stolen from a locked office in the College's Information Technology Department on or around December 24. The computer had Social Security numbers and names of current and former students. The thief was caught and claims that none of the personal information was used.

 
Information Source:
Dataloss DB
records from this breach used in our total: 12,000
January 25, 2006 Providence Home Services
Portland, Oregon
MED PORT

365,000

Backup tapes, laptops and disks containing Social Security numbers, clinical and demographic information were stolen from the car of an employee. In a small number of cases, patient financial data was stolen.

UPDATE (9/26/06) Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs.

UPDATE (7/15/08) Providence Health will pay $100,000 and adhere to a compliance plan under the first ever Resolution Agreement negotiated by CMS (Centers for Medicare and Medicaid Services of the U.S. Dept. of Health and Human Services) under the HIPAA Privacy and Security Standards. The Corrective Action Plan requires Providence to revamp its security policies to include physical protections for portable devices and off-site transport and storage of backup media. Further, it must implement technical safeguards, such as encryption and password protection. And it must conduct random compliance audits and submit compliance reports to HHS for the next three years.

UPDATE (4/16/2012): The Oregon Supreme Court struck down a class-action suit against Providence Health Systems.  The Oregon Supreme Court claimed that there was no evidence that any of the 365,000 patients who were affected by the breach suffered any financial loss or other adverse consequences.

 
Information Source:
Dataloss DB
records from this breach used in our total: 365,000
January 25, 2006 University of Delaware
Newark, Delaware
EDU STAT

159

Two separate breaches occurred on the campus during November and December. A computer from the School of Urban Affairs and Public Policy was hacked and a back-up hard drive was stolen from the Department of Entomology and Wildlife Ecology. The hacking incident occurred between November 22 and 26 and exposed the Social Security numbers of 159 graduate students. The hard drive theft occurred between December 16 and 18 and the personal information of an unknown number of people was exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 159
January 24, 2006 University of Washington Medical Center
Seattle, Washington
MED PORT

1,600

Laptops containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data were stolen from a UW office.  The information was password protected and the affected patients were notified.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,600
January 23, 2006 University of Notre Dame
Notre Dame, Indiana
EDU HACK

Unknown

Hackers may have accessed Social Security numbers, credit card information and check images of people who donated to the University between November 22 of 2005 and January 12 of 2006.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0
January 21, 2006 California Army National Guard
Sacramento, California
GOV PHYS

Hundreds (at least 200)

A briefcase with personal information of National Guardsmen including a seniority roster, Social Security numbers and dates of birth was stolen from the car of an employee.  A memo was sent to National Guard soldiers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 200
January 20, 2006 Indiana University, University Place Conference Center & Hotel
Indianapolis, Indiana
BSO HACK

Unknown

The computer housing the reservations database was compromised. Data included credit card account numbers and names.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0
January 20, 2006 University of Kansas (Kansas University)
Lawrence, Kansas
EDU DISC

9,200

A computer file with sensitive personal information was accessible to the public.  Students who applied and paid an application fee online between April 29, 2001 and December 16, 2005 had their names, Social Security numbers, birth dates, addresses, phone numbers and credit card numbers exposed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 9,200
January 17, 2006 City of San Diego, Water & Sewer Department
San Diego, California
GOV INSD

Unknown

A dishonest employee accessed customer account files, including Social Security numbers, and stole the identities of two individuals.

 
Information Source:
Media
records from this breach used in our total: 0
January 16, 2006 New York City Teachers Retirement System
New York, New York
GOV INSD

5,800

A dishonest employee and two others were arrested for their part in writing and cashing fraudulent checks. Police found fraudulent checks with the names of 19 pension members and beneficiaries in the apartment of the former employee. The employee was originally hired as a temp and had worked for the company for three years. He had access to the information of 5,800 pension members.

 
Information Source:
Dataloss DB
records from this breach used in our total: 5,800
January 15, 2006 Illinois Education Association
Springfield, Illinois
NGO STAT

Unknown

Two laptops, six desktops and a digital camera were stolen from the Illinois Education Association office sometime prior to the week of January 3. Some of the computers contained Social Security numbers of members. Many member organizations were affected. Over 2,400 members from the Elgin Area School District were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0
January 12, 2006 People's Bank
Bridgeport, Connecticut
BSF PORT

90,000

A computer tape containing names, addresses, Social Security numbers, and checking account numbers was lost while being transported by UPS.  The bank alerted the affected customers and provided them with a credit monitoring service for one year.

 
Information Source:
Dataloss DB
records from this breach used in our total: 90,000
January 2, 2006 H&R Block
Kansas City, Missouri
BSO DISC

Unknown

H&R Block included Social Security numbers in a 40-digit number string on mailing labels.  Affected individuals were contacted.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0
January 1, 2006 University of Pittsburgh Medical Center, Squirrel Hill Family Medicine
Pittsburgh, Pennsylvania
MED STAT

700

Six computers containing names, Social Security numbers, and birth dates of patients were stolen from doctors' offices. A letter was sent notifying the affected patients.

 
Information Source:
Dataloss DB
records from this breach used in our total: 700
December 28, 2005 Marriott International Inc.
Orlando, Florida
BSR PORT

206,000

It is unclear whether backup computer tapes with credit card account information and Social Security numbers were lost or stolen from headquarters during November. Employees and time-share owners and customers were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 206,000
December 25, 2005 Ameriprise Financial Inc.
Minneapolis, Minnesota
BSF PORT

226,000

(877) 267-7408

A laptop was stolen from an employee's car on Christmas eve. It contained customers' names and Social Security numbers and in some cases, Ameriprise account information. Around 68,000 customers had their names and Social Security numbers exposed.  Around 158,000 customers had their names and internal account numbers exposed.

UPDATE (08/01/06): The laptop was recovered by local law enforcement in the community where it was stolen.

UPDATE (12/11/06): The company settled with the Massachusetts securities regulator in the office of the Secretary of State. Ameriprise agreed to hire an independent consultant to review its policies and procedures for employees' and contractors' use of laptops containing personal information. Ameriprise will pay the state regulator $25,000 for the cost of the investigation.

 
Information Source:
Dataloss DB
records from this breach used in our total: 262,000
December 22, 2005 Ford Motor Co.
Dearborn, Michigan
BSO STAT

70,000

A computer containing names and Social Security numbers of current and former employees was stolen.  Ford alerted those who were affected and offered to pay for their credit monitoring services.

 
Information Source:
Dataloss DB
records from this breach used in our total: 70,000
December 22, 2005 H&R Block
Kansas City, Missouri
BSO DISC

Unknown

Many past and present customers received unsolicited copies of the program TaxCut that displayed their Social Security numbers on the outside, embedded in a lengthy string of code.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0
December 21, 2005 Sunrise Volkswagen
Lynbrook, New York
BSR PHYS

Unknown

Bank credit applications with names, Social Security numbers, addresses, telephone numbers, employment information and signatures were obtained by unauthorized access between December 15 and 16.  

 
Information Source:
Dataloss DB
records from this breach used in our total: 0
December 20, 2005 Guidance Software, Inc.
Pasadena, California
BSO HACK

3,800

A hacked database exposed credit card numbers of law enforcement officials and network security professionals. The company is a leading provider of software used to diagnose hacking attacks.

UPDATE (4/3/07): The FTC came to a settlement agreement and final consent order against Guidance Software.

 
Information Source:
Dataloss DB
records from this breach used in our total: 3,800
December 16, 2005 La Salle Bank, ABN AMRO Mortgage Group, DHL
Ann Arbor, Michigan
BSF PORT

[2,000,000] Not included in total below.

A backup tape with residential mortgage customers' information was lost in shipment by DHL.  It contained Social Security numbers and account information.

UPDATE (12/20/05): DHL found the lost tape.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0
December 16, 2005 Colorado Technical University (CTU)
Colorado Springs, Colorado
EDU DISC

300

An email was erroneously sent which contained names, phone numbers, email addresses, Social Security numbers and class schedules.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 300
December 12, 2005 Sam's Club, a division of Wal-Mart Stores, Inc
Bentonville, Arkansas
BSR UNKN

Unknown

Note: location is corporate headquarters, not necessarily the location of the breach.

Customers who used credit cards at the wholesaler's gas stations discovered fraudulent activity on their credit accounts.  Sam's Club is unaware of how the information was stolen.  Visa alerted the affected financial institutions and asked them to provide fraud monitoring services for the affected customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0
December 12, 2005 Iowa State University
Ames, Iowa
EDU HACK

5,500

At least one ISU computer was hacked. Social Security numbers and encrypted credit card numbers may have been obtained. Between 2,000 and 2,500 Social Security numbers are at risk and between 2,300 and 3,000 credit card numbers are at risk. Student, alumni, employee and volunteer information was put at risk. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 5,500
December 9, 2005 Oregon Community Credit Union
Springfield, Oregon
BSF PHYS

200

A packet of insurance forms with names, Social Security numbers and addresses of around 200 Oregon Community Credit Union employees was inside of a stolen car. Someone tried to use the identity of an employee after the theft.  The company is on alert and purchased extended identity theft insurance for those who were affected by the theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 200
December 8, 2005 San Antonio Independent School District
San Antonio, Texas
EDU PORT

1,000

A laptop with personal information of more than a thousand teachers was stolen from an employee's unlocked car.  The information included names, Social Security numbers and dates of birth. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000
December 8, 2005 J. Sargeant Reynolds Community College
Richmond, Virginia
EDU DISC

26,000

The names, Social Security numbers and addresses of students taking non-credit classes from 2000 to 2003 were posted online for months.  The information was compiled for a mailing list, but an employee posted it on the College's server.  A student informed officials of the mistake after accessing the information online.  The College began the process of removing the information from the web.

 
Information Source:
Dataloss DB
records from this breach used in our total: 26,000
December 8, 2005 Federal Reserve Bank of Dallas
Dallas, Texas
GOV PHYS

8,000

A courier truck dropped canceled personal and business checks on northbound Central Expressway near Woodall Rodgers Freeway around 4 a.m.  The incident closed the freeway exit until 7 a.m.  Employees from the Federal Reserve, the courier company and the Texas Department of Transportation removed many checks, though some disappeared.  Some unaffiliated people also returned checks to the authorities.  A very similar incident happened in August of 2005.

 
Information Source:
Dataloss DB
records from this breach used in our total: 8,000
December 7, 2005 Idaho State University, Office of Institutional Research
Pocatello, Idaho
EDU HACK

Unknown

Contact: Information Technology Services (208) 282-2872, http://www.isu.edu/announcement/

ISU discovered a security breach in a server containing archival information about students, faculty, and staff, including names, Social Security numbers, birth dates, and grades. Anyone who was a student or employee between 1995 and 2005 could be affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0
December 6, 2005 Washington State Employment Security Department
Olympia, Washington
GOV PORT

530

A laptop was stolen from the trunk of an auditor's car. Names, Social Security numbers and earnings of former employees from 2002 to 2005 were exposed. The Employment Security Department does not have all of the contact information for those affected and used the media to help notify those whose information was compromised. The laptop contained unemployment insurance reports for 49 Seattle businesses that were undergoing routine audits by Employment Security between November 2004 and October 2005.

 
Information Source:
Dataloss DB
records from this breach used in our total: 530
December 2, 2005 Cornell University
Ithaca, New York
EDU HACK

900

The University discovered a security breach last summer that exposed names, addresses, Social Security numbers, bank names and account numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 900
December 1, 2005 First Trust Bank
Memphis, Tennessee
BSF PORT

100,000

A man claiming to be a janitor bypassed security and stole a laptop from the bank.  The laptop contained Social Security numbers and other personal information of current and former customers.  Affected customers were contacted and the theft was caught on tape.

 
Information Source:
Dataloss DB
records from this breach used in our total: 100,000
December 1, 2005 University of San Diego
San Diego, California
EDU HACK

7,800

Hackers gained access to computers containing personal income tax data, including Social Security numbers, names, and addresses.  Faculty members, students and vendors had their information compromised and were notified by the University.

 
Information Source:
Dataloss DB
records from this breach used in our total: 7,800
November 23, 2005 University of Delaware
Newark, Delaware
EDU HACK

952

Two separate departments were breached by hacking within a short period of time.  A School of Education computer with the names and Social Security numbers of 772 students registered in online education courses was attacked in late August.  A Department of English computer that had the Social Security numbers of 180 faculty, graduate assistant and other teaching staff from the department was also hacked in August.  The larger breach appears to be the result of someone attempting to establish an illegal movie sharing system.  The smaller breach was a possible attempt to log onto and control one server in order to gain control over servers of other campuses.  Those affected received notification and Social Security numbers have been removed from both servers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 952
November 19, 2005 Boeing
Chicago, Illinois
BSO PORT

161,000

A laptop containing names, Social Security numbers, bank account information and other human resources data was stolen.  Affected current and former employees were notified.

 
Information Source:
Dataloss DB
records from this breach used in our total: 161,000
