Data Breaches

Privacy Rights Clearinghouse brings together publicly reported data breach notifications from across U.S. government agencies into a single, searchable database. Explore our interactive visualizations or purchase the full dataset. Have questions? Check our FAQ below.

Breach Chronology Statistics - Sept 9, 2025 - 75,365 Data Breach Notifications Tracked; 36,594 Unique Breach Events; 9.38 BILLION Individuals impacted

Tracking Two Decades of Data Breaches in the U.S.

Data breaches have exposed the personal information of hundreds of millions of people across the U.S., affecting individuals, businesses, and entire industries - and in many cases many times over. The Data Breach Chronology compiles more than 75,000 reported breaches since 2005 using publicly available notifications exclusively from government sources. While reporting requirements vary by state and disclosure practices differ, this database offers the most comprehensive view available of who was breached, how it happened, and what data was compromised. It captures breach types, along with affected organizations, compromised information, and reporting timelines. By downloading the database, you gain structured, standardized access to fragmented public records, enabling research, risk analysis, policy development, and investigative reporting based on the best data currently available.

Download the Database

The Scale of U.S. Data Breaches

The first data breach notification law in the country was passed in California in 2002, but it took until 2018 for the rest of the country to fully catch up - and the level of coverage still varies considerably across the country. Today, while every state requires breach reporting, only 14 make these reports publicly available.

Download the Full Database

Which States Report Breach Data?

Categorising Breaches

The Data Breach Chronology analyzes each notification across multiple dimensions, including the type of organization affected—from BSF for financial services to MED for healthcare providers—and the method of breach—such as HACK for cyber attacks or PORT for portable device breaches. The high number of "UNKN" classifications reflects a common challenge in breach reporting: notifications often lack sufficient detail to determine an organization's primary function or the specific method of breach. For complete descriptions of our classification system, see our FAQ.

How?

Who?

Where Are Data Breaches Occurring?

Data breaches affect organizations and individuals across every state in the U.S. This map shows reported breaches by state (darker red indicating higher numbers) and some of the most concentrated zipcodes, by the number of breach incidents in the area and the number of individuals impacted. Tracking the true geographic scope of data breaches remains especially challenging - in most cases, neither notification letters nor agency reports reveal where breaches actually occurred. Even in our massive database we can only pinpoint specific locations for a small fraction of incidents.

When Are Breaches Reported?

The Data Breach Chronology tracks both when breaches occurred and when they were reported, offering insight into reporting trends, delays, and practices across the U.S. While breach dates are not always disclosed, the database captures them whenever available, allowing you to compare incident timelines against reporting activity for deeper analysis.

Breach Notifications and Unique Breach Events

We connect individual breach notifications to the unique incidents they describe, revealing how a single event can ripple across states and years as new details emerge. By structuring fragmented, publicly reported data into one searchable resource, the database provides insight into trends, timelines, and the true scale of breaches nationwide.

What Data Are Breaches Exposing?

Reporting agencies rarely specify what data was exposed in a breach, and when they do, the details are often buried deep in notification letters. The Data Breach Chronology extracts and organizes these fragments wherever possible, structuring them into categories defined by the California Consumer Privacy Act (CCPA). This standardization makes it easier to analyze patterns across tens of thousands of breach events and understand what types of personal, financial, and sensitive data are most often compromised.”

Power Your Research With the Data Breach Chronology

You can download the database and support this project with your purchase.

Try a sample in your preferred format:

Download SQLite sample (.db file, recommended)
Download Excel sample (.xlsx file)
Download CSV sample (.csv file)

See our README for documentation.

We offer flexible pricing options for individual researchers and organizations, with substantial academic discounts. Choose from individual researcher access for personal projects, or a multi-user license for classroom and organisational access for teams. Annual subscriptions include ongoing access to monthly database updates and new features.

If you're conducting academic research with limited institutional funding, working with a nonprofit, or are a media outlet operating on a limited budget, and your work directly advances privacy protection, we offer limited complimentary access. Please contact us at databreachchronology@privacyrights.org with detailed information about your funding situation, research project, and how your work aligns with our mission of advancing consumer privacy protections. We typically respond within 3-5 business days.

Get the full dataset

Who Uses The Data Breach Chronology?

Researchers worldwide rely on Privacy Rights Clearinghouse data to advance digital security and privacy protection. Each point below represents a university or research institution using our data breach research.Thanks to community-funded access, each purchase directly supports our mission and provides access to nearly two additional researchers for every supporter who contributes. This sustainable model keeps the database accessible to educators, advocates, journalists, and research institutions everywhere.

Explore The Database

Explore over 75,000 reported data breaches since 2005. Search by organization, breach type, state, or data source to view individual incidents and track broader trends.

Frequently Asked Questions

This project was funded in large part thanks to The Rose Foundation for Communities and the Environment Consumer Products Fund. We have also received funds for this project from cy pres awards and Consumer Federation of America. Additionally, ongoing support from our community of data purchasers is essential to maintaining and expanding this resource. Every purchase enables us to provide complimentary access to researchers working on privacy protection.

If you are interested in supporting this project, please reach out to us at support@privacyrights.org.

The Data Breach Chronology draws from fifteen U.S. government agencies that maintain public records of data breach notifications. These include the U.S. Department of Health and Human Services and various state Attorneys General who require organizations to report breaches affecting their residents.

Each state has unique reporting thresholds and requirements. For example, some states require reporting of any breach affecting state residents, while others set minimum thresholds. Some states make notification letters public, while others provide only summary data.

When a breach affects residents of multiple states, it may be reported to several agencies. To make it possible to track both individual organizations and individual breach events across the database we perform normalization on the organization name and attempt to match and group breach events.

We collect and structure detailed information about each breach across several categories:

Organization Information:

Organization name, normalized name and alternative names
Organization type classification
Unique identifiers for tracking

Incident Details:

Description of what occurred
Type of breach
Types of information exposed
Dates (when reported, when occurred, when ended)
Number of individuals affected (total and state residents)

Location of the Breach Information:

Street address
City, state, and ZIP code
Country

Related Incidents:

Group identifier for related breach notifications
Common breach classification
Common organization type

Source Documentation

Agency report URL
Source agency that reported the breach
Notification letter URL
Full text of notification letter

Each field also includes explanatory notes documenting how we determined the values and any relevant context.

We use a consistent classification system that has evolved with our understanding of data breaches:

Organization Types include:

BSF (Financial Services Business): Banks, credit unions, investment firms, insurance carriers
BSO (Other Business): Technology companies, manufacturers, utilities, professional services
BSR (Retail Business): Physical and online retail merchants
EDU (Educational Institutions): Schools, universities, educational services
GOV (Government and Military): Public administration, government agencies
MED (Healthcare Providers): Hospitals, clinics, HIPAA-covered entities
NGO (Nonprofits): Charities, advocacy groups, religious organizations

Breach Types include:

CARD: Physical payment card compromises (skimming devices, POS tampering)
HACK: External cyber attacks (malware, ransomware, network intrusions)
INSD: Internal threats from authorized users
PHYS: Physical document theft or loss
PORT: Portable device breaches (laptops, phones, tablets)
STAT: Stationary device breaches (desktops, servers)
DISC: Unintended disclosures (misconfiguration, accidents)

As a privacy and consumer advocacy organization, we approach artificial intelligence with both careful consideration and concern. We recognize AI's profound implications for civil liberties, environmental justice, economic equity, and the concentration of power in the technology sector. These issues are at the core of our mission and shape our approach to using AI in our work.

The scope of data breach reporting—thousands of notifications across multiple agencies—creates a significant challenge for a small nonprofit organization. While we previously maintained this database through manual entry, the volume of notifications has grown beyond what we can process without technological assistance. AI tools help us continue this important work while maintaining consistent standards.

We believe our approach balances efficiency with accuracy:

We use AI to normalize scraped text and extract context from data breach notification letters. We also incorporate AI in our classifications, to help determine breach and organization types.
Our AI processing is strictly limited to analyzing the actual content of notifications, not making broader inferences based.
Multiple automated validation checks help identify potential errors or inconsistencies
We regularly review system output and monitor for systematic errors or biases
While the processing is largely automated, we maintain oversight of the final staging and publication process

While we work to minimize issues like hallucination or incorrect inferences through careful system design and validation steps, we acknowledge that complete elimination of these problems isn't currently possible. We continue to explore ways to improve our process, including the potential development of dedicated tools that would allow for local processing and reduce dependency on large technology platforms. We welcome your feedback.

Thank you for your interest – there is no shortage of work that can be done to continue to improve this project, and there are many ways to help out!

Donate your time and expertise as a data science or tableau volunteer to help us collect, clean, process, maintain, and present this resource. Contact us at databreachchronology@privacyrights.org with the subject line “VOLUNTEER”.
Apply for a legal internship to help us stay up to date on changing data security and breach notification laws.
Apply to join our Data Breach Chronology advisory committee to help drive future project decisions and new features. Contact us at databreachchronology@privacyrights.org with the subject line “ADVISORY COMMITTEE”.
Donate to sustain the project.

If you are interested in getting updates on this project, join our email list here.

The Data Breach Chronology began in 2005 under the leadership of Beth Givens, Privacy Rights Clearinghouse's founder and former Executive Director. The current version was developed and is maintained by Emory Roane, Associate Director of Policy at Privacy Rights Clearinghouse. Maintaining this project is made possible by foundation support and purchases of the dataset.

We are also thankful for the contributions of The Rose Foundation for Communities and the Environment, Consumer Federation of America, Coleman Research Lab, Ahmed Eissa, Ava Watson, and everyone else who has supported the project in its various forms over the years.

The Data Breach Chronology is based on publicly available information and should not be considered a complete and accurate representation of every data breach in the United States. Rather, it reflects the data breach notifications themselves that have been reported and made publicly available in the United States.

Users should pay careful attention to the issue of duplicate reporting when making use of this data or making assertions based on this data. While we work to identify when a single breach has been reported to multiple state Attorneys General, this process is not perfect.

Additionally, though we collect the contents of breach notification letters where possible, we do not host these letters locally–and source URLs may no longer be active.

Privacy Rights Clearinghouse makes no representations as to the accuracy of the information included in the Data Breach Chronology.