Breach News Summary
Our Breach Tables keep you on top of all the data breaches we track each month. Learn about which companies were breached, how many were affected, and much more!
Find the latest in breach news:
November 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| GoDaddy | 1.2 Million | Email addresses and customer numbers | Security Vulnerability | Unknown |
| California Pizza Kitchen | 100,000 | Names and Social Security numbers of current and former employees | Security Vulnerability | Unknown |
OCtober 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Whole Foods Market, Skaggs and Others | 82 Million | Customer order records, names, physical addresses, email, and partial credit card numbers | Unsecured Database | Unknown |
September 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Neiman Marcus | 4.6 Million | Names, contact information, payment card numbers and expiration dates (without CVV numbers), Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts | Security Vulnerability | Unknown |
| GetHealth, FitBit and Apple | 61 Million | Names, display names, dates of birth, weight, height, genders and geolocations | Third-Party Data Leak | Unknown |
August 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Microsoft Power Apps | 38 Million | COVID-19 vaccination statuses, social security numbers and email addresses | Security Vulnerability | Unknown |
| T-Mobile | 50 Million | Names, Social Security numbers, driver’s license information, phone numbers, and unique International Mobile Equipment Identity (IMEI) numbers of phones on the account | Security Vulnerability | Unknown |
| UNM Health | 637,000 | Names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information, and some clinical information related to the healthcare services provided by UNM Health. | Security Vulnerability | Yes, credit monitoring and identity theft protection services |
| SeniorAdvisor | 3 Million | Names, emails, phone numbers and dates contacted | Unsecured Database | Unknown |
| OneMoreLead | 126 Million | Names, job titles, email addresses, work email addresses, home device IP address, home address, work address, personal phone number, work phone number, and employer | Unsecured Database | Unknown |
July 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Campbell Conroy & O’Neil | TBD | Names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials | Ransomware Attack | Yes, two years of free credit monitoring, fraud consultation, and identity theft restoration services |
| Guess | TBD | Social Security numbers, driver’s license numbers, passport numbers and/or financial account numbers | Ransomware Attack | Unknown |
| Forefront Dermatology | 2.4 Million | Names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, healthcare provider names, and/or medical and clinical treatment information | Cyberattack | Unknown |
June 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| CVS Health | 1 Billion | Email addresses, search records, visitor and session IDs, device information, configuration data, as well as multiple records for medications, including COVID-19 vaccines and CVS products | Ransomware Attack | Unknown |
| Wegmans | TBD | Names, addresses, phone numbers, birth dates, Shoppers Club numbers, email addresses, and hashed passwords to Wegmans.com accounts | Security Vulnerability | Unknown |
| Carter’s | TBD | Names, email addresses, billing addresses, phone numbers, purchasing details, and shipping tracking IDs and links | Third-Party Data Breach | Unknown |
| Volkswagen & Audi | 3.3 Million | Names, mailing addresses, email addresses, phone numbers, information about a vehicle that has been purchased, leased or inquired about, including vehicle identification numbers, makes, models, years, colors and trim packages | Third-Party Data Breach | Unknown |
May 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Bose Corporation | TBD | Names, Social Security Numbers, compensation information, and other HR-related information. | Ransomware Attack | Unknown |
| Health Plan of San Joaquin | TBD | Social Security numbers, driver’s license numbers, login information, medical records such as lab results and treatment information, and more. | Security Vulnerability | Unknown |
| Bailey & Galyen | TBD | Names, dates of birth, driver’s license or personal identification card numbers, Social Security Numbers, payment account numbers, payment card information, biometric data including but not limited to medical information and history, medical diagnosis and treatment information, health insurance information, and other personal information | Cyberattack | Unknown |
| CaptureRx | 2 Million | Names, birthdates and prescription details | Ransomware Attacks | Unknown |
April 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Experian | TBD | Credit scores | API Vulnerability | Unknown |
| Reverb | 5.6 Million | Names, email addresses, postal addresses, phone numbers, listing/order count, PayPal account email, IP address, and more | Unsecured Database | Unknown |
| GEICO | TBD | Driver’s licence information such as names, addresses and dates of birth | Security Vulnerability | Yes, one year of identity theft protection |
| ParkMobile | 21 Million | Email addresses, phone numbers, license plate numbers, hashed passwords and mailing addresses | Third-Party Data Breach | Unknown |
| ClubHouse | 1.3 Million | Names, user IDs, photo URLs, usernames, Twitter handles, Instagram handles, number of followers, number of people followed by the user, and account creation dates | Scrapped Data | Unknown |
| 500 Million | Names, LinkedIn account IDs, email addresses, phone numbers, gender, LinkedIn profile links, connected social media profile links, professional titles, and other work-related personal data. | Scrapped Data | Unknown | |
| 533 Million | Names, phone numbers, location, email address, and biographical information. | Data Leak | Unknown |
March 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Cancer Treatment Centers of America | 105,000 | Names, health insurance information, medical record numbers, CTCA account numbers, and limited medical information | Phishing Attack | Unknown |
| Hobby Lobby | 300,000 | Names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as the source code for the company’s app | Cloud-bucket Misconfiguration | None |
| California State Controller’s Office (SCO) | TBD | Personally Identifying Information (PII) contained in Unclaimed Property Holder Reports | Phishing Attack | None |
| MultiCare | 200,000 | Names, insurance policy numbers, Social Security numbers, dates of birth, bank account numbers, and more. | Ransomware Attack | Unknown |
| SITA | TBD | Names, traveler’s service card numbers, and status level | Cyberattack | Unknown |
| Microsoft Exchange | 30,000 Organizations | Remote control over affected systems | Security Vulnerability | Unknown |
February 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| T-Mobile | TBD | Names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers (PIN), account security questions and answers, date of birth, plan information, and the number of lines subscribed to their accounts. | SIM Swap Attack | Unknown |
| Kroger | TBD | Names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers as well as information on health insurance, prescriptions and medical history. | Third-Party Breach | Yes, one free year of credit monitoring |
| California DMV | 38 Million | Names, addresses, license plate numbers and vehicle identification numbers (VINs) | Third-Party Breach | Unknown |
| Nebraska Medicine | 219,000 | Names, addresses, dates of birth, medical record numbers, health insurance information, physician notes, laboratory results, imaging, diagnosis information, treatment information, and/or prescription information, and a limited number of Social Security numbers and driver’s license numbers. | Malware Attack | Unknown |
| “Compilation of Many Breaches” (COMB) | 3.2 Billion | Cleartext emails and passwords belonging to past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin, Yahoo, and more | Data Leak | Unknown |
January 2021
| Company | # Breached | Information Exposed | Cause | Protective Services |
| U.S. Cellular | 4.9 Million | Names, addresses, PINs, cell phone numbers, service plans, and billing/usage statements. | Malicious Software | Unknown |
| VIPGames | 23 Million | Usernames, emails, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, bets and data on players who were banned from the platform. | Cloud Misconfiguration | None |
| Bonobos | 7 Million | Home addresses, phone numbers, and account information for 1.8 million registered customers, and 3.5 million partial credit card records | Hack | Unknown |
| MeetMindful | 2.28 Million | Names, email addresses, location details, dating preferences, marital status, birth dates, IP addresses, Bcrypt-hashed account passwords, Facebook user IDs, and Facebook authentication tokens | Data Leak | Unknown |
| Pixlr | 1.9 Million | Email addresses, usernames, hashed passwords, user’s country, newsletter sign up, and other sensitive information | Hack | None |
| Mimecast | TBD | Certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to Microsoft 365 | Hack | None |
| Socialarks | 214 Million | Facebook, Instagram, and LinkedIn user’s names, phone numbers, email addresses, profile links, usernames, profile pictures, profile description, follower and engagement logistics, location, Messenger ID, website link, job profile, LinkedIn profile link, connected social media account login names and company name | Unsecured Database | None |
| Parler | 70TB | Posts, messages, video data, date, time, and location, and driver’s license or other government-issued photo ID | Hack | None |
| Ubiquiti Inc. | TBD | Names, email addresses, hashed and salted passwords, addresses, and phone numbers. | Hack | None |
December 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Aetna | 484,000 | Names, dates of birth, vision insurance ID numbers, health insurance ID numbers and, for a limited number of individuals, Social Security numbers, birth certificates, diagnoses, and financial information | Third-Party Breach | Unknown |
| Spotify | TBD | Email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify | Software Vulnerability | Unknown |
| Dental Care Alliance | 1 Million | Names, addresses, dental diagnosis and treatment information, patient account numbers, billing information, bank account numbers, the name of the patient’s dentist, and health insurance information | Hack | Unknown |
| FireEye | TBD | FireEye hacking software tools and government client records | Hack | None |
| EyeMed/Tufts Health Plan | 60,545 | Names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, health insurance account/identification numbers, Medicaid or Medicare numbers, driver’s license, birth or marriage certificates, partial or full social security numbers and/or financial information, medical diagnoses and conditions, treatment information, and passport numbers | Phishing Attack | Yes, two years of credit monitoring and identity protection services |
November 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Pray.com | 10 Million | Photos uploaded by the app’s users, names, home and email addresses, phone numbers, marital status, login information along with users’ phone contacts names, phone numbers, email, home and business addresses, company names and family ties | Unsecured Database | Unknown |
| Vertafore | 27 Million | Name, date of birth, address, vehicle registration histories and Texas driver license numbers | Hack | Unknown |
| Expedia, Hotels.com & Booking.com | 10 Million | Name, email address, national ID number, phone number, reservation number, dates of a stay, the price paid per night, credit card details from over 100,000 guests, including card number, cardholder’s name, CVV, and expiration data, and total cost of hotel reservations | Unsecured Database | Unknown |
| Mashable.com | TBD | Name, email address, country, gender, job description, online behavior related details, date of registration, IP addresses, social media profile links, and authentication tokens | Unsecured Database | Unknown |
| JM Bullion | TBD | Name, address, and payment card details including account numbers, card expiration dates, and the security codes | Malware | Unknown |
October 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Fragomen, Del Rey, Bernsen & Loewy | TBD | Name, date of birth, phone number, social security number, passport numbers, mailing address, and email address | Hack | Yes, one year of free credit monitoring |
| Pfizer | TBD | Name, phone number, home address, email address, customer support messages, health data, medical status, phone call transcripts, and prescription information | Unsecured Database | Unknown |
| Broadvoice | 365 Million | Name, caller identification number, phone number, location, voicemails and call transcripts, and medical information | Unsecured Database | None |
| Dickey’s BBQ | 3 Million | Payment card details | Point-of-Sale (POS) system breach | None |
| Barnes & Noble | TBD | Billing and shipping address, telephone number, and email address | Data Breach | None |
| Chowbus | 800,000 | Name, phone number, and mailing and email address | Data Leak | None |
| Blackbaud | 6 Million | Name, email, phone number, date of birth, gender, provider names, dates of service, department visited, and philanthropic giving history | Ransomware | None |
September 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Warner Music Group (WMG) | TBD | Name, email address, telephone number, billing address, shipping address, card number, CVC/CVV, and expiration date | Third-Part Data Breach | None |
| Activision | 500,000 | Username and password | Credential Stuffing | None |
| Children’s Hospitals and Clinics of Minnesota | 160,000 | Name, address, phone number, age, date of birth, gender, medical record number, dates of treatment, locations of treatment, names of doctors and health insurance status | Third-Party Data Breach | None |
| Staples | 2,500 | Name, address, email address, phone number, last four credit card digits, and order details | Data Breach | Unknown |
| Razer | 100,000 | name, email, phone number, customer internal ID, order number, order details, billing and shipping address | Unsecured Database | None |
| NorthShore University HealthSystem | 348,000 | Name, date of birth, address, phone number, e-mail, admission and discharge dates, locations of services, and physician names and specialties | Third-Party Data Breach | Unknown |
| Imperium Health | 140,000 | Name, address, date of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information | Phishing Attack | Unknown |
| Digital Point | 863,412 | Name, email, internal user ID numbers, Internal records and user posts | Unsecured Database | None |
| Telmate | 1 Million | Name, offense, religion, facility, relationship status, medications, gender, email address, physical address, IP address, phone number and driver’s license ID | Unsecured Database | None |
August 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Utah Pathology Services | 112,000 | Name, gender, date of birth, mailing address, phone number, Social Security number, email address, health insurance information, internal record numbers, and diagnostic information related to pathology services | Hack | Yes, one year of free identity monitoring |
| Dynasplint Systems | 103,000 | Name, address, date of birth, Social Security number, and medical information | Malware | Unknown |
| FreePik | 8.3 Million | Emails and hashed passwords | Malware | None |
| ProctorU | 444,000 | Name, email address, address, phone number, hashed password, and affiliated organization | Hack | Unknown |
| Instagram, TikTok & Youtube | 235 Million | Name, age, gender, profile photo, account description, statistics about follower engagement and demographic such as number of likes, followers, follower growth rate, engagement rate, audience demographic (gender, age and location), and whether the profile belongs to a business or has advertisements | Unsecured Database | None |
July 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Avon | 19 Million | Name, phone number, date of birth, email and home address, GPS coordinates, and other technical information | Unsecured Database | None |
| Promo.com | 22 Million | Name, email address, IP address, user location, gender and encrypted passwords | Third-Party Breach | None |
| Drizly | 2.5 Million | Email address, date of birth, hashed passwords, phone number, IP address and geolocation data | Hack | None |
| Dave Mobile Banking App | 7.5 Million | Name, email, birth date, address, phone number, and encrypted Social Security number | Hack | Unknown |
| Ancestry.com | 60,000 | Email address, geolocation data, IP address, system user ID, support messages and technical details | Unsecured Database | None |
| LiveAuctioneers | 3.4 Million | Name, email address, mailing address, phone number, and encrypted passwords | Hack | Unknown |
| Benefit Recovery Specialists | 275,000 | Protected Health Information (PHI), names, Social Security numbers, dates of birth, dates of service, provider names, policy identification numbers, procedure codes, and/or diagnosis codes | Malware | None |
| EDP Renewables North America | 10 TB Data | Name, Social Security number potentially exposed | Ransomware Attack | Yes, one year of free identity protection services |
| Clubillion | 200 Million Records Per Day | IP addresses, email addresses, amounts won, and private app messages | Unsecured Database | Unknown |
June 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| TBD | business users’ email address, phone number and the last four-digits of credit card number | Unsecured Database | Unknown | |
| Frost & Sullivan | TBD | Customer records, names, and emails; employee records, user names, emails, and passwords | Exposed Database | Unknown |
| BlueLeaks | 1 Million | Name, bank account number, phone number, documents, videos, emails, and audio files | Hack | Unknown |
| Cognizant | TBD | Name, Social Security number, tax identification number, financial account information, driver’s license, and passport information | Ransomware Attack | Unknown |
| Claire’s | TBD | Payment card information | Magecart Attack | Unknown |
| Amtrak | TBD | Username, password and some personal information | Hack | Yes, one year of free credit monitoring |
May 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Mathway | 25 Million | Email, password, and back-end system data | Hack | None |
| Wishbone | 40 Million | Username, email, phone number, location information and hashed passwords | Hack | None |
| Home Chef | 8 Million | Name, email address, phone number, address, scrambled passwords, and last four digits of credit card number | Hack | None |
| GoDaddy | 28,000 | Username and password | Hack | None |
April 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Quidd | 4 Million | Username, email address, and hashed account password | Hack | None |
| Unnamed U.K-Based Security Firm | 5 Billion | Hashtypes, leak dates, passwords, email addresses, email domains and leak sources | Data Dump | None |
| Ambry Genetics | 233,000 | Name, Social Security number, information related to customers’ use of the genetic laboratory’s services and medical information | Phishing Attack | Yes, free identity monitoring services |
| Nintendo | 160,000 | Login ID and password | Credential Stuffing | None |
| Paay | 2.5 Million | Full plaintext credit card number, expiration date and amount spent | Unsecured Database | None |
| 267 Million | Name, Facebook ID, phone number, email address, birth date, and gender | Sale on the Dark Web | None | |
| Beaumont Health | 112,000 | Name, birth date, Social Security number, driver’s license number, medical condition data and bank account data | Phishing Attack | None |
| Zoom | 500,000 | Email address, password, personal meeting URL, and host key | Credential Stuffing Attack | None |
| San Francisco International Airport (SFO) | Unknown | Username and password | Malware | None |
| Key Ring | 14 Million | Name, full credit card details (including CVV numbers), email address, birth date, address, membership ID numbers, retail club and loyalty card memberships, government IDs, gift cards, medical insurance cards, medical marijuana IDs, IP address and encrypted passwords | Unsecured Database | None |
March 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Marriott | 5.2 Million | Name, address, email address, phone number, loyalty account numbers and points balances, company, gender, birth date, linked airline loyalty programs and numbers, room preferences and language preferences | Third Party Vendor | Yes, one year of free identity theft protection |
| General Electric | 280,000 | Name, address, Social Security number, driver’s license number, bank account number, passport number, dates of birth | Third Party Vendor | Unknown |
| TrueFire | TBD | Name, address, payment card account number, card expiration, and security code | Hack | None |
| Whisper | 900 Million | Nickname, age, ethnicity, gender, and location data | Unsecured Database | None |
| J.Crew | TBD | Username and password | Credential Stuffing | None |
| T-Mobile | TBD | Name, address, Social Security number, financial account information, government identification number, phone number, billing and account information, rate plans and features | Third Party Vendor | Yes, free credit monitoring and identity theft protection |
| Carnival Cruise Lines | TBD | Name, address, Social Security number, passport number, driver’s license number, credit card and financial account information, and health-related information | Hack | Yes, free credit monitoring and identity theft protection |
| Walgreens | TBD | Name, prescription numbers and drug names, store numbers, and shipping address | Unsecured Mobile App | None |
February 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Slickwraps | 850,000 | Name, email address, physical address, phone number, and purchase history | Unsecured Database | None |
| PhotoSquared | 100,000 | Name, address, user photos, order receipts, shipping labels | Unsecured Database | None |
| MGM Resorts | 10.6 Million | Name, home address, phone number, email, and date of birth | Data Dump | None |
| Health Share of Oregon | 654,000 | Name, address, phone number, date of birth, Social Security number, and Medicaid ID number | Third Party Vendor | Yes, one year of free credit monitoring |
| Fifth Third Bank | Unknown | Name, Social Security number, driver’s license information, mother’s maiden name, address, phone number, date of birth and account numbers | Employee Negligence | Yes, free identity theft protection |
| Estee Lauder | 440 Million | Email address, IP address, ports, pathways and storage information | Unsecured Database | None |
January 2020
| Company | # Breached | Information Exposed | Cause | Protective Services |
| THSuite | 85,000 | Name, date of birth, phone number, email, street address, patient name and medical ID number, cannabis variety and quantity purchased, total transaction cost, date received, and photographs of scanned government and employee IDs | Unsecured Database | None |
| Microsoft | 250 million | Email address, IP address, and support case details | Unsecured Database | None |
| Hanna Andersson | Unknown | Name, shipping address, billing address, payment card number, CVV code, and expiration date | Malware Attack | None |
| Peekaboo Moments | Unknown | Email addresses, geographic location data, detailed device data, and links to photos and videos | Unsecured Database | None |
| Landry’s Restaurants | Unknown | Name, credit and debit card numbers, expiration dates, verification codes | Malware Attack | None |
December 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Wyze | 2.4 Million | User name, email address, WiFi network names, lists of camera names and personal health information | Data Leak | None |
| Wawa | Unknown | Name, credit and debit card numbers, and expiration dates | Malware | Yes, free credit monitoring and identity theft protection |
| 267 Million | Name, phone number, Unique Facebook ID, phone number | Unsecured Database | None | |
| LightInTheBox | 1.6 Billion | Email address, IP address, country of residence, destination pages and user activity | Unsecured Database | None |
| TrueDialog | 1 Billion | Names of recipients, account holders and users, email addresses, phone numbers of recipients and users, content of messages, dates and times messages were sent, message status, and account details | Unsecured Database | None |
November 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Unknown | 1.2 Billion | Name, mail address, phone number, employer, location, job title and social media profiles | Unsecured Database | None |
| T-Mobile | 1 Million | Name, billing address, phone number, account number, rate, plan and calling features | Hack | None |
| Macy’s | Unknown | Name, address, phone number, email address, payment card number, card security code, and payment expiration date | Hack | None |
| Disney Plus | Unknown | Username and password | Credential Stuffing | None |
October 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Network Solutions | Unknown | Name, address, phone numbers, email address and service information | Hack | None |
| Bed Bath & Beyond | Unknown | Account login information including email and password | Credential Stuffing | None |
| Adobe | 7.5 Million | Email address, username, country of origin, Adobe products, account creation date, date of last login, subscription and payment status | Security Vulnerability | None |
| Kalispell Regional Healthcare | 130,000 | Name, Social Security number, address, medical record number, date of birth, telephone number, email address, medical history and treatment information, dates of service, treating/referring physicians, medical bill account number and/or health insurance information | Phishing Attack | Yes, free fraud consultation and identity theft restoration services |
| Autoclerk | Unknown | Name, date of birth, home address, phone number, dates, travel costs, check-in times, room numbers, and masked credit card details | Security Vulnerability | None |
| Methodist Hospitals of Indiana | 68,000 | Name, address, date of birth, Social Security number, driver’s license/state ID/passport number, credit card information and patient health record | Phishing Attack | None |
September 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Zynga | 218 Million | Name, email address, login ID, hashed password, phone numbers, Facebook ID and Zynga account ID | Hack | None |
| DoorDash | 4.9 Million | Name, email and delivery addresses, order history, phone number, hashed and salted passwords, last four digits of credit card and bank account, and driver’s license information | Third Party Breach | None |
| Dealer Leads | 198 Million | Name, email address, phone number, home address and IP address | Security Vulnerability | None |
| 419 Million | Unique Facebook ID, phone number, name, gender, and location | Security Vulnerability | None | |
| Providence Health Plan | 122,000 | Name, address, email address, date of birth, Social Security number, member identification number, group number and subscriber number | Hack | Yes, two years of free credit monitoring and identity protection services |
August 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Foxit | 328,000 | Name, email address, password, phone number, company name, and IP address | Hack | Unknown |
| Hostinger | 14 Million | First name, username, email address, IP address and hashed passwords | Hack | None |
| MoviePass | 58,000 | Name, address, MoviePass debit card number, card expiration date, card balance and activation date | Security Vulnerability | None |
| BioStar 2 | 27.8 Million | Fingerprint data, facial recognition information, and unencrypted usernames and passwords | Security Vulnerability | None |
| Choice Hotels | 700,000 | Name, email address, and phone number | Security Vulnerability | None |
| Hy-Vee | 5.3 Million | Payment card data | Hack | None |
| State Farm | Unknown | Username and password | Credential Stuffing | Unknown |
| CafePress | 23.2 Million | Name, address, email address, phone number and hashed passwords | Hack | Unknown |
| Poshmark | Unknown | Name, usernames, gender, city data, email addresses, size preferences and scrambled passwords. | Hack | None |
| StockX | 6.8 Million | Name, email address, scrambled password, shoe size, trading currency, user’s device type and other profile information | Hack | None |
| Presbyterian Healthcare Services | 183,000 | Name, date of birth, Social Security number, health plan and clinical information | Phishing Attack | Yes, one year of free credit monitoring and identity protection services |
| Capital One | 100 Million | Name, Social Security number, address, zip code, phone number, email address, date of birth, linked bank account number, self-reported income, credit score, credit limit, balance, payment history, contact information and transaction data | Employee Error | Yes, free credit monitoring and identity protection services |
July 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| MyCastingFile.com | 260,000 | Name, address, email address, phone number, work history, date of birth, height and weight, ethnicity, physical features, vehicle ownership information and casting photograph | Unsecured Database | Unknown |
| Polk County | 450,000 | Driver’s license number and Social Security number | Phishing Attack | Unknown |
| Los Angeles’ Personnel Department | 20,000 | Name, birth date, partial Social Security numbers, email address, and applicant account passwords | Hack | Unknown |
| Capital One | 100 Million | Names, addresses, phone numbers, email addresses, dates of birth, income, credit scores, credit limits, and credit balances | Unauthorized Access | Yes, free credit monitoring and identity protection services |
| Sprint | Unknown | Name, billing address, phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility and add-on services | Hack | Unknown |
| Clinical Pathology Laboratories (CPL) | 2.2 Million | Name, address, phone number, date of birth, dates of service, balance information, treatment provider information, credit card and banking information | Third-Party Breach | Unknown |
| Fieldwork Software | Unknown | Name, credit card number, alarm codes, client information, and other sensitive details of the company’s small business customers | Unsecured Database | Unknown |
| Essentia Health | 1,000 | Patient demographic detail, medical record and patient account number, date of birth, admission and discharge dates, and dates of services | Third-Party Breach | Yes, free credit monitoring services |
| Los Angeles County Department of Health Services | 14,000 | Name, Social Security number, home address, date of birth, phone number and various data related to medical services provided | Phishing Attack | Yes, free credit monitoring and identity protection services |
| Maryland Department of Labor | 78,000 | Name, Social Security number, date of birth, city or county of residence, graduation date and record number | Hack | Yes, two years of free credit monitoring |
| Orvibo | 2 Billion | Email address, password, account reset code, precise geolocation, IP address, username, user ID, family name, family ID, smart device, devices that accessed account, and scheduling information | Hack | Unknown |
June 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Dominion National | 95,000 | Name, address, date of birth, email address, Social Security number, tax ID number, bank account and routing numbers, and member ID number | Hack | None |
| Desjardins | 2.9 Million | Name, date of birth, social insurance number, address, phone number, email address, details of banking habits and Desjardins products, business name, business address, business phone number, owner’s name and names of users on the AccèsD Affaires account | Employee Error | None |
| Oregon Department of Human Services | 645,000 | Name, address, date of birth, Social Security number, case number, personal health information, and other information used in DHS programs | Phishing Attack | None |
| EatStreet | Unknown | Name, credit card numbers , expiration date, card verification code, billing address, email address, phone number, company name, clients name, company address, bank account and routing number | Hack | None |
| Evernote | 4.6 Million | Authentication, financials, private conversations in social media, and personal emails | Security Vulnerability | None |
| Total Registration | Unknown | Names of students and parents, dates of birth, Social Security numbers, languages, grade level, gender, and student ID | Security Vulnerability | None |
| Evite | 100 Million | Usernames, email addresses, IP addresses, and cleartext passwords, birth phone numbers, and postal addresses. | Hack | None |
| US Customs and Border Protection | 100,000 | Images of travelers’ faces and license plates | Hack | None |
| Emuparadise | 1.1 Million | Email address, IP address, username, and password | Security Vulnerability | None |
| Opko Health | 422,600 | Credit card numbers, bank account information, email addresses, physical addresses, phone numbers, balance information | Hack | None |
| LabCorp | 7.7 Million | Name, address, date of birth and balance information | Hack | None |
| Quest Diagnostics | 12 Million | Credit card and bank account numbers, Social Security number, and medical information | Hack | None |
May 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Checkers and Rally’s | Unknown | Name, payment card number, card verification code, and expiration date | Hack | Unknown |
| Unknown | Usernames, encrypted passwords, emails and digital tokens | Hack | None | |
| Canva | 140 Million | Username and email address | Hack | None |
| First American Financial Corp. | 885 Million | Bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images | Unsecured Database | Unknown |
| Inmediata Health Group | 1.5 Million | Name, address, date of birth, Social Security number, gender, and medical information | Security Vulnerability | None |
| 49 Million | Bio information, profile photo, location, verification status, email address and phone number | Unsecured Database | None | |
| Uniqlo | 460,000 | Names, address, contact details, and partial credit card information | Hack | Unknown |
| Unknown | Unknown | Hack | Unknown | |
| Indiana Pacers | Unknown | Name, address, date of birth, Social Security number, passport number, medical and health insurance information, driver’s license/state identification number, account number, credit/debit card number, digital signature, and username and password | Phishing Email | Unknown |
| Freedom Mobile | 1.5 Million | Name, email address, phone number, physical address, dates of birth, account numbers, and credit card information | Unsecured Database | Unknown |
| Wyzant | Unknown | Name, email address, ZIP code and Facebook profile information and pictures if social media account used to login | Hack | Unknown |
April 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Citrix | Unknown | Social Security number, financial information, and other data on current and former employees | Hack | Unknown |
| Unknown | 80 Million | Name, address, geographic location, age, date of birth, and other demographic information | Unsecured Database | None |
| Docker | 190,000 | Username, hashed password, Github, and Bitbucket tokens for Docker auto-builds | Hack | None |
| Atlanta Hawks | Unknown | Names, date of birth, and payment card details | Website Vulnerability | None |
| BodyBuilding.com | 7 Million | Name, email address, billing/shipping address, phone number, order history, birth date, and information included in BodySpace profiles | Hack | None |
| EmCare | 60,000 | Name, Social Security number, date of birth, age, clinical information and driver’s license numbers | Hack | None |
| Steps to Recovery | 150,000 | Name and details of the treatments | Security Vulnerability | None |
| Microsoft | Unknown | Email address, folder names, subject lines of emails, and email contents | Hack | None |
| City of Tallahassee | Unknown | Payroll accounts containing bank account information | Phishing Email | None |
| Prisma Health | 23,811 | Name, Social Security number, email credentials, health insurance information, and financial information | Phishing Email | Credit monitoring and identity theft protection |
| Baystate Health of Springfield | 12,000 | Name, date of birth, Social Security number, Medicare information and medical records | Phishing Email | Credit monitoring and identity theft protection |
| 540 Million | Account name, Facebook ID, and user activity | Third Party | None | |
| Georgia Tech | 1.3 Million | Name, address, Social Security Number and birth date | Hack | Credit monitoring services |
March 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Verifications.io | 982 Million | Name, birth date, address, social media accounts and places of employment | Security Vulnerability | None |
| Earl Enterprise | 2 Million | Name, credit and debit card numbers, and expiration dates | Hack | None |
| Verity Health | 14,894 | Name, address, date of birth, Social Security number, driver’s license, phone number, patient identification number, health plan name, treatment details, medical procedures and conditions, lab test data, medical equipment information, billing codes, dates of service, payment information, claims history, health insurance policy numbers, subscriber identification, health insurance identifiers, and application and claims history | Phishing Email | Identity theft protection and credit monitoring services |
| Asus | 1 Million | Unknown | Hack | None |
| Milestone Family Medicine | 32,178 | Name, date of birth, address, Social Security number, health insurance information, and medical services | Hack | Identity theft protection and credit monitoring services |
| Family Locator | 238,000 | Name, email address, profile photo, passwords, and user and family members’ real-time locations. | Security Vulnerability | None |
| Federal Emergency Management Agency (FEMA) | 2.5 Million | Name, address, birth date, and bank account information | Security Vulnerability | None |
| Oregon Department of Human Services | 2 Million | Name, address, date of birth, Social Security Number, case number and other information used to administer DHS programs | Phishing Email | Identity Theft Protection |
| 200-600 Million | Passwords | Security Vulnerability | None | |
| Zoll Medical | 277,000 | Name, address, date of birth and medical information | Server Migration Error | None |
| MyPillow and Amerisleep | TBD | Credit card credentials | Hack | None |
| Rutland Regional Medical Center | 72,000 | Name, Social Security Number, diagnosis, treatment information, prescription information, doctor’s name, medical record number (MRN) and FIN | Email Hack | None |
| Spectrum Health Lakeland | 60,000 | Name, address, Social Security Number, types of health services provided, dates of those services, health insurance provider and amounts due on the patient account | Ransomware | Credit monitoring and financial investigative services |
| Pasquotank-Camden Emergency Medical Services | 20,420 | Social Security number, date of birth and medical information | Hack | Identity Theft Protection |
| Health Alliance Plan | 120,000 | Name, address, date of birth, member ID number, patient ID number, healthcare provider name, and claim information | Ransomware | Identity Theft Protection |
February 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| UConn Health | 326,000 | Name, birth date, Social Security number, limited medical information | Phishing Email | Identity Theft Protection |
| UW Medicine | 974,000 | Name, medical record number, | Security Vulnerability | None |
| Coinmama | 450,000 | Email and hashed password | Security Vulnerability | None |
| AdventHealth | 50,000 | Name, phone number, address, Social Security number, medical history, and insurance information | Hack | None |
| North Country Business Products | TBD | Name, credit card number, expiration date, and CVV | None | |
| 500px | 14.8 Million | Name, username, hashed password, email address, birthdate, general geographic location, and gender | Hack | None |
| Coffee Meets Bagel | 6 Million | Name and email address | Hack | None |
| 1 Million | Access to account | Data Leak | None | |
| Dunkin’ Donuts | TBD | Name, email address, 16-digit DD Perks account number and DD Perks QR code | Credential Stuffing | None |
| EyeSouth Partners | 24,000 | Name, health insurance carrier, and account balances | Hack | None |
| Huddle House | TBD | Name, credit/debit card number, expiration date, cardholder verification value, and service code | Security Vulnerability in POS Systems | None |
| Catawba Valley Medical Center | 20,000 | Name, birth date, Social Security Number, and health information | Phishing Email | None |
| Houzz | TBD | Name, city, state, country, email address, profile description, username, and hashed passwords | Hack | None |
January 2019
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Critical Care, Pulmonary & Sleep Associates | 23,000 | Name, address, date of birth, Social Security Number, clinical data like dates of service, diagnoses, and medical conditions, labs and diagnostic studies, medications, treatment details, , and other treatment information. | Phishing Email | None |
| Rubrik | TBD | Names, contact information, and other details related to corporate accounts | Employee Error | None |
| The Department of Health and Social Services in Alaska | 100,000 | Name, address, date of birth, Social Security number, health information, benefit information and other personal information such as income | Security Vulnerability | None |
| Ascension | 24 Million | Name, address, birth date, Social Security number, bank and checking account numbers, loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents | Security Vulnerability | None |
| ElasticSearch | 108 Million | Name, address, phone number, email address, birth date, username, account balances, IP address, browser and OS details, games played, and win and loss information | Data Leak from Online Betting Sites | None |
| Greater’s Ice Cream | 12,000 | Name, address, phone number, fax number, payment card type, payment card numbers, expiration dates, and verification codes | Website Vulnerability | None |
| BlackRock | 20,000 | Name and email address of financial advisers | Employee Negligence | None |
| Collection #1 | 773 Million | Email and password | Data Leak | None |
| Oklahoma Department of Securities (ODS) | TBD | Personal FBI data, system credentials, internal communication records, spreadsheets of IT credentials, credentials required for remote access to ODS workstations, training documents, email histories, and files relating to ODS investigations | Security Vulnerability | None |
| Fortnite | 80 Million | Name, security tokens to access Fortnite accounts, make in-app purchases and record conversations among players. | Security Vulnerability | None |
| Managed Health Services of Indiana | 31,000 | Name, address, date of birth, insurance ID number, dates of service, and medical conditions | Phishing Email | None |
| OXO International | TBD | Names, billing and shipping address, and credit card information | Hack | Yes, free credit monitoring services |
| BenefitMall | TBD | Name, address, Social Security number, date of birth, bank account number, and information on the payment of insurance premium. | Phishing Email | None |
| DiscountMugs.com | TBD | Name, address, phone number, email address, ZIP code, credit card number, security code, and expiration date. | Hack | None |
| Town of Salem Game | 7.6 Million | Email address, username, password, IP address, game & forum activity, purchased game premium features | Hack | None |
| Blur | 2.4 Million | Name, email address, password hints, IP address, and encrypted Blur password | Security Vulnerability | None |
December 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| BevMo | 14,000 | Name, address, phone number credit and debit card numbers and security codes | Hack | None |
| San Diego Unified School District | 500,000 | Name, address, Social Security number, date of birth, phone numbers, payroll and compensation information, viewable paychecks and pay invoices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information, health benefits enrollment information, beneficiary identify information, dependent identity information, savings or flexible spending account information | Phishing Attack | None |
| Caribou Coffee | TBD | Name, card number, expiration date, and card security code | Security Vulnerability | None |
| Warby Parker | 198,000 | Name, email address, payment card information, and prescription information | Hack | None |
| NASA | TBD | SSN and other personally identifiable information (PII) on current and past NASA employees | Hack | Yes, free identity protection services |
| Elizabethtown Community Hospital | 32,000 | Name, address, date of birth, medical record numbers, dates of service and summary of services provided | Hack | None |
| Wright County | 72,000 | TBD | Employee Negligence | None |
| 6.8 Million | Private photos, Facebook Stories, and Marketplace photos | Security Bug | None | |
| Baylor Scott & White Medical Center Frisco | 48,000 | Name, address, telephone number, date of birth, medical record number, date of service, insurance provider, account number, last four digits of the credit card, CCV number, type of credit card, date of recurring payment, account balance, invoice number, and status of transaction | Hack | None |
| City of Topeka | 10,000 | TBD | Hack | None |
| Google+ | 52.5 Million | Name, age, email address, occupation, and profile data | Security Vulnerability | None |
| Quora | 100 Million | Name, email address, encrypted password, and publicly posted questions/answers/comments | Hack | None |
November 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Marriott | 500 Million | Name, address, phone number, date of birth, gender, email address, passport number, Starwood’s rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences | Hack | Yes, one year of online account monitoring |
| Dunkin’ Donuts | TBD | Name, username, 16-digit DD Perks account number and DD Perks | Hack | Unknown |
| ElasticSearch | 57 Million | Name, address, email address, state, ZIP code, phone number, and IP address | Security Vulnerability | Unknown |
| Atrium Health | 2.65 Million | Name, address, date of birth, Social Security, insurance policy information, service date, medical record numbers, and account balances | Hack | Yes, credit monitoring and identity protection services |
| Amazon | TBD | Name and email address | Technical Error | Unknown |
| USPS | 60 Million | Email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data, real time tracking data | Security Vulnerability | Unknown |
| Voxox | 26 Million | SMS text messages including Password reset links, Two-Factor authentication codes, and shipping notifications | Security Vulnerability | Unknown |
| Health First | 42,000 | Address, date of birth, Social Security number | Phishing Email | Yes, one year of identify theft protection service |
| Nordstrom | 75,000 | Name, address, phone number, date of birth, Social Security number, pay card number, checking account and routing number, insurance provider information, and salary. | Employee error | Yes, two years of identity theft protection |
| Bankers Life | 566,000 | Name, address, date of birth, insurance information, Social Security number, driver’s license, state identification card number, bank account number, credit and debit card information, medications, diagnosis, and treatment plans | Hack | Yes, credit monitoring and identify theft protection service |
| Huntsville Hospital | 15,000 | Name, address, phone number, email address, and Social Security number | Hack | Yes, identity theft protection |
| Canada Post | 4,500 | Name, initials, postcodes, dates of delivery, Ontario Cannabis Store (OCS) reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses | Hack | Unknown |
| HSBC | 14,000 | Name, address, phone number, email address, date of birth, account number, account type, account balance, transaction history, and statement history | Hack | Yes, one year of credit monitoring and identify theft protection service |
October 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Raley’s | 10,000 | Name, gender, date of birth, health plan, plan member identification number, medical condition, pharmacy location visited | Device Theft | Unknown |
| Tomorrowland | 64,000 | Name, address, age, postcode, and gender | Hack | Unknown |
| Jones Eye Center | 40,000 | Name, address, birth date, service dates, medical record number, Social Security number, insurance information | Hack | Yes, one year of free credit monitoring |
| Cathay Pacific | 9.4 million | Name, address, email address, birth date, phone number, passport number, ID card number, nationality, payment card data | Hack | Unknown |
| U.S. Centers for Medicare & Medicaid Services (CMS) | 75,000 | Name, address, Social Security number | Hack | Unknown |
| FitMetrix | 236,391,692 | Name, email address, birth date, phone number, username, Facebook ID, gender, height, weight | Misconfiguration | Unknown |
| Google+ | 496,951 | Full name, email address, birth date, gender, profile picture, places lived, occupation, relationship status | API bug | No, Google plans to shut down Google+ platform altogether, with the exception of Google+ enterprise version. |
| Central Maine Power | 77,300 | Name, address, former account number | Employee error | No |
| Toyota Industries North America, Inc. | 19,000 | Name, address, birth date, phone number, financial account number, Social Security number, driver’s license number, email address, birth certificate, passwords, healthcare treatment/diagnosis information, medical insurance numbers, username, password, security questions | Email compromise | Yes, one year of free identity protection and credit monitoring |
September 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| 90 million | User accounts | Security vulnerability | No | |
| SHEIN | 6.42 million | Email address, encrypted password | Hack | No, company urges all users to reset passwords |
| Chegg | 40 million | Username, email address, shipping address, hashed passwords | Hack | No, company will reset all user account passwords |
| Independence Blue Cross | 17,000 | Name, date of birth, diagnosis information, provider details, insurance claim details | Accidental upload | Yes, two years of free identity protection services |
| Guardant Health | 1,100 | Name, date of birth, Social Security number, medical information | Misconfiguration | Unknown |
| MedCall Advisors | 3,000 | Name, date of birth, medical information, Social Security number | Phishing | Unknown |
| GovPayNet | 14 million | Name, address, phone number, partial credit card information | Website vulnerability | No |
| Blue Cross Blue Shield Rhode Island | 1,567 | ID number, service provider, type of service provided, cost of claim | Employee error | No |
| Tucson Medical Center | 1,800 | Name, birth date, address, medical record number, insurance ID number, Social Security number, protected health information | Unsecured storage | Yes, one year of free credit monitoring and identity protection services |
| Foosackly’s | 165,000 | Payment card data | Hack | No |
| Orrstown Bank | 50,000 | Unknown | Hack | No |
August 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Air Canada | 20,000 | Name, email address, phone number, passport number, passport country of issuance, Aeroplan number, NEXUS number, gender, date of birth, nationality, country of residence | Hack | No |
| T-Mobile | 2.3 million | Name, billing zip code, phone number, email address, account number, account type | Unknown | Unknown |
| Eastern Maine Community College | 42,000 current and former students | Name, address, birth date, Social Security number, username, password | Malware | Free credit monitoring and identity restoration |
| Sitter | 93,000 | Address, phone number, transactional history, phone book contacts, partial credit card numbers, encrypted passwords | Data dump | No |
| Legacy Health | 38,000 | Name, birth date, health insurance information, billing information, medical information, Social Security number, driver’s license number | Email hack | Free credit monitoring for victims whose SSN was exposed |
| Augusta University Health | 417,000 | Demographic information, medical record numbers, treatment information, surgical details, diagnoses, medications, dates of service, insurance information, Social Security number, driver’s license number | Phishing | 1-year free credit monitoring |
| MedSpring Urgent Care (Austin, TX) | 13,034 | Name, account number, medical record number, dates of medical services | Phishing | No |
| Adams County (Wisconsin) | 258,120 | Personal data, health records, tax information, username, password | Unauthorized access | No |
| SSM Health St. Mary’s Hospital | 301,000 | Name, medical record number, demographic information, financial information | Improper disposal | No |
| Institute on Aging (San Francisco, CA) | 3,900 | Name, address, Social Security number, email, phone number, birth date, financial information, medical information. | Email hack | Yes |
| Unknown | Email address, hashed password, private and public messages | Hack | No | |
| UnityPoint Health | 1,400,000 | Name, address, medical information, treatment information, lab results, health insurance information, some Social Security numbers, some payment card data | Phishing | No |
July 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Yale University | Unknown | Social Security Number, name, birth date | Hack | Yes |
| Boys Town National Research Hospital | 105,309 employees and patients | Name, birth date, Social Security number, diagnosis/treatment information, health insurance number, birth and marriage certificates, employer identification number, driver’s license number, passport details, financial information, login credentials | Email hack | No |
| TradeMotion | Unknown | Name, billing/shipping address, email address, phone number, payment card number, CVV code, payment card expiration date | Hack | Yes |
| ComplyRight | 660,000 | Name, address, phone number, email address, Social Security number | Third-party breach | Yes |
| Algonquin College | 111,499 | Name, student ID number, college email address, birth date, phone number, personal email address, home address | Hack | No |
| International Mission Board (IMB) | Unknown | Name, address, birth date, contact information, Social Security number, health information | Unauthorized access | Yes |
| University Medical Center Physicians | 18,000 | Name, address, phone number, medical record number, diagnoses, Social Security number, birth date, health insurance information | Email hack | Yes, one year of credit monitoring and identity restoration services |
| Metro Health Department (Tennessee) | Unknown | HIV diagnosis, Social Security number, medical history | Employee error | No |
| Purdue University | 26,598 applicants | Name, birth date, Social Security number | Employee error | Yes |
| Macy’s | Unknown | Username, password | Phishing scam | Yes |
| Timehop | 21 million | Name, email address, phone number | Hack | No |
| Exactis | 340 million | Phone number, address, date of birth, estimated income, number of children, education level, credit rating, other behavioral data | Misconfigured database | No |
| Adidas (U.S. Online Retail Store) | Unknown | Contact information, user name, encrypted password | Hack | Unknown |
June 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Michigan Medicine | 870 | Name, birth date, medical record number, gender, race, diagnosis, treatment-related information | Laptop theft | No |
| People Dedicated to Quality (PDQ) | Unknown | Name, credit card number, expiration date, cardholder verification value | Hack | No |
| Med Associates | 270,000 | Name, date of birth, address, dates of service, diagnosis codes, procedure codes, medical insurance ID number | Hack | No |
| Flightradar24 | 230,000 | Email address, passwords (hashed) | Unknown | No |
| Chicago Public Schools | 3,700 | Name, email address, phone, student ID number | Employee error | No |
| HealthEquity | 23,000 | Employee name, HealthEquity member ID, employer name, HealthEquity employer ID, deduction amount, Social Security number | Phishing | Yes |
| Dignity Health | 55,947 | Name, doctor name | Employee error | No |
| The Village of Wellington (Palm Beach) | Unknown | Payment card data | Hack | No |
| MyHeritage | 92 million | Email address, password (hashed) | Unknown | No |
| Ticketfly | 26 million | Name, address, email, phone number | Ransomware | No |
May 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Coca Cola | 8,000 employees | Unknown | Insider theft | No |
| LifeBridge Health | 500,000 | Name, address, birth date, insurance information, Social Security number | Third-party back door | Yes |
| University at Buffalo | 28 faculty and staff accounts 862 alumni accounts 1,800 student accounts | Username, password | Phishing | No |
| TeenSafe | Unknown | Child’s name, child’s device information, child’s Apple ID passwords | Cloud misconfiguration | No |
| Chili’s | Unknown | Credit and debit card information | Malware | Yes |
April 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Zippy’s Restaurants | Unknown | Credit/debit cardholder name, card number, expiration date, security code | Unknown | No |
| Access Group | 16,500 | Name, driver’s license number, Social Security number | Vendor error | Yes |
| SunTrust Bank | 1.5 million | Name, address, phone number, account balance | Insider theft | Yes |
| WEI Mortgage | Unknown | Name, Social Security number, date of birth, address, driver’s license, state identification number, passport number, bank account information, credit/debit card information, tax identification number, username, password, loan package information | Business email compromise | Yes |
| Unity Point Health | 16,000 | Details of medical procedures, health insurance information | Compromised employee email account | No |
| Localblox | 48 million | Name, physical address, employment information/job history data, IP address, phone number, behavioral data | Data scraping (Facebook, LinkedIn, Twitter) | No |
| Panera Bread | 37 million | Name, email address, home address, phone number, birth date, customer loyalty account number, last four digits of saved payment cards | Security vulnerability | No |
| MyFitnessPal (Under Armour)r | 150 million | Email, username, hashed password | Hack | No |
| Hudson’s Bay Company (Saks Fifth Avenue, Saks OFF 5th, Lord & Taylor) | 5 million | Payment card data | Hack | Yes |
| [24]7.ai (Sears, Delta Air Lines, Kmart stores) | Unknown | Payment card data | Unknown | No |
March 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Orbitz | 880,000 | Name, payment card information, date of birth, phone number, email address, physical and/or billing address, gender | Unauthorized access | Yes |
| BJC HealthCare | 33,420 | Name, address, phone number, date of birth, Social Security number, driver’s license number, medical insurance information, treatment-related information | Misconfigured database | Yes |
| NIS America (online stores) | Unknown | Payment card data, billing address, shipping address, email address | Phishing | No, $5 discount vouchers for online store |
February 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Massachusetts Department of Revenue | 39,000 | Business name, tax identification number, tax payment amount, tax payment date, number of employees, banking information, one Social Security number | Unknown | No |
| University of Virginia Health System | 1,882 | Private medical records, physical address | Malware | No |
| Department of Fish and Wildlife (California) | 2,300 | Name, Social Security number | Accidental exposure | No |
| FedEx | Unknown | Passport information, driver’s license, security IDs | Cloud misconfiguration | No |
| Staybridge Suites (Lexington, KY) | Unknown | Name, credit card numbers | Malware | No |
| Octoly | 12,000 | Unknown | Cloud service misconfiguration | No |
| Waldo County (Maine) | 100 (employees) | W-2 information (Social Security number, payroll information, salary, withholdings, residential address) | Business email compromise | Yes |
| Western Washington Medical Group | Unknown | Name, address, diagnoses, medical history form, appointment dates, medical history, health care insurance billing information | Accidental exposure | Yes |
January 2018
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Charlotte Housing Authority (employees) | Unknown | W-2 information (name, address, Social Security number, wages) | Business email compromise | No |
| Jason’s Deli | 2 million cards, 164 locations | Payment card data (cardholder name, credit/debit card number, expiration date, verification value and service code) | Unknown | No |
| Homeland Security Office of the Inspector General | 247,167 (current/former employees) | Name, Social Security number, birth date, email address, phone number, physical address | Insider Theft | Yes |
| Forever 21 | Unknown | Payment card number, expiration date, internal verification code, cardholder name (in some instances) | Malware | No |
| RootsWeb Servers | 55,000 | Email, password, username | Accidental exposure | No |
December 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Alteryx | 123 million American households | Address, phone number, consumer behavioral data | Cloud leak | No |
November 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Imgur | 1.7 million | Email address, password | Network vulnerability | No |
| Uber | 57 million | Name, email address, phone number, driver’s license numbers | Hack | Yes (Drivers) |
| Valley Family Medicine | 8,450 | Name, address | Employee error | No |
October 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| We Heart It | 8 million | Email, username, encrypted passwords | Hack | No |
| Catholic United Financial | 127,310 | Name, address, birth date, email address, insurance information, Social Security number | Hack | No |
| Pizza Hut | Unknown | Payment card data | Hack | No |
| ShopRite (Ulster, NY) | Unknown | Name, phone number, birth date, prescription information, zip code, driver’s license number | Human error | No |
| Whole Foods | Unknown | Payment card data | Hack | No |
| Graton Resort and Casino | Unknown | Name, address, Social Security number | Human error | Yes |
September 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Sonic | Unknown | Payment card data | Hack | No |
| Deloitte | Unknown | Unknown | Email vulnerability | No |
| Equifax | 143 million | Name, birth date, Social Security number, address, driver’s license, credit card information | Application vulnerability | Yes |
| Time Warner Cable | 4 million | User names, account types, service information, MAC numbers, transaction numbers | Third-party breach | No |
August 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Mid-Michigan Physicians | 106,000 | Name, birthdate, address, phone number, medical information, Social Security number | Hack | Yes |
| Colorado Judicial Branch | 41,140 | Name, birthdate, Social Security number | Unauthorized Access | No |
| The Galt House (Kentucky) | Unknown | Payment card information | Malware | No |
| Anthem | 18,500 Anthem Medicare enrolles | Social Security number, Medicare information | Third-party breach | Yes |
July 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Virgin America | 3,230 | Login credentials, address, Social Security number, government ID information, health-related information | Unauthorized access | No |
| Plastic Surgery Associates of South Dakota | 10,200 | Name, Social Security number, driver’s license, state identification number, credit card information, medical information, address, date of birth, insurance information | Ransomware | Yes |
| Wells Fargo | 50,000 | Name, Social Security number, sensitive financial information | Employee error | No |
| Tewksbury Hospital | 1,100 | Name, address, birth date, phone number, gender, medical history, Social Security number | Unauthorized access | No |
| Dow Jones | 2 million | Unknown | Cloud service error | No |
| Verizon (Nice Systems) | 6 million | Name, phone number, account PIN, home address, email address, Verizon account balances | Misconfigured server | No |
| Avanti Markets | 1.6 million | Payment card data, email address, biometric authentication data | Malware | No |
| Children and Youth Services (Pennsylvania) | 1,800 | Name, address, birth date, Social Security number, public health information | Third-party error | No |
| White Blossom Care Center | 800 | Name, Social Security Number, birth date, health insurance information, medical information | Employee error | Yes |
June 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Atlantic Digestive Specialists | 94,195 | Name, birth date, address, telephone number, medical history, insurance information, Social Security numbers | Ransomware | Yes |
| Aetna (Texas and Ohio) | 2,200 | Full name, health insurance information, payment history, medical history | Unknown | No |
| Southern Illinois Healthcare | 600 | Name, birth date, gender, address, medical insurance information | Employee Error | Yes |
| Select Restaurants, Inc. | Unknown | Payment card data | Hack | No |
| Washington State University | 1 million | Name, Social Security number, medical information | Physical theft | Yes |
| KMart | Unknown | Payment card data | Malware | No |
| Victory Medical Center | 2,000 | Name, birth date, address, phone number, email address, medical account number, demographic information | Data dump | No |
| OneLogin (United States) | Unknown | User, app, key information | Unauthorized access | No |
May 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Chipotle | 2,250 locations | Payment card data | Malware | No |
| AT&T (Dallas, TX) | Unknown | Driver’s license number | Hack/Stolen credentials | Yes |
| Florida Department of Agriculture and Consumer Services | 16,190 | Name, weapon license number, Social Security number | Hack | Yes |
| Brooks Brothers | 220 locations | Name, payment card number, expiration date, verification code | Malware | No |
| DocuSign | Unknown | Email address | Third-party hack | No |
| Bronx Lebanon Hospital Center | 7,000 | Mental health and medical diagnoses, HIV status, sexual assault and domestic violence reports, name, address, addiction history, religious affiliation | Third-party vulnerability/server misconfiguration | No |
| Yankee Car Wash & Detailing | Unknown | Payment card holder’s name, card number, security code | Third-party breach | Yes |
| Gannett Co. | 18,000 employees | Office 365 login credentials, email | Business email compromise | Yes |
| Sabre Hospitality Solutions | Unknown | Payment card data | Hack | No |
| Harrisburg Gastroenterology | Unknown | Name, demographic information, Social Security number, health insurance information, medical history | Unauthorized access | No |
| City of Fitchburg | 1,800 | Social Security number | Unauthorized access | No |
| Home Depot | 8,000 | Spreadsheet of customers’ personal/transaction information | Employee error/technical glitch | No |
April 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Med Center Health | 160,000 | Name, address, Social Security number, insurance information, procedure codes | Physical theft (Insider theft) | Yes |
| Internal Revenue Service (IRS) Data Retrieval Tool (fafsa.gov) | 100,000 | FAFSA information | Hack | No |
| GameStop | Unknown | Payment card data | Unknown | No |
| Westminster College (Fulton) | Unknown | W-2 forms | Business email compromise | Yes |
| InterContinental Hotels Group (IHG) | 1200 hotels | Payment card data | Malware | No |
| Fashion Fantasy Game | 2,436,258 | Email address | System vulnerability | Unknown |
| Schoolzilla | 1.3 million | Social Security number, test scores, personal information | Cloud storage vulnerability | No |
| Lifespan | 20,000 | Name, medical record number, address, medication prescriptions | Physical theft | No |
| Iowa Veterans Home (IVH) | 2,969 | Name, address, phone number, medical information, Social Security number | Phishing | No |
| Behavioral Health Center (Bangor, Maine) | 4,000 | Social Security number, medical information | Unknown | Yes |
| AIDS Drug Assistance Program (California Public Health Department) | 94 | Unknown | Unauthorized access | Yes |
March 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Yahoo | 32 million | User accounts | Unauthorized access/account vulnerability (forged cookies) | No |
| Georgia election system (Kennesaw State University) | Unknown | Voter records | Hack | No |
| Verifone | Unknown | Employee passwords, one customer support unit | Hack | No |
| Weekends Only (Online Shopping Only) | 8,000 | Payment card data | Unknown | Yes |
| U.S. Air Force | 4,000 | Name, address, military rank, Social Security number, phone number, contact info of spouse | Unauthorized access (hard drive not password protected) | No |
| Cincinnati Eye Institute | 500 employees | Social Security number | Third-party breach | Yes |
| Wishbone | 2,487,000 | Email address, name, username, phone number | Unknown | No |
| UNC Health Care | 1,300 | Social Security number, medical history | Accidental exposure | No |
| American Job Link Alliance | Unknown; 10 states (Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma, Vermont) | Name, date of birth, Social Security number | Third-party Breach | Unknown |
| Apple | 300 million | iCloud account | Hack | No |
| Urology Austin | Unknown | Name, address, birth date, Social Security number, medical records | Ransomware | Yes |
| Daytona State College | Unknown | Financial aid forms (Social Security number, name, address, birth date, driver’s license info, salary info) | Unknown | Yes |
| Krystle Property Management, Inc. | Unknown | Property documents, property management software files, letters, Excel spreadsheets, name, address, phone number, Social Security number | Ransomware | No |
February 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| InterContinental Hotels Group | Unknown | Payment card data | Malware | No |
| Arby’s | 355,000 | Payment card data | Malware | No |
| PIP Printing Company | Unknown | Highly sensitive documents | Software vulnerability | No |
| Crow and Northern Cheyenne Tribes | 20,000 | Name, address, birth date, tribal enrollment information | Stolen hardware | No |
| American Senior Communities | 17,000 employees | W-2 forms | Business Email Compromise | Yes |
| Family Service (Rochester) | Unknown | Name, address, birth date, Social Security number, driver’s license number, insurance ID number, medication information | Ransomware | Yes |
| Lexington Medical Center (SC) | Unknown | Name, Social Security number, W-2 forms | Unauthorized access | Yes |
| Louisiana Health Cooperative | 8,000 | Name, Social Security number, health insurance information | Third-party breach | Yes |
| Meridian Health Services | 1,200 | W-2 forms | Business email compromise | No |
| CloudPets | 800,000 | Voice recordings | Hack | No |
January 2017
| Company | # Breached | Information Exposed | Cause | Protective Services |
| U.S. Army (Health Workers) | Unknown; 11GB of data | Social Security number, name, address, salary | Network vulnerability | No |
| Topps (Trading card company) | Unknown | Name, email address, physical address, phone number, payment card data | Hack | No |
| eSports Entertainment Association (Esea) | 1,503,707 | Username, email address, password, birth date, phone number, game console ID name | Hack | No |
| Highmark Blue Cross Blue Shield of Delaware | 19,000 | Name, Social Security number, health insurance information | Ransomware | Yes |
| Sentara Healthcare | 5,454 | Name, medical record number, birth date, Social Security number, demographic information, medication information | Third-party breach | Yes |
| Popeyes | Unknown | Payment card data | Malware | No |
| Copilot Support Services | 220,000 | Name, gender, birth date, address, phone number, health insurance information, Social Security number | Unauthorized access | Yes |
| Tipton County Public Schools (employees) | Unknown | W-2 form information | Employee error | No |
| UGI Utilities (Pennsylvania) | 1,900 | Unknown | Phishing email | No |
| TransPerfect | Unknown | W-2 forms, payroll information | Phishing/Business Email Compromise | No |
| Van’s Honda (Wisconsin) | Unknown | Name, Social Security number, address, phone number | Third-party breach | No |
| Marin Software | Unknown | W-2 forms, name, Social Security number, address, email, salary, birth date | Phishing/Business Email Compromise | No |
| Scotty’s Brewhouse | 4,000 | W-2 forms | Business Email Compromise | Yes |
| Lexington County (SC) School District Two | 1,300 | W-2 forms | Business Email Compromise | No |
December 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| 1 million | Email address, authentication tokens | Malware | No | |
| University of Wisconsin-Madison Law School | 1,213 | Name, Social Security number | Hack | No |
| Daily Motion | 87.6 million | User account information, encrypted password | Hack | No |
| Quest Diagnostics Inc. | 34,000 | Phone number, lab results | Unauthorized access | No |
| Frederick County Public Schools | 1,000 | Name, Social Security number, date of birth | Data dump | No |
| Yahoo | 1 billion | Name, phone number, birth date, encrypted passwords, security questions | Hack/Unauthorized access | No |
| Lynda.com | 55,000 | Passwords | Unauthorized access | No |
| University of Nebraska Lincoln | Unknown | Name, grade level, student ID information | Unknown | No |
| Community Health Plan of Washington | 400,000 | Name, address, birth date, Social Security number, health-claims information | Network vulnerability | Yes |
| Columbia County School District (Georgia) | Unknown | Name, Social Security number, birth date (employee data) | Hack | No |
| Bleacher Report | Unknown | Name, username, password | Unauthorized access | No |
| New Hampshire Department of Health and Human Services | 15,000 | Name, address, Social Security number, Medicaid identification number | Unauthorized access/Data Dump (social media) | No |
| Medical Marijuana Online Portal (Nevada) | 12,000 | Birthdate, Social Security number | Data dump | No |
November 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| The U.S. Office of the Comptroller of the Currency | Unknown | Activity and staff records | Insider theft | No |
| The Red Cross Blood Service (Australia) | 550,000 donors; 1.3 million files exposed | Name, gender, email address, mailing address, phone number, birth date | Security flaw/Accidental exposure | No |
| Integrity Transitional Hospital | 29,514 | Lab test results, health insurance data, driver’s license information | Unknown | No |
| Broward Health Medical Center | Unknown | Full name, date of birth, address, phone number, Social Security number, insurance information, medical information, emergency contact/next of kin information | Physical theft | No |
| Friend Finder Networks | 412 million | Email address, password, date of visits, browser info, IP address, site membership status | Hack | No |
| Michigan State University | 400,000 | Name, Social Security number, MSU identification number | Unauthorized access | Yes |
| Madison Square Garden Company (Madison Square Garden, Radio City Music Hall, Beacon Theatre, The Chicago Theatre) | Unknown | Payment card data | Unknown | No |
| U.S. Navy | 134,386 | Name, Social Security number | Third-party compromise | Yes |
October 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Central Ohio Urology Group | 300,000 | Unknown | Unknown | Yes |
| Hutchinson Community Foundation | Unknown | Personal and financial information | Hack/Ransomware | Yes |
| Vera Bradley | Unknown | Payment card data | Malware | No |
| Modern Business Solutions | 58 million | Name, IP address, birth date, email address, vehicle data, occupation | Hack/Data Dump | No |
| Katy Independent School District | Unknown | Name, birth date, Social Security number, state ID number, email address, zip code | Third-Party Hack/Unauthorized Access | Yes |
| Weebly | 43,430,316 | Email address, username, IP address, password | Unknown | No |
| Indian Banks | 3.2 million | Payment card data | Hack | No |
| Habitat for Humanity of Michigan | 4,600 individual profiles; “hundreds of background and credit check profiles” | Social Security number, other personally identifiable information | Vulnerability/Hack | No |
September 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Kimpton Hotels and Restaurants | 62 locations | Payment card data | Malware | No |
| The University of Alaska Anchorage (Mat-Su Campus) | 5,416 | Name, Social Security number | Unauthorized access | Yes |
| The Hutton Hotel (Nashville, TN) | Unknown | Payment card data | Malware | No |
| VolPtalk | Unknown | Password | Unauthorized access | No |
| ClixSense | 6.6 million | Password, birth date, IP address, email address, account balance, payment history | Unauthorized access/hack | No |
| University Gastroenterology (Rhode Island) | Unknown | Name, address, birth date, Social Security number, medical billing information | Unauthorized access | Yes |
| Bluesnap | 324,000 | Name, email address, IP address, payment card data, phone number, address, transaction history | Third-party breach/Data dump | No |
| Genghis Grill | Unknown | Payment card data | Malware | No |
| Yahoo | 500 million | Name, email address, phone number, birth date, password, security questions | Unknown | No |
August 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| U.S. Democratic Party | Unknown | 20,000 sensitive emails | Hack | No |
| Disney Playdom (Interactive Forums) | 355,000 | Username, email address, password | Hack | No |
| Prosthetic and Orthotic Care Inc. (Missouri and Illinois) | Unknown | Name, contact information, P&O ID number, billing information, Social Security number, birth date, insurance information, photos of procedures | Hack | Yes |
| Kimpton Hotels and Restaurants | Unknown | Payment card data | Unauthorized access | No |
| Banner Health | 3.7 million | Name, birth date, address, physician name, dates of service, clinical information, Social Security number, insurance information | Hack | Yes |
| Oracle Corporation (Micros point-of-sale systems) | 330,000 | Password | Malware | No |
| Newkirk Products (Blue Cross, Blue Shield Kansas City) | 790,000 | Name, address, insurance information | Unknown | Yes |
| Jefferson Medical Associates | Unknown | Name, birth date, Social Security number, address, phone number, prescription information | Unauthorized access | No |
| Bon Secours | 650,000 | Name, Social Security number, insurance information, banking information, other medical information | Unauthorized access to the public | No |
| Hyatt, Sheraton, Marriott, Westin Hotels (10 states and District of Columbia) | 20 locations | Payment card data | Hack | No |
| Social Blade (Main site and forum) | 286,095 | Email, IP address, password | Unauthorized access via software vulnerability | No |
| The NSA | Unknown | Exploit codes | Hack | N/A |
| Eddie Bauer (U.S. and Canada) | 350 retailers | Payment card data | Malware | Yes |
| Epic Games Forum | 800,000 | Username, email address, birth date | Hack | No |
| Ashley Madison | 36 million | User account details | Unauthorized access via security vulnerability | No |
| Kentucky Fish and Wildlife | Unknown | Name, address, birth date, last 4 digits of Social Security number, email address | Unauthorized access | No |
| Opera Sync service | 1.7 million | Username, password | Unauthorized access | No |
| SCAN Health Plan (California-based) | 87,000 | Name, address, phone number, Social Security number, medical information, date of birth | Unauthorized access | No |
| Dropbox | 68 million | Username, password | Hack | No |
July 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Muslim Match (international) | 150,000 | Username, password, email, IP address, private messages between users, profile information | Hack | No |
| Planned Parenthood (Dubuque, Iowa) | 2,506 | Name, date of birth, address, insurance information, Social Security number, medical records | Unauthorized access | No |
| North Carolina State University | 38,000 | Name, address, university ID number, Social Security number | Phishing | No |
| DataDog (Amazon Web Services, Microsoft Windows Azure, Google Cloud Platform, Java) | Unknown | Login credentials | Unauthorized access | No |
| Omni Hotels | Unknown | Payment card data | Malware | No |
| The Federal Deposit Insurance Corporation (FDIC) | 44,000 individuals 30,715 banks 1,200 sensitive documents | Unknown | Malware | No |
| Kaiser Permanente (Northern California) | 1,100 | Medical records | Physical theft | No |
| Ubuntu | 2 million | Username, email address, IP address | Unauthorized access via security flaw | No |
| Beggars Group (Independent record label) | Unknown | Payment card data | Hack | No |
| Cici’s Pizza | Unknown | Payment card data | Malware | No |
| Clash of Kings (mobile game) | 1.6 million | Username, email address, IP address, Facebook data, password | Hack | No |
| Athens Orthopedic Clinic | 397,000 | Name, address, Social Security number, date of birth, telephone number, medical records | Unauthorized access through third-party vendor | No |
June 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Myspace (nationwide) | 360 million | Email address, password | Hack | No |
| Tumblr (nationwide) | 65 million | Email address, password | Hack | No |
| Cici’s Pizza | Unknown | Payment card data | Third-party breach | No |
| Milwaukee Bucks | Unknown | Employee W-2 data | Phishing scam: fake CEO email | Yes |
| Washington State Liquor and Cannabis Board | Unknown | Social Security number, driver’s license number, financial information, tax information, attorney-client privileged information | Human error | No |
| JTB Corporation (Japan) | 7.93 million | Name, address, email address, passport number | Phishing email/Human error | No |
| Sutter County Superior Courthouse (California) | Unknown | Social Security number, birthday, address, driver’s license number | Unauthorized access | No |
| VerticalScope (Canada) | 45 million | Username, user ID, email address, encrypted password, IP address | Hack | No |
| Vermont Department of Fish and Wildlife | 1.7 million | Name, address, license information | Unauthorized access | No |
| Acer | Unknown | Name, address, payment card number, card expiration date, CVV security code | Unauthorized access | No |
| SP+ Municipal Services (parking garages) | Unknown | Payment card data | Malware | No |
| Mercy Medical Center (California) | 520 | Medical records, name, date of birth, Social Security number, phone number, address | Insider third-party | No |
| Hard Rock Hotel & Casino (Las Vegas) | Unknown | Payment card data | Malware | No |
| Noodles & Company (Minnesota/Wisconsin) | Unknown | Payment card data | Malware | No |
| Massachusetts General Hospital (Dental practice) | 4,300 | Name, date of birth, Social Security number, medical records | Unauthorized access/third-party breach | No |
| Pandora Radio | Unknown | Password | Indirect hack | No |
May 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Kiddiecare (UK) | 794,000 | Name, address, phone number and email address | Human error | No |
| Brunswick Corp. (nationwide) | 13,000 | Employees’ W-2 forms | Phishing scam: fake CEO email | Yes |
| Poway Unified School District | 36,000 | Name, address, phone number, medical information, birth date, academic test results and occupation of parents | Human error | No |
April 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Minecraft Pocket Edition (nationwide) | 7 million | Username, email address and “weakly” encrypted passwords | Third-party breach (Lifeboat) | No |
| dōTERRA (nationwide) | Unknown | Name, Social Security number, payment card information, date of birth, postal and email address, telephone number, and username and password | Third-party breach | Yes |
| BeautifulPeople.com (nationwide) | 1.1 million | Name, password, dates of birth, email address, personal description, beauty rating, car ownership statuses, drinking habits, smoking habits, education levels, gender, location, home ownership status, income, IP address, job title, interests, physical attributes, sexual preferences and website activity | Hack | No |
| Voya Financial Advisors (nationwide) | Unknown | Name, address, date of birth, last four digits of the Social Security number, [driver’s license, passport or other government issued photo ID number], telephone number, email address, employer, account numbers and balances for various financial accounts, and other financial information such as income and net worth | Unauthorized access | Yes |
| Lucky Pet (nationwide) | Unknown | Name, address and payment card information | Third-party vulnerability | No |
| Naughty America and Suite 703 (nationwide) | 3.2 million | Emails, usernames, encrypted passwords, IP addresses and locations | Hack | No |
March 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Cox Communications (GA) | 40,000 | Employees’ names, email addresses, phone numbers and work-related data | Unknown | No |
| LAZ Parking (nationwide) | 14,000 | Employees’ W-2 forms | Phishing scam: fake CEO email | Yes |
| Sprouts Farmers Market (nationwide) | 20,000 | Employees’ W-2 forms | Phishing scam: fake CEO email | Yes |
| Seagate Technology (CA) | Unknown | Employees’ W-2 forms | Phishing scam: fake CEO email | Yes |
| Snapchat (CA) | Unknown | Employee payroll information | Phishing scam: fake CEO email | Yes |
| Rosen Hotels & Resorts (FL) | Unknown | Name, card number, expiration date and internal verification code | Malware | No |
| Barbara Ann Karmanos Cancer Center (MI) | 2000 | Name, hospital name, patient numbers, and physician | Human error | No |
| Turner Construction Company (nationwide) | Unknown | Employees’ names, Social Security numbers, state in which wages or taxes are reported, and federal, state, local and Medicare earnings and tax withholding data | Human error | Yes |
| 21st Century Oncology Holdings (nationwide) | 2.2 million | Patients’ names, Social Security numbers, physicians’ names, diagnosis and treatment information and insurance information. | Hack | Yes |
| 1-800-Flowers.com (nationwide) | 7,000 | Name, address, email address, payment card number, expiration date and CVV code | Hack | No |
| UC Berkley (CA) | 80,000 | The personal and financial information, including Social Security numbers, of students, alumni, current and former employees. | Hack | Yes |
| Ozaukee County (WI) | 190 | Employees’ and elected officials’ W2 and 1095 forms | Cracked password | Yes |
February 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| TaxSlayer (nationwide) | 9,000 | Name, address, Social Security number, dependents’ Social Security numbers and other data contained on your 2014 tax return | Unauthorized access | Yes |
| Gyft (nationwide) | Unknown | Name, contact information, birth date, gift card numbers and potentially account credentials | Unauthorized access | No |
| Apple Health (WA) | 91,000 | Date of birth, Social Security number, Apple Health client ID numbers and private health information | Employee theft | Yes |
| Radiology Regional Center (FL) | 480,000 | Name, Social Security number, address, phone number, financial information and medical data | Human error | Yes |
| Uknowkids.com (nationwide) | 1,700 | Childrens’ text messages, images, names, dates of birth, GPS information and social media account credentials | “Ethical” hack | No |
January 2016
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Time Warner Cable (nationwide) | 320,000 | Email addresses, passwords | Phishing or third-party breach | No |
| Indiana University Health Arnett (IN) | 30,000 | Patient names, dates of birth, phone number, medical record numbers, dates of services, diagnoses and treating physicians’ names. | Human error | No |
| TaxAct (nationwide) | 450 | Tax return information | Unknown | Yes |
| Northwest Territories Power Corporation (Canada) | Unknown | Customer names, meter addresses and account balances | Human error | No |
| Centene Corporation (nationwide) | 1 million Medicare recipients | Name, address, date of birth, Social Security number, member ID number, and health information | Human error | Yes |
| Wendy’s (nationwide) | Unknown | Payment card data | Unknown | No |
December 2015
| Company | # Breached | Information Exposed | Cause | Protective Services |
| VTech (worldwide) | 5 million | Parent’s name, email address, download history, password, mailing address; child’s name, gender, birthdate and uploaded pictures | Unauthorized access | No |
| Elephant Bar Restaurant (CA, CO AZ, MO, NM, FL) | Unknown | Name, payment card account number, card expiration date, and verification code | Malware | No |
| Middlesex Hospital (CT) | 900 | Name, address, date of birth, medical record number, medication, date of service and the date of diagnosis | Phishing | Yes |
| JD Wetherspoon (United Kingdom) | 650,000 | Name, email address, birth date; 100 customer payment cards | Hack | No |
| Optus (Australia) | 31,150 | Name, address, dates of birth, email, phone number, and history of debt collection | Human error | No |
| Swiss Cleaners (CT) | Unknown | Name, card number, expiration date, and a verification code | Malware | No |
| Unknown (nationwide) | 191 million voters | Names, addresses, phone numbers, birth dates, gender, ethnicity, date you registered to vote, party affiliation, National Do Not Call List status, absentee voter status and some email addresses | Unknown | No |
| Hyatt Hotels (nationwide) | Unknown | Payment card data | Malware | No |
| LiveStream (worldwide) | Unknown | Names, email addresses, encrypted passwords, birth dates and phone numbers | Unauthorized access | No |
| SanrioTown (worldwide) | 3.3 million | Names, birth dates, genders, countries of origin, email addresses, hashed passwords and forgotten password questions and answers | Unknown | No |
| HealthSouth Rehabilitation Hospital of Round Rock (TX) | 1359 | Names, addresses, birth dates, Social Security numbers, insurance IDs, phone numbers, diagnoses, referral IDs and medical record numbers | Theft | Yes |
| Oregon Department of Veterans’ Affairs (OR) | 967 | DD214 forms — including names, Social Security numbers and birth dates | Unknown | Yes |
November 2015
| Company | # Breached | Information Exposed | Cause | Protective Services |
| British Gas (United Kingdom) | 2,200 | Email addresses, passwords | Human error | No |
| TalkTalk (United Kingdom) | 28,000 | Names, email addresses, birth dates, phone numbers and limited payment card data | Hack | No |
| Vodafone (United Kingdom) | 2,000 | Names, phone numbers and limited bank account data | Hack | No |
| North Carolina Department of Health and Human Services (NC) | 1,615 | Name, address, Medicaid ID number, gender, race, ethnicity, provider name, provider ID number and insurance information | Human error | No |
| Muhlenberg Community Hospital (KY) | Unknown | Name, address, phone numbers, birthdate, Social Security number, driver’s license/state identification number, medical and health plan information | Malware | Yes |
| University of Cincinnati Health (OH) | 1000 | Names, birth dates, personal health information and some Social Security numbers | Human error | No |
| Georgia Secretary of State Election Office (GA) | 6 million | Voter information, Social Security numbers, dates of birth and driver’s license numbers | Human error | No |
| Starwood Hotels and Resorts (nationwide) | Unknown | Name, payment card number, expiration date and security code | Malware | Yes |
| Hilton Worldwide (nationwide) | Unknown | Names, payment card numbers, security codes and expiration dates | Malware | Yes |
October 2015
| Company | # Breached | Information Exposed | Cause | Protective Services |
| T-Mobile/ Experian (Nationwide) | 15 million | Names, addresses, birth dates, Social Security numbers, driver’s license numbers and passport numbers | Hack | Yes |
| Hilton Worldwide (Nationwide) | Unknown | Payment card data | Malware | Yes |
| Scottrade (Nationwide) | 4.6 million | Names, addresses and possibly Social Security numbers | Hack | No |
| Patreon (Nationwide) | 2.3 million | Usernames, emails, encrypted passwords and addresses along with 14 GB of website code and other data. | Hack | No |
| CarePlus Health Plans (FL) | 1, 400 | Names, addresses, and CarePlus identification numbers. | Human error | No |
| Affinity Health Plan (nationwide) | Unknown | Child’s name, address and member identification number | Human error | No |
| Barrington Orthopedic Specialists (IL) | 1, 009 | Patient names, dates of birth and EMG results and reports | Theft | No |
| Blue Cross and Blue Shield of North Carolina (NC) | 2, 300 individuals | Some individuals had their names, addresses, internal BCBSNC account numbers, group numbers, coverage dates and premium amounts exposed. Others had their type of health plan, health insurance marketplace identification number, payment amounts, telephone number and payment identification numbers exposed. | Human error | No |
| American Thrift Store (AL, GA, LA, MS, TN) | Unknown | Card numbers and expiration dates | Malware | No |
| Dow Jones (nationwide) | 3, 500 | Payment card and contact information | Hack | No |
| Uber (nationwide) | 1,000 | High-quality photocopies of drivers’ licenses, W-9 tax forms, insurance certificate, commercial vehicle registration and other personally identifiable information. | System glitch | No |
September 2015
| Company | # Breached | Information Exposed | Cause | Protective Services |
| Utah Food Bank (UT) | 10,385 | Donors’ names, addresses, email addresses, payment card numbers, CVC codes and expiration dates. | Unauthorized access | Yes |
| The Brunswick Hotel & Tavern (Nationwide) | 2,600 | Names and payment card information | Malware | Yes |
| Heritage Foundation (Nationwide) | Unknown | Donor information | Hack | No |
| ReverbNation (Nationwide) | 3.8 million | E-mail addresses and encrypted passwords; possibly names, addresses, phone numbers, and/or dates of birth | Third party compromise | No |
| Hawaii First Federal Credit Union (HI) | Unknown | Names, addresses, Social Security numbers and bank account numbers. | Unauthorized access | Yes |
| We End Violence (CA) | 80,000 | Usernames, passwords, email addresses, gender, race relationship status and other private details | Hack | No |
| Excellus BlueCross BlueShield (NY) | 10.5 million | Names, addresses, telephone numbers, Social Security numbers, financial account information and in some cases sensitive medical data | Hack | Yes |
| Charlotte-Mecklenburg Schools (NC) | 7,000 job applicants | Names, addresses and Social Security numbers | Unauthorized access | No |
| Oakland Family Services (MI) | 16,000 | Names, addresses, telephone numbers, dates of birth, internal client ID numbers, health plan ID numbers, insurance numbers, dates of services, programs and types of services, and diagnoses. Social Security numbers were exposed for 173 clients. | Phishing | Yes, for those with exposed SSNs. |
August 2015
| Company | #Breached | Information Exposed | Cause | Protection Services |
|---|---|---|---|---|
| Illinois Department of Corrections | 1,000 employees | Names, ranks, salaries, job duties, and Social Security numbers. | Unknown | No |
| Carphone Warehouse | 2.4 million | Names, addresses, dates of birth, unencrypted bank details and encrypted credit card data | Hack | No |
| University of Rhode Island | 3,000 | Email addresses and passwords | Hack | No |
| Web.com | 93,000 | Names and addresses, and credit card information. (Card validation codes were not compromised.) | Hack | Yes |
| Totally Promotional | 14 clients in New Hampshire, undisclosed nationwide | Names, mailing and email addresses, payment card data (number, expiration date, and verification code). | Malware | No |
| Katy Independent School District | 11,658 current and former employees | Names, mailing addresses, dates of birth, and Social Security numbers. | Third-party error | Yes |
| Colorado’s Office of Information Technology | 3,000 residents | Names, addresses, state identification numbers, Medicaid information, names of family members, employer information, income, limited tax data, and some Social Security numbers. | Employee error | Yes |
| GoMohu.com | 2,500 | Names, addresses, email addresses, phone numbers and payment card information (number, expiration data and CVV code). | Malware | Yes |
| University of Connecticut School of Engineering | 200 research sponsors, 1,800 Lync users and unknown number of individuals | Exposure varies; leaked data could include login credentials, payment card information and Social Security numbers | Malware | Yes |
July 2015
| Company | #Breached | Information Exposed | Cause | Protective Services |
|---|---|---|---|---|
| Planned Parenthood | Unknown | Emails, salted passwords, employee information | Hack | No |
| Breakwater Beach | Unknown | Photocopied Social Security cards, driver’s licenses, birth certificates, passports, student IDs, tax forms, seasonal work agreements, minor consent forms and employment eligibility forms. | Employee error | No |
| Ashley Madison | Unknown | Users’ names, addresses, payment card transactions and relationship fantasies; employees network account information, emails and documents; and the company’s bank account data and salary information. | Hack | No |
| Walmart Canada | 60,000 | Payment card information | Third Party Data Breach | No |
| UCLA Health Systems | 4.5 million | names, dates of birth, Social Security numbers, Medicare and health plan identification numbers and medical data of patients | Hack | Yes |
| CVS Photo | Unknown | Payment card information | Third Party Data Breach | No |
| Army National Guard | Unknown | Social Security Numbers, dates of birth, and home addresses | Employee error | No |
| Medical Informatics Engineering | 3.9 million | Name, address, phone number, birth date, Social Security number, and health insurance policy and coverage information. | Hack | Yes |
| Department of Human Services Division of Aging Services | 9,500 | Names and medical information | Employee error | No |
| Hanesbrands | 900,000 | Name, phone number, address and the last four digits of payment cards | Hack | No |
| Service Systems Associates | Nine zoos | Payment card information | Malware | No |
| The Trump Hotel Collection | Unknown | Payment card information | Hack | No |
| Meritus Medical Center | 1,029 patients | Names, dates of birth, ages, genders, medical record numbers, and treatments and/or diagnosis information, health insurance information and Social Security numbers | Employee theft | No |
| FireKeepers Casino | 85,000 | Payment card information | Hack | Yes |
June 2015
| Company | #Breached | Information Exposed | Cause | Protection Services Offered? |
|---|---|---|---|---|
| Woolworth | Over $1 million worth of e-gift cards | Names, emails and e-gift codes | Email error | No |
| U.S. Federal Government Office of Personnel Management | 21.5 million | Employee background checks | Hack | Yes |
| Fred’s Inc. | 650 stores impacted | Payment card information | Malware | No |
| Missing Link Networks Inc. | Unknown | Names, dates of birth, payment card numbers and billing address. | Malware | No |
| UC Irvine Medical Center | 4,859 | Patient names, dates of birth, addresses, employment status, health plan information, diagnoses, medical tests and prescriptions | Employee theft | No |
| Montefiore Medical Center | 12,517 | Patient names, addresses, dates of birth, Social Security numbers, next of kin information and health insurance details | Employee theft | Yes |
| Hershey Park | Unknown | Payment card information | Unauthorized access | No |
| University of Minnesota | 24 professors | Unknown | Unknown |
May 2015
| Company | #Breached | Information Exposed | Cause | Protection Services Offered? |
|---|---|---|---|---|
| Harbortouch Point-of-Sale Systems | 4,200 businesses | Customer payment card information | Malware | No |
| UC Berkeley | 260 students and individuals | Social Security and bank account numbers | Unauthorized access | Yes |
| Hard Rock Hotel & Casino | Unknown | Payment card information | Malware | No |
| Sally Beauty Inc. | Unknown | Payment card information | Unknown | No |
| St. Louis Federal Reserve | Unknown | Online banking credentials | Domain Name System Hijacking | No |
| Chicago Public Schools | 4,000 | Names, addresses, medical information and student ID numbers | Human error | No |
| Adult Friend Finder | 4 million | Users’ dating information, email addresses, usernames, dates of birth and zip codes. | Hack | No |
| Consolidated Tribal Health Project | Unknown | Names, date of birth, addresses, financial information, health insurance information, medical information and Social Security numbers. | Employee theft | Yes |
| CareFirst Blue Cross Blue Shield | 1.1 million | Names, email addresses, birthdates, usernames and subscriber numbers. | Hack | Yes |
April 2015
| Company | #Breached | Information Exposed | Cause | Protection Services Offered? |
|---|---|---|---|---|
| Biggby Coffee | Unknown | Name, address, phone number, email address, employment history | Hack | No |
| Send Grid | Unknown | Usernames, email addresses and passwords | Hack | No |
| Intermedix | 750 | Name, date of birth, Social Security number, name of insurance company, balance owed on the patient’s account in 2012, and record identifier. | Employee Theft | Yes |
| Life Care Center of Attleboro | Unknown | Names, addresses, Social Security numbers, dates of birth, diagnoses, and other medical status, assessment information and possibly financial information. | Human Error | Yes |
| White Lodging Services Corporation | Unknown | Payment card information used at food and beverage retailers | Malware | No |
| HSBC | 685 in New Hampshire, unknown elsewhere | Current and former mortgage customers’ names, Social Security numbers, account information, and phone numbers | Human Error | Yes |
March 2015
| Company | #Breached | Information Exposed | Cause | Protection Services Offered? |
|---|---|---|---|---|
| Permera Blue Cross | 11 million | Name, address, email address, telephone number, date of birth, Social Security number, member identification number, medical claims information and in some cases, bank account information | Hack | Yes |
| Advantage Dental | 150,000 | Names, Social Security numbers, birthdates, phone numbers and home addresses | Malware | Yes |
| Mandarin Oriental Hotels | Unknown | Payment card information | Malware | No |
| Hilton Honors | Unknown | Hilton Honors points, travel history, email address, physical address and the last four digits of payment card | Vulnerability | No |
| Twitch | Unknown | Usernames, names, birth dates, email addresses, phone numbers, address and limited credit card information (card type, truncated card number and expiration date). | Hack | No |
| Natural Grocers | Unknown | Customer payment card information (but no PINs) | Database attack | No |
| Uber | 50,000 drivers | Names and Drivers’ License numbers | Unauthorized access | Yes |
| Slack | Unknown | Usernames, email addresses, and Skype IDs | Hack | No |
| British Airways | Unknown | Executive Account information | Hack | No |
| Associated Dental | 500 | Addresses, birth dates, names, and Social Security numbers | Theft |
February 2015
| Company | #Breached | Information Exposed | Cause | Protection Services Offered? |
|---|---|---|---|---|
| Anthem | 80 million | Names, birthdates, addresses, email addresses, health IDs, employment information, income data and Social Security numbers. | Hack | Yes |
January 2015
| Company | #Breached | Information Exposed | Cause | Protection Services Offered? |
|---|---|---|---|---|
| Chick-fil-A | Unknown | Payment card information | Unknown | Yes |
| Starwood Hotels & Resorts | Unknown | Starwood Preferred Guest loyalty accounts | Reused login credentials | No |
| Metropolitan State University | Unknown | Employees’ Social Security numbers and personal information of students, staff and faculty. | Unknown | No |
December 2014
| Company | #Breached | Information Exposed | Cause | Protection Services Offered? |
|---|---|---|---|---|
| SP+ | Unknown, but 17 facilities were impacted | Debit and credit card information | Malware | No |
| Shutterfly (Treat, Tiny Print, and Wedding Paper Divas) | Unknown | Email addresses and passwords | Hack | No |
| Bebe Stores Inc. | Unknown | Credit and debit card information | Malware | Yes |
| Sony Pictures | 30,000 Sony and Deloitte employees | Employees: salaries, gender, race, possibly Social Security Numbers. Corporate: unreleased movies, company passwords | Hack | No |
| Visionworks | 75,000 | Partially encrypted health information and encrypted credit card information | Human error | No |
| Prince George’s County Public Schools | 10,000 | Social Security numbers, dates of birth and employee identification numbers | Human error | No |
| St. Louis Parking Company | Unknown | Credit and debit card information | Cyber attack | No |
| University of California, Berkeley | 1,600 | Social Security numbers, credit card numbers and drivers’ licenses | Compromised server | Yes |
| Sands Casino | Unknown, employees and guests | Social Security numbers, bank account information and drivers’ licenses | Cyber attack | Yes |
| Independence Blue Cross | 12,500 | Names, addresses, member identification numbers, healthcare plans and members’ group numbers. 8,800 Social Security numbers were also released. | Employee error | Yes, to those who had their SSN exposed. |
November 2014
| Company | #Breached | Information Exposed | Cause | Protection Services Offered? |
|---|---|---|---|---|
| Arizona State Retirement System | 44,000 | Names, Social Security numbers | Unsecure storage | Yes |
| Cape May-Lewes Ferry | 60,000 | Payment card details | malware | Yes |
| USPS | 800,000 employees and 2.9 million customers | Employees: names, dates of birth, Social Security numbers, addresses, dates of employment and other information. Customers: names, home addresses, phone numbers and email addresses. | Hack | Yes, for employees and retirees. |
| Staples | 1.6 million payment cards | Cardholder names, payment card numbers, expiration dates and card verification codes | Malware | Yes |
| Home Depot (update) | 53 million | Email addresses | Hack | Yes |
October 2014
| Company | #Breached | Information Exposed | Cause |
|---|---|---|---|
| MBIA | Unknown | Usernames, passwords, account numbers and balances | Hack |
| JPMorgan | 76 million households, 7 million small business accounts | Names, phone numbers, internal categories (auto, home), addresses and email addresses | Hack |
| Kmart | Unknown | Credit and debit card numbers | Malware |
| Goodwill (update) | 868,000 | Credit and debit card numbers | Malware |
| Telecom | 305,000 | Social Security numbers, names, addresses, driver’s license numbers and phone numbers | Unsecure storage |
| YourTel America | 305,000 | Social Security numbers, names, addresses, driver’s license numbers and phone numbers | Unsecure storage |
September 2014
| Company | #Breached | Information Exposed | Cause |
|---|---|---|---|
| County of Hertford | Unknown | Social Security numbers of delinquent tax payers | Employee error |
| Signature Systems | 108 customers | Payment card details | Malware |
| Viator | 1.4 million | Payment card details, email addresses, passwords and Viator “nicknames” | Hack |
| Supervalu | Unknown | Unknown | Malware |
| Bexar County Sheriff’s Office | 100 | Employee information | Unknown Vulnerability |
| American Family Care | 2,500 | Work-related injuries, physicals, immunizations, drug screens and possibly Social Security numbers. | Stolen laptop |
| Cox Communications | 52 | Names, addresses, email addresses, Secret Questions/Answers, PINs, (in some cases) the last four digits of Social Security numbers or driver’s licenses. | Hack |
August 2014
| Company | # Breached | Information Exposed | Cause |
|---|---|---|---|
| MailPoet | Potentially 1.7 million users | Any information stored within a compromised user’s website. Access to these users’ sites enables hackers to upload files to the webserver and disseminate phishing scams and malware. | Vulnerability/bug in the plugin. |
| TotalBank | 72,000 customers | Names, addresses, account numbers, and account balances, as well as personal identification numbers, which could be Social Security numbers, driver’s license numbers, passport numbers, and alien registration numbers. | Unauthorized system access. |
| Duke University Health System | Unknown | Names, medical record numbers, physician names, and Duke University hospital locations visited (in some cases). | Theft |
| StubHub | Over 1,600 users | Users’ accounts hacked to fraudulently purchase $1 million in tickets | Russian and American hackers breached StubHub accounts. |
| CVS Caremark | 350 customers | Names and full lists of medications. | Programming error |
| Jimmy John’s | Unknown from 43 states | Possibly credit/debit card information | Payment system hack |
| Backcounty Gear | Unknown | Names, addresses, purchase information, and credit and debit card numbers. | Malware |
| Seattle University | Unknown | Names, bank routing numbers, and checking account numbers. | Incorrect permission setting. |
| Bartell Hotels | 40,000-45,000 | Names and credit card numbers | Hack |
| California State University | 6,036 | Names, addresses, birthdates, and Social Security numbers | Hack |
| Hermann Health Systems | 10,604 | Names, addresses, medical record numbers, birthdates, health insurance information, and Social Security numbers (in some cases). | Employee theft |
| AltaMed Health Services | 2,995 | Names, addresses, birthdates, email addresses, telephone numbers, Social Security numbers, provider information, and insurance information | Employee theft |
| Goodwill Industries | Unknown, customers from 21 states | Credit/debit card information | A payment system hack dating back to mid-2013 |
| Dairy Queen | Unknown | Possibly credit/debit card information | Malware |
| The Home Depot | Unknown, all U.S. and Canada stores breached. | Credit/debit card information, zip codes | Malware |
| UPS | Unknown, 51 stores | Credit/debit card information | Malware |
| Various websites | 1.2 billion users | Login credentials from 420,000 websites. | Hack |
July 2014
| Company | # Breached | Information Exposed | Cause |
| BlueShield of California | 18,000 customers | Names, Social Security numbers, business addresses, business telephone numbers, medical groups, and practice areas. | Employee error |
| The Houstonian Hotel | Unknown/10,000 customers notified | Credit/debit card information | Malicious software attack |
| Penn State College of Medicine | 1,176 alumni | Social Security numbers | Malware |
| Jersey City Medical Center | 1,400 | Medical and health insurance information | Human error |
June 2014
| Company | # Breached | Information Exposed | Cause |
|---|---|---|---|
| NRAD Medical Associates | 97,000 | Social Security numbers and health insurance information | Former Employee Theft |
| Butler University | About 163,000 employees and students | Names, dates of birth, Social Security numbers, and bank account information. | Hack |
| Multi-State Billing Services | Nearly 3,500 students | Medicaid identification numbers and Social Security numbers. | Stolen Laptop |
| Stanford Federal Credit Union | About 18,000 | Names, addresses, member numbers, tax identification numbers, loan offers, and credit information. | Employee Error |
| AT&T | Unknown | Social Security numbers and call records were stolen. | Third-Party Unauthorized Access |
| P.F. Chang’s China Bistro | 7 million customers | Credit and debit card numbers were stolen. | Hack |
| Montana Health Department | 1.3 million citizens | Social Security numbers, bank account information, names, addresses, dates of birth, and medical records | Hack |
| Buffalo Heart Group | 600 | Names, date of birth, phone number, addresses, appointment schedule, and billing information. | Third-party theft |
| New York City Health and Hospitals Corporation | 90,000 | Names, birth dates, addresses, phone numbers, medical information, health insurance information, treatment date, services provided, and Social Security numbers. | Employee theft |
| Utility Recovery Group | Unknown | Names, birth dates, addresses, phone numbers, medical information, health insurance information, and Social Security numbers. | Employee theft |
April 2014
| Company | # Breached | Information Exposed | Cause of Breach |
| Kaiser Permanente | 5,100 | Involved patients participating in specific research studies and may have compromised their names, birth dates, medical record numbers, lab results associated with research, addresses and additional medical research data | Malicious Software |
| The Rochester Housing Authority | 180 | Names and Social Security numbers | Employee error |
| Iowa State University | 18,949 | Student ID numbers | Hack |
| Iowa State University | 29,780 | Social Security numbers | Hack |
| LaCie | Unknown | Customers’ names, addresses, email addresses, and payment card numbers and card expiration dates. LaCie website user names and passwords could also have been accessed | Hack |
| EveryChild, Inc | 2,934 | Patients’ birthdates, Social Security numbers, Medicaid numbers, photos and other health information | Stolen computers |
| University Urology, Knoxville,Tenn | 1,144 | Patient names and addresses | Employee theft |
| Veterans of Foreign Wars | 55,000 | Names, addresses, and Social Security numbers | Hack |
| BigMoneyJobs.com | 36,800 | Full names, home addresses, phone numbers, email addresses, website registration information, and plaintext passwords | Hack |
| Deltek Inc. | 80,000 | Payment card information | Hack |
| Boxee TV | 158,128 | Names, e-mail addresses, message histories, and partially protected login credentials | Hack |
| Sutherland Healthcare Solutions | 338,700 | Patients’ first and last names, Social Security numbers and certain medical and billing information. Birth dates, addresses and medical diagnoses may also have been included | Stolen computers |
| MDCH | 2,595 | Names and addresses, and for some individuals, dates of birth. Of those, 1,539 records also included either a Social Security number or a Medicaid identification number. | Stolen Laptop and drive |
| Palomar Health | 5,000 | Patients’ names, dates of birth, diagnoses, insurance carriers and other treatment-related information. It also included 36 patients’ Medicare identification numbers, | Stolen Laptop and drive |
| Specs | 8,900 | Employee names, addresses, phone numbers and Social Security numbers | Hack |
| Specs | 550,000 | Bank routing numbers, card security codes, and other payment card and check information. | Hack |
March 2014
| Company | # Breached | Information Exposed | Cause of Breach |
| Boston Medical Center | 15,000 | Patients’ names, addresses, and medical information, including what drugs they were taking, but did not include Social Security numbers or financial information | Vendor error |
| UPMC | 322 | Names, home addresses, Social Security numbers, wage information, birth dates and bank account and routing numbers | Property theft |
| Statista | 50,000 | Email addresses and passwords | Hack |
| Smuckers Online Store | Unknown | Customer name, address, email address, phone, credit or debit card number, expiration date, and verification code. | Hack |
| Sands, Bethlehem Casino | Unknown | Credit card information or bank account information, as well as Social Security numbers, driver’s license numbers, and other confidential information used to initiate a line of credit, for tax reporting purposes or for gaming. | Hack |
| Sands Casino | Unknown | Credit card information or bank account information, as well as Social Security Numbers, driver’s license numbers and other confidential information used to initiate a line of credit for tax reporting purposes or for gaming | Hack |
| Sally Beauty | 25,000 | Payment card data | Hack |
| North Dakota University | 300,000 | Names and Social Security numbers | Hack |
| Comixology | Unkown | Usernames, emails and encrypted passwords | Hack |
| Valley View Hospital | 5,400 | Names, addresses, and in some cases credit card numbers, bank account numbers, Social Security numbers and phone numbers | Hack |
| Service Coordination Inc | 9,700 | Social Security numbers and medical information | Hack |
| Johns Hopkins University | 1,307 | Names, email addresses and phone numbers | Hack |
| Assisted Living Concepts | 43,600 | Names, address, birth dates, Social Security numbers and pay information of current and former employees | Hack |
| Healthsource of Ohio | 8,800 | Patients’ dates of birth, Social Security numbers, credit card numbers and some healthcare information | Hack |
| Syracuse Retired Police Officers Association | 300 | Names, addresses and Social Security numbers | Employee error |
| Richmond Fire Department | 400 | Names, Social Security numbers | Employee error |
| IRS | 20,000 | Names, Social Security numbers and addresses of employees | Employee error |
| NYC MTA | 15,000 | Social Security numbers, dates of birth, earnings information and other data. | Employee error |
| City of Detroit | 1,700 | Names, birth dates and Social Security Numbers for the current and former employees | Employee error |
| LA County Public County Health | 168,500 | Patients’ names, medical and billing information and Social Security numbers | Computer theft |
| University of California, San Francisco | 10,000 | Names, dates of birth, mailing addresses, medical record numbers, health insurance ID numbers, and driver’s license numbers | Computer theft |
| Indiana University | 146,000 | Names, addresses and Social Security numbers of students and recent graduates who attended the university on any campus from 2011 to 2014 was unsecured for more than 11 months | Exposed Database |
February 2014
| Company | # Breached | Information Exposed | Cause of Breach |
| Indiana University | 146,000 | Student names, Social Security numbers and addresses | Employee Error |
| Arizona Pension System | 52,000 | Names, e-mail addresses, Social Security numbers and addresses of members | Employee Theft |
| University of Maryland | 309,079 | Names, Social Security numbers, date of birth, and University identification numbers | Hacker |
| Forbes | 1,056,986 | Unique emails addresses and accounts, educational accounts (.EDU)Forbes.com based emails including administrators accounts | Hacker (SEA) |
| Kickstarter | Unknown | User names, email addresses, mailing addresses, phone numbers and encrypted passwords | Hacker |
| White Lodging | Unknown: 14 different hotels involved | Names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates | Hacker |
| St. Joseph Health System | 405,000 | Patient names, birth dates, Social Security numbers, possibly addresses. Medical information for patients was accessible, as well as bank information for current and former employees. | Hacker |
| Yahoo Mail | Unknown | Usernames and passwords | Hacker |
| Midland Independent School District | 14,000 | Birthdates, Social Security numbers of all current students from seventh grade through high school seniors, along with graduates dating to the class of 2008 | Stolen Laptop and Hard Drive |
| Easter Seals | 3,026 | Date of birth, health care provider information, patient identification number, health care billing information and therapy notes | Stolen Laptop |
January 2014
| Company | # Breached | Information Exposed | Cause of Breach |
| Snapchat | 4.6 Million users | User Names and Phone Numbers | Hackers |
| Target | Additional 70 Million | Names, Mailing addresses, Phone Numbers or email addresses | Hackers |
| Neiman Marcus | 1.1 Million | Credit and Debit Cards | Hackers |
| Riverside Healthcare | 919 | Patient Records | Insider Theft |
| NORCOM | 6,000 | Patient Records Fulltime and Volunteer Firefighter personnel Data | Hackers |
| PPMH | 6,700 | SSN’s DOB Diagnosis Info | PC Theft |
| NMOHC | 12,354 | Names DOB Medical and Insurance information | Laptop Theft |
| DEW | 4,658 | SSN DOB | Insider Theft |