Chronology of Data Breaches

A data breach is an event where private, secured information is intentionally or unintentionally released. Private data can include financial or medical records, social security numbers (SSN), trade secrets and intellectual property. Breaches range from malicious attacks by black hat hackers, governmental organizations or organized crime to careless mishandling of sensitive data. Data breaches can occur electronically or by the theft or misplacement of physical data, such as confidential files or a hard drive.


Many of the breaches listed below have compromised millions of people’s personal information or have resulted in the theft of sensitive corporate or governmental information.

CardSystems: On June 16, over 40 million card accounts were compromised during a security breach. CardSystems, which was a third party processing company for credit cards, failed to encrypt its customers information.

iBill: In March of 2006, 17 million records, including names, numbers and email addresses were exposed by either an insider or via malicious software.

Department of Veteran Affairs: The theft of an employee’s laptop resulted in the names, SSN, dates of birth and other personally identifiable information of every American veteran discharged since 1975 to be exposed.

AOL Search Data Leak: On August 4, a researcher at AOL released a compressed text file containing 20 million search keywords. Intended for research purposes it was publicly available for several days. Many searches contained personally identifiable information and the New York Times was able to use the information to track down and identify one user to show how compromising the mistake was.

TJ Stores: In January, TJX revealed that over 45 million credit and debit card numbers had been exposed during unauthorized intrusions dating back to 2005. At the time this was the largest data breach in history.

Fidelity National Information Services: On July 3, a database analyst at the company stole over 8 million customer records including credit card numbers and bank account information.

UK Child Benefit Data: In October, two discs containing information pertaining to child benefits went missing. This information included personal information for every family claiming child benefits in the United Kingdom, which was nearly 25 million records.

Hannaford Bros. Supermarket Chain: On March 17, sensitive data was breached during a card authorization. Malware loaded onto company servers allowed hackers to access financial information when customers swiped their credit cards during checkout. Every grocery location was compromised, resulting in at least 2,000 cases of fraud.

Bank of New York Mellon: Only weeks after the attack on Hannaford Bros. as many as 12.5 million records were compromised when a box of data tapes storing sensitive information was lost.

Countrywide Financial Corp: In August, the FBI arrested two people in connection with the theft of sensitive personal information, including SSN. They had been involved in a two year breach, downloading 20,000 records a week and selling them for $500 to buyers.

CheckFree Corporation: The website of CheckFree, a bill payment service, was compromised when criminals hijacked several of the company’s Internet domains, rerouting traffic to malicious sites in the Ukraine. Five million records were potentially compromised.

Heartland Payment Systems: In the largest breach of data ever reported, over 130 million credit and debit records were compromised by malicious software. It is suspected that the action was part of a massive global cyberfraud operation.

U.S. Military Veterans: In another security breach of veterans’ personal information a defective hard drive was not properly erased before being returned. It contained over 76 million records dating back to 1972.

RockYou!: Social gaming company RockYou! database had a significant flaw and 32 million passwords and email addresses were exposed.

WikiLeaks: In October of 2010, anonymous whistleblower website WikiLeaks published over 250,000 diplomatic cables from the US State Department. At over 261 million words this is the largest exposure of classified information in history.

Sony Playstation: In April, over 100 million unencrypted credit card numbers were exposed during an external intrusion. Passwords and login information were also compromised.
Sony Pictures: Sony was again compromised in June when hackers acquired one million user passwords and other user data. The unencrypted information was then made public by the hackers.
further resources

Privacy Rights Clearinghouse provides a comprehensive chronology and updated information about data breaches. Its database is updated weekly.
The Identity Theft Resource Center provides full coverage of data breaches, including yearly reports. It also has resources for data breach victims.
The Office of Inadequate Security tracks the latest news and legislation regarding data breaches and information security concerns.