Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Breach Total
867,217,832 RECORDS BREACHED
(Please see explanation about this total.)
from 4,257 DATA BREACHES made public since 2005


Date Made Public, Name, Entity, Type
July 22, 2013 Apple Inc.
Cupertino, California
BSR HACK

Unknown

Apple's website for developers was accessed by unauthorized parties.  Registered developer names, mailing addresses, and email addresses may have been accessed on Thursday, July 18.  Encrypted customer information was not affected.

 
Information Source:
Media
records from this breach used in our total: 0

July 23, 2013 Henry Ford Health System
Detroit, Michigan
MED PHYS

15,417 (No SSNs or financial information reported)

A warehouse that was not owned by Henry Ford Health System was raided for old X-rays.  X-rays can be stripped for silver and these medical X-rays also contained the names, addresses, and dates of birth of patients of Henry Ford Health System.  The X-rays dated between 1996 and 2003.  Henry Ford Health System learned about the issue on May 24.

 
Information Source:
Media
records from this breach used in our total: 0

July 24, 2013 NYC Bike Share, Citibike
New York, New York
BSR DISC

1,200

NYC Bike Share discovered that customer credit card numbers, names, and addresses had been posted on a publicly accessible page of its website.  The glitch was corrected after being active between April 15 and late May.  Customers who initially entered their information incorrectly had their information posted online for 24 hours.  The data was cleared every 24 hours between April 15 and late May.

 
Information Source:
Media
records from this breach used in our total: 1,200

July 24, 2013 Tinder
West Hollywood, California
BSO DISC

Unknown

Tinder advertises to users that their physical location information is never shown to other users.  An outside engineer discovered an issue with the Tinder app that allowed the locations of users to be available for at least two weeks.  Last known locations, Facebook IDs, dates of birth, gender, and names were available.  

 
Information Source:
Media
records from this breach used in our total: 0

July 25, 2013 Securities and Exchange Commission (SEC)
Washington, District Of Columbia
BSF DISC

Unknown

A July 8 letter warned current and former employees that SEC employee data had been found on the networks of another federal agency.  The outside federal agency was not named. It appears that a former SEC employee inadvertently and unknowingly downloaded the names, Social Security numbers, and dates of birth of SEC employees onto a thumb drive and then transferred them to another agency.  The employee wanted a template of the document rather than the actual employee data that it contained.  The accidental upload of sensitive information occurred in April of 2012 and again in June of either 2012 or 2013.  Employees who were with SEC before October of 2009 were affected. The breach lasted for 10 months before being noticed. The SEC confiscated the flash drive when the breach was uncovered.

 
Information Source:
Media
records from this breach used in our total: 0

July 25, 2013 Baltimore City
Baltimore, Maryland
GOV PHYS

Unknown

Thousands of current and former Baltimore City employees are at risk after a box was found with Baltimore City personnel information.  Records had been discarded in a publicly accessible place for trash.  Names, Social Security numbers, dates of birth, drivers' license information, and other vital and personal employee information were contained in the records. The Department of Public Works obtained the box of information and is attempting to contact people based on lists of class attendants that were among the records.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 26, 2013 NASDAQ OMX Group Inc.
New York, New York
BSF INSD

Unknown

Malware was installed on servers between November of 2008 and October of 2010.  This allowed one or more hackers to execute commands to delete, change, and steal data from the computers used by NASDAQ.  A total of five foreign hackers were charged for involvement in a series of financial incidents.  They were all collaborating in a scheme to target major corporate networks and were able to steal more than 160 million credit card numbers across corporations.

 
Information Source:
Media
records from this breach used in our total: 0

July 26, 2013 Stanford University
Stanford, California
EDU HACK

Unknown

People who used Stanford University's computer network have been asked to reset their passwords. Stanford released few details but stated that it does not appear that Social Security numbers and financial information were accessed or exposed.

 
Information Source:
Media
records from this breach used in our total: 0

July 26, 2013 St. Mary's Bank
Manchester, New Hampshire
BSF HACK

115,775

Current and former members may have had their Social Security numbers, transaction records, and other personal information exposed due to malware that was found on an employee's office computer.  The malware was discovered on May 26 and St. Mary's began mailing letters on July 12.  The malware could have been on up to 23 work stations as early as February.  There has been no evidence of names, Social Security numbers, addresses, account numbers, transaction records, or other sensitive information being accessed by an unauthorized individual so far.

 
Information Source:
Media
records from this breach used in our total: 115,775

July 29, 2013 Fairfax County Public Schools
Falls Church, Virginia
MED PORT

2,000 (No Social Security numbers or financial information reported)

Brookfield, Fairfax Villa, and Navy elementary schools were affected.  Lanier and Rocky Run middle schools were affected. Chantilly High School and Chantilly Academy were also affected.

The July 15 theft of a laptop resulted in the exposure of student information.  The laptop was stolen from the car of a school nurse and contained school, health and other confidential information.  Student names, school identification numbers, allergies, and other medical conditions were on a spreadsheet on the health-department-issued laptop.

 
Information Source:
Media
records from this breach used in our total: 0

July 29, 2013 Wal-Mart
, Oklahoma
BSR CARD

Unknown

Multiple locations in Oklahoma were affected.

Two men were indicted for their role in a skimming plot.  They are accused of fraudulently obtaining $400,000 by placing skimming devices at gas pumps at Wal-Mart stores for up to two months at a time.  They then created counterfeit cards by using the legitimate card information obtained through skimming.  The skimming ring ran from April 2012 through January 2013.

 
Information Source:
Media
records from this breach used in our total: 0

July 29, 2013 Oregon Health & Science University (OHSU)
Portland, Oregon
MED DISC

3,000 (No SSNs or financial information reported)

Patient data could have been accessed due to a storage error.  The information of patients admitted between January 2011 and July 3 of 2013 was placed on Google's cloud computing system.  The information was password-protected, but could have still been used for promotional and other purposes because OHSU does not have a contract with Google.  OHSU removed the information from the cloud.

 
Information Source:
Media
records from this breach used in our total: 0

July 29, 2013 Lone Star Circle of Care
Austin, Texas
MED PORT

1,955

The theft of a laptop from an employee's car around May 1, 2013 resulted in the exposure of patient information.  Patients who were seen between 2012 and 2013 may have had their or their children's names, Social Security numbers, and diagnosis information exposed.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 1,955

July 29, 2013 Jacksonville Spine Center
Jacksonville, Florida
MED PHYS

5,200 (No Social Security numbers or financial information reported)

Paper patient records were lost, stolen, or exposed during an April 25 breach.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

July 29, 2013 Samaritan Regional Health System
Ashland, Ohio
MED PHYS

2,203 (No Social Security numbers or financial information reported)

An exposure of patient paper records was discovered on May 29th.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

July 29, 2013 South Florida Neurology Associates, P.A.
Boca Raton, Florida
MED PORT

900 (No Social Security numbers or financial information reported)

The theft of a laptop resulted in the exposure of patient information.  The laptop was stolen sometime between May 25 and May 30.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

July 29, 2013 Sheet Metal Local 36 Welfare Fund, People Resource Corporation
St. Louis, Missouri
MED UNKN

4,560 (No Social Security numbers or financial information reported)

A data breach occurred between August 1, 2012 and July 8, 2013.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

July 29, 2013 MED-EL Corporation
Durham, North Carolina
MED DISC

609 (No Social Security numbers or financial information reported)

An email error that occurred on June 25 resulted in the exposure of health information.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

July 29, 2013 Northrop Grumman Retiree Health Plan, CVS Caremark
Falls Church, Virginia
MED PHYS

4,305 (No Social Security numbers or financial information reported)

A breach involving paper records from CVS Caremark affected 4,305 Northrop Grumman Retiree Health Plan enrollees.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

July 30, 2013 US Airways, McKesson, City of Houston, Automatic Data Processing (ADP), AlliedBarton Security Services
Tempe, Arizona
BSO DISC

4,500

A programming error at ADP resulted in the exposure of employee names, Social Security numbers, and other information on W-2 forms.  Employees could have inadvertently downloaded the W-2s of other employees.  The error was corrected on May 4 and involved W-2 forms for tax years 2010, 2011, and/or 2012. ADP alerted US Airways to the issue on June 6, 2013.

UPDATE (09/13/2013): McKesson and the city of Houston were also affected by the breach.

UPDATE (09/30/2013): AlliedBarton Security Services was also affected.  It appears that 206 ADP customers were affected.  Two of the customers affected have at least 4,500 employees.

 
Information Source:
Media
records from this breach used in our total: 4,500

July 30, 2013 University of Delaware
Newark, Delaware
EDU HACK

74,000

Additional information can be found on the University of Delaware's website here: http://www.udel.edu/it/response/

Students and staff members may have had their information exposed during a hacking incident. The hacker or hackers were able to exploit a vulnerability in software acquired by a vendor.  Names, addresses, Social Security numbers, and university ID numbers were exposed.

UPDATE (08/19/2013): An additional 2,000 people were affected.  They were not employees but had received payment from the University of Delaware.

 
Information Source:
Media
records from this breach used in our total: 74,000

July 30, 2013 US Airways, Advanced Data Processing
Tempe, Arizona
BSO DISC

40,000

A programming error at Advanced Data Processing (ADP) caused employee names, Social Security numbers, and total taxable W-2 wages for the tax years 2010, 2011, and 2012 to be exposed.  A group of other US Airways employees were able to download the payroll information of their colleagues.  ADP corrected the issue in early May and notified US Airways in early June.

 
Information Source:
Media
records from this breach used in our total: 40,000

July 30, 2013 California Correctional Health Care Services
Sacramento, California
MED PHYS

Unknown

An employee lost dental records while outside of California Correctional Health Care Services on June 19, 2013.  The records contained patient names, CDCR numbers, dates of birth, and dental treatment plan information.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

July 31, 2013 Rocky Mountain Spine Clinic
Lone Tree, Colorado
MED INSD

532

An employee in the billing department was fired for sending sensitive patient information to their personal email. The incident occurred in June and it does not appear that the email was sent with malicious intent.

 
Information Source:
Media
records from this breach used in our total: 532

July 31, 2013 South Central Los Angeles Regional Center
Los Angeles, California
MED PORT

Unknown

The July 6 theft of an employee's vehicle resulted in the exposure of client information.  The stolen car contained an iPad with client names and UCI numbers.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

July 31, 2013 Fidelity Investments, Oracle
Redwood, California
BSF DISC

Unknown

Current and former Oracle employees may have had their 401(k) information viewed by a plan administrator at the firm of another Fidelity client.  Names, Social Security numbers, compensation, and other 401(k) savings and investment plan information were briefly viewed by accident.  The issue was discovered on July 10, 2013.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

August 1, 2013 Bridgewater Associates, LP, Ceridian
Westport, Connecticut
BSF DISC

Unknown

An unauthorized individual accessed a database of employee information used for COBRA.  Names, Social Security numbers, dates of birth, addresses, and other benefit plan information of employees and their dependents may have been accessed on the Ceridian database.  The breach was discovered when a Bridgewater consultant reported that their password for the Ceridian database had been changed and someone else had used the credentials to access the database on three separate occasions.  The breach occurred sometime before April 12, 2013.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

August 2, 2013 Clark Memorial Hospital
Jeffersonville, Indiana
MED DISC

1,087 (No SSNs or financial information reported)

A third-party mailing error resulted in the exposure of patient health information.  Billing statements with names, dates of service, insurance information, billing information, and financial status were mailed to incorrect addresses.

 
Information Source:
Media
records from this breach used in our total: 0

August 2, 2013 Medtronic
Fridley, Minnesota
MED PHYS

2,764

A box of training records went missing from a Medtronic facility in Minnesota.  Most of the records dated back to 2008.  People who received training in using insulin pumps or continuous glucose monitoring devices may have been affected. A limited number of patients had their Social Security numbers exposed.  Those who may have been affected were notified in early July.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 2,764

August 7, 2013 Retinal Consultants Medical Group (Vitreo-Retinal Medical Group)
Sacramento, California
MED PORT

1,837 (No SSNs or financial information reported)

The theft of a laptop resulted in the exposure of patient information.  The laptop was stolen from the medical group's offices sometime between June 5 and June 6.  Patient names, dates of birth, gender, race, and medical images were exposed.  

UPDATE (08/28/2013): The breach affected 1,837 patients.

 
Information Source:
Media
records from this breach used in our total: 0

August 8, 2013 US Airways Group
Tempe, Arizona
BSO HACK

7,700

US Airways customers with Dividend Miles accounts may have had their information compromised.  Dates of birth, security question answers, last four digits of credit card numbers, and frequent-flier miles may have been accessed and compromised.

UPDATE (08/02/2013): Names, email addresses, and Known Traveler numbers were exposed.  In some cases mileage was stolen from the accessed accounts.

 
Information Source:
Media
records from this breach used in our total: 7,700

August 8, 2013 M2ComSys, Cogent Healthcare, Inc.
Brentwood, Tennessee
MED DISC

32,000

Cogent Healthcare offices across the country, Cogent Medical Care, Endion Medical Healthcare (Endion SeniorCare), Parkview Community Hospital Medical Center, Inpatient Specialists of Southwest Florida, and Comprehensive Hospital Physicians of Florida were affected.

M2ComSys (M2), a medical transcription company, stored physicians' notes for Cogent Healthcare.  It was discovered that the online system that stored the notes could be accessed.  Patient care notes with names, physician names, dates of birth, diagnosis descriptions, summary of treatment, medical history, medical record numbers, and other medical information were exposed.  The notes could have been accessed on May 5, 2013 and improper access to the site ended on June 24, 2013.  M2 no longer provides services for Cogent Healthcare.

UPDATE (9/17/2013): At least 32,000 patients were affected across all medical centers.  

 
Information Source:
California Attorney General
records from this breach used in our total: 32,000

August 9, 2013 Smartphone Experts
Inverness, Florida
BSR HACK

Unknown

A hacker was able to access the computer system Smartphone Experts used to process online payments on June 13.  Customer names, addresses, credit and debit card account numbers, CVV codes, and payment card expiration dates were accessed.  The credit card information was encrypted, but the hacker may have used a decryption feature within the online payment processing system to access customer information.

UPDATE (09/06/2013): The breach occurred on June 13.  This entry originally listed it as having occurred on July 12.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

August 9, 2013 Auburn University - School of Forestry and Wildlife Sciences
Auburn, Alabama
EDU DISC

Unknown

Spreadsheets with donor and alumni information were accidentally uploaded to a publicly accessible server after an administrative error.  The error was discovered on June 19 and Auburn's IT office removed the information.  Names, Social Security numbers, maiden names, mailing addresses, first year at Auburn, graduation year, alumni status, email addresses, and phone numbers were exposed.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

August 9, 2013 Northrop Grumman
Suwanee, Georgia
BSO HACK

70,000

People who were linguists or applied to be linguists within the Northrop Grumman Technical Services, Inc. Balkans Linguist Support Program may have had their personal information exposed. A database that contained names, Social Security numbers, dates of birth, blood types, contact information, and additional types of government-issued identification numbers was accessed by unauthorized parties.  The breach occurred sometime between November 2012 and May 2013 and was discovered on July 26.

UPDATE (08/15/2013): Over 70,000 people, including thousands of linguists, were affected.

 
Information Source:
Media
records from this breach used in our total: 70,000

August 11, 2013 Resources for Human Development, Inc. (RHD)
Philadelphia, Pennsylvania
MED INSD

40

At least 40 residents of RHD had their information sold for fraudulent purposes by a dishonest RHD employee.  The former employee was part of a bank fraud conspiracy that involved fraudulent tax refunds and bank fraud.  The former employee was sentenced to three years in prison and three years of supervised release for aggravated identity theft and bank fraud.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 40

August 12, 2013 Income and Capital Growth Strategies Inc.
Van Nuys, California
BSF HACK

Unknown

An employee was the target of a computer network intrusion sometime between July 12 and July 15.  Information about clients and their dependents may have also been exposed.  Names, Social Security numbers, addresses, dates of birth, drivers' license numbers, and bank account information may have been accessed.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

August 13, 2013 Caledonia Home Health and Hospice
Saint Johnsbury, Vermont
MED PORT

Unknown

The theft of an employee's Netbook on July 20 resulted in the exposure of patient information.  The Netbook was stolen from the employee's home and contained Social Security numbers and other protected patient information. 

 
Information Source:
Media
records from this breach used in our total: 0

August 14, 2013 Michigan Department of Community Health, Michigan Cancer Consortium
Lansing, Michigan
MED HACK

49,000

A server for the Michigan Cancer Consortium that housed names, Social Security numbers, dates of birth, cancer screening test results, and testing dates was hacked.  The Michigan Department of Community Health claimed that the breach should not fall under strict HIPAA regulations because testing records, rather than medical records, were affected.

 
Information Source:
Media
records from this breach used in our total: 49,000

August 15, 2013 Harris County
Harris, Texas
GOV HACK

16,000

The information of current and former Harris County employees was found on electronic files in Vietnam.  Names, Social Security numbers, and dates of birth were exposed.  The files were from 2005 and 2007 and appear to have been created before Harris County put in place stricter identity theft regulations.

 
Information Source:
Media
records from this breach used in our total: 16,000

August 16, 2013 Exelixis
San Francisco, California
BSR PORT

Unknown

The theft of one or more pieces of company electronic equipment exposed client information.  The theft was discovered on July 30 and names, Social Security numbers, financial account numbers, addresses, and dates of birth may have been exposed.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

August 16, 2013 U.S. Department of Energy
Washington, District Of Columbia
GOV UNKN

104,000 (5,711 confirmed)

An unspecified security incident caused the personal information of current and former employees to be exposed.  No classified data was lost.

UPDATE (08/30/2013): An August 29 memo revealed that the system that was hacked was called DOEInfo.  A total of 2,539 current employees and 3,172 former employees were affected.  Names, Social Security numbers, and dates of birth were exposed.

UPDATE (09/03/2013): Approximately 53,000 current and former federal employees, employee dependents and contractors had their information exposed.  The incident occurred in July of 2013.

UPDATE (10/22/2013): The Department of Energy revised the number of affected current and former employees to 104,000.

UPDATE (12/13/2013): Up to 150,000 employees may have been affected.

UPDATE (12/17/2013): A federal audit revealed that the Department of Energy had received warnings about the security of its information systems, yet failed to act.

 
Information Source:
Media
records from this breach used in our total: 104,000

August 16, 2013 Ferris State University
Big Rapids, Michigan
EDU HACK

62,000 (39,000 Social Security numbers)

An unauthorized person gained access to the school's computer network.  Campus ID numbers, names, and possibly other information of staff and students were exposed.  In addition to the 39,000 people who had their files with Social Security numbers exposed, 19,000 more individuals were notified of the breach.

UPDATE (10/22/2013): It is estimated that 62,000 people were affected and $380,000 was spent investigating the breach.  This number includes providing services to those who were affected.

 
Information Source:
Media
records from this breach used in our total: 39,000

August 16, 2013 California Correctional Health Care Services
Sacramento, California
MED INSD

1,001 (No SSNs or financial information reported)

Missing dental information was discovered to have been removed by a staff member.  Patient names, dates of birth, dental treatment plans, and other information were exposed.  Dental records may have also been taken.  The documents were first discovered missing on June 19 and had not been recovered as of August 16.

UPDATE (08/28/2013): A total of 1,001 inmates were affected.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

August 16, 2013 California Department of Corrections and Rehabilitation, Centinela State Prison
Imperial, California
MED DISC

Unknown

A file containing staff names, Social Security numbers, and dates of birth was saved to a Centinela State Prison server that was accessible to all staff.  It was on the server between July 26 and July 29 before being removed.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

August 20, 2013 League of Legends, Riot Games
Santa Monica, California
BSO HACK

120,000

A security breach caused the usernames, email addresses, first and last names, and encrypted passwords of League of Legends users to be exposed.  About 120,000 transaction records from 2011 may have been accessed.  The transaction records contained hashed and salted (encrypted) credit card numbers. The information was stored on a system that had not been used since 2011.

 
Information Source:
Media
records from this breach used in our total: 120,000

August 21, 2013 Hope Community Resources (HCR)
Anchorage, Alaska
MED DISC

3,700 (No Social Security numbers or financial information reported)

The health information of disabled patients was accidentally released in an email on the night of August 19.  A survey was sent via email to supporters of HCR. The email also contained names, dates of birth, guardians and parents, addresses, and other patient information.

 
Information Source:
Media
records from this breach used in our total: 0

August 21, 2013 Emory University
Atlanta, Georgia
EDU HACK

Unknown

Anyone with an Emory University netID/username is being advised to change their account password due to a breach.  Emory University stated that it appears the attack on their information technology infrastructure is similar to attacks that similar organizations have seen in the past few months.  Emory University also stated that it does not appear that sensitive information was accessed.  

 
Information Source:
Media
records from this breach used in our total: 0

August 22, 2013 San Francisco State University - College of Extended Learning
San Francisco, California
EDU HACK

Unknown

A server that contained the personal information of students was breached on March 25, 2013.  Federal law enforcement notified San Francisco State University of the breach on June 11.  The College of Extended Learning notified students of the issue on August 12.  An unspecified number of names, Social Security numbers, and other personal information was exposed.

 
Information Source:
Media
records from this breach used in our total: 0

Showing 3851-3900 of 4257 results

