The 15 Most Massive Data Breaches in History

Updated: November 12, 2009

 

If you're an organ donor, a welfare recipient, a student, an employee, a patient or if you do business or have an account virtually anywhere, your personal data is entrusted in the hands of strangers. These strangers have an obligation to keep information such as your date of birth, full name, address, Social Security number, phone numbers, medical records, employee records and banking information safe and confidential. However, through weak security on computer networks, theft and loss of laptops and employee negligence, much of your information can be exposed or fall into the hands of identity thieves through data breaches. Here are 15 of the largest data breaches in history in chronological order. If you have never been affected by a data breach, congratulations, you have been lucky so far as more than 340,102,273 records containing sensitive personal information have been breached just in the U.S. since January 2005.

Citigroup Loses Data of 3.9 Million Customers

 

On June 6, 2005, Citigroup announced that tapes containing personal data of 3.9 million consumer lending customers of its CitiFinancial subsidiary had been lost by UPS. Approximately 50,000 of the records belonged to customers who had closed their accounts, with the rest being active consumer accounts. The tapes were being shipped to a credit bureau in Texas when they were lost by UPS. The Social Security numbers, names, account history and loan information of the former and current customers. UPS claimed there seemed to be no indication of theft or fraudulent activity and Citigroup informed customers that there was "little risk" of accounts being compromised. The data was never recovered.

40 Million Visa, Mastercard and American Express Records Hacked

 

On June 19, 2005, CardSystems Solutions announced that 40 million debit and credit card numbers had been compromised in a successful hacking attempt using a malicious script. According to Visa, the network that was hacked had been certified secure based on an industry standard developed by none other than Mastercard and Visa. An investigation following the massive data breach revealed that the network was not compliant with the self-developed industry standards of security. Visa spokesperson Rosetta Jones threw CardSystems Solutions under the bus by saying, "Had they been following the rules and requirements, they would not have been compromised."

26.5 Million Records Stolen From US Dept of Veteran Affairs

 

In May 2006, an employee of the US Department of Veteran Affairs took a laptop home without authorization from the department. The laptop and the sensitive personal data of 26.5 million people who were discharged from the US military since 1975 it contained, were stolen during a burglary at the employee's home. Included in the data was veterans' names, Social Security numbers and dates of birth. In some cases, the same information was included for the veterans' wives. The department vowed to send a letter to every veteran affected in the breach "to the extent possible."

AOL Posts 20 Million User Searches

 

AOL inadvertently made public 20 million keyword searches made by hundreds of thousands of its users between March and May of 2006. On August 7, 2006, the company issued an apology, saying it was a mistake and no personally identifiable information had been made available. However, Michael Arrington, the editor of TechCrunch, reviewed the data and found that it contained credit card numbers, Social Security card numbers, names and addresses. All of the exposed data was that of AOL users in the U.S.

Unauthorized Intrusion at TJX Companies Inc. Exposes Over 100 Million Records

 

TJX Companies Inc. owns and operates TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMAxx and other off-retail outlets in the US, UK, Ireland, Canada and Puerto Rico. On Jan 17, 2007 TJX announced it had experienced an "unauthorized intrusion" into its computer systems. Initially the company claimed the security breach took place from May 2006 to January 2007. It later conceded that the system was also likely hacked multiple times beginning in July 2005. TJX had used an outdated wireless security encryption system and had failed to install firewalls and data encryption, so the theives were easily able to access streaming personal data as it was scanned. A month before the breach was discovered, information stolen from TJX was used in an $8 million gift card scam. As the story of this historically huge data breach unfolded, the numbers continued to grow. All told, it is believed that more than 100 million records including private and sensitive data were stolen in the breach. The ringleader of the theft operation was sentenced to five years in prison and ordered to pay nearly $600,000 in restitution.

8.6 Million Records Stolen From Dai Nippon Printing Company

 

A former contractor of Dai Nippon Printing Company in Tokyo, Japan stole 8.6 million records containing the personal data of customers of 43 of the company's clients. The company announced this data breach on March 12, 2007. The stolen data included the names, addresses and credit card numbers of people who were targeted for direct marketing. In the US, customers of American Home Assurance Co. and Toyota Motor were affected in the breach.

8.5 Million Records Stolen From Fidelity National Information Services

 

On July 3, 2007 an employee at Certegy Check Services, a subsidiary of Fidelity National Information Services, stole 8.5 million customer records, which included credit card and banking information and other personal information. A class action lawsuit was filed against Fidelity and one of its subsidiaries, charging the companies with negligence in connection with the data breach. The employee, a former database analyst at Certegy Check Services Inc. agreed to plead guilty to federal fraud charges and was sentenced to four years and nine months in prison and ordered to pay a $3.2 million fine. On July 7, 2008, a class action settlement entitled each person whose financial information was stolen to up to $20,000 for unreimbursed identity theft losses.

6.3 Million Data Files Stolen From TD Ameritrade Holding Corp.

 

When one of TD Ameritrade's databases was hacked in 2007, the thief was able to gain access to more than 6.3 million customer data files. The company announced that the data stolen included names, e-mail addresses, phone numbers and home addresses but no Social Security numbers. Those affected by this data breach began receiving e-mail spam shortly after the theft and on September 14, 2007 Ameritrade sent a mass e-mail to customers conceding that Social Security numbers had been accessed in the breach. On October 27, 2009, TD Ameritrade seemed to be close to a settlement with those affected by the data theft. However, the federal judge overseeing the case rejected the proposed settlement, saying it provided "no discernible benefit to the victims," so it's back to the drawing board for Ameritrade to try to come up with a new offer that won't insult the victims or the court.

25 Million Child Benefit Records Missing From HM Revenue and Customs

 

In the UK, two password-protected CDs containing the names, birth dates and National Insurance numbers of 25 million children, parents, guardians and caregivers contained in the HM Revenue and Customs child benefit database were lost on October 18, 2007. However, the missing CDs were not reported to the senior management at HM Revenue and Customs until November 8, 2007. Chancellor of the Exchequer Alistair Darling was notified of the loss on November 10, 2007 and the public was notified on November 22, 2007. Darling said the reason for the delay in notifying those who may be affected was necessary to allow the banks time to locate any potentially affected accounts and monitor them for unusual activity.

40 Million Credit Card Records Stolen From Hannaford Brothers Supermarkets

 

In March 2008, Hannaford Brothers supermarket chain disclosed it had suffered a data breach involving credit and debit card transactions at its stores. Malware was loaded onto the Hannaford servers and allowed hackers to intercept the card data as customers swiped them at checkout counters. The 40 million stolen credit card numbers and expiration dates were transferred overseas and resulted in at least 2,000 cases of credit card fraud.

Data of 11 Million GS Caltex Customers Leaked

 

The personal data of 11.1 million GS Caltex customers was found on two discs that were discovered lying in the street in September 2008. GS Caltex is one of the country's largest oil refineries. The DVD and CD that were found were believed to have been thrown in the trash and contained the names, Social Security numbers, addresses, cell phone numbers, e-mail addresses and workplaces of customers. GS Caltex announced there had been no trace of any hacking and the data stored on the discs could not be used to make any purchases. Identity theft is perhaps another story.

5 Million Customer Records Compromised at CheckFree Corp.

 

A data breach involving approximately 5 million customer records occurred when hackers took control of several Internet domains owned by CheckFree Corp. Malicious software installed on the server redirected traffic to a site hosted in the Ukraine. Since the company actually lost control of their domains, the actual size of the breach remains a mystery, but all 5 million consumers were notified in January 2009.

134 Million Records Compromised by Heartland Payment Systems

 

On Jan 20, 2009, New Jersey-based credit and debit processing and check management services Heartland Payment Systems announced that 134 million credit card records had been compromised as a result of a global fraud operation. Computer forensics analysis found that the Heartland network was infected with several instances of malicious software and cardholder data, including names and credit card numbers were stolen. The company says it is not taking more precautions to prevent data breaches in the future. Two Russian men and one Florida man were charged with the hacking of Hannaford Brothers Supermarkets and Heartland Payment Systems.

76 Million US Military Veterans' Records Compromised

 

The Inspector General of the National Archives and Records Administration is currently investigating a huge data breach involving millions of US veterans. The agency sent a defective hard drive back to a vendor for repair and recycling, but failed to destroy the data on the hard drive before sending. The defective drive was one of six drives in a RAID array containing an Oracle database that holds the personal data of 76 million veterans. The data on the drive potentially contains Social Security numbers of veterans dating back to 1972.

Related Categories
Featured Research
  • Securing Enterprise Information Technology

    In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more

  • Office365 Adoption eGuide

    Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more

  • Okta Directory Integration

    For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more

  • Top 8 Identity and Access Management Challenges with Your SaaS Applications

    With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more

  • Better BYOD with Pulse Secure and MDM Partners

    Learn how Pulse Secure and leading MDM product partners are transforming the way employees and IT benefit from the productivity and flexibility of BYOD — without compromising security or increasing management complexity. more