Ten of the Most Embarrassing Data Breaches


I gathered some notable data breaches in preparation for my presentation on the Massachusetts Data Privacy Law as part of my webinar on Wednesday: Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17. If you wondered why there are so many state laws on data breaches, just take a look at some of these embarrassing data breaches.

Royal Navy

Imagine losing information on everyone who had applied to join the armed forces including passport numbers, medical histories, and bank details. Of course, it was not encrypted. It was just sitting in a laptop in the back of a car. That’s what happened Jan. 9, 2008, in Birmingham, U.K., when a Royal Navy Officer left the laptop in his car and it was promptly stolen.

BBC: Police probe theft of MoD laptop

UK’s Child Benefits Records

Her Majesty’s Revenue and Customs sent discs containing the entire child benefit database unregistered and unencrypted to the National Audit Office. There was no evidence that the discs fell into the wrong hands, but millions of families were told to be on alert for attempts to fraudulently use their details, which include addresses, bank account and National Insurance numbers, as well as children’s names and dates of birth.

BBC: Discs ‘worth £1.5bn’ to criminals

Veterans Affairs

The computer and hard drive were stolen from the home of an employee of the Department of Veterans Affairs. They contained details on no fewer than 26.5 million veterans. The laptop was stolen May 3rd and turned up two months later on the black market only four miles away. The purchaser bought both the laptop and the hard drive off the back of a truck.

New York Times: V.A. Laptop Is Recovered, Its Data Intact


TJX

The retailer had over 45 million customer records compromised. The current theory is that the thieves sat in the company parking lot and tapped into an unsecured wireless router.

Boston Globe: TJX faces scrutiny by FTC


Ameriprise

Lists containing the personal information of about 230,000 customers and advisers were compromised after a company laptop was stolen from an employee’s parked car. The laptop contained a list of reassigned customer accounts that were unencrypted.

New York Times: Ameriprise Says Stolen Laptop Had Data on 230,000 People


VeriSign

Digital certificate issuing company VeriSign suffered a data breach when an employee’s laptop was stolen from their car last month. The laptop contained names, social security numbers, dates of birth, salary details, phone numbers and addresses of VeriSign employees.

The Gap

A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. was stolen. The laptop was stolen from the offices of a third-party vendor the Gap hired to manage applicant data.

The Register: Data for 800,000 job applicants stolen

Boston Globe

Instead of reporting on data breaches, the Boston Globe and The Worcester Telegram & Gazette suffered their own credit card breach. The credit card information for as many as 240,000 subscribers might have been inadvertently released.

The New York Times: Credit Data Breach at Two Newspapers

Hannaford Supermarkets

Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.’s supermarkets enabled a massive data breach that compromised up to 4.2 million credit and debit cards.

Forbes: Malware cited in supermarket data breach


IBM

A vendor lost tapes containing sensitive information on IBM employees, including dates of birth, Social Security numbers, and addresses. Some of the tapes were not encrypted.

InfoWorld: IBM contractor loses employee data

Any others that you think should be on this list? Join the webinar and let us know.

Image is by d70focus: Credit Card Theft http://www.flickr.com/photos/23905174@N00/ / CC BY 2.0

7 Responses to Ten of the Most Embarrassing Data Breaches

  1. Golde July 28, 2009 at 2:38 pm #

    Let’s not forget the “what were they thinking” paper breaches with boxes of government documents left next to dumpsters waiting to be picked up, in an open parking lot.

  2. Mike Mintz July 28, 2009 at 10:25 pm #

    Is TJX still the biggest credit card breach at 100 million? I read this article in Computer World that Heartland may have displaced that title:


    • Doug Cornelius July 29, 2009 at 7:27 am #

      I have not been tracking by size. There are too many. I think Heartland is currently the largest.

  3. Sheila H July 29, 2009 at 6:53 pm #

    Some of these are older (the Verisign laptop thing was in 2007, not last month) but this is a better roundup than a few others I’ve seen this week. I totally forgot about the Gap one…and my cousin was actually victimized in the TJX hit (with those numbers I’m guessing a lot of cousins probably were).

    Also, don’t forget about the HP/Symantec laptop thefts, or the FAA breach:

    I was also reading about the network solution credit card data loss earlier this week.

