Data Breaches

Thank you for visiting the Chronology of Data Breaches!

We’re in the process of implementing some exciting new features and apologize for any inconvenience. In the meantime, you can download a compilation of recent data below.

If you have questions, please contact us at



    Download the Database



    What do the acronyms stand for?

    Type of Breach:

    • CARD - Fraud involving debit and credit cards, not via hacking. For example, skimming devices at point-of-service terminals. 
    • HACK - Hacked by an outside party or infected by malware
    • INSD - Insider (someone with legitimate access intentionally breaches information – such as an employee, contractor or customer)
    • PHYS - Includes paper documents that are lost, discarded or stolen (non-electronic)
    • PORT - Portable Device. Lost, discarded or stolen laptop, PDA, smartphone, memory stick, CDs, hard drive, data tape, etc.
    • STAT - Stationary computer loss (lost, inappropriately accessed, discarded or stolen computer or server not designed for mobility)
    • DISC - Unintended disclosure (not involving hacking, intentional breach or physical loss – for example: sensitive information posted publicly, mishandled or sent to the wrong party via publishing online, sending in an email, sending in a mailing or sending via fax) 
    • UNKN - Unknown. We don't have enough information about this breach to know exactly how the information was exposed.

    Type of Business:

    • BSF - Businesses - Financial and Insurance Services
    • BSO - Businesses - Other
    • BSR - Businesses - Retail/Merchant - Including Online Retail
    • EDU - Educational Institutions
    • GOV - Government & Military
    • MED - Healthcare, Medical Providers & Medical Insurance Services
    • NGO - Nonprofits
    • UNKN - Unknown

    How do we get information about data breaches?

    We provide attribution information for every breach that we include in our Chronology. In general, we try to rely on breach information published by government agencies that receive notices directly from breached businesses as a result of some regulatory obligation. Tracking information about data breaches in the US is difficult because there is no single federal data breach standard. Instead, we have to rely on a patchwork of coverage throughout the states for this information. Currently we source most of our breach data from a handful of state attorneys general's offices as well as the Department of Health and Human Services.

    Are these all of the data breaches that occurred in the United States?

    Absolutely not! Though we aim to provide the most accurate, up-to-date window into the landscape of data breaches, this is only an incomplete look at the true scope of the problem. We've talked about how difficult it is to track this information, but ultimately we're trying to apply a technological solution to a legislative problem.

    The first data breach notification law in the world was passed with the help of Privacy Rights Clearinghouse in 2002, in California, and it took until 2018 before the rest of the states finished following suit with similar laws of their own. Still, not every state provides the same level of protections, and without a federal standard, we're stuck trying to put together this puzzle while missing some necessary pieces. 

    Something doesn't look right, can you correct this?

    If you see something that isn't accurate, please let us know. You can submit your correction to