DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Top 10 Worst Data Losses or Breaches, updated

Posted on December 26, 2009 by Dissent

It’s been a while since I last revised my list of the largest breaches or data loss incidents worldwide, and the end of the year seems like a good time to look back at what may have been the worst incidents ever in terms of numbers.

Remember when the stolen V.A. laptop made headlines in May 2006 as the biggest breach ever?   Now they’re down at #7 on my list.

Rank # of Records or People Entity Date of Incident or Report Type of Incident
1 130,000,000
Heartland Payment Systems 2009-01-20 Hack, Malware
2 94,000,000 TJX, Inc. 2007-01-17 Hack, Malware
3 90,000,0001 TRW/Sears Roebuck 1984-06-22 Hack
4 70,000,0002 National Archives and Records Administration 2009-10-01 Disposal
5 40,000,000 CardSystems Solutions 2005-06-17 Hack
6 30,000,0003 Deutsche Telekom 2008-11-01 Exposure
7 26,500,000 U.S. Department of Veterans Affairs 2006-05-22 Stolen Laptop
8 25,000,000 HM Revenue and Customs / TNT 2007-10-18 Lost Tapes
9 18,000,0004 Auction.co.kr 2008-02-17 Hack
9 18,000,0005 National Personnel Records Center 1973-07-12 Fire
10 17,000,000 Countrywide Financial 2008-08-01 Insider
10 17,000,000 T-Mobile 2008-10-06 Lost or Stolen Disk

Notes:

1 TRW’s database held credit information on 90,000,000 and was being accessed for over a year before the company became aware of the problem. The number of records actually accessed is unknown.

2 NARA does not consider this a breach (.doc)

3 The number of records actually accessed is unknown.

4 Auction.co.kr said their number is 10.8 million and not 18 million as reported by other sources.

5 This incident, involving the loss of paper records in a fire, affected many veterans who were unable to establish their right to receive benefits. Fifteen years later, duplicates of some of the records were located elsewhere and some veterans were first able to get benefits. I’m including it on my list because NPRC was warned about fire concerns during the building’s design and planning stages, but did not implement sufficient precautions to protect the data.

Notice what incidents the list doesn’t include. It doesn’t include:

  • A Taiwanese hacking ring that affected over 50,000,000 people by hacks involving a number of organizations or databases,
  • The recent RockYou.com hack where a hacker gained access to login details including 32,603,388 passwords in plain text, and
  • An AOL incident where names and email addresses of 30,000,000 customers were stolen and sold for spamming purposes.

Have I missed any really large data loss incidents or breaches involving personal information that should have made the Top 10 list, or did I include something that you think shouldn’t be included? If so, let me know.

Image credit: “The Big Mistake” by williamhartz/Flickr, used under Creative Commons License.

Related posts:

  • Veterans Administration responds to Freedom of Information request; releases breach reports
  • Revising the Top 10 Data Loss Incidents list
  • More than 2,000 veterans had their PHI breached in April
  • Health Data Breaches in 2017: The Year in Review
Category: Breach IncidentsOf Note

Post navigation

← Opinion: Administration's shortcomings are not those of WDH
Jp: Ex-exec of matchmaking firm ‘stole personal data’ →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.