The 11 Largest Data Breaches in Recent History

At the beginning of October, a defective hard drive containing the personal information of 70 million U.S. military personnel was returned to a contractor for repair and recycling … without being erased first.

“This is the single largest release of personally identifiable information by the government ever,” National Archives and Records Administration (NARA) IT manager Hank Bellomy told

But the exposure of 70 million records is only the second (maybe even third) largest loss of personal data by an organization or company in the past five years. Here’s a look back at the eleven largest data breaches in recent history.

Hannaford Bros. Supermarket Chain
(Portland, ME)

  • Date of Breach: March 17, 2008
  • Number of Records: 4.2 Million

Credit and debit card numbers were stolen during the card authorization transmission process. Malware loaded onto Hannaford servers allowed attackers to intercept card data stored on the magnetic stripe of payment cards as customers used them at the check-out counter. The incident resulted in 2,000 known cases of fraud.

This security breach affected all 165 Hannaford stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. Hannaford acknowledged that about 4.2 million credit and debit card numbers used at its supermarket stores in six states were compromised and that malware was installed on servers in 300 stores. (Additional Source: Network World)


CheckFree Corporation
(Atlanta, GA)

  • Date of Breach: January 6, 2009
  • Number of Records: 5 Million

Criminals took control of several of the company’s Internet domains and redirected customer traffic to a malicious Web site hosted in Ukraine. While it appeared that only approximately 160,000 customers were initially exposed, precautions were taken to warn a much larger set of customers, since CheckFree operated bill payment services through other financial institutions as well as the site.

TD Ameritrade Holding Corporation
(Omaha, NE)

  • Date of Breach: September 14, 2007
  • Number of Records: 6.3 Million

The contact information for 6.3 million TD Ameritrade customers was stolen when a database was hacked. An online advisory and letters to account holders disclosed that names, e-mail addresses, phone numbers and home addresses were taken in the data breach.

While user IDs, personal identification numbers and passwords were not stored in the compromised database, it was determined later that SSNs had been compromised. (Additional Source: Information Week)

Fidelity National Information Services
Certegy Check Services Inc.
(Jacksonville, FL)

  • Date of Breach: July 3, 2007
  • Number of Records: 8.5 Million total records

A worker at one of the company’s subsidiaries stole customer records containing credit card, bank account and other personal information. In November 2007, a former database analyst pleaded guilty to federal fraud and conspiracy charges; in July 2008 he was sentenced to four years and nine months in jail and fined US $3.2 million for his connection to the theft.

Bank of New York Mellon
(Pittsburgh, PA)

  • Date of Breach: March 26, 2008
  • Number of Records: As many as 12.5 million customer records are thought to be compromised

Less than two weeks after the Hannaford incident, Bank of New York Mellon lost a box of computer data tapes storing personal information including names, Social Security numbers and possibly bank account numbers. The unencrypted backup tape was being sent to a storage facility and never arrived, though nine other tapes in the same transport made it.

In February 2009, the company agreed to pay Connecticut $150,000 as part of a settlement. It also agreed to provide those affected by the breach with credit monitoring and fraud alerts for a total of 36 months of protection and reimburse anyone for funds stolen from their accounts as a direct result of the data breach.

(Deerfield Beach, FL)

  • Date of Breach: March 8, 2006
  • Number of Records: 17,781,462 – While credit card account numbers, expiration dates, security codes, and SSNs were NOT exposed, names, numbers, e-mail addresses, etc. were.

A dishonest insider, or possibly malicious software linked to iBill, was used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, logins and passwords, credit card types and purchase amounts online.

However, days later, the company said the cache of stolen consumer data uncovered by security experts did not come from its database. iBill President Gary Spaniak Jr. indicated the company cross-referenced the 17-million-transaction database against its own, and that only three e-mail addresses matched between the two. (Additional Source: Wired)

Even still, 17 million records were exposed, regardless of database origin. Even though financial information was not disclosed, such information certainly could be valuable to other organizations or spammers.

U.S. Dept. of Veteran’s Affairs
(Washington, DC)

  • Date of Breach: May 22, 2006
  • Number of Records: As many as 28.6 Million records

In early May 2006, data on all American veterans discharged since 1975 was stolen from a VA employee’s home. The data, held on a laptop and storage device, included names, Social Security numbers, dates of birth and in many cases phone numbers and addresses.

In January 2009, the Department of Veterans Affairs agreed to pay $20 million to current and former military personnel to settle a class action lawsuit as a result of the data breach.

(Tucson, AZ)

  • Date of Breach: June 16, 2005
  • Number of Records: Over 40 million card accounts

Over 40 million card accounts were exposed to potential fraud due to a security breach that occurred at a third-party processor of payment card transactions. While fewer than a quarter million records appear to have actually been exported by hackers, the data exported included names, card numbers and card security codes.

TJ Stores (TJX)
(Framingham, Mass.)

  • Date of Breach: January 17, 2007
  • Number of Records: 45.7 Million credit and debit card account numbers

For over two years, TJX held the top spot for being involved in the largest data breach in recent technology history. The TJX Companies Inc. experienced an “unauthorized intrusion” into its computer systems that process and store customer transactions.

The company reported in its SEC filing that 45.7 million credit and debit card numbers were hacked. Apparently, the break-in began in July 2005. In October 2007, court filings in a case brought by banks against TJX say the actual number of accounts affected by the thefts topped 94 million. Breach costs have been estimated at $216 million.

U.S. Military Veterans

  • Date of Breach: October 2, 2009
  • Number of Records: 76 Million

The agency sent a defective hard drive back to its vendor for repair and recycling without first destroying the sensitive data on it, including millions of Social Security numbers dating to 1972.

Heartland Payment Systems

  • Date of Breach: January 20, 2009
  • Number of Records: More than 130 million credit and debit card numbers from Heartland and Hannaford combined.

Heartland Payment Systems represents the largest data breach in history, as malicious software compromised card data across the company network.

Last August, Albert “Segvec” Gonzalez was indicted by a federal grand jury in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland Payment Systems.

Gonzalez was also involved in the 2007 Hannaford data breach and is awaiting trial on the TJX hack as well. (Additional Source: Wired)

Concluding Thoughts

All in all, over 340 million records containing sensitive personal information have been involved in security breaches in the U.S. since 2005. Unfortunately, the number will certainly increase as the years roll on.

This post was written using information from the Privacy Rights Clearinghouse and sources cited above. Make sure to check the Privacy Rights Clearinghouse site or applicable company web pages if you’ve been affected by a data breach and need more information.