Chronology of Data Breaches:

Send to PrinterSend to Printer

Return to the Chronology of Data Breaches

Frequently Asked Questions About the Chronology of Data Breaches

What does the Chronology of Data Breaches contain?

The data breaches noted here have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. The breaches posted below include only those reported in the United States. They do not include incidents in other countries.

What does the Total Number indicate?

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals. 

In reality, the number given below should be much larger. For many of the breaches listed, the number of records is unknown. Further, this list is not a comprehensive compilation of all breach data (see below).

Is the Chronology of Data Breaches a complete listing of all breaches?

No, it is not a complete listing of breaches. The list is a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches. But the list is not a comprehensive listing. Reported incidents affecting more than nine individuals from an identifiable entity are included. Breaches affecting nine or fewer individuals are included if there is a compelling reason to alert consumers. Most of the information is obtained from verifiable media stories, government web sites/pages (for example state Attorneys General such as the California AG’s breach website), or blog posts with information pertinent to the breach in question. If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere. If you are aware of a breach that is not included in our list, below, feel free to contact us here: .

Are there state-specific breach listings?

Some states have state laws that require breaches to be reported to a centralized data base. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).  However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. For details, see the Open Security Foundation Datalossdb website:

How often is the Chronology updated?

We usually update this list every two days.

Where do you obtain information about the data breaches that are reported on this Web page?

Most of the breaches summarized below on this page have been obtained from the Open Security Foundation list-serve.  As of January 2010, we have expanded our sources to also include, PHI Privacy and NAID.  As of March 2012, we began using the California Attorney General list of data breaches.

  • The Open Security Foundation's ( offers a free e-mail list-serve on the latest breaches.
    To subscribe to DataLoss, send a message to:
  • Consumers may access a list of data breaches from upon creating a username and password.  The page includes a search engine and news articles for the breaches listed below, and also provides an open source database of its data breach records. It is a flat comma-separated value file that can be imported into a database or spreadsheet program for your own data analysis. 
  • Beginning in January 2010, we have expanded the sources of our breaches.  We now include the following sources:

Uses of Chronology of Data Breaches in Publications: Please Footnote the Source Appropriately

Privacy Rights Clearinghouse publishes the Chronology of Data Breaches as a source of information for both past and current breaches. Any individual or organization is welcome to use our data for research as well as general interest. If data from the Chronology is cited in a publication, including papers and research by students, please properly footnote the Chronology of Data Breaches as the source.

It’s important to note that our Chronology of Data Breaches does not reflect a complete list of breaches. We obtain information about breaches from the media and from sources such as websites of state Attorneys General for states in which AGs make such information available. In addition, our numbers only include breaches that occur within the United States. No international data breaches are posted.  For additional information about the Chronology of Data Breaches, please read our FAQ here.

What should I do if my personal information has been compromised in a data breach?

For tips on what to do if your personal information has been exposed due to a security breach, read our guide at

Are there resources for businesses and other organizations on how to avoid having sensitive data breached?

Learn about security and privacy protection practices for your workplace.

What should I do if my business or organization experiences a security breach?

The following resources guide businesses who have experienced a security breach through the notification process and in working with law enforcement.

Do states have laws that require those entities that experience a data breach to notify those affected?

Yes. The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches. It is the first of its kind in the nation, implemented July 2003.

Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. 


For a list of states enacting security breach and freeze laws, visit these Web sites:

Which states have laws that require breached organizations to report breaches and submit notice letters to a central clearinghouse?

The state of Massachusetts requires that breached entities report data breaches to the Massachusetts Office of Consumer Affairs and Business Regulation.

The Open Security Foundation and Chris Walsh have compiled breach notice letters from the states that require breached entities to submit such letters to a central repository. These states are: Maryland, New Hampshire, New York, North Carolina, and Vermont. To view these letters, visit

As of January 2012, the California Attorney General posts data breach notice letters here: Additional information about data security breach reporting is found here:

Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have any analyses of security breach laws been published?







Are there other resources with additional information about security breaches?