Mar 11, 2024

Data Breach Lawsuits and Information: A Roundup

Data Breach Lawsuits and Information: A Roundup - chip

Our attorneys at Morgan & Morgan are investigating potential class action lawsuits on behalf of consumers whose information was stolen as a result of a data breach. Over the past decade, there have been hundreds of breaches in which consumers’ and employees’ social security numbers, financial information and other personal data was stolen.

When a company fails to exercise reasonable care in protecting their customers’ information and a data breach occurs as a result, those affected by the breach may be able to join together and file a class action suit against the company.

At Morgan & Morgan, our attorneys are dedicated to helping consumers who suffered financial and reputational harm file lawsuits against the companies subject to these invasive data breaches. If your credit card information, social security number or other private information was stolen as a result of a data breach, our attorneys at Morgan & Morgan would like to hear from you. For a free consultation, complete our free, no-obligation case review today.

What Can a Lawyer Do?

  • Determine if the merchant negligently failed to adopt safeguards that would have prevented the data breach from occurring, such as encrypting personal information belonging to customers.
  • Determine if the merchant notified customers as soon as possible after it learned of the data breach.
  • Work with local, state, and federal authorities, including the Federal Trade Commission.
  • Obtain a complete list of all the individuals affected by the data breach.
  • Review the company’s policies and procedures or user agreements with its customers to determine if the company violated its own policies and procedures.
  • Compare the company’s policies and procedures to commonly accepted and widely practiced industry standards.
  • Determine if any state laws have been violated. For example, Florida has a state law that requires companies that have been victims of data theft to report the breach to any customers whose data was stolen within 45 days following the discovery of the breach.

Determine the Amount of Damages You Suffered

Our attorneys can also help determine the damages you incurred as a result of the data breach and seek compensation for these losses. These damages may include the following:

  • Unreimbursed cost of replacing credit and debit cards, obtaining credit reports and credit insurance.
  • Service fees charged by companies that will help secure personal information and monitor your accounts to make sure fraudulent activity is not occurring.
  • Expenses associated with correcting erroneous information.
  • Any out-of-pocket expenses you incur as a result of the data breach.

File a Lawsuit Against the Liable Parties

Our attorneys will help you determine whether you can take legal action over the breach. In most cases, data breach lawsuits are handled as class actions, in which a single plaintiff or a small number of plaintiffs file a lawsuit on behalf of all individuals who have suffered a similar harm. Numerous high-profile class action lawsuits have been filed against Yahoo! and also Target, Neiman Marcus, Michaels Stores and other retailers who allegedly did not take adequate measures to protect their customers’ credit and debit card information.

Help For Identity Theft

According to the Department of Justice, “identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain.” The Privacy Rights Clearinghouse has a checklist of what to do if you have been a victim of identity theft.

While hundreds of data breaches have been reported in recent years, below are some of the largest and most influential attacks that took place within the last nine years.

2015

CareFirst BlueCross BlueShield

CareFirst BlueCross BlueShield announced that the data of 1.1 million current and former members was stolen by hackers during a data breach that occurred in June 2014. According to a statement issued by the company, the hackers stole members’ names, website user names, birth dates, email addresses and subscriber identification numbers. Fortunately, medical information, passwords, Social Security numbers and credit card data was not stolen in the breach, the company said. The cyberattack was discovered when, in the wake of large data breaches at insurance companies Anthem Inc. and Premera BlueCross BlueShield, CareFirst hired cyber security firm Mandiant to look into the vulnerability of its information technology systems.

Premera Blue Cross

In what the company described as a “sophisticated cyberattack,” health insurer Premera Blue Cross disclosed on March 17 that as many as 11 million customers may have had their personal and medical information compromised in a data breach. In a press release, Premera said the cyber criminals may have accessed members’ and applicants’ names, birth dates, email and home addresses, phone numbers, Social Security numbers, member identification information, bank account data and claims information. Additionally, Premera said that although the data breach was only discovered on January 29, it is believed the attack occurred on May 5, 2014. At this time, the company has no explanation as to why it had not disclosed the data breach publicly—much less to its members and applicants—sooner. Premera will notify its customers and offer two years of free credit and identify theft monitoring services.

Mandarin Oriental Hotel Group

In early March 2015, high-end hotel chain Mandarin Oriental Hotel Group publicly confirmed its hotels had been hit by a data breach. In step with other recent cyber thefts, the company said the breach was brought to light after financial institutions noticed a pattern of fraud on the credit cards of customers who had all recently stayed at Mandarin hotels. The company has not yet specified how many of its more than two dozen worldwide locations were hit. According to cyber security expert Brian Krebs, however, sources within the banking industry say the breach “almost certainly” affected most if not all of Mandarin’s U.S. hotels in locations, which include Boston, Florida, New York, Washington D.C., Miami and Las Vegas. According to Krebs’ sources, the cyber attack most likely occurred just before Christmas 2014. Krebs speculated that customers’ information may have been stolen from compromised payment terminals not at front desk systems, but from pay stations at “restaurants and other businesses located inside of these hotels.”

Anthem Inc.

It was reported in early February 2015 that as many as 80 million customers of Anthem Inc., the second-largest health insurance provider in the U.S., had their account information stolen in a “very sophisticated external cyber attack.” According to reports, cyber criminals accessed Anthem’s systems and stole customers’ names, birthdays, Social Security numbers, street and email addresses, income data, and employment information. Though Anthem, in a statement, said their affected database contained information for 80 million people, the company said it’s “still investigating to determine how many people were impacted.” Fortunately, according to Anthem, it appears no actual medical information was stolen, thereby keeping this data breach out of the jurisdiction of the 1996 Health Insurance Portability and Accountability Act (HIPAA). Additionally, the company said no customer credit card information was compromised either. While the FBI investigates the data breach, Anthem has created a website{: target="_blank"} where customers can learn more about the cyber attack.

2014

Chick-Fil-A

According to online security experts, several American financial institutions have reported{: target="_blank"} a string of credit card fraud that was traced back to accounts used by customers at a number of Chick-Fil-A’s 1,850 fast food restaurants throughout the country. Though rumors of a Chick-Fil-A data breach began percolating in November 2014, a breach at an “unnamed retailer,” which reportedly lasted from December 2, 2013 until September 30, 2014, was not confirmed until credit card associations sent an alert to major financial institutions shortly before Christmas. It was then that one unidentified bank said that nearly 9,000 of its customers’ accounts were included in the aforementioned alert, and the only common point-of-purchase between the accounts was Chick-Fil-A restaurants. An anonymous banking source, who spoke to Brian Krebs in December, said Chick-Fil-A locations across the country—the restaurant has locations in 41 states—saw customers’ accounts hit, but the bulk of the hack seems to have compromised cards used in Georgia, Maryland, Pennsylvania, Texas and Virginia. As more information trickles out, Chick-Fil-A acknowledged they’ve received reports from financial institutions about a possible data breach at its point-of-sale systems and is working with online security firms and law enforcement to investigate.

Kmart

In October 2014, Kmart confirmed that its payment systems were breached and that hackers gained access to a number of shoppers’ payment card information. In a statement{: target="_blank"}, Kmart said that shoppers who used their debit or credit cards at the retailer between the beginning of September and the first week of October may have had their card numbers stolen; however, other sensitive information, including debit card PIN numbers, email addresses and social security numbers, was not accessed during the breach. Kmart reportedly told Krebs on Security{: target="_blank"} that hackers installed malicious software in the company’s point of sale systems to gain access to payment card data when shoppers’ cards were swiped, which allows thieves to create counterfeit copies of stolen cards. Following the breach, Kmart urged shoppers to actively monitor their bank account statements for any signs of fraudulent charges and said that it is offering one year of free credit monitoring protection to affected customers.

Park-n-Fly

According to online data security expert Brian Krebs, numerous banks have reported{: target="_blank"} a pattern of fraud that would suggest Park-n-Fly, an offsite airport parking service, is the latest victim of a credit card data breach. Following Krebs’ report, the Atlanta company, which allows users to reserve parking spots online before they travel, said they’ve been in touch with multiple security firms and have so far been unable to identify any breach of Park-n-Fly’s payment systems. Despite this statement, Krebs reported that two different banks have shared with him information that shows some aspect of Park-n-Fly’s online credit card payment system has been affected by a breach. Specifically, both banks saw “fraud on a significant number of customer cards” used to make parking spot reservations at more than 50 Park-n-Fly locations across the country. The details of these potentially affected cards, Krebs continued, were traced by the banks back to a large batch of for-sale stolen card data available on websites that deal with credit card theft and other illegal matters.

Bebe

The women’s clothing retailer Bebe confirmed in early December 2014 that hackers gained access to the store’s payment processing system and stole a number of customers’ credit and debit card information.  Bebe said that customers who used credit or debit cards in its stores throughout the United States, Puerto Rico and the U.S. Virgin Islands between November 8 and November 26, 2014 may be affected by the breach. In addition to obtaining account numbers, the retailer said that hackers may have also accessed cardholder names and payment card expiration dates and verification codes. While Bebe said that it has since worked with a computer security firm to stop the attack from continuing, the retailer encouraged customers to review their bank account and credit card statements for fraudulent charges.

Staples

Staples Inc. announced on October 21 that it is investigating “a potential issue” involving customers’ credit card data after several banks reported a pattern of fraudulent credit and debit activity. According to anonymous sources at these banks, this may indicate that the payment systems at several of the office supply retailer’s east coast locations had been breached by malware. Brian Krebs, who first reported{: target="_blank"} the possible data breach on his website, said that sources at numerous banks said it appears hackers successfully stole customer data from seven Staples locations in Pennsylvania, at least three in New York City, and one in New Jersey. It’s important to note, however, that the fraudulent charges picked up by the banks are believed to have occurred at other businesses, such as supermarkets and other retailers, and not necessarily at Staples stores. According to Krebs, this suggests the cash registers at certain Staples locations may have been attacked by malware that allowed the hackers to create counterfeit copies of credit and debit cards swiped at the compromised payment terminals. Staples is reportedly working closely with law enforcement in investigating the possible data breach.

Update: On December 19—nearly two months to the day after the company announced its October data breach—Staples released a list of every store that may have had customers’ credit and debit information compromised, mentioning specifically that as many as 1.16 million cards may have been affected. According to the company, malware infected checkout stations at 115 of its 1,400 stores. Though locations across the country were affected by the breach, California (16 stores), Florida (16 stores), New York (11 stores) and Pennsylvania (11 stores) were hit the hardest.

Despite only alerting the public to the breach in October, Staples says it began removing the harmful software sometime in September, and shoppers who made purchases at the store as far back as July may have had their personal information compromised and should be especially vigilant of their account activity.

Jimmy John's

Nearly two months after the company began its investigation on July 30, sandwich restaurant chain Jimmy John’s announced a potential data breach may have compromised customers’ credit and debit card information at 216 of its stores and franchised locations. According to the company, a hacker stole log-in credentials from a vendor and used this information to remotely access point-of-sale systems at certain corporate and franchised stores between June 16 and September 5, 2014. It is believed, the company continued, that more than 12 of the affected Jimmy John’s locations are in the Chicago area. Furthermore, Jimmy John’s noted potentially stolen customer information may include credit and debit card numbers, verification codes, expiration dates, and, in some instances, cardholders’ names. According to the company’s statement, only cards swiped in-store are believed to be affected, not those entered manually or online.

Jewel-Osco

For the second time in roughly two months, Jewel-Osco stores were hit with a data breach. Though this latest malware attack is believed to have affected all Jewel-Osco stores—and is related to the latest attack on SuperValu stores—its parent company, AB Acquisition, said that customers in Illinois, Indiana and Iowa should be particularly vigilant in monitoring their bank and credit card accounts for suspicious activity. At the time of its announcement, AB Acquisition could not confirm how many people’s information may have been compromised. Reports have speculated the malware used by hackers in this latest attack is different than that used in the previous data breach that was announced in mid-August. As with most data breaches, it is believed the new malware may have compromised customers’ names, account numbers, card expiration dates, and other information. Jewel-Osco representatives have yet to determine if any cardholder data was indeed stolen, adding that there is no evidence that any of the data was misused, or if especially sensitive information, such as birthdays and Social Security numbers, was taken.

Viator

Viator, the tours and activities planning website purchased earlier in 2014 by TripAdvisor, has announced that a massive data breach affecting its desktop and mobile web properties may have compromised the credit and debit card data, email addresses, and other personal information of 1.4 million customers. The company said it became aware of the security attack in early September and posted a press release online on September 19 alerting its customers to the breach. According to Viator, the company suspected it was being targeted by hackers when it noticed multiple instances of unauthorized charges appearing on customers’ payment cards. Though law enforcement and forensic investigators have not yet publicized all the details of the data breach, Viator believes customers’ physical addresses; encrypted debit and credit card numbers, including the cards’ expiration dates; email addresses; and specific Viator account information may have been compromised.

Home Depot

Home Depot worked with banks and law enforcement to investigate a potential data breach that may have allowed hackers to gain access to customers’ debit and credit card information since at least May 2014. The company’s investigation came after Krebs on Security{: target="_blank"} – the same site that broke the news of the infamous Target data breach – reported that multiple banks witnessed suspicious activity on the accounts of customers who recently shopped at the home improvement store. It is still unclear how many customers may have been affected by the potential breach; however, Krebs reported that a “preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States.”

Update: Our attorneys have filed a class action lawsuit against Home Depot over its 2014 data breach. Click here to learn more about the lawsuit.

J.P. Morgan and others

In August 2014, Russian hackers stole gigabytes of customer data from the software systems of several U.S. banks, including J.P. Morgan Chase, the largest bank in America. While it is still unknown whether customers’ credit card numbers and other sensitive information may have been obtained, those briefed on the attack said that stolen account information could ultimately be used to drain these banks’ funds. Security experts suspect that the attack was the work of sophisticated hackers because the stolen data was protected under elaborate layers of security. A spokeswoman for J.P. Morgan Chase said that the bank has not noticed unusual levels of fraud following the attack, but that the bank has taken additional steps to prevent similar attacks and will be contacting any potentially affected customers.

Update: On October 2, J.P. Morgan Chase, the largest U.S. bank in terms of assets, announced that around 76 million households and seven million small business account holders — a number the New York Times says{: target="_blank"} smashes previous estimates by the bank—were affected by the massive cyber attack that occurred over the summer, making it one of the largest data breaches in history. Reports of the attack, which the Wall Street Journal described{: target="_blank"} as one of the “most sweeping disclosed breaches of a financial institution,” say the unknown hackers stole sensitive customer information, including names, email addresses, phone numbers, and home addresses. The breach allegedly affects the bulk of the bank’s customer base, an amount of people the Wall Street Journal says is equivalent to two-thirds of all American households. Perhaps most importantly, though, the bank said more detailed information— account numbers, passwords, Social Security numbers and dates of birth—were not stolen by the hackers, and that customers’ money is “safe.”

UPS Stores, Inc.

In late August, 2014, UPS Stores, Inc. announced the computer systems at 51 of its nearly 4,500 locations across the country were hit with a computer virus that potentially compromised the personal information of millions of customers. According to reports, the company was first tipped off to the threat of malware by a government bulletin. The data breach was discovered only after UPS retained an independent IT company to assess the security of its computer systems, at which time the same malware was discovered in its systems. The breach, which UPS believes occurred between January 20 and August 11, targeted customers’ names, mailing addresses and credit and debit card payment information.

Community Health Systems

On Monday, August 18, Community Health Systems announced that the data of 4.5 million patients had been stolen in a massive security breach believed to have perpetrated by hackers in China. According to reports, the compromised patient data includes names, Social Security and telephone numbers, birthdays, and addresses. It is believed, however, that no information related to patients’ credit card accounts or medical histories, such as operations or other procedures, was stolen in the breach. The company, which operates more than 200 hospital facilities across the United States, said that anyone who has been treated at a doctor’s office tied to the Community Health Systems network, as well as anyone who may have been so much as referred to their network by an outside physician, is affected by the breach.

SuperValu Supermarkets

In late summer 2014, the SuperValu grocery store chain announced it would be working with law enforcement agencies and major credit card companies to investigate a potential data breach believed to have taken place between June 22 and July 17. According to reports, the breach targeted the financial information of customers who paid for goods with their credit or debit cards at point-of-sale systems inside one of SuperValu’s more than 3,700 food and liquor stores.

Update: On September 29, 2014, SuperValu announced customers’ financial information was once again compromised. The company believes a lone hacker installed malware on the computer systems in some Albertsons stores, as well as others, that allowed him or her to gain access to customers’ sensitive information. This may include credit and debit card account numbers, expiration dates, and other information processed in the stores’ checkout lanes from August 27 to September 1. SuperValu said it does not yet know if any data was stolen; however, the company speculated that systems put in place after its first data breach may have minimized any potential damage. Some stores, the company said, namely four Cub Food stores throughout Minnesota, were particularly vulnerable to the breach because security upgrades had not been completed. According to reports, data from Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah was possibly compromised. Other stores potentially affected include ACME stores in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.

AT&T

Though details of the cyber attack were not shared by the company until late July, AT&T said employees of a third-party vendor posing as customers gained access to codes that would unlock U.S. smartphones from the company's network so that the phones could be sold on the secondary market overseas. The company said it does not believe the hackers were after customers’ financial and credit card accounts, but did say Social Security numbers and phone records may have been compromised. AT&T did not share how many customers it believes could have been affected by the hackers when it finally disclosed of the breach; however, California law requires companies to disclose data breaches to state regulators if it is believed at least 500 customers may have been impacted.

P.F. Chang's

Following reports that data from thousands of payment cards listed for sale on an underground online shop were all recently used at P.F. Chang’s, the Chinese-food restaurant chain announced it is investigating whether it was the victim of a security breach. According to reports, banks have confirmed that many of the stolen cards had been used between the beginning of March 2014 and May 19, 2014 at P.F. Chang’s locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina. The restaurant is now working with law enforcement authorities to further investigate these claims.

Lowe's

Lowe’s sent notification letters{: target="_blank"} to 35,000 delivery drivers and other employees after discovering that a third-party vendor running its E-DriverFile computer system mistakenly backed up files containing employee information to an unsecure server that could be accessed from the Internet. According to the home-improvement retailer, E-DriverFile contained Social Security numbers, driver’s license numbers, names, addresses and dates of birth for system administrators and Lowe’s vehicle drivers, and this information may have been accessed between July 2013 and April 2014. While Lowe’s said that it has not found any evidence of this information being misused, the company is offering complimentary credit protection services for its employees and is encouraging them to monitor their accounts for any traces of fraud.

eBay

Between late February and early March 2014, hackers gained access to eBay’s corporate network, compromising users’ encrypted passwords, e-mail addresses, home addresses, names, phone numbers and dates of birth. In a press release, the company said that it would be contacting its users about the “cyberattack,” urging them to change their passwords. The company also encouraged users who have the same password for multiple websites to change that information, too, because hackers may attempt to use the same passwords elsewhere. According to eBay, PayPal users’ financial and credit card information was stored in a separate database that was not affected by the breach.

Kaiser Permanente

In April 2014, Kaiser Permanente mailed patients who took part in research studies at its Northern California Division of Research a notice{: target="_blank"} saying that a server containing patients’ information had been infiltrated with malicious software. According to the notice, the server contained patients’ names, addresses, races, medical record numbers and lab results; however, patients’ Social Security Numbers were not included in the data breach. The malicious software was believed to have infected the server in 2011, but Kaiser said that there was no evidence suggesting that the sensitive information had been used or copied from it.

Sally Beauty

Discount cosmetics retailer Sally Beauty originally announced on March 5 that its network had been hacked and that no credit card or customer data appeared to be stolen. On March 17, the company acknowledged that customer data was in fact compromised, but claimed that fewer than 25,000 customers were affected by the data breach. The highly-respected data breach website Krebs on Security{: target="_blank"} believes that the actual number of customers whose credit and debit card information was stolen is at least ten time larger than the company admits and that the hacker was able to steal data from all 2,600+ Sally Beauty locations nationwide.

Michaels Stores, Aaron Brothers

In April 2014, Michaels Stores confirmed that 2.6 million customers shopping at its craft stores and 400,000 shoppers at Aaron Brothers framing stores had their debit or credit card information compromised. According to Michaels, hackers installed malware in the company’s computer system, which gave thieves access to customers’ card numbers and expiration dates; however, the company said that customers’ names, addresses and PINs were not available to the hackers. The malware has since been contained and no longer poses a threat to shoppers, the company said.

Sears Holdings Corp

Sears announced that it is investigating a potential data breach that could possibly affect millions of shoppers. While Sears has not found any evidence of a breach as of yet, the retailer is working with the U.S. Secret Service and Verizon Communications Inc.’s digital forensics unit to review its systems for any traces of hackers.

Yahoo

Criminals may have gained access to website visitors’ credit card numbers, security codes, names, addresses and Social Security numbers, as it has been reported that hackers infiltrated Yahoo’s ads with malware. This malware can provide access to users’ computers, allowing the hackers to record sensitive information users may enter online. Although an official number has not been released, it is estimated that the breach could have affected hundreds of thousands of users who visited the site between December 31, 2013 and January 3, 2014. A spokesperson for Yahoo reportedly said that those in the United States were not likely to be affected by the breach, nor were Mac users or those who accessed the website on a mobile device.

Neiman Marcus

Shoppers at the upscale department store Neiman Marcus and its Last Call outlets stores were the victims of a giant data breach in which checkout terminals were infiltrated with malware. More than 1 million shoppers who visited the stores between July 16 and October 13, 2013 could potentially feel the effects of the attack, in which criminals gained access to customers’ debit and credit card information. Major credit card companies including Visa, MasterCard and Discover have already reported more than 9,000 cases of unauthorized transactions on cards that were used at the luxury retailer during the affected time period.

White Lodging Services Corp. (Holiday Inn, Sheraton, Marriott, Radisson)

White Lodging Services Corp. , which manages certain locations of hotels including the Holiday Inn, Sheraton, Marriott and Radisson, was the victim of a security breach in which criminals stole credit and debit card information from hotel guests making purchases. Those who placed orders at food and beverage outlets in 14 of White Lodging’s locations between March 20 and December 16, 2013 may see fraudulent charges on their debit and credit card statements. While White Lodging Services has not released an estimate on how many records may have been stolen, it has been reported that thousands of accounts have already been used to make unauthorized purchases.

University of Maryland

Those who received identification cards at the University of Maryland since 1998 may be at risk for identity theft after an attack on the college’s database compromised names, Social Security numbers and dates of birth. The university’s College Park and Shady Grove campuses were both affected by the breach, and it is estimated that 300,000 faculty, staff and students affiliated with the university potentially had their personal information stolen.

2013

Target

In one of the largest data breaches ever, millions of Target customers who were holiday shopping between November 27 and December 15, 2013 may have had their debit or credit card information stolen. Target confirmed that malware was installed in checkout terminals in stores across the country and announced that 40 million customers could potentially be affected by the breach; however, reports allege that as many as 110 million shoppers’ bank accounts may have been compromised.

Update: Target has agreed to pay{: target="_blank"} $10 million to settle a class action lawsuit filed over the company’s unprecedented 2013 data breach. Under the proposed settlement, which still needs a judge’s approval, Target will contribute the $10 million into an “interest bearing escrow account” to pay individual data breach victims up to $10,000 in damages. According to reports, the terms of the settlement also call for Target to implement more stringent data security measures, such as appointing a chief information security officer and “maintaining a written information security program.”

Adobe Photoshop, Acrobat, ColdFusion

Customers with Adobe profiles for programs including Photoshop, Acrobat, ColdFusion and ColdFusion Builder may have to watch for fraudulent charges on their credit or debit cards due to a data breach. It has been reported that hackers stole part of the source code belonging to the photo editing software program Photoshop and gained access to payment card information, user IDs and passwords.

Hannaford, Heartland, 7-Eleven, JC Penney

The largest hacking scheme ever prosecuted in the United States involved the theft of more than 160 million credit card numbers used at major corporate networks worldwide. In addition, the data breach put 800,000 bank accounts at risk for unauthorized withdrawals. Shoppers at JC Penney, 7-Eleven, Hannaford, Heartland, JetBlue and NASDAQ may feel the resounding effects of this enormous data breach.

2012

State of Texas

Some Texas residents may have been put at risk for identity theft after criminals gained access to several state databases containing information on those receiving state-funded aid. More than 3.5 million residents who belong to the Teacher Retirement System of Texas, Texas Workforce Commission and Employees Retirement System of Texas may have had their Social Security numbers, names and addresses exposed. The hackers reportedly stole this information from state databases and put it on a public server, unencrypted, for more than a year.

New York State Electric & Gas Company

Nearly 2 million utility customers may have had their Social Security numbers, birth dates and account numbers exposed when an employee gained unauthorized access to databases for the New York State Electric & Gas Company and Rochester Gas and Electric. The utility company has since admitted that lack of proper practices and company systems contributed to the security breach.

Global Payments, Inc.

Global Payments, Inc., the electronic transaction processor for several big name credit card companies, was dropped by Visa after a security breach put 1.5 million customers’ at risk for fraudulent charges. The payment processor said that although credit card numbers had been compromised, hackers may not be able to reproduce the cards because the company does not store CVV codes, the three- or four-digit security codes found on the back of credit cards. In addition to Visa, Global Payments also processes transactions for credit cards including MasterCard, American Express and Discover.

2011

Sony PlayStation and Online Entertainment Networks

Sony suffered from several data breaches in 2011 that potentially affected 100 million customers on several of its networks including PlayStation and Online Entertainment. In the first breach, names and addresses for 77 million Sony PlayStation customers were stolen. The company said that it had not ruled out the potential that these customers’ debit and credit card information may have also been compromised. Two weeks later, hackers gained access to another one of the company’s gaming networks, Online Entertainment, when credit card information for more than 20,000 customers outside of the United States was compromised. Furthermore, the second breach put 25 million customers’ personal information at risk for exposure.

Valve/Steam

The 35 million customers who have accounts with Steam, Valve’s online game download service, may have been put at risk for fraudulent charges on their debit or credit cards after hackers gained access to the company’s database. Valve confirmed that, in addition to payment card information, personal information including billing addresses, usernames and passwords may have been compromised.

Citigroup

Citigroup credit card customers may have seen fraudulent charges on their statements after hackers gained access to the bank’s online account system. More than 360,000 customers may have also had their personal information such as names, account numbers and contact information compromised; however, Citigroup said that the hackers did not gain access to other valuable information that could pose risks of identity theft, such as card expiration dates, security codes or Social Security numbers.

2010

Educational Credit Management Corp

The federal student loan guarantor was hit by a data breach that potentially put more than 3.3 million students nationwide at risk for identity theft. Social Security numbers, dates of birth, names and addresses were compromised, the company confirmed. The company, which stores information on loans issued through the Federal Family Education Loan program, said that personal information was stolen from databases used in hundreds of government agencies, universities and businesses across the country.

AvMed Health Plus

Floridians with AvMed Health Insurance, including current and past subscribers and their dependents, may have been put at risk for identity theft after a massive data breach compromised more than 1.2 million customers’ records. According to the insurance company, two company laptops were stolen, which contained sensitive information including Social Security numbers, addresses, names, and phone numbers. Although it did not mention that credit card information was stolen, the company recommended that clients monitor their bank account charges.

Lincoln Financial Group

Two broker-deal subsidiaries of Lincoln National Corporation – Lincoln Financial Securities and Lincoln Financial Advisors – experienced a data breach that compromised 1.2 million users’ personal information. Hackers reportedly gained access to the Lincoln Financial Group’s portfolio information systems and were able to access over a million customers’ Social Security numbers, account numbers, names and addresses.

2009

US Military

The program responsible for allowing veterans to request copies of their health records and discharge pages, known as eVetRecs, may have exposed records belonging to more than 70 million veterans. The U.S. military said that the system’s hard drive was sent to the manufacturer for repairs, where it was determined that the drive could not be repaired; however, when the manufacturer passed the drive to another firm for recycling, the data was not properly deleted. The hard drive contained Social Security numbers dating back to 1972, which was when the military first began collecting veteran’s personal information.

MasterCard and Visa (Heartland)

The debit and credit card processor Heartland confirmed that thieves had hacked its systems, using malware to steal more than 100 million credit card numbers. After initially receiving reports from Visa and MasterCard regarding suspicious activity on clients’ cards, Heartland determined that criminals had installed malware in the company’s networks sometime during the previous year and had enough information to create counterfeit cards. It is estimated that at least 100 million customers may have been affected.

Oklahoma Department of Human Services

Oklahoma residents receiving state-funded aid may be at risk for identity theft after a company laptop from the Department of Human Services containing citizens’ Social Security numbers was stolen out of an employee’s car. The breach may have exposed the personal information of more than 1 million residents receiving aid from Medicaid, Child Care Assistance, Temporary Assistance to Needy Families, Aid to the Aged, Blind and Disabled and the Supplemental Nutrition Assistance Program.

2008

Starbucks

Nearly 100,000 Starbucks employees may have been put at risk for identity theft after a company laptop containing sensitive employee information was stolen. The company confirmed that sensitive information including Social Security numbers, names and addresses was on the stolen laptop. Several cases of identity theft were reported following the breach.

Hannaford Supermarket Chain

Millions of shoppers’ credit and debit card information was stolen after hackers gained access to the computer network at the Hannaford supermarket chain, which is based in Portland, Maine. The grocery store estimated that 4.2 million customers may have been put at risk for unauthorized charges on their payment cards, as the breach affected Hannaford stores, Sweetbay supermarkets in Florida and other retailers with Hannaford products.

University of Miami

Those who were treated at the University of Miami hospital may have been susceptible to identity theft after computer tapes containing confidential information on 2.1 million patients were stolen from a storage company’s van. The computer tapes contained information including Social Security numbers and health information for anyone who was treated at the hospital or visited the facility since 1999. The university said that 47,000 of these patients may have also had their debit or credit card information stolen.

2007

TJ Maxx, Marshalls, HomeGoods (TJX)

TJX, the parent company of TJ Maxx, Marshalls, and HomeGoods, said that some of its systems containing data for payment cards, checks and returned merchandise had been broken into, putting 45 million credit or debit card holders at risk for unauthorized charges on their accounts. The company said that the ongoing data breach lasted about 18 months, beginning around July 2005 and ending around December 2007. Other stores affected by the breach included HomeGoods and A.J. Wright, as well as stores in Canada and the U.K.

Compass Bank

Those with a Compass Bank debit or credit card needed to closely monitor their account statements after a former programmer for the bank stole a company hard drive containing confidential information. The hacker admitted that he had gained access to customer names, account numbers and passwords, which he used to make about 250 counterfeit debit cards.

Gap

Hundreds of thousands of job applicants who applied for positions at Old Navy, Banana Republic, Gap and Gap Outlet stores between July 2006 and June 2007 had their personal information exposed when a Gap company laptop was stolen. According to Gap, the computer contained Social Security numbers for 800,000 applicants who gave their personal information to the company either online or over the phone when applying for various retail positions.

2006

U.S. Department of Veteran’s Affairs

As many as 28.6 million records held by the U.S. Department of Veteran’s Affairs in Washington, DC were compromised after an employee’s laptop was stolen from his home in Maryland. The computer contained data on all American veterans discharged since 1975 and stored information including Social Security numbers, names, dates of birth, phone numbers and addresses. According to the department, the sensitive information was not encrypted when it was stolen.

Hewlett Packard

Personal information on Hewlett Packard employees was stolen when an employee at Fidelity Investments, which provides services to HP, had his company laptop stolen from an off-site location. Nearly 200,000 current and former HP employees may have been at risk for identity theft, as the laptop contained information including Social Security numbers, names, addresses and dates of birth.

2005

Mastercard (CardSystems Solutions, Inc.)

MasterCard was the first to reveal that an “unauthorized individual” had infiltrated a computer network belonging to its payment processor, CardSystems Solutions. The credit card provider claimed that the hacker may have stolen 40 million credit card numbers, an estimated 14 million of which belong to MasterCard customers; however, Social Security numbers and other sensitive information, such as birth dates, were not compromised by the breach.

Citigroup

When computer tapes containing sensitive information on 3.9 million CitiFinancial customers were stolen, millions of customers were left at risk for fraudulent charges on their accounts. The subsidiary of Citigroup said that the tapes included Social Security numbers, account numbers and payment histories. CitiFinancial said that the tapes were en route to a credit reporting agency when they were picked up by UPS and never seen again.