Data Breaches
Privacy Rights Clearinghouse brings together publicly reported data breach notifications from across U.S. government agencies into a single, searchable database. Explore our interactive visualizations or purchase the full dataset. Have questions? Check our FAQ below.
The Data Breach Chronology
Search our entire database, or keep an eye on the most recent reported breaches. Every breach in our database, at your fingertips. By clicking on "More Information" you can find details about any breach and a link to the original notification.
Mapping Data Breaches
Data breaches affect organizations and individuals across every state in the U.S. This map shows reported breaches by state (darker red indicating higher numbers) and, where possible, concentrations by zip code. Tracking the true geographic scope of data breaches remains challenging - in most cases, neither notification letters nor agency reports reveal where breaches actually occurred. Even in our massive database we can only pinpoint specific locations for a small fraction of incidents.
Two Decades of Data Breaches
The first data breach notification law in the country was passed in California in 2002, but it took until 2018 for the rest of the country to fully catch up - and the level of coverage still varies considerably across the country. Today, while every state requires breach reporting, only 14 make these reports publicly available.
Who and How?
The Data Breach Chronology analyzes each notification across multiple dimensions, including the type of organization affected—from BSF for financial services to MED for healthcare providers—and the method of breach—such as HACK for cyber attacks or PORT for portable device breaches. The high number of "UNKN" classifications reflects a common challenge in breach reporting: notifications often lack sufficient detail to determine an organization's primary function or the specific method of breach. For complete descriptions of our classification system, see our FAQ.
Community-Funded Research Access
Every purchase from our community enables us to provide free access to researchers working on privacy protection. For every community supporter who purchases access, we're able to provide complimentary access to nearly two additional researchers.
This sustainable model ensures the Data Breach Chronology remains accessible to educators, privacy advocates, and academic institutions while maintaining the quality and comprehensiveness of our research resource.
Download Options
You can download the database and support this project with your purchase.
Try a sample in your preferred format:
- Download SQLite sample (.db file, recommended)
- Download Excel sample (.xlsx file)
- Download CSV sample (.csv file)
See our README for documentation.
We offer flexible pricing options for individual researchers and organizations, with substantial academic discounts. Choose from individual researcher access for personal projects, or a multi-user license for classroom and organisational access for teams. Annual subscriptions include ongoing access to monthly database updates and new features.
If you're conducting academic research with limited institutional funding, working with a nonprofit, or are a media outlet operating on a limited budget, and your work directly advances privacy protection, we offer limited complimentary access. Please contact us at databreachchronology@privacyrights.org with detailed information about your funding situation, research project, and how your work aligns with our mission of advancing consumer privacy protections. We typically respond within 3-5 business days.
Frequently Asked Questions
This project was funded in large part thanks to The Rose Foundation for Communities and the Environment Consumer Products Fund. We have also received funds for this project from cy pres awards and Consumer Federation of America. Additionally, ongoing support from our community of data purchasers is essential to maintaining and expanding this resource. Every purchase enables us to provide complimentary access to researchers working on privacy protection.
If you are interested in supporting this project, please reach out to us at support@privacyrights.org.
No. This is a database built on publicly reported data breach notifications, and should not be considered a complete and accurate representation of every data breach in the United States. It reflects breaches reported in the United States that are made publicly available by government entities.
The Data Breach Chronology draws from fifteen U.S. government agencies that maintain public records of data breach notifications. These include the U.S. Department of Health and Human Services and various state Attorneys General who require organizations to report breaches affecting their residents.
Each state has unique reporting thresholds and requirements. For example, some states require reporting of any breach affecting state residents, while others set minimum thresholds. Some states make notification letters public, while others provide only summary data.
When a breach affects residents of multiple states, it may be reported to several agencies. To make it possible to track both individual organizations and individual breach events across the database we perform normalization on the organization name and attempt to match and group breach events.
We collect and structure detailed information about each breach across several categories:
Organization Information:
- Organization name, normalized name and alternative names
- Organization type classification
- Unique identifiers for tracking
Incident Details:
- Description of what occurred
- Type of breach
- Types of information exposed
- Dates (when reported, when occurred, when ended)
- Number of individuals affected (total and state residents)
Location of the Breach Information:
- Street address
- City, state, and ZIP code
- Country
Related Incidents:
- Group identifier for related breach notifications
- Common breach classification
- Common organization type
Source Documentation
- Agency report URL
- Source agency that reported the breach
- Notification letter URL
- Full text of notification letter
Each field also includes explanatory notes documenting how we determined the values and any relevant context.
We use a consistent classification system that has evolved with our understanding of data breaches:
Organization Types include:
- BSF (Financial Services Business): Banks, credit unions, investment firms, insurance carriers
- BSO (Other Business): Technology companies, manufacturers, utilities, professional services
- BSR (Retail Business): Physical and online retail merchants
- EDU (Educational Institutions): Schools, universities, educational services
- GOV (Government and Military): Public administration, government agencies
- MED (Healthcare Providers): Hospitals, clinics, HIPAA-covered entities
- NGO (Nonprofits): Charities, advocacy groups, religious organizations
Breach Types include:
- CARD: Physical payment card compromises (skimming devices, POS tampering)
- HACK: External cyber attacks (malware, ransomware, network intrusions)
- INSD: Internal threats from authorized users
- PHYS: Physical document theft or loss
- PORT: Portable device breaches (laptops, phones, tablets)
- STAT: Stationary device breaches (desktops, servers)
- DISC: Unintended disclosures (misconfiguration, accidents)
As a privacy and consumer advocacy organization, we approach artificial intelligence with both careful consideration and concern. We recognize AI's profound implications for civil liberties, environmental justice, economic equity, and the concentration of power in the technology sector. These issues are at the core of our mission and shape our approach to using AI in our work.
The scope of data breach reporting—thousands of notifications across multiple agencies—creates a significant challenge for a small nonprofit organization. While we previously maintained this database through manual entry, the volume of notifications has grown beyond what we can process without technological assistance. AI tools help us continue this important work while maintaining consistent standards.
We believe our approach balances efficiency with accuracy:
- We use AI to normalize scraped text and extract context from data breach notification letters. We also incorporate AI in our classifications, to help determine breach and organization types.
- Our AI processing is strictly limited to analyzing the actual content of notifications, not making broader inferences based.
- Multiple automated validation checks help identify potential errors or inconsistencies
- We regularly review system output and monitor for systematic errors or biases
- While the processing is largely automated, we maintain oversight of the final staging and publication process
While we work to minimize issues like hallucination or incorrect inferences through careful system design and validation steps, we acknowledge that complete elimination of these problems isn't currently possible. We continue to explore ways to improve our process, including the potential development of dedicated tools that would allow for local processing and reduce dependency on large technology platforms. We welcome your feedback.
Thank you for your interest – there is no shortage of work that can be done to continue to improve this project, and there are many ways to help out!
- Donate your time and expertise as a data science or tableau volunteer to help us collect, clean, process, maintain, and present this resource. Contact us at databreachchronology@privacyrights.org with the subject line “VOLUNTEER”.
- Apply for a legal internship to help us stay up to date on changing data security and breach notification laws.
- Apply to join our Data Breach Chronology advisory committee to help drive future project decisions and new features. Contact us at databreachchronology@privacyrights.org with the subject line “ADVISORY COMMITTEE”.
- Donate to sustain the project.
If you are interested in getting updates on this project, join our email list here.
Please email us at databreachcorrections@privacyrights.org and include “CORRECTION” in the subject line followed by the name of the breached organization. Include any documentation that supports the correction so we can review and update our records.
The Data Breach Chronology began in 2005 under the leadership of Beth Givens, Privacy Rights Clearinghouse's founder and former Executive Director. The current version was developed and is maintained by Emory Roane, Associate Director of Policy at Privacy Rights Clearinghouse. Maintaining this project is made possible by foundation support and purchases of the dataset.
We are also thankful for the contributions of The Rose Foundation for Communities and the Environment, Consumer Federation of America, Coleman Research Lab, Ahmed Eissa, Ava Watson, and everyone else who has supported the project in its various forms over the years.
The Data Breach Chronology is based on publicly available information and should not be considered a complete and accurate representation of every data breach in the United States. Rather, it reflects the data breach notifications themselves that have been reported and made publicly available in the United States.
Users should pay careful attention to the issue of duplicate reporting when making use of this data or making assertions based on this data. While we work to identify when a single breach has been reported to multiple state Attorneys General, this process is not perfect.
Additionally, though we collect the contents of breach notification letters where possible, we do not host these letters locally–and source URLs may no longer be active.
Privacy Rights Clearinghouse makes no representations as to the accuracy of the information included in the Data Breach Chronology.