The Data Breach Chronology Now Tracks Vendors, Subtypes, and Almost 100,000 Breach Notifications

Privacy Rights Clearinghouse has tracked data breach notifications since 2005, and the Data Breach Chronology has become one of the primary datasets researchers use to study patterns in data privacy. We’re excited to release a major update today that adds 30 new fields, six new state data sources, and capabilities we’ve wanted to build for a long time.

What's new

Third-party vendor tracking. When a breach originates at a service provider (a cloud host, a payroll company, a managed IT vendor), we now identify that vendor by name and link all affected organizations together. If a single vendor compromise generates 40 notifications filed across 15 states over several months, you can now find them all with one query. This is something researchers have been asking us about for years, and it opens up supply-chain risk analysis that wasn’t possible before.

Breach and organization subtypes. We’ve added a second layer of classification beneath the existing breach type and organization type taxonomies. Instead of just knowing a breach was “HACK,” you can now see whether it was ransomware, phishing, credential stuffing, a zero-day exploit, or one of 36 specific methods. Instead of just “MED” for healthcare, you can distinguish hospital systems from dental practices, insurance carriers from home health hospices. There are 86 organization subtypes in total.

Breach group aggregates. Related notifications have been linked into event groups since v2.0, but you had to calculate aggregate statistics yourself. Version 2.5 adds pre-calculated fields on every row: total affected across all organizations in the group, the earliest breach date, the notification delay, the union of information types exposed. The grouping algorithm has also been rewritten to detect multi-organization vendor events automatically.

Corporate identifiers. Each organization is now matched against eight public registries: SEC EDGAR (CIK + ticker), GLEIF (LEI), NPI, IRS EIN, IPEDS, FDIC, NCUA, and Census Bureau. If you’re joining breach data with Compustat, CRSP, or any other dataset keyed on these identifiers, you no longer need to do name matching yourself.

Geographic coordinates. Breach locations now include latitude and longitude, which means you can do spatial analysis and mapping directly from the data.

Six new state sources. Hawaii, Idaho, Illinois, Nebraska, Rhode Island, and South Carolina have been added, bringing the total to 21 data sources (20 state attorneys general plus HHS/HIPAA).

The dataset today

The Chronology now contains approximately 98,000 breach notification records with 65 fields per record, covering incidents reported from 2006 through the present. Each record corresponds to a single breach notification filed with a government agency, and four overlapping systems let you connect related records: individual record IDs, normalized organization names, normalized vendor names, and event group identifiers that link all notifications for the same underlying incident.

The full text of breach notification letters is included in the SQLite export, which makes full-text search across the entire corpus possible. You can search for specific legal language, specific types of remediation offered, or mentions of particular technologies or circumstances.

How researchers are using it

Researchers at more than 250 universities and institutions around the world have used the Data Breach Chronology in their work, and the ways people use it keep surprising us.

Researchers are using the Chronology to study how breaches affect stock prices and bond yields, to build actuarial models for cyber insurance pricing, to measure whether breach notification laws actually deter identity theft, to trace how a single vendor compromise ripples through supply chains, and to estimate the social cost of breaches by linking incident data to identity theft surveys. Faculty are using it to teach cybersecurity risk management courses. Doctoral students are building dissertations around it. High school classes have used it to teach data visualization and privacy fundamentals.

Purchases of the database directly fund the continued development, maintenance, and monthly updates of the Chronology. They also support our complimentary access program: for roughly every purchase, we provide two researchers working on unfunded consumer privacy research with access to the full dataset. If you’re working on research that advances consumer privacy, we’d love to hear about it.

Explore the data

The full Chronology lives at privacyrights.org/data-breaches. A few starting points:

  • Search the database — all 98,000 records with filtering by organization, breach type, state, date range, and more.
  • Visualizations — interactive explorations of breach trends, vendor cascades, geographic patterns, and source coverage.
  • Subscribe to PRC Breach Watch — our weekly and monthly newsletter that surfaces notable breaches as they’re filed.
  • Dynamic report — an always-current standalone report that summarizes the Chronology at a glance: breach counts, notification volume, weekly timelines against prior-year and five-year baselines, breach types and organization types, notification sources by state, and notable incidents. Customize the window to a full year, any quarter, H1/H2, or year-to-date to generate shareable infographics on demand.

Download the database

The full database is available through the Data Breach Chronology store in three tiers:

  • Single User: Full database (SQLite, CSV, Excel) with documentation
  • Team Snapshot: Same data, licensed for organizational use
  • Team Subscription: Monthly updates as new notifications are added

The SQLite export includes all 65 fields, including the full text of breach notification letters.

What's next

We add new breach notifications every week and are working on expanding to additional state sources. If you’ve used the Chronology in your work, or if you have feedback on the new fields, we’d like to hear from you at databreachchronology@privacyrights.org.


The Data Breach Chronology is maintained by Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy organization founded in 1992.