Frequently Asked Questions About the Chronology of Data Breaches
- What does the Chronology of Data Breaches contain?
- What does the Total Number indicate?
- Is the Chronology of Data Breaches a complete listing of all breaches?
- Are there state-specific breach listings?
- How often is the Chronology updated?
- Uses of Chronology of Data Breaches in Publications: Please Footnote the Source Appropriately
- What should I do if my personal information has been compromised in a data breach?
- Are there resources for businesses and other organizations on how to avoid having sensitive data breached?
- What should I do if my business or organization experiences a security breach?
- Do states have laws that require those entities that experience a data breach to notify the affected individuals?
- Which states have laws that require breached organizations to report breaches and submit notice letters to a central clearinghouse?
- Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have any analyses of security breach laws been published?
- Are there other resources with additional information about security breaches?
- Report 
The data breaches noted here  have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. The breaches posted below include only those reported in the United States. They do not include incidents in other countries.
The running total  we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.
In reality, the number given below should be much larger. For many of the breaches listed, the number of records is unknown. Further, this list is not a comprehensive compilation of all breach data (see below).
No, it is not a complete listing of breaches. The list is a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches. But the list is not a comprehensive listing. Reported incidents affecting more than nine individuals from an identifiable entity are included. Breaches affecting nine or fewer individuals are included if there is a compelling reason to alert consumers. Most of the information is obtained from verifiable media stories, government web sites/pages (for example state Attorneys General such as the California AG’s breach website), or blog posts with information pertinent to the breach in question. If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere. If you are aware of a breach that is not included in our list, below, feel free to contact us here: https://www.privacyrights.org/cc/complaint  .
Some states have state laws that require breaches to be reported to a centralized data base. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents). However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. For details, see the Open Security Foundation Datalossdb website: http://datalossdb.org/primary_sources 
We usually update this list every two days.
Where do you obtain information about the data breaches that are reported on this Web page?
Most of the breaches summarized below on this page have been obtained from the Open Security Foundation list-serve. As of January 2010, we have expanded our sources to also include Databreaches.net, PHI Privacy and NAID. As of March 2012, we began using the California Attorney General list of data breaches.
- The Open Security Foundation's DataLossDB.org (www.datalossdb.org ) offers a free e-mail list-serve on the latest breaches.
To subscribe to DataLoss, send a message to: email@example.com 
- Consumers may access a list of data breaches from Datalossdb.org upon creating a username and password. The DataLossDB.org page includes a search engine and news articles for the breaches listed below, and also provides an open source database of its data breach records. It is a flat comma-separated value file that can be imported into a database or spreadsheet program for your own data analysis.
- Beginning in January 2010, we have expanded the sources of our breaches. We now include the following sources:
- Databreaches.net (www.databreaches.net ) is a spinoff from www.PogoWasRight.org  and compiles a wide range of breach reports since January 2009.
- Personal Health Information Privacy (www.phiprivacy.net/ ), affiliated with Databreaches.net , is a database that compiles only medical data breaches. Many of these are obtained from the US Department of Health and Human Services' medical data breach list (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html ), which provides only minimal information.
- National Association for Information Destruction, Inc (www.naidonline.org ) provides monthly newsletters that include a number of data breaches largely due to improper document destruction.
Privacy Rights Clearinghouse publishes the Chronology of Data Breaches as a source of information for both past and current breaches. Any individual or organization is welcome to use our data for research as well as general interest. If data from the Chronology is cited in a publication, including papers and research by students, please properly footnote the Chronology of Data Breaches as the source.
It’s important to note that our Chronology of Data Breaches does not reflect a complete list of breaches. We obtain information about breaches from the media and from sources such as websites of state Attorneys General for states in which AGs make such information available. In addition, our numbers only include breaches that occur within the United States. No international data breaches are posted. For additional information about the Chronology of Data Breaches, please read our FAQ here .
For tips on what to do if your personal information has been exposed due to a security breach, read our guide  at http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm .
Learn about security and privacy protection practices for your workplace.
- Debix data breach resources (laws, notice letters, audit guide, webinars), http://debix.com/business/resources.php 
- Visual Data Breach Risk Assessment Study, by PeopleSecurity for 3M (Dec. 2010), http://solutions.3m.com/3MContentRetrievalAPI/BlobServlet?locale=en_US&lmd=1291398659000&assetId=1273672752407&assetType=MMM_Image&blobAttribute=ImageFile 
- "Guide to Protecting the Confidentiality of Personally Identifiable Information," National Institute of Standards and Technology. Special Publication 800-122. (April 2010) http://ssrn.com/abstract=1671082 .
- "Forrester Consulting Study, “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk,” (April 2010) sponsored by RSA and Microsoft, available at www.rsa.com/CorporateSecrets . For press release, see http://www.microsoft.com/Presspass/press/2010/apr10/04-05MSRSAPR.mspx?rss_fdn=Press%20Releases .
- "Data Breach and Incident Readiness Planning Guide" from the Online Trust Alliance (January 2011).
- "Security & Privacy -- Made Simpler," from the Better Business Bureau http://www.bbb.org/us/corporate-engagement/security/ 
- “Protecting Personal Information: A Guide for Business,” from the Federal Trade Commission. www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index. 
- “Information Security Handbook,”from the National Institute of Standards and Technology
- “Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace,” from the Privacy Rights Clearinghouse
- The California Office of Privacy Protection has developed a series of Recommended Practices. Several of the guides may be helpful in protecting your business whether or not you are located in California.
- “A California Business Privacy Handbook,” www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf 
- '“Recommended Practices for Protecting the Confidentiality of Social Security numbers,” www.privacyprotection.ca.gov/res/docs/pdf/ssnrecommendations.pdf 
The following resources guide businesses who have experienced a security breach through the notification process and in working with law enforcement.
- “Recommended Practices on Notification of Security Breach Involving Personal Information,” from the California Office of Privacy Protection may be useful whether or not you are located in California. http://tinyurl.com/9npvftl 
- “Dealing with a Data Breach,” from the Federal Trade Commission
Yes. The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches. It is the first of its kind in the nation, implemented July 2003.
Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
- http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx 
- Description of California law, SB 1386, www.privacyrights.org/ar/SecurityBreach.htm 
- http://www.privacy.ca.gov/business/recom_breach_prac.pdf 
For a list of states enacting security breach and freeze laws, visit these Web sites:
- Comparison of US State and Federal Security Breach Notification Laws, by Steptoe & Johnson LLP (January 21, 2016), http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificatio... 
- Map of State Data Breach Notification Laws (August 2012) http://net-security.org/secworld.php?id=13490 
- Intersections Data Breach Consumer Notification Guide, by Intersections, Inc. (May 2014) Intersections Consumer Notification Guide 
- Security breach notice laws provided by Consumers Union
- Nymity map, "Breach Notification laws of the United States,"
http://www.nymity.com/404Error?docid=E5AE006F-1947-4163-BDAC-0BFE129E5C89  (registration required)
- Security Breach Notification Chart (Perkins, Coie) http://www.perkinscoie.com/files/upload/PS_12_04SecurityBreachNotificationLawChart.pdf 
- State Data Breach Notification Laws (Scott&Scott)
- State Data Security Breach Legislation Survey, by Mintz Levin law firm (updated August 2009),
- State Laws Governing Security Breach Notification (Crowell Moring)
- Security freeze laws (Consumers Union)
(Note: As of November 2007, the three credit bureaus enable individuals nationwide to freeze their credit reports.)
The state of Massachusetts requires that breached entities report data breaches to the Massachusetts Office of Consumer Affairs and Business Regulation.
- Breach report, 2011, http://www.mass.gov/ocabr/docs/2011-data-breach-report.pdf 
The Open Security Foundation and Chris Walsh have compiled breach notice letters from the states that require breached entities to submit such letters to a central repository. These states are: Maryland, New Hampshire, New York, North Carolina, and Vermont. To view these letters, visit http://datalossdb.org/primary_sources .
As of January 2012, the California Attorney General posts data breach notice letters here: http://oag.ca.gov/ecrime/databreach/list . Additional information about data security breach reporting is found here: http://oag.ca.gov/ecrime/databreach/reporting .
Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have any analyses of security breach laws been published?
- The Real Cost of Data Breaches, by Vanson Bourne for FireEye. (registration required) https://www2.fireeye.com/WEB-Real-Cost-of-Data-Breaches.html 
- 2016 Vormetric Data Threat Report (registration required) http://www.vormetric.com/campaigns/datathreat/2016/ 
- Criminal Attacks Are Now Leading Cause of Data Breach in Healthcare,
According to New Ponemon Study http://www.ponemon.org/news-2/66 
- Verizon 2016 Data Breach Investigations Report (April 2016). http://news.verizonenterprise.com/2016/04/2016-data-breach-report-info/  (registration possibly required)
- SailPoint Survey: 1 in 4 Employees Will Share Sensitive Information Outside the Company, (March 21, 2016. https://www.sailpoint.com/news/market-pulse-survey-2016 
- California Data Breach Report: February 2016, by California Attorney General, https://oag.ca.gov/breachreport2016 
- Data Breach Digest: Scenarios from the Field, by Verizon (Feb. 2016) (registration required), http://www.verizonenterprise.com/verizon-insights/data-breach-digest/2016/ 
- 1in 3 Americans Victim of Healthcare Data Breach in 2015 http://www.information-management.com/news/security/1-in-3-americans-vic... 
- 2015 Protected Health Information Data Breach Report (December 2015), by Verizon http://www.verizonenterprise.com/phi/?_ga=1.261004685.1094070594.1450479875 
- Global survey by Gemalto reveals impact of data breaches on customer loyalty (December 2015), http://www.gemalto.com/press/Pages/Global-survey-by-Gemalto-reveals-impact-of-data-breaches-on-customer-loyalty.aspx 
- State of Cybersecurity Survey: 2015 ACC Foundation (December 9, 2015), http://www.acc.com/legalresources/resource.cfm?show=1416923 
- Follow the Data: Dissecting Data Breaches and Debunking the Myths, by Numaan Huq of Trend Micro (Sept. 2015), http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/follow-the-data 
- State Data Breach Law Charts, by BakerHostetler (2015), http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf 
- 2015 Data Breach Investigations Report, by Verizon (April 2015), registration required, http://verizonenterprise.com/DBIR/2015/ 
- IBM Security Services 2014 Cyber Security Intelligence Index (June 2014). http://media.scmagazine.com/documents/82/ibm_cyber_security_intelligenc_... 
- Just in Time Research: Data Breaches in Higher Education (May 20, 2014), http://www.educause.edu/library/resources/just-time- 
- Poll: Nearly half of cardholders likely to avoid stores hit by data breaches (Oct. 19, 2014), http://www.creditcards.com/credit-card-news/shopping-after-breach.php 
- Security Roundtable: Turning the Tables on Cyber Attacks (August 12, 2014), http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-turning-the-tables-on-cyber-attacks.pdf 
- “Global Consumers: Concerned and Willing to Engage in the Battle Against Fraud,” (July 22, 2014), http://www.aciworldwide.com/news-and-events/press-releases/globally-3-in-10-consumers-dont-trust-retailers-with-securing-their-data.aspx 
- “Internet Security Threat Report 2014,” by Symantec, http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf  . Summary page, http://www.symantec.com/security_response/publications/threatreport.jsp 
- 2014 Data Breach Investigation Report, by Verizon (Feb. 2014), www.verizonenterprise.com/DBIR/2014 
- BNA: Board Liability for Breaches (July 1, 2014), http://www.bna.com/unthinkable-may-need-n17179891721/ 
- eBay Hack Affects Sales at 9 in 10 Stores, Survey Finds (July 2, 2014), http://news.parcel2go.com/article/ebay-hack-hit-sales-at-9-in-10-stores-survey-finds-10544 
- “Consumer Insecurity about Data Insecurity,” infographic by TSYS (July 2014), http://www.tsys.com/ConsumerDataSecurity/index.cfm?utm_source=pymnts&utm_medium=link&utm_campaign=consumer-data-infographic 
- Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012, U.S. Dept. of Health and Human Services, (June 2014) http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf 
- The Aftermath of a Mega Data Breach: Consumer Sentiment, Conducted by Ponemon Institute, Sponsored by Experian Data Breach Resolution (April 2014), http://www.experian.com/assets/p/data-breach/experian-consumer-study-on-aftermath-of-a-data-breach.pdf  (registration required)
- Will Healthcare Be The Next Retail? Which Industries Are Best at Securing Their Networks from Cyber Threats? By Bitsight (May 2014) http://info.bitsighttech.com/bitsight-insights-industry-security-ratings-vol-4-rc  (registration required)
- 2014 Cost of Data Breach: Global Analysis (Ponemon, May 2014),
- More online Americans say they've experienced a personal data breach, "Pew Research Center Survey" (April 14, 2014) http://www.pewresearch.org/fact-tank/2014/04/14/more-online-americans-say-theyve-experienced-a-personal-data-breach/ 
- Cyber Incident Response: Are Business Leaders Ready? An Economist Intelligence Unit Report (registration required), http://www.arbornetworks.com/ciso/eiureport 
- 2013 Healthcare Information and Management Systems Society (HIMSS) Security Survey, (Feb. 2014), http://www.himss.org/library/privacy-security/annual-security-survey-results 
- 2013 Cost of Data Breach Study: Global Analysis, by Symantec and Ponemon Research (Feb. 2014), http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon-2013 
LEGAL AND POLICY ANALYSES
- State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust, by Deloitte and National Association of State Chief Information Officers (Sept. 2010), http://www.nascio.org/publications/documents/Deloitte-NASCIOCybersecurityStudy2010.pdf  
- Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes, by Dana Lesemann (September 2, 2010). Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Available at SSRN: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1671082 
- Prepared Testimony of Federal Trade Commission on Data Security, by Maneesha Mithal, before the U.S. Senate's Committee on Commerce Science, and Transportation, Subcommittee on Consumer Protection, Product Safety and Insurance (Sept. 22, 2010). http://www.ftc.gov/os/testimony/100922datasecuritytestimony.pdf 
- Data Breach Notification Law Across the World from California to Australia (Alana Maurushat,
Univ. of New South Wales Faculty of Law Research Series, 2009)
http://law.bepress.com/unswwps-flrps09/art11/  
- Read the June 2008 study,"Do Data Breach Disclosure Laws Reduce Identity Theft?" (Sasha Romanosky et al)
- CSO Online, "Data Breach Notification Laws, State by State (with map)," (Feb. 12, 2008),
- Read an analysis by California attorney Alan Mansfield about the California security breach law,
- Read law school professors Schwartz and Janger's law review article on data breach notice laws,
- Read commentary by Jeffrey Rawitz, Jones Day law firm, "Security Breach Notification Requirements"
- Read an analysis  of state security breach notice laws by Alan Wernick, Esq., in the Journal of AHIMA (Nov.-Dec, 2006)
- Read "Security Breach Notifications: a State and Federal Law Maze," (July 27, 2005) by Gibson, Dunn & Crutcher LLP
www.gibsondunn.com/publications/pages/SecurityBreachNotificationsaStateandFederalLawMaze.aspx  For a state-by-state analysis, view this chart .
- Read "The Cyber Risks of Outsourcing " by Branner and Freeman (Sept. 2007)
- Legal Risks on the Radar, by Corporate Board Member. (August 2012) http://finance.yahoo.com/news/corporate-board-member-fti-consulting-153300873.html  (includes discussion of IT security ,as number-one-rated risk)
- Health-Related Data Breaches Affecting 500 or More Persons. Website of U.S. Dept. of Health and Human Services, http://tinyurl.com/hhsbreachtool 
- Tax Returns Expose Social Security Numbers to Public, by Identity Finder (April 2012) (registration required), http://www.identityfinder.com/us/Files/TaxReturnExposure.pdf 
- Social-Engineer.org: Social Engineering Capture the Flag Results (from Defcon 19 conference, 2011) (a report on the use of a social engineering experiment to obtain sensitive company information) http://www.social-engineer.com/downloads/Social-Engineer_Defcon_19_SECTF_Results_Report.pdf 
- Doppelganger Domains (typo-squatting study re: email messages), by Garrett Gee and Peter Kim of the Godai Group (Sept. 6, 2011), http://www.wired.com/images_blogs/threatlevel/2011/09/Doppelganger.Domains.pdf. 
- Data Breach and Encryption Handbook, by Lucy Thomson, ed., American Bar Assoc. (Feb. 2011), http://apps.americanbar.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=540059 
- U.S. Health & Human Services list of health-related breaches
- Maine Attorney General's Office, breach listing, as posted by Datalossdb:
- Identity Theft Resource Center (contains links to news stories)
- New Hampshire Dept. of Justice Security Breach List
- Adam Shostack's Blog: http://www.homeport.org/~adam/ 
- Pogo Was Right
- Read more about security breaches
www.databreaches.net , a service of Pogo Was Right (see above).
- Educational Security Incidents (Adam Dodge)
- Security Beat (includes links to news articles and offers free e-mail list-serve)
- World Privacy Forum, Security Breaches in the Digital Medical Environment (scroll to section D of testimony)