Data Breaches
Privacy Rights Clearinghouse brings together publicly reported data breach notifications from across U.S. government agencies into a single, searchable database. Explore our interactive visualizations or purchase the full dataset. Have questions? Check our FAQ.

Mapping Data Breaches
Data breaches affect organizations and individuals across every state in the U.S. This map shows reported breaches by state (darker red indicating higher numbers) and, where possible, concentrations by zip code. Tracking the true geographic scope of data breaches remains challenging: in most cases, neither notification letters nor agency reports reveal where breaches actually occurred. Even in our massive database, we can only pinpoint specific locations for a small fraction of incidents.
Two Decades of Data Breaches
The first data breach notification law in the country was passed in California in 2002, but it took until 2018 for the rest of the country to fully catch up, and the level of coverage still varies considerably across the country. Today, while every state requires breach reporting, only 14 make these reports publicly available.
Who and How?
The Data Breach Chronology analyzes each notification across multiple dimensions, including the type of organization affected—from BSF for financial services to MED for healthcare providers—and the method of breach—such as HACK for cyber attacks or PORT for portable device breaches. The high number of "UNKN" classifications reflects a common challenge in breach reporting: notifications often lack sufficient detail to determine an organization's primary function or the specific method of breach. For complete descriptions of our classification system, see our FAQ.
Data Availability Across States
Each agency approaches breach notification reporting differently. While basic information like organization names and reported dates is generally and consistently available, other crucial details (when breaches actually occurred, how long they lasted, their true scope, and where they happened) are frequently missing from summary reports. States that provide access to the full notification letters generally enable more complete analysis, though critical information often remains buried in these documents. This visualization shows what information we can reliably extract from each source's notifications.
The Data Breach Chronology
Search our entire database, or keep an eye on the most recent reported breaches. Every breach in our database, at your fingertips. By clicking on "More Information" you can find details about any breach and a link to the original notification.
Download Options
You can download the database and support this project with your purchase.
Try a sample in your preferred format:
- Download SQLite sample (.db file, recommended)
- Download Excel sample (.xlsx file)
- Download CSV sample (.csv file)
See our README for documentation.
We offer tiered pricing with substantial discounts for academic researchers. If you're conducting academic research, working with a nonprofit, or are a media outlet operating on a limited budget, please contact us at databreachchronology@privacyrights.org to request a complimentary download and describe your proposed use and affiliation. We prioritize requests that align with our mission of advancing public understanding of privacy issues and consumer privacy protections. In your message, we encourage you to explain how your work has the potential to advance consumer privacy.
Frequently Asked Questions
This project was funded in large part thanks to The Rose Foundation for Communities and the Environment Consumer Products Fund. We have also received funds for this project from cy pres awards and Consumer Federation of America.
If you are interested in supporting this project, please reach out to us at support@privacyrights.org.
No. This is a database built on publicly reported data breach notifications, and should not be considered a complete and accurate representation of every data breach in the United States. It reflects breaches reported in the United States that are made publicly available by government entities.
The Data Breach Chronology draws from fifteen U.S. government agencies that maintain public records of data breach notifications. These include the U.S. Department of Health and Human Services and various state Attorneys General who require organizations to report breaches affecting their residents.
Each state has unique reporting thresholds and requirements. For example, some states require reporting of any breach affecting state residents, while others set minimum thresholds. Some states make notification letters public, while others provide only summary data.
When a breach affects residents of multiple states, it may be reported to several agencies. To make it possible to track both individual organizations and individual breach events across the database, we normalize organization names and attempt to match and group breach events.
We collect and structure detailed information about each breach across several categories:
Organization Information:
- Organization name, normalized name and alternative names
- Organization type classification
- Unique identifiers for tracking
Incident Details:
- Description of what occurred
- Type of breach
- Types of information exposed
- Dates (when reported, when occurred, when ended)
- Number of individuals affected (total and state residents)
Location of the Breach Information:
- Street address
- City, state, and ZIP code
- Country
Related Incidents:
- Group identifier for related breach notifications
- Common breach classification
- Common organization type
Source Documentation:
- Agency report URL
- Source agency that reported the breach
- Notification letter URL
- Full text of notification letter
Each field also includes explanatory notes documenting how we determined the values and any relevant context.
We use a consistent classification system that has evolved with our understanding of data breaches:
Organization Types include:
- BSF (Financial Services Business): Banks, credit unions, investment firms, insurance carriers
- BSO (Other Business): Technology companies, manufacturers, utilities, professional services
- BSR (Retail Business): Physical and online retail merchants
- EDU (Educational Institutions): Schools, universities, educational services
- GOV (Government and Military): Public administration, government agencies
- MED (Healthcare Providers): Hospitals, clinics, HIPAA-covered entities
- NGO (Nonprofits): Charities, advocacy groups, religious organizations
Breach Types include:
- CARD: Physical payment card compromises (skimming devices, POS tampering)
- HACK: External cyber attacks (malware, ransomware, network intrusions)
- INSD: Internal threats from authorized users
- PHYS: Physical document theft or loss
- PORT: Portable device breaches (laptops, phones, tablets)
- STAT: Stationary device breaches (desktops, servers)
- DISC: Unintended disclosures (misconfiguration, accidents)
As a privacy and consumer advocacy organization, we approach artificial intelligence with both careful consideration and concern. We recognize AI's profound implications for civil liberties, environmental justice, economic equity, and the concentration of power in the technology sector. These issues are at the core of our mission and shape our approach to using AI in our work.
The scope of data breach reporting—thousands of notifications across multiple agencies—creates a significant challenge for a small nonprofit organization. While we previously maintained this database through manual entry, the volume of notifications has grown beyond what we can process without technological assistance. AI tools help us continue this important work while maintaining consistent standards.
We believe our approach balances efficiency with accuracy:
- We use AI to normalize scraped text and extract context from data breach notification letters. We also incorporate AI in our classifications, to help determine breach and organization types.
- Our AI processing is strictly limited to analyzing the actual content of notifications, not making broader inferences based.
- Multiple automated validation checks help identify potential errors or inconsistencies.
- We regularly review system output and monitor for systematic errors or biases.
- While the processing is largely automated, we maintain oversight of the final staging and publication process
While we work to minimize issues like hallucination or incorrect inferences through careful system design and validation steps, we acknowledge that complete elimination of these problems isn't currently possible. We continue to explore ways to improve our process, including the potential development of dedicated tools that would allow for local processing and reduce dependency on large technology platforms. We welcome your feedback.
Thank you for your interest – there is no shortage of work that can be done to continue to improve this project, and there are many ways to help out!
- Donate your time and expertise as a data science or Tableau volunteer to help us collect, clean, process, maintain, and present this resource. Contact us at databreachchronology@privacyrights.org with the subject line “VOLUNTEER”.
- Apply for a legal internship to help us stay up to date on changing data security and breach notification laws.
- Apply to join our Data Breach Chronology advisory committee to help drive future project decisions and new features. Contact us at databreachchronology@privacyrights.org with the subject line “ADVISORY COMMITTEE”.
- Donate to sustain the project.
If you are interested in getting updates on this project, join our email list here.
Please email us at databreachcorrections@privacyrights.org and include “CORRECTION” in the subject line followed by the name of the breached organization. Include any documentation that supports the correction so we can review and update our records.
The Data Breach Chronology began in 2005 under the leadership of Beth Givens, Privacy Rights Clearinghouse's founder and former Executive Director. The current version was developed and is maintained by Emory Roane, Associate Director of Policy at Privacy Rights Clearinghouse. Maintaining this project is made possible by foundation support and purchases of the dataset.
We are also thankful for the contributions of The Rose Foundation for Communities and the Environment, Consumer Federation of America, Coleman Research Lab, Ahmed Eissa, Ava Watson, and everyone else who has supported the project in its various forms over the years.
The Data Breach Chronology is based on publicly available information and should not be considered a complete and accurate representation of every data breach in the United States. Rather, it reflects the data breach notifications themselves that have been reported and made publicly available in the United States.
Users should pay careful attention to the issue of duplicate reporting when making use of this data or making assertions based on this data. While we work to identify when a single breach has been reported to multiple state Attorneys General, this process is not perfect.
Additionally, though we collect the contents of breach notification letters where possible, we do not host these letters locally, and source URLs may no longer be active.
Privacy Rights Clearinghouse makes no representations as to the accuracy of the information included in the Data Breach Chronology.