First, a little history about the competition: In 2005, the Open Security Foundation launched the Oldest Vulnerability contest for one of our other projects, the Open Source Vulnerability Database, and from it came vulnerabilities dating back as far as 1965.

The winner, Ryan Russell, found a password file disclosure vulnerability from January of 1965, and helped OSVDB nail down several other old vulnerabilities. That contest resurfaced in our memories recently, and we've decided to do the same thing for DataLossDB.

What is the oldest documented data loss? As far as what is currently in DataLossDB, it is from January 10, 2000 when a hacker claimed to have stolen 300,000 credit card numbers from CD Universe.

We believe there are plenty of data loss incidents that happened prior to CD Universe. Does anyone have an older incident they can submit to DataLossDB? We want it, and we'll reward you for it!

Find us the oldest documented Data Loss Incident. The oldest three submissions will receive prizes from our wonderful sponsors. In addition, you'll be able to bask in the fame of being the researcher, or Data Loss Archeologist, who uncovered the oldest documented Data Loss Incident.

Incidents submitted don't have to be older than the CD Universe breach. For instance, the oldest Stolen Computer breach in the database occured in 2003. So, submit what you find! You might find the oldest stolen laptop breach, or the oldest accidental web exposure breach.


Submissions will be accepted starting at midnight CST, April 1st, 2009 through 11:59pm CST, May 15th, 2009.

DataLossDB Curators and their families, as well as the employees of contest sponsors and their families may participate, but are not eligible to receive prizes or placement.

Incidents must be submitted according to the participation guidelines.

The incidents submitted must be specific and we need to have sources that can be referenced. If you cannot provide an online reference then it is acceptable to scan/email or fax us the primary source. Be aware that we will painstakingly verify the authenticity of anything mailed/emailed/faxed to us, and it is at the discretion of the Open Security Foundation's to reject any primary source that is deemed suspicious.

Small or relatively minor cases of identity theft do not qualify for inclusion. The event submitted must have affected more than 10 individuals.

Incidents must have resulted in a breach of Personally Identifiable Information (PII). Specifically, incidents must have resulted in the loss of one or more of the below:

  • Social Security Numbers (or National ID)
  • Credit Card Numbers
  • Bank Account Numbers
  • Medical Records

An organization must have been the steward of the data lost. Purse snatchings, and other personal effect thefts, as a result, are ineligible. Stolen laptops or lost tapes are eligible, as the organization that owned the laptops or tapes should have physically secured them. If you are unsure that your incident qualifies please contact [email protected].

You may submit as many entries as you can find. If more than one entry of the same incident is submitted, the researcher that submitted first will be credited with the incident.

Lastly, as always.... it must pass the general 'BS' test. If our cynical minds detect shenanigans, it doesn't count. The Open Security Foundation is the judge and jury in the contest, and we reserve the right to refuse any entry that we feel does not meet our standards for inclusion in the DataLossDB project.

Winners will be determined and announced on June 1st, 2009. Prizes will be mailed out before July 1st, 2009

Prizes are not redeemable for cash. No substitution, transfer or assignment of prize permitted, except that Sponsor reserves the right to substitute a prize of equal or greater value if advertised prize is not available. All taxes, shipping costs, insurance and any other costs not stated herein are the responsibility of the winners.

All taxes, custom duties and any such expenses shall be the sole responsibility of the prize winners.

The names of the winners will be posted on this website.

All Federal, State, and Local laws supercede this agreement.


Conduct your own research and find an old data loss incident that is not already in the database.

Create an account on DataLossDB.org by filling out the form on the signup page. This is an important step as all submissions must be done while logged in to DataLossDB.org. Anonymous submissions will not be eligible for this competition for obvious reasons.

To facilitate tracking and judging, all submissions for this contest must be done via the following contest link:

Oldest Data Loss Incident Submissions

After visiting the contest link, you will then need to enter in all the information about the incident for your entry. Please include as much information as possible, and be sure to include references!

It may make sense for participants to bookmark the above link. Submissions that did not come from the above link may not qualify for the competition.


The first 85 approved submissions will receive a Wireless Mouse, generously contributed by Arcsight, as well as some stickers from OSF.

First Prize

Second Prize

Third Prize

The Sponsors

ArcSight is a leading provider of security and compliance management solutions that intelligently identify and mitigate business risk for enterprises, MSSPs and government agencies. Designed with the needs of highly complex, geographically dispersed and heterogeneous business and technology infrastructures in mind, ArcSight provides the industry's only vendor-neutral solution for intelligent identification, prioritization and network response to external security attacks, insider threats and compliance breaches.

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions. Every day our patented data-centric, policy-based, centrally-managed software protects the data on over 5 million devices worldwide to ensure security compliance, protect brands and enhance IT and end-user productivity. Learn more about intelligent data security for privacy compliance and avoid the damaging impact of security breaches.

Protection, Recovery, Trust. The must-have, essential tools needed to fight identity theft. It’s ideal for anyone looking for core identity theft protection.

StrikeForce Technologies is a leading provider that Specializes in Identity Theft Online solutions for consumers, industry and government. By leveraging StrikeForce's breakthrough technologies, consumers and organizations can finally secure their electronic assets while protecting their employees, business partners, suppliers and customers from malicious hacking and online theft.

When your network security technology fails where can you turn? TechShield offers comprehensive privacy and data security insurance products and risk management services to companies that use networked systems, electronic communications and ecommerce. TechShield is brought to you by Aon (NYSE: AOC), the leading global provider of risk management, insurance and reinsurance brokerage and human capital consulting.


Sponsored By: Rbs Zecurion
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2014, Open Security Foundation, All Rights Reserved.