Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

Breach Total
815,842,526 RECORDS BREACHED
(Please see explanation about this total.)
from 4,495 DATA BREACHES made public since 2005


Date Made Public Name Entity Type
October 25, 2012 Waipahu Aloha Clubhouse
Waipahu, Hawaii
MED HACK

600 (No SSNs or financial information exposed)

An employee noticed unusual activity on a computer on September 25, 2012.  It is possible that former and current members of the Waipahu Aloha Clubhouse had information on the computer that was remotely accessed by an unauthorized party.  Names, Social Security numbers, dates of birth, addresses, phone numbers, and consumer record numbers dating back to 1997 may have been exposed. Though the Clubhouse services people living with severe and persistent mental illness, no medical records were exposed.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

January 7, 2014 Risk Solutions International LLC, Loudoun County Public Schools
Ashburn, Virginia
EDU DISC

Unknown

Loudoun County school officials have responded to a data breach that made publicly available personal information about students and staff members, along with detailed emergency response plans for each school.

More than 1,300 links, thought to be password protected, could be accessed through a Google search and revealed thousands of detailed documents describing how each school in the district will respond to a long list of emergencies, including the staging areas for response teams and where the students and staff would be located during an emergency.

Additional documents that could be accessed included students' course schedules, locker combinations, home addresses, phone numbers and birthdates, along with the addresses and cell phone numbers of many school administrators.

The contractor, Risk Solutions International, acknowledged that the breach was caused by "human error" on its part.

 

UPDATE: Loudoun County Public Schools administrators released a more detailed statement about the information made publicly available on the Internet due to errors committed by the contractor Risk Solutions International (RSI).

According to school officials, the investigation is continuing into how the webpage came to be accessible through online search engines without any password protection. The page included 1,286 links detailing information on 84 Loudoun schools. It is unknown how long the information was exposed or how many links were opened by unauthorized individuals.

Locker combinations were revealed for one school, and only one parent contact information was revealed for fewer than 10 schools, according to the spokesperson for the district. The statement also made clear that RSI's website was not hacked and that it never lost its password security. Instead, the breach occurred when RSI employees were doing technical testing on November 4th, December 19th and December 24th, 2013. (1/9/2014)

 
Information Source:
Media
records from this breach used in our total: 0

July 4, 2014 St. Vincent Breast Center
Indianapolis, Indiana
MED DISC

63,000

St. Vincent Breast Center has announced that patients' health information may have been breached after the center sent around 63,000 letters to the wrong patients. The letters included patient names, addresses and, in certain cases, references to scheduled appointments. Reportedly no Social Security numbers, financial information or clinical information were included.

"St. Vincent Breast Center entered into an agreement with Indianapolis Breast Center P.C. and Solis Women’s Health Breast Imaging Specialists of Indiana P.C. after they both closed last year.

On May 5, St. Vincent Breast Center mailed letters intended for prior patients of the Indianapolis Breast Center and Solis Women’s Health to inform them that St. Vincent was available to provide care. Some letters also welcomed patients who had previously scheduled healthcare services.

Officials said on May 15, people who had accidentally received another person’s letter began calling St. Vincent."

Those affected can call 1-877-216-3862 Monday through Friday, 9:00 a.m. to 7:00 p.m.

 
Information Source:
Media
records from this breach used in our total: 0

July 21, 2014 Dominion Resources Inc.
Richmond, Virginia
BSO HACK

1,700

The personal information of more than 1,700 people at Dominion Resources Inc. was compromised when unauthorized parties hacked the employee wellness plan. The hacker gained access via the systems of a subcontractor, StayWell Health Management LLC, which runs Dominion's "Well on Your Way" program, which includes a health screening.

The hacking actually occurred at a vendor StayWell uses, Onsite Health Diagnostics, based in Irvine, Texas, that provides the sign-up mechanism for "Well on Your Way's" health-screening appointments.

The information included individuals' names, addresses, email addresses, phone numbers, gender and dates of birth of employees, spouses and domestic partners who went online to schedule a health-screening appointment going back to 2012.

"Dominion Resources said the company was notified of the breach on June 24 but didn't learn the identities of those affected until July 7th. Dominion Resources is investigating why it took so long for the company to be notified. They are no longer using Onsite Health Diagnostics for scheduling".

 
Information Source:
Media
records from this breach used in our total: 0

March 3, 2015 Toys "R" Us
Wayne, New Jersey
BSR HACK

Unknown

Toys "R" Us notified customers that the passwords to their rewards program accounts would be reset in order to prevent unauthorized attempts to access those accounts.

The company communicated that those notified did not necessarily have their accounts accessed; however, the risk was higher due to the discovery by the company of "recycled login details used by some of its customers."

Between January 28th and January 30th, 2015, the company discovered a number of "illegal login attempts made to its Rewards "R" Us accounts." The current announcement is an additional security measure so that other customer accounts cannot be accessed in a similar way. "Out of an abundance of caution, we are therefore treating your account password as compromised and taking appropriate steps to address the situation," the company said in a letter sent to its customers.

More Information: http://www.welivesecurity.com/2015/03/03/toys-r-us-resets-account-passwo...

 
Information Source:
Media
records from this breach used in our total: 0

March 4, 2015 Mandarin Oriental Hotel Group
New York, New York
BSO HACK

Unknown

The hotel chain Mandarin Oriental has announced that its point-of-sale systems were hacked and infected with malware that stole customer credit card data. The hacking, according to the hotel chain, is limited to hotels in the U.S. and Europe.

The company has not communicated exactly how many of its hotel locations were compromised, stating only that "Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law. The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio. Unfortunately incidents of this nature are increasingly becoming an industry-wide concern. The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected."

According to Krebs on Security, "banking industry sources say the breach almost certainly impacted most if not all Mandarin hotels in the United States, including locations in Boston, Florida, Las Vegas, Miami, New York, and Washington D.C. Sources also say the compromise likely dates back to just before Christmas 2014."

More Information: http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-orien...

 
Information Source:
Krebs On Security
records from this breach used in our total: 0

March 2, 2015 Natural Grocers
Lakewood, Colorado
BSR HACK

Unknown

Natural Grocers announced a possible data breach of its customers' payment cards.

The grocery retailer claims it has not received any reports or complaints of fraudulent activity on customers' payment cards; however, according to Krebs on Security, "Sources in the financial industry tell KrebsOnSecurity they have traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country. The grocery chain says it is investigating 'a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.'"

The grocery retailer has 93 stores in 15 states and has hired a third party vendor that specializes in data forensics to investigate the possible breach. The company claims that "no personally identifiable information, such as names, addresses or Social Security numbers, was involved, as the company does not collect that data as part of its payment processing system."

Again, as stated by KrebsOnSecurity, "According to a source with inside knowledge of the breach, the attackers broke in just before Christmas 2014, by attacking weaknesses in the company's database servers. From there, the attackers moved laterally within Natural Grocers' internal network, eventually planting card-snooping malware on point-of-sale systems."

More Information: https://krebsonsecurity.com/2015/03/natural-grocers-investigating-card-b...

 
Information Source:
Krebs On Security
records from this breach used in our total: 0

January 1, 2015 Fast Forward Academy
Altamonte Springs, Florida
EDU HACK

Unknown

The Fast Forward Academy LLC has notified customers of a data breach to their systems that store customer and partner information. The information compromised included names, addresses, Social Security numbers, and email addresses.

The company is providing access to Triple Bureau Credit Monitoring services at no charge for 12 months. Those affected can enroll at https://www.myidmanager.com/promo_code.html and enter the code provided by the company, or call 1-866-717-9429 to set up services or the help line at 1-800-405-6108, Monday through Friday between 8 a.m. and 5 p.m. EST.

More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47924

 
Information Source:
records from this breach used in our total: 0

June 2, 2010 Avalon Center
Cheektowaga, New York
MED DISC

Unknown

Sensitive medical information was dumped outside of a DMV office. The medical information came from an eating disorder clinic that had recently closed. Patient information such as medical treatment and Social Security number was exposed. It is unknown how the information ended up in the dumpster.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

June 2, 2010 Rainbow Hospice and Palliative Care
Park Ridge, Illinois
MED PORT

Unknown

http://www.rainbowhospice.org/protection/

According to their website: "On April 12, 2010, one of our laptop computers, which contained personal information, was stolen during a patient visit.  The laptop had security measures in place, but there is a very small chance that protected information such as name, address, date of birth, Social Security number, insurance information, medications, treatment, and diagnoses may have been inappropriately accessed."

 

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 10, 2009 Obsidian Financial Group
Woodbury, New York
BSF INSD

Unknown

A former employee broke into a Woodbury financial services company, photocopied customers' Social Security numbers and bank reference numbers and took the photocopied data with him when he left.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 25, 2005 Purdue University
West Lafayette, Indiana
EDU HACK

1,200 (not included in total because news stories are not clear if SSNs or financial information were exposed)

Computers in the College of Liberal Arts' Theater Dept. were hacked, exposing personal information of employees, students, graduates, and business affiliates.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

April 13, 2010 Virginia Beach Dept. of Social Services
Virginia Beach, Virginia
GOV INSD

Unknown

At least eight human services employees, including supervisors, have been fired or disciplined in the past year for wrongfully accessing confidential and personal information about former employees, family members and clients. The violations include a boss who forced her employees to gather information from a state database about her husband's child and a worker who checked on the status of a dead client's Medicaid benefits to help the client's family. Most of the cases stemmed from the agency's financial assistance department, which handles food stamps, Medicaid assistance, grants for the disabled and emergency relief for needy families. As part of their jobs, the 330 employees in the department who provide social services have varying degrees of access to secured databases. They need the information to determine whether a client qualifies for financial help.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 17, 2009 Nebraska Workers' Compensation Court
Omaha, Nebraska
GOV HACK

Unknown

Someone broke into a server that temporarily held injury reports. Whenever a worker has a job-related injury, a report is filed with the Workers' Compensation Court and the information is temporarily stored on that server. Personal information, including birth dates and Social Security numbers, would have been on the server.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 4, 2005 Duke University Medical Center
Durham, North Carolina
EDU HACK

14,000 (No reports of full SSNs or financial information)

A hacker broke into the computer system, stealing thousands of passwords and fragments of Social Security numbers.  Fourteen thousand affected people were notified, including 10,000 employees of Duke University Medical Center.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 30, 2005 Motorola
Schaumburg, Illinois
BSO STAT

Unknown

Two computers were stolen from third party vendor Affiliated Computer Services (ACS).  They had security safeguards and contained names and Social Security numbers of Motorola employees.  Motorola notified affected staff by email and offered fraud insurance coverage.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 6, 2005 City National Bank, Iron Mountain
Los Angeles, California
BSF PORT

Unknown

Two tapes containing Social Security numbers, account numbers, and other customer information were lost or stolen during transportation.  The tapes have been missing since April.  City National Bank notified its customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

August 30, 2005 JP Morgan Chase & Co.
Dallas, Texas
BSF PORT

Unknown

A laptop was stolen on August 8th.  It contained personal and financial account information of customers.  Those affected were contacted.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

September 23, 2005 Bank of America
Charlotte, North Carolina
BSF PORT

Not disclosed

A laptop was stolen from a Bank of America service provider.  Information such as names, account numbers, routing transit numbers, and credit card numbers were compromised by the theft.  An unspecified number of Visa Buxx users were contacted by Bank of America.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 11, 2005 Scottrade Troy Group
Santa Ana, California
BSF HACK

Unknown

A hacker compromised a server containing names, Social Security numbers, driver's licenses, state ID numbers, dates of birth, phone numbers, bank names, bank codes, bank account numbers and Scottrade account numbers.  Scottrade alerted all affected customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

December 7, 2005 Idaho State University, Office of Institutional Research
Pocatello, Idaho
EDU HACK

Unknown

Contact: Information Technology Services (208) 282-2872, http://www.isu.edu/announcement/

ISU discovered a security breach in a server containing archival information about students, faculty, and staff, including names, Social Security numbers, birth dates, and grades. Anyone who was a student or employee between 1995 and 2005 could be affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

December 12, 2005 Sam's Club, a division of Wal-Mart Stores, Inc
Bentonville, Arkansas
BSR UNKN

Unknown

Note: location is corporate headquarters, not necessarily the location of the breach.

Customers who used credit cards at the wholesaler's gas stations discovered fraudulent activity on their credit accounts.  Sam's Club is unaware of how the information was stolen.  Visa alerted the affected financial institutions and asked them to provide fraud monitoring services for the affected customers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

December 16, 2005 La Salle Bank, ABN AMRO Mortgage Group, DHL
Ann Arbor, Michigan
BSF PORT

[2,000,000] Not included in total below.

A backup tape with residential mortgage customers' information was lost in shipment by DHL.  It contained Social Security numbers and account information.

UPDATE (12/20/05): DHL found the lost tape.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0

January 27, 2010 Department of Commerce
Washington, District Of Columbia
GOV DISC

Unknown

A Department of Commerce employee inadvertently transmitted over the Internet a file containing the Personally Identifiable Information (PII) of Commerce employees to other Department employees. Although the Department employees were authorized to send and receive the PII, the transmission of the PII over the Internet in unencrypted form may have compromised their name and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

January 2, 2006 H&R Block
Kansas City, Missouri
BSO DISC

Unknown

H&R Block included Social Security numbers in a 40-digit number string on mailing labels.  Affected individuals were contacted.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

January 17, 2006 City of San Diego, Water & Sewer Department
San Diego, California
GOV INSD

Unknown

A dishonest employee accessed customer account files, including Social Security numbers, and stole the identities of two individuals.

 
Information Source:
Media
records from this breach used in our total: 0

January 20, 2006 Indiana University, University Place Conference Center & Hotel
Indianapolis, Indiana
BSO HACK

Unknown

The computer housing the reservations database was compromised. Data included credit card account numbers and names.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0

January 23, 2006 University of Notre Dame
Notre Dame, Indiana
EDU HACK

Unknown

Hackers may have accessed Social Security numbers, credit card information and check images of people who donated to the University between November 22 of 2005 and January 12 of 2006.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

October 14, 2010 Citibank
Florence, Kentucky
BSF INSD

Unknown

Three women have been charged for their roles in defrauding clients of a Citibank in Florence, KY. At least two of the women were employees of Citibanks in other states. One woman stole customer credit card account numbers and changed their addresses, while another used the information to make purchases in another state. The third woman assisted in collecting the purchased goods. The fraud began at the end of 2006 and two of the women were arrested in March of 2007.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

February 17, 2006 California Department of Corrections, Pelican Bay State Prison
Sacramento, California
GOV INSD

Unknown

Inmates gained access to files stored in a warehouse.  The files contained employees' Social Security numbers, birth dates and pension account information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 2, 2006 Olympic Funding
Chicago, Illinois
BSF UNKN

Unknown

Three hard drives containing clients' names, Social Security numbers, addresses and phone numbers were stolen during a break-in.  Information on the drives was protected via password and security software.  The business owner sent letters to his clients alerting them of the theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 8, 2006 Verizon Communications
New York, New York
BSO PORT

Unknown

Two laptops containing employees' personal information including Social Security numbers were stolen.  Verizon is offering affected employees free use of a credit monitoring service.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 8, 2006 iBill [disputed]
Deerfield Beach, Florida
BSF UNKN

17,781,462 (SSNs and financial information not involved)

A dishonest insider or possibly malicious software linked to iBill was used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, login names and passwords, credit card types and purchase amounts online. Credit card account numbers, expiration dates, security codes, and Social Security numbers were NOT included, but in our opinion the affected individuals could be vulnerable to social engineering to obtain such information. Whether iBill is the source of the breach has been disputed.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 11, 2006 California Department of Consumer Affairs (DCA)
Sacramento, California
GOV PHYS

Unknown

Mailed applications of DCA licensees or prospective licensees for CA state boards and commissions were stolen. The forms include full or partial Social Security numbers, driver's license numbers, and potentially payment checks.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 6, 2009 MassMutual
Springfield, Massachusetts
BSF HACK

Unknown

According to MassMutual, a "limited amount" of personal employee information maintained in a database by an outside vendor may have been subject to unauthorized access. The vendor engaged a forensics team to investigate, and at this time they believe that no misuse of the information or fraudulent activity involving the data has occurred. This database does not include client or field representative information; it also did not contain personal Social Security or bank account information, according to the company.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 14, 2006 Buffalo Bisons and Choice One Online
Buffalo, New York
BSO HACK

Unknown

A hacker accessed sensitive financial information including the credit card numbers, names, and passwords of customers who ordered items online. The Bisons mailed letters to affected customers and notified American Express, MasterCard, Discover, and Visa.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 20, 2009 University Medical Center
Las Vegas, Nevada
MED INSD

Unknown

Someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries. Private information about accident victims treated at University Medical Center has apparently been leaking for months; allegedly so ambulance-chasing attorneys could mine for clients.


UPDATE (4/29/10): A man was indicted today by a federal grand jury in an alleged conspiracy to pay a University Medical Center employee for private information about traffic accident victims that was used to drum up clients. The man was indicted on one count of conspiracy to illegally disclose personal health information, in violation of the Health Insurance Portability and Accountability Act, better known as HIPAA. Between January and November 19, 2009 the man allegedly conspired with people, including a UMC employee, to use hospital "face sheets" to solicit personal injury cases for attorneys. The UMC employee faxed the registration sheets of trauma patients to the man on at least 55 occasions and was paid about $8,000, the indictment said. The U.S. Attorney's press release said the man has been summoned for a May 14 hearing. If convicted, he faces up to five years in prison and a $250,000 fine.

UPDATE (5/11/2011): A man responsible for the breach was sentenced to 33 months in prison and three years of supervised release.  He had been charged with conspiracy to illegally disclose personal health information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 19, 2009 TAD Gear
San Francisco, California
BSR HACK

Unknown

action@tadgear.com

TAD Gear recently learned that their database was illegally accessed from an external source, and it appears that some customer data was taken, which may include customer names, contact information and credit card data. The possibility of a security breach came to their attention when certain customers notified them that unauthorized charges had appeared on their credit cards. Upon learning of the potential breach of security, TAD Gear immediately initiated an investigation, and took corrective steps.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 21, 2009 Notre Dame University
Notre Dame, Indiana
EDU DISC

Unknown

Notre Dame is warning university employees to keep an eye on their bank accounts after a security breach. Personal information of some past and current employees - including name, Social Security number and birth date - was accidentally posted onto a public website. The error was corrected and the information removed from the website.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 24, 2009 ACORN
San Diego, California
BSO DISC

Unknown

Documents that contained personnel information were accidentally thrown away in a dumpster. San Diego staff members were doing an office clean-up in preparation for a major 10-station phone bank program being set up in their offices; it appears that the piles of garbage being thrown out included some documents containing private information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

March 30, 2010 Three Rivers Community College
Norwich, Connecticut
EDU HACK

Unknown

Three Rivers Community College may have suffered a security breach due to unauthorized access to its computer network. Data made vulnerable in the breach included names and Social Security numbers. Those affected would have been involved in the following programs during these years:
1997-2009: Participants in the Real Estate programs
2004-2009: Participants in the Life Long Learners programs
2003-2006: Participants in the Patient Care Technicians programs
2004-2006: Participants in the Certified Nursing Assistant programs
2004-2005: Participants in the Electric Boat academic programs
2007-2008: Participants in the Bridges to Health Care Careers programs
2006-2008: Participants in the Photons for Educators programs
2004-2009: Faculty or staff members of the Three Rivers Continuing Education office.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

November 29, 2009 Salem Housing and Community Services
Salem, Oregon
GOV DISC

Unknown

Sloppy handling of confidential records by a state agency in Salem left people's names, Social Security numbers, ages and addresses exposed in an open recycling bin outdoors. In a separate security lapse by another state agency, confidential records with the names and Social Security numbers of former state parks and recreation employees landed in the same recycling bin.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

April 28, 2006 Ohio Secretary of State
Cleveland, Ohio
GOV DISC

Potentially millions of registered voters

The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained Social Security numbers, which were not supposed to have been included on the CDs.

UPDATE (9/15/06): A news report said that some Social Security numbers still remain on the agency's Web site.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 2, 2006 Georgia State Government
Atlanta, Georgia
GOV STAT

Unknown

Government surplus computers that were sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens.  The State stopped selling the computers after being notified by a buyer.  Thousands of patient records from a psychiatric hospital in Rome, Georgia were found on one computer's hard drive.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 4, 2006 Idaho Power Company
Boise, Idaho
BSO PORT

Unknown

Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 22, 2006 Ohio University
Athens, Ohio
EDU HACK

Unknown

http://www.ohio.edu/datasecurity/

A computer was compromised that hosted a variety of Web-based forms, including some that processed online business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration.

 
Information Source:
Media
records from this breach used in our total: 0

May 5, 2006 Wells Fargo
San Francisco, California
BSF STAT

Unknown

A computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 17, 2006 M&T Bank via contractor PFPC
Buffalo, New York
BSF PORT

Unknown

A laptop computer owned by PFPC, a third party company that provides record keeping services for M&T's Portfolio Architect accounts, was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 0

May 24, 2006 Sacred Heart University
Fairfield, Connecticut
EDU HACK

Unknown

It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached.  The University did not immediately release information on who the breach affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

December 15, 2009 RockYou
Redwood City, California
BSR HACK

32 million (No SSNs or financial information reported)

The security firm Imperva issued a warning to RockYou that there was a serious SQL Injection flaw in their database. Such a flaw could grant hackers access to the service's entire list of user names and passwords in the database. Imperva said that after it notified RockYou about the flaw, it was apparently fixed over the weekend. But that was not before at least one hacker gained access to what they claim is all of the 32 million accounts; 32,603,388 to be exact. The database included a full list of unprotected plain text passwords and email addresses.

UPDATE (4/21/2011): The 32 million email addresses and passwords exposed include log in information from social networking sites like Facebook and MySpace.  

On April 18, 2011 a court ruled that the loss of information caused injury. The court determined that "the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts."  The court also found that RockYou.com's privacy policy language, which stated that RockYou.com's servers were secure, did not automatically preclude the plaintiff's allegation that a contract had been breached because the plaintiff alleged that the servers were not secure.

UPDATE (3/27/2012): The Federal Trade Commission is alleging that RockYou violated the Children's Online Privacy Protection Act Rule (COPPA Rule) by collecting information from approximately 179,000 children.  A proposed FTC settlement order requires RockYou to pay a civil penalty of $250,000 to settle COPPA charges. In addition to the penalty, the company would be barred from future deceptive claims regarding company privacy and data security, required to implement and maintain a data security program, and barred from future violations of the COPPA rule.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0
