Recent and Significant Data Breaches

| Date Reported | Occurred | Company | Number of Users Affected | Data breached, leaked, etc. | Action | Source | Additional Information |
|---|---|---|---|---|---|---|---|
| 10/14/2018 | | Department of Defense | 30,000 | Travel records | | Gizmodo | |
| 10/8/2018 | March 2018 | Google+ | 500,000 | Names, email addresses, dates of birth, gender, photos, location, occupation, etc. | Google is shutting down Google+. | Techcrunch | |
| 9/7/2018 | 8/21/2018 | British Airways | 380,000 | Personal and financial details of customers making bookings; no passport or travel details were stolen. | Contact bank for advice on how to proceed. | The Guardian | British Airways Statement |
| 8/27/2018 | 8/20/2018 | T-Mobile | 2,000,000 | Name, billing zip code, phone number, email address, account number and account type. | | ABC Action News | T-Mobile Statement |
| 8/1/2018 | | Reddit | | Current email addresses and passwords from 11 years ago. | Change your password. | CNET | |
| 7/25/2018 | | LifeLock | millions | Customers’ email addresses | | | |
| 7/10/2018 | 4/26/2018-6/12/2018 | Macy’s | | The third party likely was able to access the customer’s name, address, phone number, email address, birthday and credit or debit card number with expiration dates. | | Chicago Tribune | |
| 6/30/2018 | | adidas | millions | “A preliminary investigation found the leaked data includes contact information, usernames and encrypted passwords” | “We are alerting certain consumers who purchased on about a potential data security incident. At this time this is a few million consumers,” a spokeswoman said in an email. | Bloomberg | adidas statement |
| 6/5/2018 | 10/26/2017 | MyHeritage | 92,000,000 | “a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage,” | See Additional Information | The Verge | MyHeritage Statement |
| 5/31/2018 | 5/31/2018 | Ticketfly | 26,000,000 | “some customer information has been compromised as part of the incident, including names, addresses, emails, and phone numbers of Ticketfly fans.” | | AP | |
| 5/12/2018 | 5/11/2018 | Chili’s | To be determined | Credit card information of some guests was compromised between April and May 2018. | See Chili’s News Release. | USA Today | Chili’s News Release |
| 5/3/2018 | 5/3/2018 | Twitter | 330,000,000 | Not truly a breach. Per Twitter, “We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password.” | Change password and possibly enable two-factor authentication. | BBC | Twitter Announcement |
| 4/6/2018 | September-October 2017 | Delta Airlines via [24] | “several hundred thousand customers” | Hackers may have accessed names, addresses, credit card numbers, CVV numbers and expiration dates for “several hundred thousand” customers during that time, according to the airline. | Delta created a website for customers and set up a hotline for customer questions. | Time | Delta Statement Delta News Hub |
| 4/6/2018 | September-October 2017 | Sears via [24] | <100,000 | Customer credit card information | As a result of that investigation, we believe the credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised. Customers using a Sears-branded credit card were not impacted. In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible. [24] has assured us that their systems are now secure. | Time | Sears Statement |
| 4/2/2018 | August 2017 | Panera Bread | 37,000,000 | Names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number – leaked. | | KrebsOnSecurity | |
| 4/1/2018 | | Hudson Bay - parent company of Lord and Taylor / Saks Fifth Avenue | 5,000,000 | Records for more than five million credit and debit cards used at all the chains’ North American locations were compromised, according to Gemini Advisory, a cybersecurity firm. Most were obtained from stores in New York and New Jersey, Gemini said. | Customers won’t be liable for fraudulent charges and will be offered free identity protection services. | USA Today | |
| 3/29/2018 | February 2018 | Under Armour | 150,000,000 | MyFitnessPal app – usernames, email addresses, and hashed passwords | Under Armour is requiring all users to change their password. | Reuters | |
| 3/26/2018 | September 2014 through 2017 | 300 Universities worldwide | 108,000 | 144 US universities, 176 universities in 21 foreign countries, and 47 US and foreign companies active in various private sectors. Officials said the group targeted the email accounts of more than 100,000 professors from all over the world, and appear to have successfully compromised 8,000 email accounts for professors at US universities. | 9 Iranian hackers indicted by US | Washington Post | |
| 3/22/2018 | 3/22/2018 | City of Atlanta | | City officials told Reuters that police files and financial documents were rendered inaccessible by unknown hackers who demanded $51,000 worth of bitcoin to provide digital keys to unlock scrambled files. | | Reuters | |
| 3/22/2018 | 2016 & 2017 | Orbitz (subsidiary of Expedia) | 880,000 | Names, credit card information, dates of birth, phone numbers, addresses | Orbitz is offering 1 year of free credit monitoring for those impacted. | CBS News | |
| 3/17/2018 | 2014-2016 | Facebook | 87,000,000 | Cambridge Analytica gathered data from 87 million users, then developed a software program that profiled these citizens to predict voting patterns – and, through micro-targeted ads, influence US citizens’ voting decisions. | Facebook is updating their privacy rules, Congress is investigating. | Techradar | Statement from Mark Zuckerberg |
| 2/28/2018 | 1/8/2018 | St. Peter’s Surgery & Endoscopy Center | | Ransomware attack | | | St. Peter’s Surgery & Endoscopy Center – official statement |
| 2/15/2018 | February 2018 | FedEx | 119,000 | Scanned documents including passports, drivers licenses, and security IDs | FedEx Statement – “After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.” | KrebsOnSecurity | |
| 2/2/2018 | January 2018 | CarePlus Health Plans | 11,200 | The information disclosed included member name, plan identification number and name, provider of service, and services provided. | CarePlus has no information that any data has been inappropriately used. | WFLA | |
| 1/17/2018 | Summer 2017 | Aetna | 12,000 | This low-tech breach resulted from a mailing to HIV positive members in 23 different states. The envelope window, generally reserved for the recipient’s address, clearly revealed part of the letter reading, “filling prescriptions for HIV Medication.” | | NPR | |
| 1/11/2018 | 12/22/2017 | Jason’s Deli | 2,000,000 | Criminals gained access to the company’s point-of-sale terminals and installed RAM-scraping malware to steal customers’ credit card information and sell it on the dark web. Data such as cardholder name, credit or debit card number, expiration date, cardholder verification value and service code were obtained via the magnetic stripe on payment cards. As many as 2 million payment cards may have been compromised in this breach, which impacted at least 164 Jason’s Deli locations. | | | Jason’s Deli Statement |

Ongoing Data Breaches    

| Date Reported | Occurred | Company | Number of Users Affected | Data breached, leaked, etc. | Action | Source | Additional Information |
|---|---|---|---|---|---|---|---|
| 11/30/2015 | 11/14/2015 | VTech | 6,400,000 | Cyberattack exposed name, gender, birth date and other personal data for an estimated 6.4 million children and 4.9 million adults. | 1/8/2018 – Settlement reached with FTC. VTech pays $650,000 penalty. | CNET | VTech Press Release |
| September 2017 | May-July 2017 | Equifax | 148,000,000 | The release of details is ongoing. The data that was stolen depends on when information was hacked. | Equifax offered credit freezes. | | Equifax – Consumer Information |
| 2016 | 2013 | Yahoo | 3,000,000,000 | For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected. | Change your password and security questions. | Bloomberg | Yahoo Security Notice |