Recent and Significant Data Breaches

| Date Reported | Occurred | Company | Number of Users Affected | Data breached, leaked, etc. | Action | Source | Additional Information |
|---|---|---|---|---|---|---|---|
| 10/14/2018 | | Department of Defense | 30,000 | Travel records | | Gizmodo | |
| 10/8/2018 | March 2018 | Google+ | 500,000 | Names, email addresses, dates of birth, gender, photos, location, occupation, etc. | Google is shutting down Google+. | Techcrunch | |
| 9/7/2018 | 8/21/2018 | British Airways | 380,000 | Personal and financial details of customers making bookings; no passport or travel details were stolen. | Contact bank for advice on how to proceed. | The Guardian | British Airways Statement |
| 8/27/2018 | 8/20/2018 | T-Mobile | 2,000,000 | Name, billing zip code, phone number, email address, account number and account type. | | ABC Action News | T-Mobile Statement |
| 8/1/2018 | | Reddit | | Current email addresses and passwords from 11 years ago. | Change your password. | CNET | |
| 7/25/2018 | | LifeLock | millions | Customers’ email | | | |
| 7/10/2018 | 4/26/2018-6/12/2018 | Macy’s | | The third party likely was able to access the customer’s name, address, phone number, email address, birthday and credit or debit card number with expiration dates. | | Chicago Tribune | |
| 6/30/2018 | | adidas | millions | “A preliminary investigation found the leaked data includes contact information, usernames and encrypted passwords” | “We are alerting certain consumers who purchased on about a potential data security incident. At this time this is a few million consumers,” a spokeswoman said in an email. | Bloomberg | adidas statement |
| 6/5/2018 | 10/26/2017 | MyHeritage | 92,000,000 | “a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage,” | See Additional Information | The Verge | MyHeritage Statement |
| 5/31/2018 | 5/31/2018 | Ticketfly | 26,000,000 | “some customer information has been compromised as part of the incident, including names, addresses, emails, and phone numbers of Ticketfly fans.” | | AP | |
| 5/12/2018 | 5/11/2018 | Chili’s | To be determined | Credit card information of some guests was compromised between April and May 2018. | See Chili’s News Release. | USA Today | Chili’s News Release |
| 5/3/2018 | 5/3/2018 | Twitter | 330,000,000 | Not truly a breach. Per Twitter, “We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password.” | Change password and possibly enable two factor authentication. | BBC | Twitter Announcement |
| 4/6/2018 | September-October 2017 | Delta Airlines via [24] | “several hundred thousand customers” | Hackers may have accessed names, addresses, credit card numbers, CVV numbers and expiration dates for “several hundred thousand” customers during that time, according to the airline. | Delta created a website for customers and set up a hotline for customer questions | Time | Delta Statement; Delta News Hub |
| 4/6/2018 | September-October 2017 | Sears via [24] | <100,000 | Customer credit card information | As a result of that investigation, we believe the credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised. Customers using a Sears-branded credit card were not impacted. In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible. [24] has assured us that their systems are now secure. | Time | Sears Statement |
| 4/2/2018 | August 2017 | Panera Bread | 37,000,000 | Names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number – leaked. | | KrebsOnSecurity | |
| 4/1/2018 | | Hudson Bay - parent company of Lord and Taylor / Saks Fifth Avenue | 5,000,000 | Records for more than five million credit and debit cards used at all the chains’ North American locations were compromised, according to Gemini Advisory, a cybersecurity firm. Most were obtained from stores in New York and New Jersey, Gemini said. | Customers won’t be liable for fraudulent charges and will be offered free identity protection services. | USA Today | |
| 3/29/2018 | February 2018 | Under Armour | 150,000,000 | MyFitnessPal app – usernames, email addresses, and hashed passwords | Under Armour is requiring all users to change their password | Reuters | |
| 3/26/2018 | September 2014 through 2017 | 300 Universities worldwide | 108,000 | 144 US universities, 176 universities in 21 foreign countries, and 47 US and foreign companies active in various private sectors. Officials said the group targeted the email accounts of more than 100,000 professors from all over the world, and appear to have successfully compromised 8,000 email accounts for professors at US universities. | 9 Iranian hackers indicted by US | Washington Post | |
| 3/22/2018 | 3/22/2018 | City of Atlanta | | City officials told Reuters that police files and financial documents were rendered inaccessible by unknown hackers who demanded $51,000 worth of bitcoin to provide digital keys to unlock scrambled files. | | Reuters | |
| 3/22/2018 | 2016 & 2017 | Orbitz (subsidiary of Expedia) | 880,000 | Names, credit card information, dates of birth, phone numbers, addresses | Orbitz is offering 1 year of free credit monitoring for those impacted. | CBS News | |
| 3/17/2018 | 2014-2016 | Facebook | 87,000,000 | Cambridge Analytica gathered data from 87 million users, then developed a software program that profiled these citizens to predict voting patterns – and, through micro-targeted ads, influence US citizens’ voting decisions. | Facebook is updating their privacy rules, Congress is investigating. | Techradar | Statement from Mark Zuckerberg |
| 2/28/2018 | 1/8/2018 | St. Peter’s Surgery & Endoscopy Center | | Ransomware attack | | | St. Peter’s Surgery & Endoscopy Center – official statement |
| 2/15/2018 | February 2018 | FedEx | 119,000 | Scanned documents including passports, drivers licenses, and security IDs | FedEx Statement – “After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.” | KrebsOnSecurity | |
| 2/2/2018 | January 2018 | CarePlus Health Plans | 11,200 | The information disclosed included member name, plan identification number and name, provider of service, and services provided. | CarePlus has no information that any data has been inappropriately used. | WFLA | |
| 1/17/2018 | Summer 2017 | Aetna | 12,000 | This low-tech breach resulted from a mailing to HIV positive members in 23 different states. The envelope window, generally reserved for the recipient’s address, clearly revealed part of the letter reading, “filling prescriptions for HIV Medication.” | | NPR | |
| 1/11/2018 | 12/22/2017 | Jason’s Deli | 2,000,000 | Criminals gained access to the company’s point-of-sale terminals and installed RAM-scraping malware to steal customers’ credit card information and sell it on the dark web. Data such as cardholder name, credit or debit card number, expiration date, cardholder verification value and service code were obtained via the magnetic stripe on payment cards. As many as 2 million payment cards may have been compromised in this breach, which impacted at least 164 Jason’s Deli locations. | | | Jason’s Deli Statement |

Ongoing Data Breaches  

| Date Reported | Occurred | Company | Number of Users Affected | Data breached, leaked, etc. | Action | Source | Additional Information |
|---|---|---|---|---|---|---|---|
| 11/30/2015 | 11/14/2015 | VTech | 6,400,000 | Cyberattack exposed name, gender, birth date and other personal data for an estimated 6.4 million children and 4.9 million adults. | 1/8/2018 – Settlement reached with FTC. Vtech pays $650,000 penalty. | Cnet | VTech Press Release |
| September 2017 | May-July 2017 | Equifax | 148,000,000 | The release of details is ongoing. The data that was stolen depends on when information was hacked. | Equifax offered credit freezes. | | Equifax – Consumer Information |
| 2016 | 2013 | Yahoo | 3,000,000,000 | For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected. | Change your password and security questions. | Bloomberg | Yahoo Security Notice |