It’s been a while since I last revised my list of the largest breaches or data loss incidents worldwide, and the end of the year seems like a good time to look back at what may have been the worst incidents ever in terms of numbers.
Remember when the stolen V.A. laptop made headlines in May 2006 as the biggest breach ever? Now they’re down at #7 on my list.
| Rank | # of Records or People | Entity | Date of Incident or Report | Type of Incident |
| 1 | 130,000,000 |
Heartland Payment Systems | 2009-01-20 | Hack, Malware |
| 2 | 94,000,000 | TJX, Inc. | 2007-01-17 | Hack, Malware |
| 3 | 90,000,0001 | TRW/Sears Roebuck | 1984-06-22 | Hack |
| 4 | 70,000,0002 | National Archives and Records Administration | 2009-10-01 | Disposal |
| 5 | 40,000,000 | CardSystems Solutions | 2005-06-17 | Hack |
| 6 | 30,000,0003 | Deutsche Telekom | 2008-11-01 | Exposure |
| 7 | 26,500,000 | U.S. Department of Veterans Affairs | 2006-05-22 | Stolen Laptop |
| 8 | 25,000,000 | HM Revenue and Customs / TNT | 2007-10-18 | Lost Tapes |
| 9 | 18,000,0004 | Auction.co.kr | 2008-02-17 | Hack |
| 9 | 18,000,0005 | National Personnel Records Center | 1973-07-12 | Fire |
| 10 | 17,000,000 | Countrywide Financial | 2008-08-01 | Insider |
| 10 | 17,000,000 | T-Mobile | 2008-10-06 | Lost or Stolen Disk |
Notes:
1 TRW’s database held credit information on 90,000,000 and was being accessed for over a year before the company became aware of the problem. The number of records actually accessed is unknown.
2 NARA does not consider this a breach (.doc)
3 The number of records actually accessed is unknown.
4 Auction.co.kr said their number is 10.8 million and not 18 million as reported by other sources.
5 This incident, involving the loss of paper records in a fire, affected many veterans who were unable to establish their right to receive benefits. Fifteen years later, duplicates of some of the records were located elsewhere and some veterans were first able to get benefits. I’m including it on my list because NPRC was warned about fire concerns during the building’s design and planning stages, but did not implement sufficient precautions to protect the data.
Notice what incidents the list doesn’t include. It doesn’t include:
- A Taiwanese hacking ring that affected over 50,000,000 people by hacks involving a number of organizations or databases,
- The recent RockYou.com hack where a hacker gained access to login details including 32,603,388 passwords in plain text, and
- An AOL incident where names and email addresses of 30,000,000 customers were stolen and sold for spamming purposes.
Have I missed any really large data loss incidents or breaches involving personal information that should have made the Top 10 list, or did I include something that you think shouldn’t be included? If so, let me know.
Image credit: “The Big Mistake” by williamhartz/Flickr, used under Creative Commons License.