Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Breach Total
815,842,526 RECORDS BREACHED
(Please see explanation about this total.)
from 4,489 DATA BREACHES made public since 2005


Date Made Public Name Entity Type
April 18, 2012 Emory Healthcare, Emory University Hospital
Atlanta, Georgia
MED PORT

315,000 (228,000 SSNs reported)

Patients with questions may call the Emory Healthcare Support Center hotline at 1-855-205-6950.

Emory Healthcare revealed that 10 backup discs that contained patient information are missing from a storage location at Emory University Hospital.  The discs were determined to have been removed sometime between February 7, 2012, and February 20, 2012.  The patient information was related to surgery and included names, Social Security numbers, diagnoses, dates of surgery, procedure codes or the name of the surgical procedures, surgeon names, anesthesiologist names, device implant information, and other protected health information.  Patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and Emory Clinic Ambulatory Surgery Center between September of 1990 and April of 2007 were affected.

UPDATE (6/09/2012): A suit seeking class action status was filed on June 4.  The suit seeks unspecified damages over the loss of 10 computer disks containing the personal and health information of between 250,000 and 315,000 patients treated between 1999 and 2007.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 228,000

May 19, 2007 Texas Commission on Law Enforcement Standards and Education
Austin, Texas
GOV PORT

230,000

A laptop computer was stolen from the state agency that licenses police officers. It contained information on every licensed peace officer in Texas, including SSNs, driver's license numbers, and birth dates.

 
Information Source:
Dataloss DB
records from this breach used in our total: 230,000

October 30, 2007 Hartford Financial Services Group
Hartford, Connecticut
BSF PORT

230,000

Other locations: Ohio

Three backup tapes that contained personal information of 230,000 customers, including 9,200 Ohioans, mainly of the company's property lines, were misplaced.

 
Information Source:
Dataloss DB
records from this breach used in our total: 230,000

May 23, 2006 Mortgage Lenders Network USA
Middletown, Connecticut
BSF INSD

231,000

A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information - including customers' names, addresses, Social Security numbers, loan numbers, and loan types - if the company didn't pay him. He stole the files over the 16 months he worked there.

 
Information Source:
Dataloss DB
records from this breach used in our total: 231,000

January 12, 2011 Seacoast Radiology
Rochester, New Hampshire
MED HACK

231,400

http://www.seacoastprivacy.com/

On November 12, Seacoast discovered that a server had been breached. Patient names, Social Security numbers, addresses, phone numbers and other personal information may have been exposed by the breach. Credit card and other financial information were not exposed. The estimated number of individuals who received notification is 231,400.  Not all people who received a notification letter were affected.  Patients and people serving as insurance guarantors were affected. It is believed that the hackers were utilizing Seacoast's bandwidth to play a popular game called Call of Duty: Black Ops.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 231,400

May 14, 2014 Paytime
Mechanicsburg, Pennsylvania
BSF HACK

233,000

Paytime issued notices to its customers about a data breach that it discovered on April 30.

According to recent reports, the breach has affected approximately 233,000 individuals in every state, although the majority were in Pennsylvania. The information could have included "employees' names, Social Security Numbers, direct deposit bank account information (if provided), dates of birth, hire dates, wage information, home and cell phone numbers, other payroll related information and home addresses".

The investigation so far has uncovered that "intruders were skilled hackers working from foreign IP addresses."

 

 
Information Source:
Media
records from this breach used in our total: 233,000

November 30, 2012 Western Connecticut State University
Danbury, Connecticut
EDU DISC

235,000

A computer vulnerability allowed the information of students, student families, and other people affiliated with the University to be exposed. The records covered a 13 year period and included Social Security numbers.  High school students who had associations with the University may have had their SAT scores exposed as well.  The issue existed between April 2009 and September 2012.  

 
Information Source:
Media
records from this breach used in our total: 235,000

October 26, 2006 Akron Children's Hospital
Akron, Ohio
MED HACK

235,903

Overseas hackers broke into two computers at Children's Hospital. One contains private patient data (including Social Security numbers) and the other holds billing and banking information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 235,903

January 31, 2006 Boston Globe (The New York Times Company) and The Worcester Telegram & Gazette
Boston, Massachusetts
BSO DISC

240,000

Recycled paper used in wrapping newspaper bundles for distribution turned out to contain credit and debit card information along with routing information for personal checks of subscribers.

 

 
Information Source:
Dataloss DB
records from this breach used in our total: 240,000

June 1, 2006 Ernst & Young
New York, New York
BSO PORT

243,000

Additional locations: Throughout the US and UK. Breach occurred in Texas.

A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an employee's car in Texas.

 
Information Source:
Media
records from this breach used in our total: 243,000

March 30, 2007 Los Angeles County Child Support Services
Los Angeles, California
GOV PORT

243,000

Three laptops containing personal information including about 130,500 Social Security numbers — most without names, 12,000 individuals' names and addresses, and more than 101,000 child support case numbers were apparently stolen from the department's office.

 
Information Source:
Dataloss DB
records from this breach used in our total: 243,000

November 6, 2009 National Archives and Records Administration
College Park, Maryland
GOV STAT

250,000

The National Archives and Records Administration violated its information security policies by returning failed hard drives from systems containing personally identifiable information of current government employees and military veterans back to vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them. On two separate occasions the agency sent defective disk drives back to vendors under a maintenance contract, rather than destroying and disposing of them in-house.

UPDATE (1/12/2010): There was a rather large amount of data on this hard drive -- as much as two terabytes of data. The NARA is having to, in effect, do a forensic analysis to try to identify individuals and their information. They had a rolling production of notices to individuals. The total had been 26,000, and then their forensic contractor came up with a new group that contained as many as 150,000 names.

UPDATE (1/27/2010): Media stories now put the number of records involved at 250,000.

 
Information Source:
Dataloss DB
records from this breach used in our total: 250,000

May 19, 2009 National Archives and Records Administration
College Park, Maryland
GOV PORT

250,000

The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures. The Archives had been converting the Clinton administration information to a digital records system when the hard drive went missing. The hard drive was left on a shelf and unused for an uncertain period of time. When the employee tried to resume work, the hard drive was missing.

 
Information Source:
Dataloss DB
records from this breach used in our total: 250,000

December 2, 2008 Florida Agency for Workforce Innovation
Tallahassee, Florida
GOV DISC

259,193

Employment information and more than a quarter million Social Security numbers were posted online. The breach occurred when several thousand Excel and text files containing millions of employment records were posted in the course of developing a new website.

 
Information Source:
Dataloss DB
records from this breach used in our total: 259,193

January 8, 2008 Wisconsin Department of Health and Family Services
Madison, Wisconsin
GOV DISC

260,000

Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state, Electronic Data Systems Inc. (EDS), to recipients of SeniorCare, BadgerCare and Medicaid. The company agreed to pay $250,000 to the state for the mistake, as well as paying for an identity theft monitoring service for the affected individuals, for a total of about $1 million.

 
Information Source:
Dataloss DB
records from this breach used in our total: 260,000

October 8, 2012 TD Bank
Cherry Hill, New Jersey
BSF PORT

260,000

Two data backup tapes were lost during shipping in late March 2012.  The tapes included customer names, Social Security numbers, addresses, account numbers, debit card numbers, and credit card numbers.

UPDATE (10/13/2012): A total of 260,000 customers from Maine to Florida were notified.

UPDATE (10/15/2014):  "TD Bank NA has agreed to pay $850,000 to settle a multistate probe into the security breach, New York's attorney general said".

More Information: http://www.bloomberg.com/news/2014-10-15/td-bank-resolves-claims-over-da...

UPDATE (12/10/2014): TD Bank has settled with the state of Massachusetts for $625,000, separate from the settlement deals above that the bank made with other states.

More Information: http://www.americanbanker.com/news/bank-technology/td-bank-pays-625000-i...

 
Information Source:
California Attorney General
records from this breach used in our total: 260,000

December 25, 2005 Ameriprise Financial Inc.
Minneapolis, Minnesota
BSF PORT

226,000

(877) 267-7408

A laptop was stolen from an employee's car on Christmas Eve. It contained customers' names and Social Security numbers and, in some cases, Ameriprise account information. Around 68,000 customers had their names and Social Security numbers exposed. Around 158,000 customers had their names and internal account numbers exposed.

UPDATE (08/01/06): The laptop was recovered by local law enforcement in the community where it was stolen.

UPDATE (12/11/06): The company settled with the Massachusetts securities regulator in the office of the Secretary of State. Ameriprise agreed to hire an independent consultant to review its policies and procedures for employees' and contractors' use of laptops containing personal information. Ameriprise will pay the state regulator $25,000 for the cost of the investigation.

 
Information Source:
Dataloss DB
records from this breach used in our total: 262,000

October 23, 2006 Sisters of St. Francis Health Services via Advanced Receivables Strategy (ARS), a Perot Systems Company
Indianapolis, Indiana
MED PORT

266,200

(866) 714-7606

On July 28, 2006, a contractor working for Advanced Receivables Strategy, a medical billing records company, misplaced CDs containing the names and SSNs of 266,200 patients, employees, physicians, and board members of St. Francis hospitals in Indiana and Illinois. About 260,000 patients and about 6,200 employees, board members and physicians were affected for a total of 266,200.  Also affected were records of Greater Lafayette Health Services. The disks were inadvertently left in a laptop case that was returned to a store. The purchaser returned the disks. The records were not encrypted even though St. Francis and ARS policies require encryption.

 
Information Source:
Dataloss DB
records from this breach used in our total: 266,200

April 6, 2007 Hortica (Florists’ Mutual Insurance Company), UPS
Edwardsville, Illinois
BSF PORT

268,000

http://www.hortica-insurance.com/hotTopics/26.PDF, (800) 851-7740, securedata@hortica-insurance.com

A locked shipping case of backup tapes containing personal information including names, Social Security numbers, drivers' license numbers, and bank account numbers went missing while in transit with UPS.

 
Information Source:
Dataloss DB
records from this breach used in our total: 268,000

December 5, 2007 Memorial Blood Centers
Duluth, Minnesota
MED PORT

268,000

Hot Line (888) 333-1491 Contacts: Memorial Blood Centers Laura Kaplan, (651) 332-7220 lkaplan@mbc.org or Jim McCartney, (952) 346-6688

A laptop computer holding donor information was stolen. About 268,000 donor records on this laptop computer contain a donor name in combination with the donor's Social Security number.

 
Information Source:
Dataloss DB
records from this breach used in our total: 268,000

July 12, 2005 University of Southern California (USC)
Los Angeles, California
EDU DISC

270,000 possibly accessed, dozens exposed

A reporter contacted USC based on an individual's claim to be able to access personal information on college applicants online.  USC removed the site pending investigation and sent letters to affected individuals.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 270,000

April 6, 2012 Utah Department of Health
Salt Lake City, Utah
GOV HACK

780,000 (280,000 SSNs)

Utah Medicaid clients have had their information exposed by a hack of an improperly protected Utah Department of Health computer server.  The breach was discovered when an unusual amount of data was found to be streaming out of the server on April 2. Medicaid clients who had not had their Social Security numbers transitioned into the system had their Social Security numbers exposed.  A majority of the affected individuals had medical claims, dates of birth, addresses, physicians' names, and other forms of medical information exposed, but not Social Security numbers. Two out of three of those who were affected were children.  The cost of working with the credit-reporting company Experian to contain the breach is estimated to be $460,000.

UPDATE (04/10/2012): Though the number of affected individuals was originally reported as 181,604 with 25,096 Social Security numbers exposed, Utah Department of Health reported that nearly 280,000 people had their Social Security numbers exposed by the breach. An additional 500,000 victims did not have their Social Security numbers exposed, but had some form of personal information such as date of birth, name, and address exposed. People who visited a health care provider in the past four months are likely to have been affected by the breach.

UPDATE (05/15/2012): The governor of Utah fired the Director of the Department of Technology Services and appointed a new employee, an ombudsman, to shepherd victims through the process of protecting their identities and credit.  Two other members of the technology services department are under review.  The vulnerability that caused the breach was partly, if not fully, due to failure to change a default password. Additionally, data will now be encrypted while it is on Utah servers as well as when it is in transit.

UPDATE (07/22/2012): Those who wish to learn more about the Utah Department of Health breach will be able to attend a series of statewide workshops running from July 26 until August 22.  Information on Utah's Data Breach Security Tour can be found here.

UPDATE (03/25/2013): The state legislature of Utah added a second year of free credit monitoring for those who were affected by the breach. Additionally, a Utah health department official revealed that only 59,500 people had taken advantage of the first year of free credit monitoring service. Those who did not enroll in 2012 may call 801-538-6923 or email ombudsman@utah.gov to sign up for the 2013-2014 term.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 280,000

March 6, 2014 North Dakota University
Bismarck, North Dakota
EDU HACK

290,780

North Dakota University System has notified individuals of a security breach of a computer server that stores personal information on students, staff and faculty.

On February 7, 2014 the server was hacked into. More than 209,000 current and former students and 780 faculty and staff had personal information stored on this server, including names and Social Security numbers, according to Larry Skogen, the Interim Chancellor.

The university has notified officials and has set up a website www.ndus.edu/data with information and is organizing a call center for questions from those who were affected.

Authorities have announced that "an entity operating outside the United States apparently used the server as a launching pad to attack other computers, possibly accessing outside accounts to send phishing emails".

 
Information Source:
Media
records from this breach used in our total: 290,780

January 9, 2007 Towers Perrin
New York, New York
BSF INSD

300,000

 

Around 18,000 past and present employees, presumably of Altria, and 6,300 employees of Philip Morris were affected.

 

Five laptops were stolen from Towers Perrin, allegedly by a former employee. The theft occurred Nov. 27, 2006. The computers contain names, SSNs, and other pension-related information, presumably of several companies, although news reports are not clear. Companies named include Altria (unknown number, possibly 18,000 employees) and Philip Morris (6,300 employees).

UPDATE (1/11/07): NY police arrested a junior-level administrative employee of the company in the theft of the laptops.

UPDATE (2/6/09): It now appears that 300,000 people were affected.  Additional companies include Citigroup, Time Warner, United Technologies, Prudential Financial, Random House, Stanley Inc., Bertelsmann Services Inc., Lloyd's Register Group, AGL Resources Inc., Salvage Association, The Nielsen Company, Major League Baseball, Unilever, Harlequin Holdings, Celanese Americas Corporation, The Interpublic Group, Dover Corporation, Continuum Health Partners, Maersk Inc./P&O Nedlloyd, Roman Catholic Diocese of Brooklyn, Cambrex Corporation, Strategic Industries, Shorewood, Swiss International Air Lines, LTD, Alpharma Inc.

 
Information Source:
Dataloss DB
records from this breach used in our total: 300,000

May 19, 2007 Illinois Dept. of Financial and Professional Regulation
Chicago, Illinois
GOV HACK

300,000

For information about breach www.idfpr.com

A computer server in the office of the Illinois Dept. of Financial and Professional Regulation was breached earlier this year. SSNs, tax numbers, and addresses of banking and real estate licensees and applicants were exposed. The hacking incident was discovered May 3.

 
Information Source:
Dataloss DB
records from this breach used in our total: 300,000

January 29, 2008 Horizon Blue Cross Blue Shield
Newark, New Jersey
MED PORT

300,000

More than 300,000 members' names, Social Security numbers and other personal information were contained on a laptop computer that was stolen. The laptop was being taken home by an employee who regularly works with member data.

 
Information Source:
Dataloss DB
records from this breach used in our total: 300,000

November 15, 2006 Look Tours LLC
North Las Vegas, Nevada
BSR STAT

300,000

A number of computers were stolen during a September 28 office burglary. Some of the information on the computers included name, address, email address and credit card number and information. Customers and some current and former employees and consultants were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 300,000

March 3, 2011 Cord Blood Registry
San Francisco, California
MED PORT

300,000

Backup tapes were stolen from an employee's car in San Francisco on December 13, 2010. Names and Social Security, driver's license and credit card numbers were on the tapes. The tapes were not encrypted. Customers began receiving notification on February 14 of 2011. A computer and other personal property were stolen during the burglary.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 300,000

June 12, 2011 Southern California Medical-Legal Consultants, Inc. (SCMLC)
Seal Beach, California
BSO DISC

300,000

Those with questions may call 562-493-0851 or email notify@scmlc.com.

A data security firm discovered that SCMLC data was available online.  The names and Social Security numbers of around 300,000 people who applied for California workers' compensation benefits may have been accessed by unauthorized parties.

 
Information Source:
Databreaches.net
records from this breach used in our total: 300,000

December 16, 2011 Restaurant Depot, Jetro Cash & Carry
College Point, New York
BSR HACK

300,000

The location listed is that of Restaurant Depot's corporate location.

People who shopped at Jetro or Restaurant Depot between September 21 and November 18 may have had their credit or debit card information taken by a hacker.  Customer names, card numbers, expiration dates, and verification codes were exposed.  The breach investigation began on November 9 when the parent company became aware of customers experiencing card fraud.

 
Information Source:
Databreaches.net
records from this breach used in our total: 300,000

January 28, 2013 Cbr Systems
San Bruno, California
MED PORT

300,000

The 2010 theft of a company laptop, a hard drive, and a number of unencrypted backup tapes resulted in the exposure of sensitive information.  Social security numbers, credit and debit card numbers, driver's license numbers, and dates of birth were contained on one or more of the devices.

Cbr Systems reached a settlement with the Federal Trade Commission in early 2013.  Cbr Systems must establish an information security program and be independently audited every other year for 20 years.  The full settlement can be found here: http://ftc.gov/opa/2013/01/cbr.shtm

 
Information Source:
Media
records from this breach used in our total: 300,000

June 29, 2006 Nebraska Treasurer's Office
Lincoln, Nebraska
GOV HACK

309,000

A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information such as tax identification numbers for 9,000 businesses.

 
Information Source:
Dataloss DB
records from this breach used in our total: 309,000

February 19, 2014 University of Maryland
College Park, Maryland
EDU HACK

309,079

The University of Maryland, located in College Town Maryland, had one of its records databases hacked on Tuesday, January 18, 2014 around 4:00 a.m. by an outside source.

This particular database holds information dating back to 1998 and includes names, Social Security numbers, dates of birth and university identification numbers for 309,079 people affiliated with the school at their College Park and Shady Grove campuses.

The hackers did not alter anything in the actual database, but apparently have made a "copy" of the information. The university commented on how sophisticated the attack was, saying that the hacker or hackers must have had a "very significant understanding" of how the database was designed and maintained, including the level of encryption and protection of the database.

According to the university President, school officials are investigating the breach and taking steps to prevent any further system intrusions.

The college has put out the following statements:

"The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.

University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.

All updates regarding this matter will be posted to this website.  If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu".

 

 
Information Source:
Media
records from this breach used in our total: 309,079

March 10, 2005 LexisNexis
Dayton, Ohio
BSO INSD

310,000

Unauthorized individuals used IDs and passwords of legitimate customers to obtain consumers' Social Security numbers, driver's license numbers, and names and addresses. Most of the breaches were at the company's subsidiary Seisint Inc., based in Florida.

UPDATE (4/12/05): An internal investigation at LexisNexis has uncovered evidence that an additional 280,000 records may have been involved in this breach, increasing the total from 30,000 to 310,000.

UPDATE (06/30/06): Five men were arrested in connection with this breach.

 
Information Source:
Dataloss DB
records from this breach used in our total: 310,000

February 13, 2008 Lifeblood
Memphis, Tennessee
MED PORT

321,000

Laptop computers with birth dates and other personal information of roughly 321,000 blood donors are missing and presumed stolen. Stored inside both computers were names, birth dates and addresses at the time of the individual's last donation or attempted donation. In most cases, the donors' Social Security numbers were also stored, along with driver's licenses, telephone numbers, e-mail addresses, ethnicity, marital status, blood type and cholesterol levels. Social Security numbers had been used to track blood from the donor to the recipients.

 
Information Source:
Dataloss DB
records from this breach used in our total: 321,000

May 16, 2006 American Institute of Certified Public Accountants (AICPA)
New York, New York
NGO PORT

330,000 [Updated 6/16/06]

An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company. AICPA offered one year of free credit monitoring services to affected members.

 
Information Source:
Dataloss DB
records from this breach used in our total: 330,000

November 12, 2008 University of Florida College of Dentistry
Gainesville, Florida
EDU HACK

330,000

Some current and former dental patients have been notified that an unauthorized intruder recently accessed a College of Dentistry computer server storing their personal information. College information technology staff members were upgrading the server and found software had been installed on it remotely. Information stored on the server included names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information for patients dating back to 1990.

 
Information Source:
Dataloss DB
records from this breach used in our total: 330,000

October 27, 2006 Link Staffing Services
Houston, Texas
BSO STAT

332,000

On September 26 it was discovered that a computer server was stolen during an office burglary. The server had employee names and Social Security numbers. Current and former employees were notified at the end of October after an investigation of the breach.

 
Information Source:
Dataloss DB
records from this breach used in our total: 332,000

December 28, 2007 Davidson County Election Commission
Nashville, Tennessee
GOV PORT

337,000

Someone broke into several county offices over Christmas and stole laptop computers that county officials now believe may have contained Social Security numbers and other personal information for every registered voter in Davidson County.

UPDATE (1/19/08): Metro Police confirmed late Thursday they have recovered the hard drive from the laptop computer, containing names and complete Social Security numbers for 337,000 registered voters, that was stolen from the Election Commission in December.

 
Information Source:
Dataloss DB
records from this breach used in our total: 337,000

February 15, 2006 U.S. Department of Agriculture (USDA)
Washington, District Of Columbia
GOV DISC

350,000

The Social Security numbers of tobacco farmers were accidentally released when the U.S. Department of Agriculture attempted to comply with the Freedom of Information Act.  Those who received the information agreed to destroy any copies and return the original discs, which also contained tax identification numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 350,000

February 15, 2012 University of North Carolina at Charlotte
Charlotte, North Carolina
EDU DISC

350,000

UNC-Charlotte will post information about the breach here.  Those with questions may also call (855) 205-6937.

An online security breach occurred at the UNC-Charlotte campus and was discovered on January 31.  It is unclear how much information could have been accessed. The number of people affected was not revealed.  An email alert was sent to students and staff on February 15 in order to inform them that a "potentially significant data exposure of its Information Systems" had occurred.  The University also stated that it had corrected the known issues related to the breach.

UPDATE (5/09/2012): Around 350,000 people had their Social Security numbers exposed. Financial information was also exposed.  A system misconfiguration and incorrect access settings caused a large amount of electronic data hosted by the University to be accessible from the Internet. One exposure issue affected general University systems over a period of about three months.  A second exposure issue affected the college of engineering systems for over a decade.

 
Information Source:
Databreaches.net
records from this breach used in our total: 350,000

June 9, 2011 Citibank
New York, New York
BSF HACK

360,000

Customers may call 888-640-4982 for more information.

Hackers have managed to access the information of approximately 1% of Citibank's 21 million users. U.S. customer names, account numbers, and contact information were exposed. Security codes and dates of birth were not exposed. The breach occurred sometime in May.

UPDATE (6/13/2011): Citibank released an official statement on the Citigroup website.

UPDATE (6/14/2011): It has been revealed that hackers obtained customer names, account numbers and transaction information by logging into the customer credit card site and guessing the account numbers of other customers.  Since the account number appeared in the web address browser bar, simply altering an account number allowed the hackers to access a different account.  The hackers also utilized an automatic computer program to guess account numbers quickly. This incident appears to have occurred in early May.

UPDATE (6/14/2011): Connecticut Attorney General George Jepsen asked Citigroup Inc. to provide more information about the data breach.  Jepsen feels that more information about the types of account information exposed, the cause of the breach, the steps taken to notify affected individuals and the steps to prevent future breaches is needed.  He requested the additional information by June 22.

UPDATE (6/16/2011): The number of affected individuals has been raised from 210,000 to 360,000.  Further investigation of and information about the breach revealed that the breach was discovered on May 10.  By May 24, Citigroup officials concluded that the data thieves had captured names, account numbers, and email addresses of about 360,000 customer accounts.  Social Security numbers, expiration dates, and three-digit security passwords found on the back of credit cards were not exposed.

UPDATE (6/24/2011): At least 3,400 of the customers whose credit card information was stolen have suffered a combined loss of $2,700,000.

UPDATE (09/03/2013): Citibank has agreed to pay $15,000 in civil penalties to Connecticut's Privacy Protection Guaranty and Enforcement Account and $40,000 to the General Fund of Connecticut.  Citibank will also hire a third party to conduct an information security audit of the Account Online section of Citibank's website.

 
Information Source:
Databreaches.net
records from this breach used in our total: 360,000

January 25, 2006 Providence Home Services
Portland, Oregon
MED PORT

365,000

Backup tapes, laptops and disks containing Social Security numbers, clinical and demographic information were stolen from the car of an employee. In a small number of cases, patient financial data was stolen.

UPDATE (9/26/06) Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs.

UPDATE (7/15/08) Providence Health will pay $100,000 and adhere to a compliance plan under the first ever Resolution Agreement negotiated by CMS (Centers for Medicare and Medicaid Services of the U.S. Dept. of Health and Human Services) under the HIPAA Privacy and Security Standards. The Corrective Action Plan requires Providence to revamp its security policies to include physical protections for portable devices and off-site transport and storage of backup media. Further, it must implement technical safeguards, such as encryption and password protection. And it must conduct random compliance audits and submit compliance reports to HHS for the next three years.

UPDATE (4/16/2012): The Oregon Supreme Court struck down a class-action suit against Providence Health Systems.  The Oregon Supreme Court claimed that there was no evidence that any of the 365,000 patients who were affected by the breach suffered any financial loss or other adverse consequences.

 
Information Source:
Dataloss DB
records from this breach used in our total: 365,000

July 12, 2010 Marsh and Mercer
Washington, District Of Columbia
BSF PORT

378,000

Marsh and Mercer's Seabury and Smith, Inc. and Mercer Health and Benefits LLC operations were involved.  The list of known organizations with affected employees includes Idaho Power, Saint Luke's Health System and Saint Alphonsus Regional Medical Center.

The location is listed as Seabury and Smith's office.

The insurance broker and benefits consulting firm reported the loss of a backup tape during transport.  The tape contained employee benefits information for companies that used Marsh and Mercer for consultation. Names, addresses, Social Security numbers, dates of birth, account information and driver's license numbers were on the tape.

UPDATE (8/9/10): Three hundred current and former Boise, Idaho city employees were also affected.

UPDATE (8/26/10): The Idaho Power website revealed that around 5,000 employees were affected, and a total of 375,000 individuals from other organizations were affected.

 
Information Source:
Databreaches.net
records from this breach used in our total: 378,000

December 13, 2006 Boeing
Seattle, Washington
BSO PORT

382,000 current and former employees

In early December, a laptop was stolen from an employee's car. Files contained names, salary information, SSNs, home addresses, phone numbers and dates of birth of current and former employees.

UPDATE (12/14/06): Boeing fired the employee whose laptop was stolen.

UPDATE (1/26/07): The laptop was recovered.

 
Information Source:
Dataloss DB
records from this breach used in our total: 382,000

December 12, 2006 Aetna, Nationwide, WellPoint Group Health Plans, Humana Medicare, Mutual of Omaha Insurance Company, Anthem Blue Cross Blue Shield via Concentra Preferred Systems
Dayton, Ohio
MED PORT

396,279

A lockbox holding personal information of health insurance customers was stolen Oct. 26. Thieves broke into an office building occupied by insurance company vendor, Concentra Preferred Systems. The lockbox contained computer backup tapes of medical claim data for Aetna and other Concentra health plan clients. Exposed data includes member names, hospital codes, and either SSNs or Aetna member ID numbers. SSNs of 750 medical professionals were also exposed. Officials downplay the risk by stating that the tapes cannot be used on a standard PC.

UPDATE (12/23/06): The lockbox also contained tapes with personal information of 42,000 NY employees insured by Group Health Insurance Inc.

UPDATE (1/24/07): Personal data of 28,279 of Nationwide's Ohio customers was also compromised.  2/11/10: Total changed to 396,279 to reflect the final total of records breached in all of the affected companies.

 
Information Source:
Dataloss DB
records from this breach used in our total: 396,279

February 24, 2011 Cambridge Who's Who Publishing, Inc.
Uniondale, New York
BSO PORT

400,000

A former employee made accusations that Who's Who experienced a breach of 400,000 data tapes with customer information.  It is not clear what happened, but the tapes were misplaced during the shipping process sometime before October 20, 2010.  Customer names, Social Security numbers, addresses, driver's license numbers, payroll data, checking account numbers and credit card information may have been exposed.

 
Information Source:
Databreaches.net
records from this breach used in our total: 400,000

May 27, 2011 Spartanburg Regional Hospital
Spartanburg, South Carolina
MED PORT

400,000

The theft of a laptop from an employee's car on March 28 resulted in the exposure of patient information.  The laptop contained patient names, Social Security numbers, addresses, dates of birth and medical billing codes. Spartanburg Regional has not revealed the number of affected patients.

UPDATE (7/03/2011): Spartanburg Regional notified HHS that 400,000 patients were affected.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 400,000

April 17, 2014 Aaron Brothers
Coppell, Texas
BSR HACK

400,000

Aaron Brothers, a division of Michaels Stores Inc., appears to have been a part of the data breach of Michaels Stores Inc. The company confirmed on Thursday, April 17, 2014 that the payment system breach also affected its Aaron Brothers chain. Approximately 400,000 cards were potentially breached from June 26, 2013 through February 27, 2014.

 
Information Source:
Media
records from this breach used in our total: 400,000

February 5, 2014 St. Joseph Health System
Suwanee, Georgia
MED HACK

405,000

St. Joseph Health System in Texas has reported a data breach of a server that stored information for numerous facilities.

Information was accessed through a single server by hackers from China and other locations. The server contained employee and patient data for St. Joseph Regional Health Center in Bryan, Burleson St. Joseph Center, Madison St. Joseph Health Center, Grimes St. Joseph Health Center and St. Joseph Rehabilitation Center. The affected server was taken offline once the breach was discovered.

The breach supposedly occurred between December 16 and December 18, 2013.

The data included patient names, birth dates, Social Security numbers, and possibly addresses. Medical information for patients was accessible, as well as bank information for current and former employees. Both adult and minor information may have been compromised.

So far, investigators have not been able to determine whether any information was extracted or used.

 
Information Source:
California Attorney General
records from this breach used in our total: 405,000
