List of Notable Breaches
- 1 2015
- 2 2014
- 3 2013
- 4 2012
- 5 2011
- 6 2010
- 7 See Also
October - December
- In late December, a misconfiguration of the Steam gaming platform resulted in the ability of customers to look at the payment data of other customers. The error was initially reported on December 25th by the Daily Dot, with follow-up coverage by Hacked and numerous others. As of December 30th, Steam had still not addressed its customer base regarding the data leak.
- In late December, white hat Chris Vickery managed to get hold of 191 million US voter records. According to Hacked writer Justin O'Connell, "Much of the information has been available before, purchased by political campaigns to garner support and votes, but the information has never been available all in one place. While there are some websites, such as coloradovoters.info, where such information is available, this recent leak is much more far-reaching."
- In December, the office of New York City-area Doctor Mary Ruth Buchness accidentally disclosed the records of 15,000 patients on file. Included were social security numbers, current addresses, and other contact information. The breach took place through an accidental e-mail forwarding to a client by the name of Missy Brown, who promptly notified the Department of Health after getting an unsatisfactory response from the office of Dr. Buchness.
- In November, OH Muhlenberg published a press release stating that one of its hospitals in Kentucky had been victimized in a data breach. The company had only taken control of the hospital in July, but by September the FBI had informed them of suspicious activity. After an internal review, "the hospital confirmed that a limited number of computers were infected with a keystroke logger designed to capture and transmit data as it was entered onto the affected computers."
- In November, two women filed a lawsuit against the Georgia Secretary of State alleging that the government functionary had illegally revealed the data of at least 6 million Georgia voters to agencies who legally buy voter information. The Secretary of State claims that a breach did not occur when it accidentally gave copies of the entire voter registry to at least 12 parties.
- In November, investigative journalists at the Intercept looked into a data dump of Securus Technologies, a prison and jail telephony provider, sent by an anonymous hacker via Aaron Swartz's SecureDrop system, which the Intercept had set up as a way for leakers to safely give them information anonymously. Within the data dump were numerous privileged, recorded phone calls between lawyers and clients. See also: Original reporting at the Intercept.
- In late October, Texas-based Emergence Health Network disclosed a breach that may have gone back as far as 2012. The attacker who'd accessed the system could have taken Social Security and other sensitive data. In total, 11,100 records were affected.
- In October, Children's Medical Clinics of East Texas informed the families of as many as 16,000 patients that a breach of their personal data had taken place through the actions of an employee. The employee was reportedly taking screenshots of the data and providing it to an identified third party as part of some arrangement.
- In October, Cottage Health, a Southern California healthcare network, reported a potential breach of "limited information" on around 11,000 patients. This was not the first time in their history that such breaches had happened. The disclosure was a matter of course, as no breach was actually confirmed, but a significant security hole was discovered in their data management system when the firm hired a security firm to penetration test their system.
- In October, a misconfigured web portal led to the breach of 35,000 health records by Keenan & Associates, who administer health plans in California. As in many such cases, the only consolation that the victims were offered was identity theft protection, in this case up to $1 million.
- In October, Scottrade disclosed an old data breach from 2013 and 2014 which exposed over 4 million customer records. The breach had only recently been disclosed to the company by the FBI, and appeared not to contain sensitive data, but rather contact details.
- In October, Salt Lake County, Utah, reported a scheduled systems upgrade in June had led to a security misconfiguration which could potentially have enabled an informed attacker to access the personal data of roughly 14,000 individuals filing workers' compensation claims. This data would have included Social Security numbers and addresses.
- In October, it was discovered that between 2013 and 2015, T-Mobile's partner Experian leaked as many as 15 million customer records including their Social Security numbers, home addresses, and payment information, all the sort of information identity thieves need to create false accounts with the data. The records were sold for as little as $1 apiece on the Dark Web.
July - September
- In September, Galen Marsh was charged with stealing the data of over 350,000 Morgan Stanley clients. Although Marsh pleaded guilty, the FBI believed at the time that his computer had actually been hacked by overseas hackers.
- In late September, after complaints from customers of unauthorized charges on their credit cards, Noble House Hotel and Resorts in Washington State discovered malware at one of their point-of-sale systems which had resulted in the theft of 19,472 credit card details.
- In September, Michigan-based Oakland Family Services reported the breach of over 16,000 records. It clarified: "However, there was no infiltration of the electronic medical record databases, or any other agency email accounts or databases."
- In September, yet another Blue Cross Blue Shield hack was reported, this time with a branch in New York. 10 million records were exposed in the breach, and the organization offered credit monitoring.
- In mid-September, a security researcher discovered publicly available records of around 1.5 million clients of organizations that use Systema Software's web claims applications.
- In mid-September, a stolen laptop resulted in the exposure of roughly 14,500 personal records at Louisiana State University's Health New Orleans School of Medicine.
- In September, West Coast-focused healthcare provider Molina Healthcare, which is based in California, informed more than 50,000 clients, both former and current, of a breach that had occurred at CVS, its over-the-counter partner. The firm learned from CVS that, in March, a disgruntled employee had stolen the records.
- In early September, reports came out that a third-party vulnerability led to the exposure of some 79,000 student records at California State University. The third party was We End Violence, an organization which provides a platform called Agent of Change aimed at mitigating violent behaviors in society.
- In late August, the Utah Food Bank reported a potential breach of more than 10,000 donor credit card details.
- In August, an employee of Schwab Retirement Plan Services accidentally disclosed nearly 10,000 records to another retirement account provider, which is against protocol. No known consequences of the breach were reported.
- In late August, hacker JM511 infiltrated AutoZonePro.com and gleaned over 160,000 records. To prove he had achieved the hack, JM511 posted a paste.
- In August, Illinois-based healthcare provider Empi disclosed a breach of 160,000 client records as a result of a stolen laptop.
- In August, Web.com disclosed the theft of 93,000 customer credit card details to the Securities and Exchange Commission. CVV codes were not taken in the breach.
- In August, it was revealed that JP Morgan, one of the largest banks in the world, had been thoroughly breached for at least several months. It was later discovered that the hack had gone on since at least 2012 and that the hackers had siphoned upwards of $100 million from victimized accounts, funneling the cash through shell companies and a Bitcoin exchange.
- In August, Siouxland Anesthesiology Pain Clinic in South Dakota reported the theft of records by a "foreign hacker." The Clinic spoke only through its attorney and did not indicate what the true nature of the hack was.
- In August, SterlingBackcheck, a New York-based background checking services firm, reported a stolen laptop containing 100,000 records. The kinds of personal data required for a background check can often go further than mere Social Security numbers and addresses to include friends and associates, previous addresses, and other information necessary to thoroughly steal an identity.
- In August, an IRS agent misplaced a USB stick containing the personal data of roughly 11,000 employees of Katy Independent School District in Katy, Texas. No confirmed identity thefts resulted, but as part of protocol the breach was reported.
- In August, Pediatric Group LLC, based in Illinois, reported under legal obligation to the Department of Health a breach of some 10,000 records. No media coverage is known at this time; however, the filing lists it as a "Hacking/IT Incident," which usually means either phishing or weak security.
- In late July, the Maryland Department of Human Resources reported a breach of 11,549 records. The breach was the result of data being sent to an "unintended recipient." The notice was later removed from their website, but has been archived.
- In July, point-of-sale payment processor Service System Associates reported a breach of some 60,000 credit card records from the gift shops of nine zoos across the United States. Complete information was taken, including CVV number. This breach was the result of malware.
- In July, UCLA Health, a massive southern California health care system, reported the potential leak of about 4.5 million patient records. It said that hackers had accessed one of its databases which contained unencrypted records. It said that while there was no indication the data was copied, it could not rule out the possibility because the hackers would have had access to said files.
- In late July, hackers used an SQL Injection to compromise the database of Akorn, an Illinois-based pharmaceutical company. 50,000 records were compromised. The hackers then proceeded to sell the records to the highest bidder, or back to Akorn, if the ransom were right.
- In July, the Army National Guard had approximately 850,000 personnel records exposed when an unintended file transfer was made to a contract data center. A spokesman for the Guard said, "All current and former Army National Guard members since 2004 could be affected by this breach because files containing personal information was inadvertently transferred to a non-DoD-accredited data center by a contract employee."
- In July, Montefiore Health Systems in the Bronx, New York, NY, was victimized in a breach by one of its own employees. Law enforcement informed the organization of the data theft and also arrested the employee and eight others who were stealing personal health information and selling it.
- In July, North East Medical Services in California reported the breach of nearly 70,000 records as a result of an employee's car being broken into and a company laptop being stolen.
- In July, Alfa Specialty Insurance Corporation of Tennessee reported that the "Names, addresses, dates of birth, driver's license numbers and Social Security numbers" of more than 85,000 members had been inadvertently exposed to the internet. From the language in a letter sent to the Attorney General of New Hampshire, bad configuration and/or security on one of Alfa's servers was the culprit.
- In July, Firekeepers Casino in Battle Creek, Michigan, reported a data breach of up to 85,000 credit and debit cards captured between September, 2014 and April, 2015. Further, another server yielded thousands of employee files and certain customer records. At the time of the report, investigators had not confirmed any usage of the data.
- In July, a group calling themselves The Impact Team announced that they had achieved a full-scale breach of the extramarital affair dating website Ashley Madison along with its sister sites Established Men and Cougar Life.
The hackers appeared to be motivated by a dual moral mission: the site encourages and allegedly enables men to cheat on their wives, and the site was reportedly dishonest about its data practices. The hackers' main focus seemed to be the fact that the site charged users a fee to have their account details erased from the database, but then never actually deleted the details. Impact Team gave Avid Life Media, the Canadian parent company, a grace period to close down Established Men and Ashley Madison, though they made an exception for Cougar Life. One of the things the hackers divulged was that more than 90% of users on Ashley Madison and Established Men identified as men. People across the Internet seemed to be both amused by and supportive of the hackers' efforts, a rarity in personal data breaches.
Within days of the initial announcement, Ashley Madison announced that it would no longer require users to pay a fee to have their data removed, perhaps in hopes of catering to the hackers' primary beef with the site. Avid Life Media chose not to take Ashley Madison and Established Men offline, and in late August, the database was published online as a torrent file.
- In July, a professional Italian security team called, creatively, The Hacking Team, was compromised in the extreme by a hacker calling himself Phineas. The white hat firm serviced mainly governments and large organizations and had been accused in the past of assisting rogue states and repressive regimes in persecuting systems and limiting Internet freedoms. One of the initial effects of this breach was the disclosure of a previously unknown bug in Adobe Flash. Days later, the entire database of Hacking Team was available via WikiLeaks.
- In July, McLean Hospital in Massachusetts divulged a security breach it had discovered in May which affected nearly 13,000 records. The fatal flaw involved "unencrypted backup tapes."
- In July, it was revealed that the OPM database had been breached and that more than 21 million background check records had been exposed. Previously, in June, the OPM had announced that 14 million records were breached, but after reviewing the damage done, the government realized it was wrong by a significant amount. The hack resulted in CIA spies being pulled from Asia as well as federal employees suing the government.
- In July, Illinois-based Automotive Recovery Services suffered a breach of its "legacy systems" and informed nearly 20,000 charitable vehicle donors from the period of 2005 - 2014 that any data they'd had on those systems was now compromised. The data included names, addresses, social security numbers, and driver's license numbers.
April - June
- In June, Indiana-based Medical Informatics Engineering disclosed that a server breach had resulted in the likely theft of roughly 3,900,000 patient records. Not all of the records included the Social Security number vital to data thieves, but some did. As a result, a class-action lawsuit was filed in August on behalf of James Young, who claimed that while he did not suffer a data loss, his suit was as a result of "the stress, nuisance, and annoyance of dealing with all issues resulting from the MIE data breach."
- In June, CVS healthcare in RI reported to the government, as required by federal law, that nearly 13,000 records had been exposed as a result of a stolen computer.
- In June, Nevada's Half Dental reported a breach of some 12,000 patient files to the government, as per federal law which requires them to do so. The incident received limited or no media attention.
- In June, a breach of eCellar, a payment processing and inventory suite which caters to the wine industry, mostly in the Napa Valley of California, resulted in the compromise of some 250,000 estimated customer records, including personally identifying information and credit and debit card data.
- In June, Lancaster County EMS in South Carolina, which stored data on unencrypted USB drives inside of a safe, discovered that the safe in question had been stolen. As many as 50,000 patients were affected.
- In June, New York's North Shore-LIJ Health System informed roughly 18,000 patients that five laptops containing their personal health information had been stolen from the office of a contractor the company did business with, Global Care Delivery.
- In late May, the IRS informed the public that more than 330,000 taxpayer records, including Social Security numbers, dates of birth, and addresses, had been hijacked as a result of a vulnerability in its "Get Transcript" application.
- In May, Jacobi Medical Center in New York had 90,000 records stolen by a former employee.
- In May, Pennsylvania State University revealed that it had been provided a victim notification report by the FBI in November of last year and had investigated the claim to discover that 17,933 records at the College of Engineering had been exposed.
- In May, Sally Beauty Holdings, a national beauty products chain, reported "unusual debit and credit card activity." Brian Krebs confirmed that financial institutions had reported as many as 62,210 odd transactions, all of which had one thing in common: having been used at Sally locations. Krebs' information mostly came from the state of Indiana.
- In May, Medical Management LLC, a medical billing company, disclosed that it had been informed by the FBI that a call center employee with access to billing information had stolen some customer records and transferred them to a third party. The company gave a figure of 20,512 total records stolen from at least 40 providers.
- In May, CareFirst BlueCross BlueShield, based in Maryland, disclosed the potential theft of 1.1 million records due to a weakly configured server. The data gathered was mostly related to web accounts and did not include personal health information.
- In May, Indiana-based Beacon Health System reported a breach from 2013 until 2015 which affected more than 300,000 patient records. Given the age of the attack, which was conducted via phishing, the health providers felt compelled to say there was no known use of the data as of yet.
- In April, the Seton Family of Hospitals in the Austin area of Texas reported that a successful phishing attack had exposed roughly 39,000 patient records and offered credit monitoring.
- In April, the City of Philadelphia's Fire Department Emergency Medical Services Unit disclosed a data theft from 2012 which affected over 80,000 records. Anyone who'd had medical services in the period of 2012 and before had their records sold to a nefarious actor, most likely identity thieves. The Department said the theft did not come to light until just before it publicized the warning in April, 2015.
- In April, National Seating and Mobility in Tennessee suffered a loss of nearly 10,000 records when a locked work van was broken into and two laptops were stolen among other things.
- In early April, Auburn University in Alabama notified more than 360,000 people that their records had potentially been compromised via a bad server configuration which made the data publicly available, including valuable data such as social security numbers. They were made aware of the security hole on March 1st but did not tell anyone until April 1st, which happened to be April Fool's Day. Nevertheless, the security flaw was real. Their memo to affected parties read, in part:
While these investigations are ongoing, we have determined that files containing your name, address, date of birth, Social Security number, email address, and academic information were among those potentially exposed as a result of this incident.
- In April, Saint Agnes Health Care in Maryland reported that nearly 25,000 patient records had been compromised by unidentified hackers. The hack was achieved through classical e-mail phishing.
- In April, Oregon Health Co-Op reported a breach of some 14,000 records thanks to a stolen laptop. The laptop was password protected, but that does not necessarily mean anything. Not only was the information of members in the breach, but also that of their dependents.
January - March
- In late March, the AT&T Group Health Plan in Texas reported a breach of 50,000 records to the government. There appears to be no media coverage of the incident, but it is verifiable that they made the report.
- In March, Cora Eutsay, an employee of Florida's Department of Economic Opportunity, was charged with having illegally accessed some 200,000 records in the Department of Children and Families' ACCESS system. A federal and state investigation alleged that he was trafficking in the data, selling it to identity thieves.
- On March 19th, Career Education Corporation in Illinois, a publicly traded company which owns the likes of Colorado Technical University, was hacked to the tune of more than 150,000 records. While this is a large amount of records, and it is a high-profile company, we have thus far been able to find media reports or statements by the corporation.
- In March, the Virginia Department of Medical Assistance Services had a server breached containing more nearly 700,000 medical records. The incident was not widely reported in detail and therefore further information is not available at this time.
- In mid-March, Advantage Dental, an Oregon company with more than 30 dental clinics, divulged a breach of its customer database. More than 151,000 Social Security numbers were exposed in the hack, but the company said that financial and treatment information would have been unavailable to the hackers.
- In March, Sacred Health System in Florida reported a December, 2014 breach of one of its third-party billing services which resulted in Sacred Health customer data being exposed. In total, 14,177 records were exposed.
- In March, the Indiana State Medical Association reported a February 13th breach of nearly 40,000 records via breaking and entering / theft. Calling it a "random criminal act," the Association did report the same day as the event occurred, though the breach was not made public until early March.
- In March, Piedmont Advantage Credit Union told 46,000 members that it was unable to locate a laptop which contained their sensitive information, and offered them credit protection services.
- In March, Uber went public with knowledge that at least 50,000 drivers had been compromised in a security breach. It had waited five months by this point to inform the drivers or the public, and later reports indicate that the company has numerous security flaws being exploited on a regular basis, with user accounts being bought and sold on the dark web.
- In early March, the Georgia Department of Community Health reported two separate breaches totaling over 800,000 records.
- In February, the Boston Baskin Cancer Foundation in Boston, Mass., informed over 55,000 patients that a robbery had taken place which exposed data such as social security numbers, addresses, and the usual medical record fare. The Foundation later reportedly updated its security and data handling practices.
- In February, Anthem reported a hack that left nearly 80 million of its clients vulnerable, including their social security numbers, which are mostly used in the establishment of financial accounts. By the end of that month, Anthem noted that it had discovered nearly 20 million more records had been compromised.
- In late February, Washington, DC-based Children's National Health System disclosed a breach they'd discovered in December of the previous year, which they believed to have been possible between July and December of 2014. The breach was the result of compromised employee e-mail accounts. 18,000 records were exposed and a lawsuit was filed in July.
- In February, South Sunflower County Hospital in Mississippi reported the improper disposal of records resulting in a potential breach of 19,000 records. This was disclosed to the government as per law, but was not covered anywhere in the media, indicating that nothing became of the breach. It is still notable due to the scope of the breach -- 19,000 individual records.
- In February, former Florida governor and presidential candidate Jeb Bush, in an attempt at transparency, released more than 300,000 e-mails to the public domain. The trouble with this move was that the e-mails contained some 13,000 social security numbers of Florida residents.
- In January, UMass Memorial Medical Group in Massachusetts reported that data on 14,000 patients had been stolen by a former employee. The data included Social Security and credit card numbers.
- In January, Metropolitan State University in Minnesota disclosed a breach of up to 160,000 records including staff, faculty, and students. The school said it did not believe financial information such as credit cards was involved, but that several of the affected databases did contain social security numbers.
- In January, Aspire Indiana, a private nonprofit corporation specializing in mental and behavioral health, had several laptops stolen which potentially exposed the personal information of over 45,000 clients. Of these, at least 1,500 had social security information available. In a now-standard move, the company offered affected individuals credit monitoring services free of charge. The laptops may not have been stolen for the purpose of data collection, but an update was never posted as to whether any of the information was used or not.
October - December
- In mid-November, a Sentara Healthcare electronic medicine dispensing device was stolen from a locked vehicle in Virginia. Over 50,000 people's personal medical information was exposed, though financial and Social Security details were not stored on the device.
- In late October, Bayview Solutions, a debt brokerage, were charged by the Federal Trade Commission with posting the information of some 28,000 debtors on a public website where they were trying to sell the debt holdings.
- In early October, the Cape May-Lewes Ferry in Delaware disclosed that it had learned in July of a potential breach of roughly 60,000 credit and debit card transaction records going back about a year. By October, they reported the breach and were still investigating. All impacted individuals were offered a year of credit monitoring service for free.
July - September
- In September, it was uncovered that over 100 listings contained exploits which tricked eBay users into entering personal information. The attack was orchestrated using cross-site scripting (XSS) techniques. According to Hacked writer Alex Gorale:
- In July, six men were arrested in connection with using stolen accounts to purchase tickets via StubHub and then selling the tickets for cash. More than 1,000 accounts were breached for a sum total of more than $1 million. StubHub is a subsidiary of eBay.
- In July, Goodwill reported a breach of more than 850,000 payment records at its nationwide secondhand stores. Initially, the company did not confirm the breach had taken place, but by September, it had.
April - June
- In June, Anonymous reportedly posted the customer records of more than 75,000 American Express customers online. The firm did not discover the breach on its own, but was rather informed by law enforcement.
- In early June, a stolen laptop resulted in the exposure of more than 40,000 records belonging to members of the Union Labor Life Insurance Company in Michigan. There was no evidence that the data had yet been used in identity theft or otherwise, but the company was compelled by law to report the incident.
- In early June, the Montana Department of Public Health and Human Services reported that a server had been breached and the records, including addresses and Social Security numbers, of more than 1 million people had been compromised. Additionally, bank account records of employees were also available to the hackers. The organization told media that the vulnerability had existed since July, 2013.
- In early June, Arkansas State University reported a breach of some 50,000 child health practitioners' Social Security numbers as a result of a database hack.
- In late May, a Home Depot in Georgia reported that for about two weeks between May 7th and May 21st, an employee had illicitly gathered the credit card records of about 30,000 people in the tool rental area.
- In mid-May, Entercom Portland, a branch of a larger radio conglomerate, reported that a magnetic tape system containing the information of about 13,000 individuals had been stolen from a car that was burglarized. The broadcasters insisted that it was unlikely any further use would be made of the data, since the tapes "require special software and hardware to read, and cannot be accessed by the typical home computer."
- In May, Gingerbread Shed Corporation, a firm which makes software for festivals like Country Jam and Vibes, revealed a breach that may have affected up to 50,000 user details, including user names, passwords, names, addresses, and credit card information. The breach took place between November, 2012 and February, 2014, and wasn't discovered by the company until April, 2014.
- In May, Paytime, a Pennsylvania payroll provider, was breached to the tune of at least 233,000 records after unknown hackers exploited a vulnerability in their system. The data stolen included Social Security numbers and bank account numbers for some, among other information relevant to payroll processing and also highly valuable to identity thieves. It must be noted that the figure, 233,000, was only their latest estimate, and they were in most cases unsure of how many people were actually affected.
- In May, Craftsman Book Company experienced a breach of more than 10,000 user accounts on its website. It remains unclear whether payment information was compromised.
- In late April, Central City Concern, a non-profit in Portland, Oregon, reported that it had been notified by federal authorities that a former employee had stolen the data of more than 17,000 people associated with 15 of its clients. The employee intended to use the data to file false tax returns.
- In April, Michigan's Grand Valley State University reported that one of its vendors had inadvertently posted personal information, including internal identification numbers, addresses, and names, of at least 10,000 students. Social Security information was not compromised.
- In late April, Boston Medical Center fired a transcription service for posting more than 15,000 records on the public internet without any sort of password protection, making them vulnerable to any random visitor. In this case, there was nothing Boston Medical Center could have done which they did not do.
- In late April, Centura Health, a Colorado-based healthcare system, warned over 12,000 people that their personal information had been compromised in a hack.
- In April, Iowa State University reported a server breach that affected over 48,000 current and former students, including Social Security numbers.
- In mid-April, University of Pittsburgh Medical Center reported that the personal information of its 62,000 employees had been compromised in a data breach.
- In mid-April, Aaron Brothers, a major art supplies retailer related to Michaels, a similar store, reported that malware on its point-of-sale system from June the previous year until February had affected around 400,000 credit card records. Michaels stores were also affected, but nowhere near the level that Aaron Brothers were.
- In April, Lowe's reported to 35,000 of its employees that their records had been breached due to a bug in a third-party system that the company contracts with.
- In April, the VFW, or Veterans of Foreign Wars, an organization of combat veterans, discovered that 55,000 veteran records had been exposed in a hack which involved the installation of malicious code. Furthermore, the VFW did not believe that its members, who are not usually active military, were the actual target, and believed that the attack had originated in China. Their notice to members said:
VFW has been informed that the purpose of the attack was not identity theft, but rather to gain access to information regarding military plans or contracts.
- In April, Macon-Bibb County, Georgia, reported that it had fixed a breach affecting the personal information of more than 12,000 people, including driver's licenses, birth certificates, and Social Security numbers.
January - March
- In March, Deltek, a government contractor responsible for the GovWin IQ program, reported a breach from the previous year involving the records of some 80,000 employees of vendors it served. It noted in its disclosure that it was not the only organization targeted in the breach, and that several government organizations had also been targeted by the same unknown attackers.
- In March, about 20,000 IRS employees were potentially compromised when a higher-ranking employee took home a USB drive containing their data and plugged it into their insecure home network. Insecure, in this instance, does not necessarily mean that there was no security, but rather that it did not meet federal guidelines or those required by law for storage of personal records.
- In March, Auburn University's College of Business discovered an unpatched vulnerability in its server and later reported that nearly 14,000 student records were vulnerable. It subsequently "hired an independent, third-party computer forensics expert to assist in identifying the full extent of data potentially exposed as a result of this incident."
- In March, the Catholic Archdiocese of Seattle, Washington, was hacked and the information of 90,000 people was subsequently available to identity thieves. It was then used in at least one case to send a man a false, alleged "tax refund check" in the amount of $10,000, which the man knew to be false since he owed the government money.
- In March, it surfaced that Spec's, a Texas liquor chain with more than 100 stores, had been infected with malware since at least October 31st, 2012, and that the attackers had managed to acquire more than 550,000 credit card records. The company was not immediately aware of what happened, but a third-party processor informed them of a problem and they called in a firm to investigate the breach. They said at the time that less than 5% of their total transactions during the period had been affected, but also admitted that the attackers had been clever and must have gone to great lengths to achieve the breach.
- In March, St. Joseph Home Care in California accidentally gave up information on 11,800 of its patients to an investment firm while creating a business arrangement with them. No subsequent malfeasance was suspected as a result.
- In March, Spectrum Health Systems in Massachusetts reported a breach of more than 14,000 records to the federal government.
- In mid-March, Patient Care Services at St. Francis, Inc., in Oklahoma, reported to the federal government a breach of some 84,000 patient records. Despite the size of the breach, it went largely, if not totally, unreported.
- In mid-March, University of California San Francisco had a break-in. Unencrypted computers were stolen containing the personal health information of nearly 10,000 students.
- In mid-March, the Maryland Developmental Disabilities Administration had almost 10,000 records compromised as a result of a hack at one of its licensed providers.
- In March, Statista, a statistics portal firm, had about 50,000 e-mail and encrypted password combinations stolen from their server, a fact that forced them to notify the affected parties. It is unknown whether the encrypted passwords were ever decrypted, but as a precaution users were made to reset their passwords.
- In March, University of Wisconsin at Parkside informed 15,000 students of a data breach involving their personal information, including Social Security numbers. The breach affected students who had enrolled or submitted information since 2010, and was discovered as a result of routine maintenance, malware having been installed by unknown attackers.
- In March, despite supposedly having no evidence of a data breach, the North Dakota University System notified almost 300,000 users of a breach by hackers.
- In late February, as many as 146,000 students at Indiana University were exposed thanks to a misconfigured, insecure server, including their Social Security numbers and last known addresses. Recent graduates were also affected. The data was exposed for nearly 12 months and was indexed by a web crawler. A representative said, "This is not like incidents where there is very good forensic evidence that a file was taken." Unlike similar problems of that season, there was no evidence that the University had been targeted in an attack.
- In late February, more than 43,000 employees of assisted living facilities operated by Assisted Living Concepts, LLC, an Illinois-based company, were exposed when their payroll provider was hacked.
- In late February, Network Pharmacy Knoxville reported that the personal information of nearly 10,000 individuals was located on a laptop that was stolen from the group.
- In late February, Banner Health in Phoenix, Arizona, a not-for-profit, made the unusual mistake of printing customer Social Security numbers on the magazine address labels of more than 50,000 patients.
- In mid-February, J. M. Smucker Company, the famed jam and jelly producer, closed its online store after the payment details of around 23,000 customers were stolen. After a month, it re-opened.
- In February, as many as 20,000 Home Depot employee records were compromised by three human resources workers in Georgia who were thus investigated by the Secret Service due to the national nature of the crime.
- In February, around 14,000 current and former student records were affected by a breach at Midland Independent School District in Texas. A laptop was stolen and the data did include the vital Social Security numbers.
- In February, for the second time in a decade (first time in 2006), Variable Annuity Life Insurance Company of Texas suffered a breach as a result of a former employee taking a massive amount of data with them. To be more specific, the employee in question, a financial advisor, absconded with the private records, including full and partial Social Security numbers, of more than 770,000 members of the company. The company had no means of detecting the breach, which occurred via thumb drive, and was informed by law enforcement, who uncovered it as part of a search warrant.
- In mid-February, the Cook County Health & Hospital System notified over 22,000 individuals of a breach that appears to have occurred as a result of a spear phishing attack. Cook County encompasses Chicago, one of America's major cities.
- In mid-February, the Virginia Department of Medical Assistance Services reported a mishandling of the records of more than 25,000 clients. The breach was listed as "Unauthorized Disclosure, Paper, Other."
- In the middle of February, over 300,000 University of Maryland students, faculty, and staff had sensitive data, including their Social Security numbers, compromised in a hack of a database containing the information. The University reportedly said the database went all the way back to 1998, and that everyone who had received a student ID or other services from it was at risk of identity theft. A positive of the incident was that University President Wallace Loh pledged to double the University's investment in IT security.
- In early February, the St. Joseph Health System in Texas reported a breach of a single server containing more than 400,000 patient and employee records, including all the things that go into that -- SSN, phone number, and so forth. While not widely reported, the breach was one of the largest of 2014.
- In early February, Sutherland Healthcare Solutions in California, which handles medical billing for much of the Los Angeles region and was located in Torrance, was victimized in a break-in whereupon 8 computers containing full identifying information on more than 330,000 people were stolen. Initially, the company only believed around 166,000 records to have gone missing, but later confirmed that an additional 170,000 records were involved.
- In late January, Unity Health Insurance said that University of Wisconsin at Madison's School of Pharmacy had misplaced a hard drive, resulting in the potential exposure of over 41,000 medical records.
- In late January, the City of Norwood, Ohio reported a stolen laptop containing the records of nearly 10,000 residents.
- In January, the Department of Labor in Connecticut reported that it had accidentally given the information of the wrong person to around 27,000 individuals. This would have included information related to their identity and their previous year's income, although the Department did not make explicitly clear whether the mishap had revealed Social Security numbers or not.
- In late January, Coca-Cola Company's headquarters in Georgia reported the theft of several laptops which contained the personal information of over 70,000 employees.
- In January, Walgreen Co. of Illinois reported that over 17,000 records were compromised in a "paper/other" error between September and October of the previous year.
- In late January, around 18,000 members of the LA Health Care Plan in Los Angeles, California, were able to see the details of other members' accounts while using the plan's payment portal.
- In January, the Terrell County Department of Health in Georgia reported an unauthorized breach that had taken place two years before, in 2012. About 18,000 records were affected over the course of almost four months.
- In January, Neiman Marcus, an upscale retailer, disclosed that it had detected a malware and card skimming breach that had taken place between July and late October of 2013. The company was not informed until mid-December, when a third-party card processor told them about it. In total, the breach potentially affected 1.1 million credit cards.
- In January, the Wyoming WIC subdivision of the Department of Health unintentionally sent information about nearly 12,000 clients of the program to a business partner. Whether any subsequent misuse of the data took place is not relevant as the department was compelled to report the breach in any case.
- In January, New Mexico Oncology Hematology Consultants reported that over 12,000 patient records were stolen along with a laptop.
- In January, it was reported at the federal level that between late 2011 and 2012, an employee at Wyatt Dental Group in Louisiana willfully made illegal use of access to more than 10,000 patient records.
- In early January, the North Carolina Department of Health and Human Services accidentally mailed over 48,000 Medicaid cards belonging to children, which included some personal information, to wrong addresses.
- In early January, Methodist Dallas Medical Center in Texas reported that it had uncovered an 8-year breach, spanning from 2005 until September, 2013, affecting as many as 44,000 patient records.
- On New Year's Day, the Foot and Ankle Institute at Barry University in Florida divulged that a laptop had been infected with malware, potentially exposing some 136,000 patients of the school.
See Also
- 2015: The Year Of The Breach; Close To 200 Million Personal Records Exposed by Hacked writer Eliot Maras
- The Biggest Hacks and Breaches from 2014 by Hacked writer Alex Gorale
- Identity Theft Resource Center's 2015 Reports