Ten of the Most Embarrassing Data Breaches


I gathered some notable data breaches in preparation for my presentation on the Massachusetts Data Privacy Law as part of my webinar on Wednesday: Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17. If you wondered why there are so many state laws on data breaches, just take a look at some of these embarrassing data breaches.

Royal Navy

Imagine losing information on everyone who had applied to join the armed forces including passport numbers, medical histories, and bank details. Of course, it was not encrypted. It was just sitting in a laptop in the back of a car. That’s what happened Jan. 9, 2008, in Birmingham, U.K., when a Royal Navy Officer left the laptop in his car and it was promptly stolen.

BBC: Police probe theft of MoD laptop

UK’s Child Benefits Records

Her Majesty’s Revenue and Customs sent discs containing the entire child benefit database unregistered and unencrypted to the National Audit Office. There was no evidence that the discs fell into the wrong hands, but millions of families were told to be on alert for attempts to fraudulently use their details, which include addresses, bank account and National Insurance numbers, as well as children’s names and dates of birth.

BBC: Discs ‘worth £1.5bn’ to criminals

Veteran’s Affairs

The computer and hard drive was stolen from the home of an employee of the Department of Veterans Affairs. It contained details on no less than 26.5 million veterans. The laptop was stolen May 3rd and turned up two months later on the black market only four miles away. The purchaser bought both the laptop and the hard drive off the back of a truck.

New York Times: V.A. Laptop Is Recovered, Its Data Intact


The retailer had over 45 million customer records compromised. The current theory is that the thieves sat in the company parking lot and tapped into an unsecured wireless router.

Boston Globe:  TJX faces scrutiny by FTC


Lists containing the personal information of about 230,000 customers and advisers were compromised after a company laptop was stolen from an employee’s parked car. The laptop contained a list of reassigned customer accounts that were unencrypted.

New York Times: Ameriprise Says Stolen Laptop Had Data on 230,000 People


Digital certificate issuing company VeriSign suffered a data breach when an employee’s laptop was stolen from their car last month. The laptop contained names, social security numbers, dates of birth, salary details, phone numbers and addresses of of VeriSign employees.

The Gap

A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. was stolen. The laptop was stolen from the offices of a third-party vendor the Gap hired to manage applicant data.

The Register: Data for 800,000 job applicants stolen

Boston Globe

Instead of reporting on data breaches, the Boston Globe and The Worcester Telegram & Gazette suffered their own credit card breach.  The credit card information for as many as 240,000 subscribers might have been inadvertently released.

The New York Times: Credit Data Breach at Two Newspapers

Hannaford Supermarkets

Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.’s supermarkets  enabled a massive data breach that compromised up to 4.2 million credit and debit cards.

Forbes: Malware cited in supermarket data breach


A vendor lost lost tapes containing sensitive information on IBM employees. The tapes contained sensitive information including dates of birth, Social Security numbers, and addresses. Some of the tapes were not encrypted

InfoWorld: IBM contractor loses employee data

Any others that you think should be on this list? Join the webinar and let us know.

Image is by d70focus: Credit Card Theft http://www.flickr.com/photos/23905174@N00/ / CC BY 2.0