The worst data breach incidents of 2013

These businesses and government agencies lost the most personal and financial records due to hackers or security mishaps last year

In 2013, according to the Identity Theft Resource Center, which tracks such incidents, there were 619 known data breaches nationally across the business, healthcare, educational and government sectors, in which about 57.9 million records related to personal and financial data were stolen or spilled due to security failures. Here are the 26 absolute worst data breaches of 2013 in terms of sheer numbers.

#1: Facebook

In June, Facebook disclosed that an estimated 6 million Facebook users had e-mail addresses or telephone numbers shared with others due to a software bug in the “Download Your Information” feature. The bug was found by a security researcher and reported to Facebook, which fixed it.

#2: Target Corp.

The retail store chain acknowledged that up to 40 million customer payment cards were compromised in a data breach that occurred in the busy Thanksgiving shopping period.

#3: Adobe

Adobe said attacks dating to at least August had exposed user IDs, passwords and credit-card information (stored in encrypted form) on about 2.9 million customers.

#4: Maricopa County Community College District

The Arizona college district acknowledged 2.5 million records on individuals were exposed in a November data breach.

#5: Schnucks

2.4 million customer payment cards were grabbed in what the Schnucks grocery store chain describes as a “cyberattack.” In April, Schnuck Markets said a hacker managed to break in and access the credit card numbers and expiration dates of more than 2 million customers in the St. Louis area, though not their names and addresses. The company CEO, Scott Schnuck, apologized.

#6: Administrative Office of the Courts in Washington state

Hackers accessed AOC’s servers to grab copies of up to 160,000 Social Security numbers and 1 million driver’s licenses.

#7: CorporateCarOnline

A hacker break-in exposed personal and financial information on more than 850,000 customers using this limousine and Town car service.

#8: Horizon Blue Cross Blue Shield of New Jersey

The insurance provider acknowledged two laptop computers were stolen containing 839,711 customer records.

#9: Adventist Health System/Sunbelt

Adventist Health System/Sunbelt in Altamonte Springs, Fla., was hit by a class-action lawsuit for allegedly failing to protect the health database information of more than 763,000 patients after a former emergency room employee at its Celebration, Fla., location was found selling patient data in a scheme that ran from 2009 to 2011. This year Dale Monroe II pled guilty to selling information on car-accident patients to a co-conspirator who used it to solicit legal and chiropractor services.

#10: JP Morgan Chase & Co. in New York

The financial services firm said a cyberattack resulted in the compromise of personal information about almost half a million corporate and government clients who held prepaid cash cards issued by JP Morgan Chase.

#11: AMHC Healthcare

AMHC Healthcare in California disclosed that protected health information on about 729,000 patients was compromised due to the theft of two laptops from an office.

#12: Cbr Systems

The cord-blood bank agreed to settle Federal Trade Commission charges it failed to protect customer data due to inadequate security that exposed Social Security and credit-card information on 300,000 people.

#13: Affinity Gaming

Affinity Gaming, owner of Rail City casino and other casinos in Nevada, admitted about 280,000 customer payment cards were compromised in a security breach involving a malware-infected computer system. The company learned of the breach when it was notified by law enforcement.

#14: Texas Health Harris Methodist Hospital

Data on 277,000 former patients in older records turned up in a Dallas park instead of being destroyed by a contractor.

#15: Indiana Family and Social Services

The Indiana state agency inadvertently exposed information related to 187,533 clients in a mailing, apparently due to a computer programming error.

#16: SOS

Travel health and security services company International SOS in November said information on 164,000 people, including their e-mail, passport numbers and travel information, was accessed by an “unauthorized third party.”

#17: Citi of Texas

The bank acknowledged that 150,000 records related to bankruptcies and other legal proceedings were inadvertently exposed.


#18: Virginia Polytechnic Institute & State University

The university, known as Virginia Tech, disclosed a breach that exposed about 145,000 records of people who had applied for jobs over the past decade.

#19: TerraCom – Your Tel (lifeline)

In May, Oklahoma City-based wireless companies TerraCom and YourTel America accused media company Scripps Howard and Scripps Howard News Service journalists of somehow illegally accessing records on about 150,000 prospective customers from a third-party vendor as part of the Scripps investigative report “Privacy on the Line,” but Scripps denied the charges. TerraCom and YourTel have acknowledged a data breach.

#20: Dept. of Social Services, state of California

Hackers compromised the personal data of an estimated 144,493 California residents in a computer attack on the state agency for social services.

#21: Kirkwood Community College

The Iowa-based college said hackers broke into its website and accessed a database with about 125,000 names of applicants along with Social Security numbers and other personal information.

#22: St. Mary’s Bank

This New Hampshire-based credit union acknowledged malware on its workstations compromised information related to a potential 115,775 banking customers.

#23: Central Hudson Gas & Electric Corp.

The New York State-based utility said it believed information on about 110,000 customers may have been impacted in a cyberattack.

#24: Crescent Healthcare

This Walgreens company based in Anaheim notified patients and employees of a data breach that impacted 109,000 records.

#25: Dept. of Energy

The federal agency disclosed that data on 104,179 employees was compromised in a cyber-security incident in July.

#26: The IRS

The U.S. Internal Revenue Service mistakenly posted tens of thousands of names, addresses and Social Security numbers (perhaps as many as 100,000) on a government website, a discovery made in July by a group called Public.Resource.org.