Apr 102009

It’s been a while since I posted a list of the largest breaches or data loss incidents. My list often does not totally match others’ lists because of different criteria and sources that I use, but we’re often pretty close in our lists. This time, however, my list will likely appear significantly different, due, in part, to the fact that I recently uncovered some old breaches and incidents that pre-date most chronologies. Indeed, it was only because of the Open Security Foundation’s fun “find the oldest incident” contest that I discovered some of these older data loss incidents.

So here’s a list of what may be the 10 largest data loss incidents involving single organizations:

Rank # of Records or People Entity Date of Incident or Report Type of Incident
1 94,000,0001 TJX, Inc. 2007-01-17 Hack
2 90,000,0002 TRW 1984-06-22 Hack
3 40,000,000 Card Systems 2005-06-17 Hack
4 30,000,000 Deutsche Telekom 2008-11-01 Exposure
5 26,500,000 U.S. Department of Veterans Affairs 2006-05-22 Stolen Laptop
6 25,000,000 HM Revenue and Customs / TNT 2007-10-18 Lost Tapes
7 18,000,0003 Auction.co.kr 2008-02-17 Hack
8 18,000,0004 National Personnel Records Center 1973-07-12 Fire
9 16,000,000 Revenue Canada 1986-11-23 Theft
10 12,500,000 Bank of New York Mellon / Archive Systems Inc. 2008-03-26 Lost Tape


1 94,000,000 or 46,500,000 depending on source.

2 TRW’s database held credit information on 90,000,000 and was being accessed for over a year before the company became aware of the problem.  The number of records actually accessed is unknown.

3Auction.co.kr said their number is 10.8 million and not 18 million as reported by other sources. If they are right, they drop off the top 10 list and the GS Caltex incident that affected 11.1 million moves to the #10 slot.

4This incident, involving paper records, affected many veterans who were unable to establish their right to receive benefits. Fifteen years later, duplicates of some of the records were located elsewhere and some veterans were first able to get benefits.

Notice what incidents the list doesn’t include. It doesn’t include:

  • The Express Scripts incident, where the breach may have affected approximately 50,000,000 individuals, as they have not revealed how many records were actually accessed or acquired as part of the extortion attempt.
  • A Taiwanese hacking ring that affected over 50,000,000 people by hacks involving a number of organizations or databases.
  • The AOL incident where names and email addresses of 30,000,000 customers were stolen and sold for spamming purposes, and
  • The Heartland Payment Systems breach, for which we have no numbers at this time, but which may turn out to be a “top 10” breach.

Have I missed any really large data loss incidents or breaches involving personal information that should have made a top 10 list, or did I include something that you think shouldn’t be included? If so, let me know.

And if you haven’t risen to the challenge of the Open Security Foundation to help them fill in their database by locating earlier breaches, I’d really encourage you all to do so. Even if we don’t win any of their sponsors’ great prizes for our submissions, we all benefit by having a more complete database of incidents. I’ve submitted about a dozen incidents for them to consider adding to their database, and I hope you’ll pitch in, too!

[Chart corrected 4-12-09 as what appeared be two Deutsche Telekom incidents may all be part of the one 2006 vulnerability. Then again, it may be a second breach involving 17,000,000. If any reader can sort that out, let me know.].

Sorry, the comment form is closed at this time.