Top 10 Worst Data Losses or Breaches, updated

It’s been a while since I last revised my list of the largest breaches or data loss incidents worldwide, and the end of the year seems like a good time to look back at what may have been the worst incidents ever in terms of numbers.

Remember when the stolen V.A. laptop made headlines in May 2006 as the biggest breach ever?   Now they’re down at #7 on my list.

Rank # of Records or People Entity Date of Incident or Report Type of Incident
1 130,000,000
Heartland Payment Systems 2009-01-20 Hack, Malware
2 94,000,000 TJX, Inc. 2007-01-17 Hack, Malware
3 90,000,0001 TRW/Sears Roebuck 1984-06-22 Hack
4 70,000,0002 National Archives and Records Administration 2009-10-01 Disposal
5 40,000,000 CardSystems Solutions 2005-06-17 Hack
6 30,000,0003 Deutsche Telekom 2008-11-01 Exposure
7 26,500,000 U.S. Department of Veterans Affairs 2006-05-22 Stolen Laptop
8 25,000,000 HM Revenue and Customs / TNT 2007-10-18 Lost Tapes
9 18,000,0004 2008-02-17 Hack
9 18,000,0005 National Personnel Records Center 1973-07-12 Fire
10 17,000,000 Countrywide Financial 2008-08-01 Insider
10 17,000,000 T-Mobile 2008-10-06 Lost or Stolen Disk


1 TRW’s database held credit information on 90,000,000 and was being accessed for over a year before the company became aware of the problem. The number of records actually accessed is unknown.

2 NARA does not consider this a breach (.doc)

3 The number of records actually accessed is unknown.

4 said their number is 10.8 million and not 18 million as reported by other sources.

5 This incident, involving the loss of paper records in a fire, affected many veterans who were unable to establish their right to receive benefits. Fifteen years later, duplicates of some of the records were located elsewhere and some veterans were first able to get benefits. I’m including it on my list because NPRC was warned about fire concerns during the building’s design and planning stages, but did not implement sufficient precautions to protect the data.

Notice what incidents the list doesn’t include. It doesn’t include:

  • A Taiwanese hacking ring that affected over 50,000,000 people by hacks involving a number of organizations or databases,
  • The recent hack where a hacker gained access to login details including 32,603,388 passwords in plain text, and
  • An AOL incident where names and email addresses of 30,000,000 customers were stolen and sold for spamming purposes.

Have I missed any really large data loss incidents or breaches involving personal information that should have made the Top 10 list, or did I include something that you think shouldn’t be included? If so, let me know.

Image credit: “The Big Mistake” by williamhartz/Flickr, used under Creative Commons License.

About the author: Dissent

Comments are closed.