Worst data breaches of 2014…So far

For the first half of this year that is

The Identity Theft Resource Center, which tracks data breaches, has counted 381 reported breaches and 10.8 million records exposed from the start of the year through June. We identified the worst of these for the first quarter of the year, and now we show you the worst for April through June.

In April, AOL said a cyberattack had compromised customer e-mail accounts, possibly tens of millions of them, and urged AOL users to change their passwords and security questions.

P.F. Chang’s

In June, restaurant chain P.F. Chang’s said that customer debit and credit card numbers had been stolen from stores, adding they learned of it through the Secret Service. The cause, still under investigation, may be malware-infected point of sale terminals; P.F. Chang’s said it was switching to old-fashioned manual processing of customer card information at its restaurants.

Montana Department of Public Health and Human Services

In June the Montana Department of Public Health and Human Services said a department server containing about 1.3 million records on client information, including names, addresses, birth dates, Social Security numbers and clinical information, had been broken into by hackers. It was unclear whether data had been extracted.

Butler University

In June, Butler University in Indiana said personal information related to up to 160,000 students, faculty and alumni was put at risk because of a data breach tied to a suspect in California who had a flash drive with Butler employees’ personal information, including birthdays, Social Security numbers and bank account information.


Long Island, N.Y.-based radiology practice NRAD Medical Associates said it discovered that an employee radiologist had accessed and acquired protected health information from NRAD’s billing systems without authorization. The breach was estimated to be 97,000 records of patient names and addresses, dates of birth, Social Security information, health insurance, and diagnosis information. NRAD’s public statements indicate the employee no longer works there.


An estimated 233,000 records of individuals were compromised, including Social Security numbers and payment information, after hackers exploited a vulnerability in systems belonging to Paytime, Inc., a Pennsylvania payroll company based in Mechanicsville.

EBay in May informed the public that hackers had stolen about 145 million user names and encrypted e-mail addresses from its databases, and recommended that eBay users immediately change their passwords. 

American Express

American Express was informed by the Secret Service that several large files containing personal information amounting to about 76,608 American Express account records were posted on Internet sites by individuals claiming to be associated with the worldwide hacking collective Anonymous. AmEx in June notified California residents of the breach, and said it was working to prevent a similar compromise.


Store chain Lowe’s in May informed about 35,000 current and former employees, mostly drivers, that their personal information had been exposed due to unauthorized access to a third-party vendor’s system. Lowe’s said it learned that “the vendor unintentionally backed up the data to an unsecure computer server accessible from the Internet.”

Veterans of Foreign Wars

The Veterans of Foreign Wars of the U.S. in April notified 55,000 of its veteran members that it learned in April that attackers, possibly from China seeking military information, had gained access to its systems to download tables containing name, address and Social Security numbers. The attack made use of malware such as remote access Trojans, the VFW said.

After months of investigating a data breach of its payment system, Michaels arts and crafts store chain said information on 3 million payment cards from customers was compromised. Plus, at its subsidiary Aaron Brothers art and framing stores, 400,000 customer payment records were compromised.

Iowa State University

Iowa State University in April said about 48,729 records of current and former students were exposed due to a server breach. However, the university also added it believes the primary purpose the attackers had in hacking into the server was to mine bitcoins.

Tufts Health Plan

Massachusetts-based Tufts Health Plan in April notified about 8,830 current and former Tufts Medicare Preferred members that their personal information, including Social Security numbers, was stolen. The company didn’t state the exact cause of the theft, which is under investigation, but said it wasn’t due to external hacking.

Central City Concern

In April, federal law enforcement alerted Portland, Ore.-based Central City Concern, which assists those struggling with homelessness, poverty and drugs, that a former CCC employee had wrongfully copied personal information from what was discovered to be about 17,914 client records in order to try to process fraudulent tax returns in the names of people CCC was trying to help.

Gingerbread Shed

In May, Gingerbread Shed Corp., the marketing, RFID access control and ticketing software company based in Tempe, Ariz., notified about 50,000 customers that an unauthorized third party obtained access to information about them, including names, telephone numbers, e-mail addresses, credit-card information and the user names and passwords for the company’s website accounts.

Home Depot

In May, Home Depot said an employee with authorized access to its computer systems had gotten hold of 30,000 records on customer information associated with the tool-rental area and had provided some of it to unidentified third parties. That information included name, address, phone number, birth date, card brand, card account number and card expiration date.

Union Labor Life Insurance Company

Union Labor Life Insurance Company in Maryland in June disclosed that 46,771 people’s personal information may have been exposed when a laptop was stolen from the company’s offices in Silver Spring, Md.

Copyright © 2014 IDG Communications, Inc.