Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?


Click or unclick the boxes then select go.


Select features, then click GO.



Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.
Breach Total
867,217,832 RECORDS BREACHED
(Please see explanation about this total.)
from 4,257 DATA BREACHES made public since 2005

Save or Print PDF of Entire Breach List including introduction.Save or Print a PDF of Entire Breach List (including introductory FAQ)

Filter breach list before saving or printing PDF. Conduct a search of the Chronology using its sorting features, and Save or Print a PDF of your search results (Select filters)

If you do not have access to PDF, you can print the Chronology in landscape view.

Date Made Public Name Entity Type
September 14, 2006 Illinois Department of Corrections (IDOC)
Springfield, Illinois
GOV PHYS

16,500

A document containing employees' personal information was found outside the agency's premises where it should not have been. It has since been retrieved. Information included employees' names, SSNs, and salaries.

 
Information Source:
Dataloss DB
records from this breach used in our total: 16,500

December 24, 2008 Federal Emergency Management Agency
New Orleans, Louisiana
GOV DISC

16,857

An unauthorized breach of private information resulted in the information release of 16,857 names, Social Security numbers, phone numbers, and other private details of people who had applied for benefits. The information was flashed on a pair of privately run Web sites, but for how long was unclear.

 
Information Source:
Dataloss DB
records from this breach used in our total: 16,857

February 17, 2006 Mount St. Mary's Hospital
Lewiston, New York
MED PORT

17,000

Two laptops containing dates of birth, addresses and Social Security numbers of patients were stolen in an armed robbery in New Jersey.  The laptops and sensitive files were password protected.  The Hospital contacted those whose information may have been compromised.  St. Mary's is just one of ten hospitals that were affected by the theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

April 27, 2006 Long Island Railrad via contractor Iron Mountain
Jamaica, New York
GOV PORT

17,000

Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of virtually everyone who worked for or currently works for the agency were lost.  The lost occurred during delivery by contractor Iron Mountain. Data tapes belonging to the U.S. Department of Veteran's Affairs may also have been affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

June 3, 2006 Humana
Louisville, Kentucky
MED DISC

17,000 current and former Medicare enrollees

Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

July 14, 2006 Northwestern University
Evanston, Illinois
EDU HACK

17,000

(888) 209-0097. http://www.northwestern.edu/newscenter/stories/2006/07/data.html 

Files containing names and some personal information including SSNs were on 9 desktop computers that had been accessed by unauthorized persons outside the University. The computers were in the Office of Admissions and Financial Aid.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

October 19, 2006 Allina Hospitals and Clinics
Minneapolis, Minnesota
MED PORT

Individuals in 17,000 households

A laptop stolen from a nurse's car on October 8 contains the names and SSNs of individuals in approximately 17,000 households participating in the Allina Hospitals and Clinics obstetric home-care program since June 2005.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

June 11, 2007 Pfizer
New York, New York
BSO DISC

17,000

866-274-3891

Installation of certain file sharing software on a Pfizer laptop, exposed files containing names, Social Security numbers, addresses and bonus information of present and former Pfizer colleagues. Investigation revealed that certain files containing data were accessed and copied.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

May 2, 2008 Marine Corps Reserve Center
San Antonio, Texas
GOV INSD

17,000

A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft after he was accused of selling names and Social Security numbers of 17,000 military employees.

 
Information Source:
Media
records from this breach used in our total: 17,000

July 9, 2010 Emily Morgan Hotel
San Antonio, Texas
BSO PHYS

17,000

Identity thieves obtained stacks of credit card receipts from one of the hotel's storage rooms in 2006.  Hundreds of thousands of dollars in fraudulent charges were then made in three different states.  Investigators first became aware of a large identity theft issue in the area during the beginning of 2009.

UPDATE (12/4/2010): The ringleader pleaded guilty to ID theft fraud conspiracy, access device fraud and conspiracy to launder money. Seven other co-conspirators have been identified.

UPDATE (4/7/2011): A former hotel worker faces up to 22 years in prison for stealing customer information and using it to go on a shopping spree.  In 2006, the former employee used credit card receipts from the Emily Morgan hotel in downtown San Antonio to make fraudulent charges totaling $300,000.  This appears to be the one of the largest cases in Alamo City’s history.  The accused former employee pleaded guilty to three charges and is scheduled to be sentenced in July.

 
Information Source:
Databreaches.net
records from this breach used in our total: 17,000

June 25, 2007 UnitedHealthCare
Trumbull, Connecticut
MED INSD

17,000

A former employee had the names, Social Security numbers, dates of birth and addresses of about 127 members. The employee is believed to have participated in fraudulent activity and may have accessed approximately 17,000 members' information during the final 2 1/2 years of his or her employment.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

May 14, 2012 York County, South Carolina
York, South Carolina
GOV HACK

17,000

Hackers gained access to York County's web application server.  It contained two databases with the information of 17,000 job applicants and vendors.  The first database contained about 12,500 names from as far back as 15 years ago.  The second database was newer and contained information that had been collected up until August 29, 2011.  The intrusion was discovered by the county on August 29 and no new applicants or vendors were affected by the breach.  Those who may have been affected were not notified until after a thorough investigation by York County's IT department.  No definitive evidence was found for a breach after the nine-month investigation.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,000

October 10, 2012 Equifax
Atlanta, Georgia
BSF DISC

17,000

Equifax settled charges with the Federal Trade Commission after it was discovered that Equifax Information Services improperly sold lists of consumer data.  People who were late on their mortgage payments had their information sold to firms that should not have received the information and subsequently resold it to other firms.  Equifax agreed to pay nearly $1.6 million to resolve charges that it violated the FTC and Fair Credit Reporting Acts. The settlement prohibits Equifax from providing prescreened lists to unauthorized parties, having poor procedures for releasing prescreened lists, and selling prescreened lists in certain circumstances.

 
Information Source:
Media
records from this breach used in our total: 17,000

June 5, 2009 Virginia Commonwealth University
Richmond, Virginia
EDU STAT

17,214

A desktop computer was stolen from a secured area within Cabell Library in mid-April. The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007. An additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,214

June 23, 2008 Colt Express Outsourcing Services, CNET Networks
Walnut Creek, California
BSO STAT

17241

Burglars stole computer systems from the offices of the company that administers the Internet publisher's benefit plans. The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET's health insurance plans. CNET was only one of several clients affected.

UPDATE (8/26/08): Among the companies whose staffers have been exposed by the Colt break-in in Walnut Creek, California: Google, Bebe Stores, Alston & Bird, and the California Bankers Assn.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,241

May 23, 2007 Waco Independent School District
Waco, Texas
EDU HACK

17,400

Two high school seniors recently hacked into the district's computer network potentially compromising the personal information including Social Security numbers of students and employees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,400

March 20, 2005 Northwestern University
Evanston, Illinois
EDU HACK

17,500

Hackers gained access to multiple computers and gathered user ID and password information from the University's network.  The personal information for around 500 faculty members, 2000 staff members, and 14,000 alumni was compromised. 

 
Information Source:
Media
records from this breach used in our total: 17,500

December 15, 2006 University of Colorado, Boulder, Academic Advising Center
Boulder, Colorado
EDU HACK

17,500

http://www.colorado.edu/its/security/awareness/privacy/identitytheft.pdf

A server in the Academic Advising Center was the subject of a hacking attack. Personal information exposed included names and SSNs for individuals who attended orientation sessions from 2002-2004. CU-Boulder has since ceased using SSNs as identifiers for students, faculty, staff, and administrators.

 
Information Source:
Dataloss DB
records from this breach used in our total: 17,500

July 17, 2013 Office of the Medicaid Inspector General (OMIG)
Albany, New York
MED INSD

17,743

A link to the official notice can be foudn here:

http://apps.cio.ny.gov/apps/mediaContact/public/preview.cfm?parm=E5EBBF4...

An OMIG employee sent an email that contained sensitive records to their own email account on October 12, 2012.  Medicaid paitient first and last names, Social Security numbers, dates of birth, and Medicaid client information numbers may have been compromised. 

 
Information Source:
Media
records from this breach used in our total: 17,743

June 29, 2005 Bank of America
Charlotte, North Carolina
BSF PORT

18,000

A laptop containing the names, Social Security numbers, and addresses of customers was stolen from a consultant's car.

 
Information Source:
Dataloss DB
records from this breach used in our total: 18,000

August 7, 2006 U.S. Department of Veterans Affairs via contractor Unisys Corporation
Reston, Virginia
GOV INSD

5,000

Five thousand Philadelphia patients, 11,000 Pittsburgh patients and 2,000 deceased patients were affected.  There is a possibility that 20,000 others were also affected.

A computer at contractor's office was reported missing Aug. 3.  It contained billing records with names, addresses, SSNs, and dates of birth of veterans at two Pennsylvania locations.

UPDATE (9/15/06): Law enforcement recovered the computer and arrested an individual who had worked for a company that provides temporary labor to Unisys.

 
Information Source:
Dataloss DB
records from this breach used in our total: 18,000

December 31, 2008 Ohio State University
Columbus, Ohio
EDU DISC

18,000

http://www.studentlife.osu.edu/dataexposure

Ohio State University has notified 18,000 current and former students that their personel information was mistakenly stored on a computer server exposed to the Internet. The data included student names, Social Security numbers, addresses and coverage dates for those enrolled in the health insurance plan for three quarters in 2005-06.

 
Information Source:
Dataloss DB
records from this breach used in our total: 18,000

April 8, 2009 Metro Nashville School/Public Consulting Group
Nashville, Tennessee
EDU DISC

18,000

(615) 259-INFO (4636)

Metro Nashville students' names, Social Security numbers, addresses and dates of birth and parents' demographic information were available by searching Google. A private contractor unintentionally put student data on a computer Web server that wasn't secure. The data was available online from Dec. 28 to March 31.

 
Information Source:
Dataloss DB
records from this breach used in our total: 18,000

January 11, 2011 University of Connecticut, HuskyDirect.com
Storrs, Connecticut
EDU HACK

18,059

Customers who used their credit cards on UConn's Huskydirect.com sports gear website may have had their personal information exposed in a data security breach. A hacker was able to access the Huskydirect.com customer database and may have viewed billing information with names, addresses, telephone numbers, credit card numbers, expiration dates, security codes and email addresses. The Huskydirect.com database is run by an outside vendor. People who made purchases offline are not at risk.

UPDATE (1/31/2011): Some people who were affected by the breach have recently reported fraudulent charges.

UPDATE (2/19/2011): Additional details reveal the exact number of names that were on the customer database, the fact that the perpetrator used an administrative password, and the fact that Fandotech, the company that was hosting and managing the site, was not following correct web security procedures.

 
Information Source:
Databreaches.net
records from this breach used in our total: 18,059

May 30, 2013 California Department of Developmental Services
Santa Monica, California
MED PORT

18,100

An employee at North Los Angeles County Regional Center left a work laptop, a personal laptop, and an iPhone in their car overnight. The items were stolen during the night.  The employee worked for a program that served disabled infants and toddlers.  Names, Social Security numbers, and other personal information were on the unencrypted work laptop.  The theft occurred in November and patients were notified in January of 2013. 

 
Information Source:
Media
records from this breach used in our total: 18,100

January 28, 2008 Kiwanis International, On-Net Services
Indianapolis, Indiana
NGO HACK

18,432

On January 4, Kiwanis learned of an unauthorized intrusion into its Kiwanis Family Store Website and database that occurred sometime between December 1 of 2007 and January 4 of 2008. The unauthorized person or persons illegally accessed information by running a SQL injection program that gathered names, credit card numbers, expiration dates and billing/shipping addresses of individuals who had purchased items from the Kiwanis Family Store.

 
Information Source:
Dataloss DB
records from this breach used in our total: 18,432

September 29, 2010 Morgan Keegan & Company
Memphis, Tennessee
BSF PORT

18,500

An attorney was able to collect a disk with client names and detailed financial information during an investigation. Clients were notified and their accounts are being monitored for unauthorized use. The breach was discovered on September 15 and the disk was later returned by the attorney.

 
Information Source:
Media
records from this breach used in our total: 18,500

July 19, 2013 University of Virginia, Aetna Health Care
Charlottesville, Virginia
EDU DISC

18,700

A mailing error by a third-party mailing vendor used by Aetna Health Care resulted in the Social Security numbers of students being exposed in open-enrollment brochures.

 
Information Source:
Media
records from this breach used in our total: 18,700

February 16, 2012 Central Connecticut State University (CCSU)
New Britain, Connecticut
EDU HACK

18,763

A computer breach in a CCSU Business Office exposed the information of current and former faculty, staff, and student workers.  A Z-Bot virus designed to relay information was discovered on the computer on December 6, 2011.  The computer had been exposed for eight days and only exposed the Social Security numbers of those who were affected. People associated with CCSU as far back as 1998 were affected.

 
Information Source:
Databreaches.net
records from this breach used in our total: 18,763

December 17, 2013 Colorado Governor's Office of Information Technology
Denver, Colorado
GOV PORT

18,800

A Colorado state employee lost a flash drive that contained the information of current and former Colorado state employees.  It contained names, Social Security numbers, and a limited number of home addresses.  The flash drive was discovered missing in late November and is believed to have been lost while the employee traveled between work sites.  Approximately 8,000 of those who were affected were current employees while 10,800 were former employees.

 
Information Source:
Media
records from this breach used in our total: 18,800

October 10, 2011 University of Georgia (UGA)
Athens, Georgia
EDU DISC

18,931

A data file that contained employment information such as names, Social Security numbers, dates of birth, dates of employment, gender, race, home phone numbers, and addresses was accidentally placed on a publicly available web server. The information was available from 2008 until 2011. Faculty and staff who worked at UGA in 2002 were affected.

 
Information Source:
Media
records from this breach used in our total: 18,931

April 21, 2005 Carnegie Mellon University
Pittsburgh, Pennsylvania
EDU HACK

19,000

The compromised information included Social Security numbers and grades from master's alumni classes 1997 through 2004, job offer information from master's alumni classes 1985 through 2004, contact information for all alumni, and Social Security numbers and grades from doctoral students enrolled between 1998 and 2004.  Between 5,000 and 6,000 of those affected had their credit card information and Social Security numbers compromised. Emails and letters were sent to those who were affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 19,000

January 31, 2006 Honeywell International
Morristown, New Jersey
BSO UNKN

19,000

Personal information of current and former employees including Social Security numbers and bank account information was posted on an Internet Web site. It was not known whether this was the result of a malicious insider or an administrative error.  Current and former employees whose information was compromised were informed immediately and offered free credit monitoring and identity theft insurance.

 
Information Source:
Dataloss DB
records from this breach used in our total: 19,000

August 29, 2006 AT&T via vendor that operates an order processing computer
San Francisco, California
BSO HACK

19,000

Computer hackers accessed credit card account data and other personal information of customers who purchased DSL equipment from AT&T's online store. The company is notifying fewer than 19,000 customers.

UPDATE (9/1/06). The breach was followed by a bogus phishing e-mail to those customers that attempted to trick them into revealing more info such as SSN and birthdate -- essential for crime of identity theft.

 
Information Source:
Dataloss DB
records from this breach used in our total: 19,000

May 23, 2008 R.E. Moulton
Irving, Texas
BSF PORT

19,000

Thieves broke into the Irving, Texas, regional office and stole a laptop computer containing personally information of numerous individuals, including names and Social Security numbers. The company is in the medical stop-loss insurance industry. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 19,000

May 13, 2009 United Food and Commercial Workers Union 555
Tigard, Oregon
NGO PORT

19,000

A union employee's laptop was stolen on the East Coast. The laptop may have contained personal information of Local 555 members, including birth dates and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 19,000

May 18, 2012 UnitedHealthcare (United Health Group Plan)
Minneapolis, Minnesota
MED INSD

19,100

A dishonest employee used the names, Social Security numbers, addresses, phone numbers, dates of birth, and Medicare Health Insurance Claim Numbers to steal the identities of at least 24 Idaho customers enrolled in UnitedHealthcare Medicare plans. On January 30, 2012, it was discovered that the former employee may have accessed the information in the United Health Care database in a way that was inconsistent with his job duties and possibly for fraud purposes.  The information was taken between June 28 and December 12 of 2011. Affected patients were notified on March 30.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 19,100

September 21, 2010 Pediatric and Adult Allergy, PC
Des Moines, Iowa
MED PORT

19,222

Patients of Dr. George Caudill (retired), Dr. Veljko Zivkovich (retired) Dr. Robert Colman and Dr. Whitney Molis were notified that a backup tape with their personal information was lost on or around July 11. The patient information included name, address, phone number, date of birth, Social Security number, dates of service, services and diagnoses. Medical records and financial information were not on the backup tape. It appears that all patients with accounts created before July 10, 2010 were affected.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 19,222

October 11, 2010 University of Oklahoma-Tulsa Neurology Clinic, Neurology Services of Oklahoma, LLC
Oklahoma City, Oklahoma
MED HACK

19,264

Neurology Services of Oklahoma, LLC is located in Tulsa, OK.

Malware was discovered on a clinic computer on or around July 28. Patients who saw Dr. John Cattaneo at the clinic and at his former employer Neurology, LLC were notified of the breach. Patient names, Social Security numbers, phone numbers, addresses, dates of birth, medical record numbers, lab reports and dates of service were in documents that may have been accessed by the virus.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 19,264

June 23, 2010 Florida International University
Miami, Florida
EDU DISC

19,495

Florida International University is in the process of sending notification letters to 19,407 students and 88 faculty members after the university’s IT Security Office discovered personal data may have been exposed over the internet via a database’s external search function. An announcement posted on the FIU website lists the personal data as GPAs, test scores, and Social Security numbers that were stored on the College of Education’s E-Folio software app. This database kept track of student data related to state mastery standards, grade tracking, assignments, and Social Security numbers for both students and faculty.

 
Information Source:
Dataloss DB
records from this breach used in our total: 19,495

September 28, 2006 New York State Banking Department
New York, New York
BSF DISC

19,640

During the routine process of indexing the search engine of the Department's website, data files from the 2005 Volume of Operations Reports were inadvertently made accessible to members of the public between July 27 and August 29. Personal information included the Social Security numbers of all independent contractors employed by both licensed mortgage bankers and registered mortgage brokers. Social Security numbers of all felons employed by those registrants who also opted to electronically failed their 2005 VOO reports were also available through the Department's website search engine.

 
Information Source:
Dataloss DB
records from this breach used in our total: 19,640

July 20, 2011 Swedish Medical Center
Seattle, Washington
MED DISC

19,799

The full names and Social Security numbers of current and former employees were accessible online for nearly nine weeks. Employees who worked for Swedish, but not Swedish Physician Division,  in 1994, 1995, 2002, 2003, 2004 and 2006 had their information posted sometime between the middle of April and June 17, 2011. The cause of the accidental disclosure was not reported.

 
Information Source:
Databreaches.net
records from this breach used in our total: 19,799

April 28, 2005 Georgia Southern University
Stateboro, Georgia
EDU HACK

tens of thousands (at least 20,000)

Hackers accessed a University server which contained thousands of credit card and Social Security numbers collected over three years.  Students who received bookstore credit through scholarship or financial aid between the fall 2003 and spring of 2005 semesters, and anyone who made credit purchases at campus stores, stadium, or website are at risk.  Email alerts were sent to students and alumni.

 
Information Source:
Dataloss DB
records from this breach used in our total: 20,000

October 27, 2006 Gymboree
San Francisco, California
BSR PORT

up to 20,000 employees

A thief stole 3 laptop computers from Gymboree's corporate headquarters. They contained unencrypted human resources data (names and Social Security numbers) of thousands of workers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 20,000

June 14, 2007 Division of Workforce Services
Salt Lake City, Utah
GOV UNKN

20,000

(801) 281-1267

Children's Social Security numbers are believed to have been compromised by identity thieves.

 
Information Source:
Media
records from this breach used in our total: 20,000

July 17, 2007 Western Union
Greenwood Village, Colorado
BSF HACK

20,000

Credit card information and names were hacked from a database. The thieves got names, addresses, phone numbers and complete credit-card information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 20,000

November 1, 2007 City University of New York
New York, New York
EDU PORT

20,000

A broken laptop containing personal information was taken from the School's financial aid office.

 
Information Source:
Dataloss DB
records from this breach used in our total: 20,000

March 3, 2008 Kaft Foods
Northfield, Illinois
BSO PORT

20,000

A company-owned laptop computer was stolen from an employee of Kraft Foods traveling on company business. The laptop contained the names and may have contained Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 20,000

March 20, 2008 Lasell College
Newton, Massachusetts
EDU HACK

20,000

A hacker accessed data containing personal information on current and former students, faculty, staff and alumni. Information included names and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 20,000

April 29, 2010 St. Jude Heritage Medical Group
Orange, California
MED PHYS

20,000

(800) 627-8106

20,000 patients may have had their personal information stolen after a break-in at the St. Jude Heritage Healthcare Clinical Management Services building in Fullerton. The thieves stole five computers. The stolen patient data included Social Security numbers, dates of birth and in some cases, health related information.

 
Information Source:
Dataloss DB
records from this breach used in our total: 20,000

Breach Total
867,217,832 RECORDS BREACHED
(Please see explanation about this total.)
from 4,257 DATA BREACHES made public since 2005
Showing 3701-3750 of 4257 results


X

Sign In!

Loading