Chronology of Data Breaches

Transcription

Published on Privacy Rights Clearinghouse (http://www.privacyrights.org)
Today's Date: Aug 04, 2010
Source URL (retrieved on 2010-08-04 04:30 ): http://www.privacyrights.org/data-breach
Security Breaches 2005-Present
Posted Date: April 20, 2005
Updated Date: August 3, 2010
Save or Print PDF of Entire Breach List [1] (* Including introduction.) Save or Print PDF
If you do not have access to PDF, print Chronology in landscape view.
Skip the introductory text and go directly to the listing
[3]
What does the Chronology of Data Breaches contain?
What does the Total Number indicate?
(* Select filters.)
of data breaches below.
[4]
[5]
Is the Chronology of Data Breaches a complete listing of all breaches?
Are there state-specific breach listings?
How often is the Chronology updated?
[2]
[6]
[7]
[8]
Where do you obtain information about the data breaches that are reported on this Web page?
What should I do if my personal information has been compromised in a data breach?
[9]
[10]
Are there resources for businesses and other organizations on how to avoid having sensitive data breached?
What should I do if my business or organization experiences a security breach?
[11]
[12]
Do states have laws that require those entities that experience a data breach to notify the affected individuals?
[13]
Which states have laws that require breached organizations to report breaches and submit notice letters to a central
clearinghouse? [14]
Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have
any analyses of security breach laws been published? [15]
Are there other resources with additional information about security breaches?
[16]
Go directly to the listing of data breaches [3]
What does the Chronology of Data Breaches contain?
The data breaches noted below [3] have been reported because the personal information compromised includes data elements
useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches that
do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches.
However, we have not included the number of records involved in such breaches in the total because we want this compilation to
reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. The
breaches posted below include only those reported in the United States. They do not include incidents in other countries.
What does the Total Number indicate?
The running total [17] we maintain at the end of the Chronology represents the approximate number of *records* that have been
compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims
of more than one breach, which would affect the totals.
In reality, the number given below should be much larger. For many of the breaches listed, the number of records is unknown.
Further, this list is not a comprehensive compilation of all breach data (see below [15] ).
1
Is the Chronology of Data Breaches a complete listing of all breaches?
No, it is not a complete listing of breaches. The list is a useful indication of the types of breaches that occur, the categories of
entities that experience breaches, and the size of such breaches. But the list is not a comprehensive listing. Most of the information
is derived from the Open Security Foundation list-serve (see below) which is in turn derived from verifiable media stories,
government web sites/pages, or blog posts with information pertinent to the breach in question. Many breaches (particularly
smaller ones) may not be reported. If a breached entity has failed to notify its customers or a government agency of a breach, then
it is unlikely that the breach will be reported anywhere. If you are aware of a breach that is not included in our list, below, feel free
to contact us here: http://www.privacyrights.org/about_us.htm [18] .
Are there state-specific breach listings?
Some states have state laws that require breaches to be reported to a centralized data base. These states include Maine,
Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic
breaches affecting more than 1,000 residents). However, a number of other states have some level of notification that has been
made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida,
Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. For details, see the Open Security Foundation Datalossdb
website: http://datalossdb.org/primary_sources [19]
How often is the Chronology updated?
We usually update this list twice each week.
Where do you obtain information about the data breaches that are reported on this Web page?
Most of the breaches summarized below on this page have been obtained from the Open Security Foundation list-serve. As of
January 2010, we have expanded our sources to also include Databreaches.net, PHI Privacy and NAID.
The Open Security Foundation's DataLossDB.org (www.datalossdb.org
[20] )
offers a free e-mail list-serve on the latest
breaches.
To subscribe to DataLoss, send a message to: [email protected] [21]
The DataLossDB.org page includes a search engine and news articles for the breaches listed below, and also provides an
open source database of its data breach records. It is a flat comma-separated value file that can be imported into a
database or spreadsheet program for your own data analysis. Visit http://datalossdb.org/download. [22]
Beginning in January 2010, we have expanded the sources of our breaches. We now include the following sources:
Databreaches.net (www.databreaches.net [23] ) is a spinoff from www.PogoWasRight.org [24] and compiles a wide
range of breach reports since January 2009.
Personal Health Information Privacy (www.phiprivacy.net/ [25] ), affiliated with Databreaches.net [23] , is a database that
compiles only medical data breaches.
National Associaion for Information Destruction, Inc (www.naidonline.org [26] ) provides monthly newsletters that include
a number of data breaches largely due to improper document destruction.
What should I do if my personal information has been compromised in a data breach?
For tips on what to do if your personal information has been exposed due to a security breach, read our guide
http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm
[27]
at
[27] .
Are there resources for businesses and other organizations on how to avoid having sensitive data breached?
Learn about security and privacy protection practices for your workplace.
"How Global Organizations Approach the Challenge of Protecting Personal Data," from Accenture (released April 27, 2010)
https://microsite.accenture.com/dataprivacyreport/Pages/default.aspx [28] and
https://microsite.accenture.com/dataprivacyreport/Documents/Accenture_Data_Privacy_Report.pdf [29]
"Forrester Consulting Study, “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise
Perceptions of Risk,” (April 2010) sponsored by RSA and Microsoft, available at www.rsa.com/CorporateSecrets. For press
release, see http://www.microsoft.com/Presspass/press/2010/apr10/04-05MSRSAPR.mspx?rss_fdn=Press%20Releases [30] .
"Data Breach and Incident Readiness Planning Guide" from the Online Trust Alliance (January 2010).
https://www.otalliance.org/resources/Incident.html [31]
"Security & Privacy -- Made Simpler,"from the Better Business Bureau
www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf [32]
“Protecting Personal Information: A Guide for Business,”from the Federal Trade Commission.
www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf [33]
“Information Security Handbook,”from the National Institute of Standards and Technology
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf [34]
“Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace,” from the Privacy Rights
Clearinghouse
www.privacyrights.org/ar/PreventITWorkplace.htm [35]
The California Office of Privacy Protection has developed a series of Recommended Practices. Several of the guides may be
helpful in protecting your business whether or not you are located in California.
“Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements,”
www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf [36]
2
“A California Business Privacy Handbook,” www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf [36]
'“Recommended Practices for Protecting the Confidentiality of Social Security numbers,”
www.privacyprotection.ca.gov/res/docs/pdf/ssnrecommendations.pdf [37]
What should I do if my business or organization experiences a security breach?
The following resources guide businesses who have experienced a security breach through the notification process and in working
with law enforcement.
“Recommended Practices on Notification of Security Breach Involving Personal Information,” from the California Office of
Privacy Protection may be useful whether or not you are located in California.
www.privacyprotection.ca.gov/res/docs/pdf/COPP_Breach_Reco_Practices_6-09.pdf [38]
“Dealing with a Data Breach,” from the Federal Trade Commission
www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html [39]
Do states have laws that require those entities that experience a data breach to notify those affected?
Yes. The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security
breaches. It is the first of its kind in the nation, implemented July 2003.
www.privacyrights.org/ar/SecurityBreach.htm
[40]
(description of California law, SB 1386)
http://www.privacyprotection.ca.gov/res/docs/pdf/COPP_Breach_Reco_Practices_6-09.pdf [38] (recommended practices for
compliance with the law)
More than 40 of states have since passed laws requiring that individuals be notified of security breaches. For a list of states
enacting security breach and freeze laws, visit these Web sites:
Security breach notice laws provided by Consumers Union.
www.defendyourdollars.org/2005/02/states_with_not.html [41]
Nymity map, "Breach Notification laws of the United States,"
http://www.nymity.com/FormDownload.aspx?docid=E5AE006F-1947-4163-BDAC-0BFE129E5C89
Security Breach Notification Chart (Perkins, Coie)
www.digestiblelaw.com/files/upload/securitybreach.pdf [43]
State Data Breach Notification Laws (Scott&Scott)
www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf [44]
State Data Security Breach Legislation Survey & Matrix (Mintz Levin)
[42]
(registration required)
www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf [45]
State Laws Governing Security Breach Notification (Crowell Moring)
www.crowell.com/pdf/SecurityBreachTable.pdf [46]
Security freeze laws (Consumers Union)
www.consumersunion.org/campaigns//learn_more/003484indiv.html [47]
(Note: As of November 2007, the three credit bureaus enable individuals nationwide to freeze their credit reports.)
PIRG's list of breach and freeze laws
www.pirg.org/consumer/credit/statelaws.htm
[48]
Which states have laws that require breached organizations to report breaches and submit notice letters to a central
clearinghouse?
The state of Massachusetts requires that breached entities report data breaches to the Massachusetts Office of Consumer Affairs
and Business Regulation.
Breach report, September 18, 2008, www.mass.gov/Eoca/docs/idtheft/notificationsrpt20080918.pdf [49]
The Open Security Foundation and Chris Walsh have compiled breach notice letters from the states that require breached entities
to submit such letters to a central repository. These states are: Maryland, New Hampshire, New York, North Carolina, and
Vermont. To view these letters, visit http://datalossdb.org/primary_sources [19] .
Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations?
Have any analyses of security breach laws been published?
STATISTICAL ANALYSES
HIMSS and Kroll study, "2010 HIMSS Analytics Report: Security of Patient Data" (April 2010).
Study, www.krollfraudsolutions.com/about-kroll/HIMSS-Security-Patient-Data-Report.aspx [50] . (Registration required)
News story, http://www.healthcareitnews.com/news/study-points-critical-gaps-hospital-data-security [51] .
Fourth Annual U.S. Cost of Data Breach study (Ponemon Institute) (January 2009)
http://blogs.findlaw.com/technologist/2010/02/data-security-breaches-cost-real-money.html [52]
http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/20082009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf [53]
Outpacing Change: Ernst & Young's 12th Annual Global Information Security Survey (2009)
http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf [54]
Deloitte 2009 TMT Global Security Survey (May 14, 2009)
www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D262321%2C00.html?wt.mc_id=prDcom
[55]
3
Your Botnet is My Botnet: Analysis of a Botnet Takeover (Brett Stone-Gross, et al, UC-Santa Barbara, 2009)
http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf [56] (analysis of Torpig)
Using Science to Battle Data Loss: Analyzing Breaches by Type and Industry
(Interhack, Matthew Curtin and Lee Ayres, April 2009)
http://web.interhack.com/news/n2009/taxonomy [57]
2009 Data Breach Investigations Report (Verizon)
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf [58]
Airport Insecurity: The Case of Lost & Missing Laptops (Larry Ponemon, June 30, 2008)
http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Dell%20Executive%20Summary%20FINAL%20063008.pdf
[59]
More Than Half of Ex-Employees Admit to Stealing Company Data According to New Study,
(Symantec, Ponemon, Feb. 2009)
www.symantec.com/about/news/release/article.jsp?prid=20090223_01 [60]
Data Hemorrhages in the Health-Care Sector [on P2P networks]. (Eric Johnson, Dartmouth College, Feb. 2009),
http://mba.tuck.dartmouth.edu/digital/Research/ResearchProjects/JohnsonHemorrhagesFC09Proceedingd.pdf [61]
Data Leakage Worldwide: White Paper (Cisco, 2008),
http://cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.html [62]
"Education Sector Data Breach Study"(Joseph Campana, Nov. 2008),
http://www.jcampana.com/JCampanaDocuments/EducationSectorDataBreachStudy.pdf [63]
2008 Data Breach Investigations Report (Verizon),
www.verizonbusiness.com/resources/security/databreachreport.pdf [64]
Adam Dodge has compiled a report, "ESI Year in Review - 2007," on the information security incidents occurring at colleges
and universities around the world as reported in the news during 2007(posted February 10,
2008).http://www.adamdodge.com/esi/yir_2007 [65]
For a statistical breakdown of types of breaches and an analysis by industry sector for 2006, see Beth Rosenberg's
report,www.privacyrights.org/ar/DataBreaches2006-Analysis.htm [66]
Jimmy Atkinson's "Ask the Advisor" blog features a post, "How Many Times Has Your Personal Information Been Stolen This
Year?" at www.yourcreditadvisor.com/blog/2007/07/how_many_times.html [67]
To use an online "calculator" to arrive at an estimated cost of a breach based on the number of records exposed, visit this
Web site: www.tech-404.com/calculator.html [68] (no product endorsements are implied).
LEGAL ANALYSES
Read "Breach Patrol" (Christopher Danzig, Mary Swanton and Lauren Williamson, in Inside Counsel, May 2009),
[69] www.insidecounsel.com/Issues/2009/May-2009/Pages/Breach-Patrol.aspx [69]
Data Breach Notification Law Across the World from California to Australia (Alana Maurushat,
Univ. of New South Wales Faculty of Law Research Series, 2009)
http://law.bepress.com/cgi/viewcontent.cgi?article=1153&context=unswwps [70]
Read the June 2008 study,"Do Data Breach Disclosure Laws Reduce Identity Theft?" (Sasha Romanosky et al)
http://ssrn.com/abstract=1268926 [71]
CSO Online, "Data Breach Notification Laws, State by State (with map)," (Feb. 12, 2008),
www.csoonline.com/read/020108/ammap/ammap.html [72] .
Read an analysis by California attorney Alan Mansfield about the California security breach law,
[73] www.privacyrights.org/ar/notification_laws.htm [74]
Read law school professors Schwartz and Janger's law review article on data breach notice laws,
www.paulschwartz.net/pdf/datasec_schwartz-janger.pdf [75]
Read commentary by Jeffrey Rawitz, Jones Day law firm, "Security Breach Notification Requirements"
www.jonesday.com/pubs/pubs_detail.aspx?pubID=S3225 [76]
Read an analysis [77] of state security breach notice laws by Alan Wernick, Esq., in the Journal of AHIMA (Nov.-Dec, 2006)
Read "Security Breach Notifications: a State and Federal Law Maze," (July 27, 2005) by Gibson, Dunn & Crutcher LLP
[78] www.gibsondunn.com/publications/pages/SecurityBreachNotificationsaStateandFederalLawMaze.aspx [79] For a state-bystate analysis, view this chart [80] .
Read "The Cyber Risks of Outsourcing " by Branner and Freeman (Sept. 2007)
www.findarticles.com/p/articles/mi_m0BJK/is_10_18/ai_n19521336 [81] .
Are there other resources with additional information about security breaches?
U.S. Health & Human Services list of health-related breaches
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html [82]
Maine Attorney General's Office, breach listing, as posted by Datalossdb:
http://datalossdb.org/search/primary_sources/7-maine-attorney-general [83]
Identity Theft Resource Center (contains links to news stories)
www.idtheftcenter.org/artman2/publish/lib_survey/Press_Release_-_2007_Breach_List.shtml [84]
New Hampshire Dept. of Justice Security Breach List
http://doj.nh.gov/consumer/breaches.html [85]
Adam Shostack's blog
http://emergentchaos.com/archives/category/breaches
[86]
Pogo Was Right
4
www.pogowasright.org [24]
Read more about security breaches
www.databreaches.net [87] , a service of Pogo Was Right (see above).
Educational Security Incidents (Adam Dodge)
www.adamdodge.com/esi/stolen_sungard_higher_education_laptop_contained_csu_system_student_information
[88]
Security Beat (includes links to news articles and offers free e-mail list-serve)
www.numbrx.net [89]
World Privacy Forum, Security Breaches in the Digital Medical Environment (scroll to section D of testimony)
www.worldprivacyforum.org/testimony/NCVHStestimony_092005.html [90]
Choose the Types of Breaches to Display:
Select organization Select
type(s):
year(s):
Click or unclick the boxes then select go.
BSO - Businesses
Unintended disclosure (DISC) - Sensitive information
posted publicly on a website, mishandled or sent to the
wrong party via email, fax or mail.
Hacking or malware (HACK) - Electronic entry by an
outside party, malware and spyware.
- Other
BSF - Businesses
- Financial and
Insurance Services
BSR - Businesses
Payment Card Fraud (CARD) - Fraud involving debit
and credit cards that is not accomplished via hacking. For
example, skimming devices at point-of-service terminals.
Insider ( INSD) - Someone with legitimate access
- Retail/Merchant
2005
2006
2007
2008
2009
2010
EDU - Educational
Institutions
GOV -
GO!
Select
intentionally breaches information - such as an employee or Government and
features,
contractor.
Military
then click
Physical loss (PHYS) - Lost, discarded or stolen nonMED - Healthcare GO.
electronic records, such as paper documents
- Medical Providers
Portable device (PORT) - Lost, discarded or stolen
NGO - Nonprofit
Reset
laptop, PDA, smartphone, portable memory device, CD,
Organizations
hard drive, data tape, etc
Stationary device (STAT) - Lost, discarded or stolen
stationary electronic device such as a computer or server
not designed for mobility.
Unknown or other (UNKN)
Breach Total
494,692,655 RECORDS BREACHED
(Please see explanation [91] about this total.)
from 1,651 DATA BREACHES made public since 2005
Save or Print PDF
[2]
(* Select filters.)
Save or Print PDF of Entire Breach List [1] (* Including
introduction.)
If you do not have access to PDF, print Chronology in landscape view.
Search the entire database for a
company or organization by name
Search
Date Made
Public [92]
Name
Entity
Type
August 1, 2010
Guttenberg Housing Authority
Guttenberg, New Jersey
GOV
HACK
Total Records
[93]
Unknown
An unauthorized individual may have accessed sensitive information on housing applicants and residents in late December
2009. The information may have included Social Security numbers, names and other personal identifying information.
Information
Source:
Databreaches.net
records from this breach used in our total: 0
1,101 (No reports of
5
July 31, 2010
The Center for Neurosciences
Tucson, Arizona
MED
PORT
1,101 (No reports of
SSNs or financial
information)
A visitor stole a laptop from an electromyogram and nerve conduction studies exam room on December 15, 2009. The
computer contained names, dates of birth, referring physicians and reasons for neurophysiological tests.
Information
Source:
PHIPrivacy.net
July 31, 2010
Montefiore Medical Center
Bronx, New York
MED
STAT
39,000
Two computers were stolen during the weekend of May 22nd. Names, medical record numbers, Social Security numbers,
dates of birth, insurers, and hospital admission dates for an unknown number of patients were on the computers.
UPDATE (8/3/10): One computer was from the Finance Department and had the information of 16,000 patients; the second
computer theft affected the records of 23,000 students from the School Health Program and their families.
Information
Source:
PHIPrivacy.net
July 30, 2010
records from this breach used in our total: 39,000
FIrst Advantage Tax Consulting Services (TCS)
Indianapolis, Indiana
BSF
PORT
32,842
A laptop that contained personal information was lost or stolen during an airport layover. The Social Security numbers of
people who were employed by companies that used TCS for tax help were on the laptop. The laptop did have a password
and after it was lost its access to TCS's network was blocked.
Information
Source:
Databreaches.net
July 30, 2010
Texas Children's Hospital in Houston
Houston, Texas
NGO
PORT
1600 (No SSNs or
financial information
reported)
A physician's laptop was stolen from an office on May 13th. The laptop contained personal information on cardiology
patients. Affected persons were notified that their names, dates of service, medical record numbers, diagnoses and dates of
birth were on the password-protected laptop.
Information
Source:
PHIPrivacy.net
July 29, 2010
University of Virginia
Charlottesville, Virginia
EDU
PORT
Unknown
A transient was ordered to spend time in a men's diversion program after pleading guilty to stealing credit cards and
electronics. One of the laptops he stole was a University-owned laptop. The man served 12 months in jail before being
sentenced and slept in his car and in the University library during the time of the thefts.
Information
Source:
Databreaches.net
July 29, 2010
DebtStoppers USA, Robert J. Semrad and Associates
BSF
PHYS
hundreds of documents
(At least 100)
6
July 29, 2010
Chicago, Illinois
BSF
PHYS
(At least 100)
Documents from the Joilet office were involved
A tipster led to the discovery of hundreds of personal and financial documents in a trash bin outside the attorney's office. The
documents included Social Security numbers, names, addresses, driver's license numbers, and signed debit card
authorizations from clients.
Information
Source:
Databreaches.net
July 29, 2010
Rowland Equipment Co.
Smithfield, Virginia
BSR
INSD
Over 30 customers
Linda Rowland pleaded guilty to wire fraud and identity theft. She used customer names and information to falsify loan
agreements for over 10 years.
Information
Source:
Databreaches.net
July 28, 2010
Wendy's
Tukwila, Washington
BSR
INSD
At least 135 accounts
A dishonest employee used a skimmer between September 14, 2009 and July 21, 2010 to commit identity theft and make
fraudulent charges to customer credit accounts.
Information
Source:
Databreaches.net
July 28, 2010
Time Warner Cable
New York, New York
BSR
INSD
Unknown
A former employee was convicted of installing spyware on three company computers. The employee intended to capture the
passwords of users who had access to a customer database and a billing system.
Information
Source:
Databreaches.net
July 27, 2010
Rite Aid Corporation
Camp Hill, Pennsylvania
BSR
PHYS
Unknown
Etters, PA is also mentioned as Rite Aid's headquarters
Rite Aid paid one million dollars to settle HIPAA privacy violations. Rite Aid also agreed to update corporate policies and
procedures so that patient medical information would be properly disposed, employees would be properly trained in disposal
of patient information, and employees would be held accountable if they did not dispose of patient information properly.
Information
Source:
PHIPrivacy.net
July 27, 2010
Office of Attorney David Naworski
San Antonio, Texas
BSO
PHYS
75
Attorney Naworski left legal files in a public dumpster. Naworski thought it was appropriate to dispose of the files in this way
since the accounts were old and closed. The documents contained names, addresses, bank account information, Social
7
Security numbers, driver's license numbers, and dates of birth.
Information
Source:
Databreaches.net
July 27, 2010
Cooper University Hospital
Camden,
MED
PORT
Unknown
A flash drive with the personal information of graduate medical residents and fellows was reported missing on July 23rd.
The personal information included Social Security numbers, addresses, and phone numbers.
Information
Source:
Databreaches.net
July 27, 2010
Citigroup Inc.
New York, New York
BSR
DISC
117,600 users with app
(No incidents reported)
Citigroup's mobile banking application for Apple's iphone has a security flaw that saves user account numbers, bill payments
and security access codes into a hidden file on the iphone and the user's computer. An upgrade that will fix the problem is
available.
Information
Source:
Media
July 26, 2010
United States Post Office Batesburg-Leesville
Batesburg-Leesville, South Carolina
GOV
PHYS
Two employees
reported
Improperly reusing office paper led to the mailing out of names and Social Security numbers of two post office employees.
Two women reported receiving the personal information, which was probably from a timecard, on the back of a post office
receipt.
Information
Source:
Databreaches.net
July 26, 2010
Natchez Police Department
Natchez, Mississippi
GOV
INSD
Unknown
A police officer with the Natchez department fraudulently used and encouraged others to use stolen credit and debit cards.
Information
Source:
Databreaches.net
July 24, 2010
University of Texas Arlington
Arlington, Texas
EDU
HACK
27,000 (2,048 SSNs
reported)
Student records dating from 2000 to June 21, 2010 were compromised on a University file server on four separate occasions
within the last two years. The server contained student health center prescription records.
Information
Source:
Databreaches.net
8
July 23, 2010
Thomas Jefferson University Hospitals
Philadelphia, Pennsylvania
EDU
PORT
Approximately 21,000
A password-protected laptop was stolen from the office of an employee on June 14th. The computer should not have
contained protected health information, but did. It also contained patient name, birth date, gender, ethnicity, diagnosis,
Social Security number, insurance information, and hospital account number.
Information
Source:
Databreaches.net
July 23, 2010
University of California San Francisco (UCSF) Medical Center
San Francisco, California
EDU
INSD
Possibly hundreds
A former employee used the Social Security numbers of his colleagues to obtain vouchers for Amazon.com purchases. He
secretly used the Social Security numbers to create hundreds of accounts and complete 382 online surveys in exchange for
$100 online vouchers.
Information
Source:
Databreaches.net
July 22, 2010
The Loft and Comedy Club
Columbus, Georgia
BSR
DISC
60 customers
Names, addresses, phone numbers, and credit card information from customers of The Loft and Comedy Club were
discovered through a Google search. Customer data from 2004 to 2008 was posted. The Loft fixed the problem and is
working on having the site removed.
Information
Source:
Databreaches.net
July 22, 2010
Colorado Department of Health Care Policy and Financing
Denver, Colorado
GOV
PORT
105,470 (0 SSNs and
reported)
A hard drive containing personal information for clients enrolled in state-provided health insurance was stolen from the
Colorado Office of Information Technology. The information included names, state ID number and the name of the client's
program. The Agency is certain that contact information, financial information and Social Security numbers were not
involved.
Information
Source:
Databreaches.net
July 22, 2010
Arizona Federal Credit Union
Phoenix, Arizona
BSF
INSD
At least 4
A former employee is accused of using bank member information to run credit checks on victims and apply for credit in their
names. The former employee was fired and arrested on identity theft charges.
Information
Source:
Databreaches.net
July 22, 2010
Iowa Department of Agriculture and Land Stewardship
Des Moines, Iowa
GOV
PORT
3,404
A laptop containing personal information from Iowa residents was stolen from a locked state vehicle. The computer was
9
encryption protected and contained names, addresses, phone numbers and Social Security numbers. Iowa residents who
participate in the Iowa Horse and Dog Breeding Program were notified.
Information
Source:
Databreaches.net
July 21, 2010
Lincoln National Life Insurance
Radnor, Pennsylvania
BSF
PHYS
26,840
A vendor printed a user name and password for agents and authorized brokers in a brochure. The brochure was also
posted on an agent's public website. The login information enable access to a website containing medical records and other
personal information form individuals seeking life insurance. Applicant name, Social Security number, address, policy
number, driver's license number and credit information is also on the website.
Information
Source:
Databreaches.net
July 20, 2010
Long Island Consultation Center (LICC)
Rego Park, New York
MED
PORT
800 (0 reports of SSNs
or financial information)
A computer device containing doctor reports was reported missing from a secured area at LICC on May 24th. Names, dates
of birth, diagnostic information and treatment information of some patients may have been included on the device.
Information
Source:
PHIPrivacy.net
July 20, 2010
South Shore Hospital
South Weymouth, Massachusetts
MED
PORT
800,000 (unknown
number of SSNs and
financial information)
Computer files containing personal, health and financial information of volunteers, patients, vendors, business partners and
employees from January 1996 through January 2010 may have been lost by a professional data management company.
Depending on the person's association with the hospital, the information exposed could be full name, address, phone
number, date of birth, Social Security number, driver's license number, medical record number, patient number, bank
account information, credit card number, diagnoses and treatment.
Information
Source:
PHIPrivacy.net
July 20, 2010
Maryland Department of Human Resources
Baltimore, Maryland
GOV
INSD
3,000 clients
An employee posted Social Security numbers and other personal information of around 3,000 clients on an outside website.
The organization provides food stamps and other benefits and aid to clients. The employee was placed on administrative
leave.
Information
Source:
Databreaches.net
July 19, 2010
LV Financial Services
Orlando, Florida
BSF
PHYS
Unknown
Dozens of boxes of files from medical offices that hired LV to collect unpaid bills were found in an Orlando public dumpster.
The files contained names, addresses, Social Security numbers, driver's license copies and credit reports. The collection
10
agency went out of business in 2005 and the location of the files prior to this incident is unknown.
Information
Source:
Dataloss DB
July 16, 2010
United Healthcare (UnitedHealthcare), Deere and Company
Minneapolis, Minnesota
MED
PHYS
1,097 (no SSNs or
reported)
Deere and Company is headquartered in Moline, Illinois
United Healthcare notified members of a Deere and Company employee benefits plan of a mistake that led to claims
summary statements being sent to the wrong addresses. Dates of services, categories of service, cost of service, and
physician names were included.
Information
Source:
PHIPrivacy.net
July 16, 2010
Buena Vista University
Storm Lake, Iowa
EDU
HACK
93,000
Someone gained unauthorized access to a BVU database. The database contained records of names, Social Security
numbers, and driver's license numbers of BVU applicants, current and former students, parents, current and former faculty
and staff, alumni and donors. These records go back as far as 1987.
Information
Source:
Databreaches.net
July 16, 2010
Connecticut Department of Labor
Bridgeport, Connecticut
GOV
PORT
5,000
A highly encrypted laptop was stolen from the office of the Connecticut Department of Labor. The laptop contained
confidential information about unemployment insurance claims, wage discrepancy complaints and some Bridgeport area
employers.
Information
Source:
Databreaches.net
July 15, 2010
Office of Dr. Thomas K. Lee
Barstow, California
MED
PHYS
Hundreds of records
An anonymous tipster called the Sheriff's Department and reported unattended boxes of personal records outside the dental
office. The boxes contained patient records from the early 1990's to the present. These records had personal information
such as Social Security numbers, names, birth dates, credit card numbers, and addresses. The Sheriff's Department
destroyed the records and warned patients of dentists Lee, Sang H. Yoon and Patricia Patterson.
Information
Source:
Databreaches.net
July 15, 2010
Prince William County Intellectual Disabilities Case Management
Woodbridge, Virginia
GOV
PORT
669
On June 18th or 19th, a government-issued Blackberry was stolen from an employee's car. The Blackberry had personal
information on patients enrolled in the program. The County notified residents that their Social Security numbers, names,
addresses, dates of birth, phone numbers, and Medicaid numbers may have been accessed.
11
Information
Source:
PHIPrivacy.net
July 15, 2010
Utah Department of Workforce Services
Salt Lake City, Utah
GOV
INSD
1,300 (Unknown
number of SSNs)
A leak that allowed anti-immigration activists to post and circulate the names, Social Security numbers, medical information,
addresses, workplaces, and phone numbers of alleged illegal immigrants in Utah has been linked to Utah's Department of
Workforce Services. A large number of employees had access to this information.
Information
Source:
Databreaches.net
July 15, 2010
Nix Check Cashing
Manhattan Beach, California
BSF
STAT
Unknown (over one
hundred from New
Hampshire)
The May 17th theft of a computer resulted in the exposure of customer names, addresses, phone numbers, Social Security
numbers and driver's license numbers. Affected customers were notified on June 30th.
Information
Source:
Databreaches.net
July 15, 2010
NBTY
Bohemia, New York
BSR
DISC
Unknown
An email containing current and former employees' and plan participants' personal information was sent to the wrong
recipient on June 15th. The information in the email included names, dates of birth, and Social Security numbers.
Information
Source:
Databreaches.net
July 15, 2010
Alcoa Global Mobility Group
New York, New York
BSO
DISC
Unknown
An electronic folder containing personal information on current and former expatriates and others who received assistance
from Alcoa's Global Mobility Group was shared as a public folder within its network. The personal information included
names, dates of birth, family members' names and dates of birth, salary compensation, Social Security numbers, and some
people's medical information.
Information
Source:
Databreaches.net
July 14, 2010
SunBridge Healthcare
Albuquerque, New Mexico
MED
PORT
3,830
Residents of Arizona, Colorado, Montana, California, New Mexico, Oklahoma, Idaho, Washington, Wyoming and Utah
affected
A laptop containing Social Security numbers, medical record numbers, dates of service, health insurance numbers and
names was stolen in May. The laptop was password-protected.
Information
Source:
PHIPrivacy.net
12
July 14, 2010
Oregon State University
Corvallis, Oregon
EDU
HACK
34,000 current and
former employees
(unknown number of
SSNs)
A University computer containing personal information of current and former employees was found to be infected by a virus.
Employee records from 1999 to 2005 contained Social Security numbers.
Information
Source:
Databreaches.net
July 14, 2010
Carle Clinic Association
Urbana, Illinois
MED
PHYS
Approximately 1,300
(no SSNs or financial
information reported)
An impostor posing as a representative of the organization's recycling service removed several barrels of purged x-ray films
and film jackets. The health information included patient names, dates of birth, gender, clinic medical numbers, internal
accession numbers, site locations, physician or provider names, and internal provider numbers.
Information
Source:
PHIPrivacy.net
July 14, 2010
Blue Island Radiology
Blue Island, Illinois
MED
PORT
2,000 (number and
type of financial
account numbers and
SSNs unknown)
A backup data tape and compact disc containing protected health information were never received. Individuals demographic,
financial and clinical information were on the CD.
Information
Source:
PHIPrivacy.net
July 14, 2010
Blue Cross Blue Shield Association
Chicago, Illinois
MED
PHYS
(0 SSNs and financial
An error in the quarterly address update process resulted in the mailing of protected health information to incorrect
addresses. The information in the letters included demographic information, explanation of benefits, clinical information, and
diagnoses. The returned mail was collected and the organization verified whether or not it had been delivered.
Information
Source:
PHIPrivacy.net
July 14, 2010
VHS Genesis Lab
Berwyn, Illinois
MED
PHYS
Over 500 (0 SSNs and
involved)
A month's worth of client invoices went missing. It does not appear that they were mailed. The invoices contained health
information such as names, dates of birth, and medical testing information.
Information
13
Source:
PHIPrivacy.net
July 14, 2010
University of Pittsburgh Student Health Services
Pittsburgh, Pennsylvania
EDU
INSD
8,000 (Not included
because no specific
type of financial
information stated)
An employee dishonestly took documents containing names and financial information. The employee was fired.
Information
Source:
PHIPrivacy.net
July 14, 2010
Tomah Memorial Hospital
Tomah, Wisconsin
MED
INSD
600
A nurse used patient names and account numbers to illegally obtain narcotics. The nurse was fired.
Information
Source:
PHIPrivacy.net
July 13, 2010
Carolina Center for Development and Rehabilitation
Charlotte, North Carolina
MED
PHYS
Approximately 1,590
After a doctor left office cleaning to his sons, they mistakenly threw out hundreds of medical records. The medical records
were left in a public recycling bin and included medical histories, pictures of patients and Social Security numbers.
UPDATE (7/31/10): The psychologist has contacted 1,590 of his patients.
Information
Source:
NAID
July 12, 2010
Connecticut Department of Education, State Teachers' Retirement Board
Hartford, Connecticut
GOV
PORT
Unknown
An encrypted flash drive containing 2007-2008 member annual statement data has been lost or stolen. It is unlikely that
outside parties could read the pension and employment credit.
Information
Source:
Databreaches.net
July 12, 2010
Marsh and Mercer
Washington, District Of Columbia
BSF
PORT
At least 3,000
Marsh and Mercer's Seabury and Smith, Inc. and Mercer Health and Benefits LLC operations were involved. The list of
known organizations with affected employees includes Idaho Power, Saint Luke's health System and Saint Alphonsus
Regional Medical Center.
The location is listed as Seabury and Smith's office.
The insurance broker and benefits consulting firm reported the loss of a backup tape during transport. The tape contained
employee benefits information for companies that used Marsh and Mercer for consultation. Names, addresses, Social
Security numbers, dates of birth, account information and driver's license numbers were on the tape.
Information
Source:
Databreaches.net
14
July 10, 2010
Ohio Department of Developmental Disabilities
Columbus, Ohio
MED
DISC
200
Within a two week period personal information of 200 people using the Department's services was accidentally posted
online. The Social Security numbers, names, addresses, medical records, and treatment information were only available for
viewing through the state computer network.
Information
Source:
PHIPrivacy.net
July 10, 2010
Village of Big Bend
Big Bend, Wisconsin
BSO
PORT
Unknown
A laptop containing payroll information for the village's employees was stolen from the car of the village's payroll provider in
Milwaukee. Police have not recovered the laptop. The provider reported the theft and sent letters to employees to inform
them their personal information was not secure. The provider recommended that employees contact a credit bureau that
would place a 90-day alert on their information to prevent identity theft.
Information
Source:
Dataloss DB
July 10, 2010
Cisco Live 2010
Las Vagas, Nevada
BSO
HACK
Unknown
Someone hacked the list of attendees for the recent Cisco Live 2010 users' conference, a security breach that led Cisco to
notify the customers as well as a broader group who have dealings with the company. A vendor told Cisco that someone had
made "an unexpected attempt to access attendee information through ciscolive2010.com," the event Web site. That lead to
the general notification that Cisco sent to attendees and others who had been invited but did not attend. According to Cisco,
details about less than 20% of those on the list were compromised. The breach was closed quickly, "but not before some
conference listings were accessed." The compromised information consisted of Cisco Live badge numbers, names, titles,
company addresses and e-mail addresses. "No other information was available or accessed," according to the warning
Cisco Live's event team sent via e-mail.
Information
Source:
Dataloss DB
July 9, 2010
Emily Morgan Hotel
San Antonio, Texas
BSO
PHYS
17,000 hotel guests
Identity thieves obtained stacks of credit card receipts from one of the hotel's storage rooms in 2006. Hundreds of
thousands of dollars in fraudulent charges were then made in three different states. Investigators first became aware of a
large identity theft issue in the area during the beginning of 2009.
Information
Source:
Databreaches.net
July 8, 2010
Waukesha County
Big Bend, Wisconsin
GOV
PORT
Unknown
A laptop was stolen from a payroll services provider of the county. It is unknown what types of Big Bend employee payroll
information were contained on the laptop.
Information
Source:
Dataloss DB
15
July 7, 2010
University of Hawaii
Honolulu, Hawaii
EDU
STAT
53,000
53,000 people may have had their personal information exposed after a breach to the University of Hawaii computer system
was discovered. The university released statement that more than 40,000 Social Security numbers and 200 credit card
numbers were part of the exposed information that was housed on a computer server used by the Manoa campus parking
office.
Information
Source:
Dataloss DB
July 7, 2010
Massachusetts Secretary of State, Securities Division
Boston, Massachusetts
GOV
PORT
139,000
The Massachusetts Secretary of State's office accidentally released confidential personal information earlier this year on
139,000 investment advisers registered with the state. The data, including the advisers' Social Security numbers, were on a
CD-ROM sent to IA Week, an investment industry publication that had requested public information from the Securities
Division. Secretary of State IA Week had asked for a list of registered investment companies. The Securities Division
responded by sending a list of individual investment professionals. In addition to their names and Social Security numbers,
this list included their dates and locations of birth, height, weight, hair color, and eye color.
Information
Source:
Dataloss DB
July 6, 2010
Massachusetts Secretary of State Office
GOV
PHYS
139,000 investment
advisers
In an attempt to release public information from the Securities Division, the Massachusetts Secretary of State's office
released the Social Security and driver's license information of 139,000 investment advisers registered with the state. The
information was sent on a CD-ROM sent to IA Week, an investment industry publication.
Information
Source:
Databreaches.net
July 6, 2010
University of Florida
Gainesville, Florida
EDU
PHYS
2,047
Social Security numbers or Medicaid identification numbers were shared with a telephone survey company and included on
address labels sent out to request research participation. The letters were sent through the U.S. Postal Service on May 24th
and the issue was discovered on June 6th.
Information
Source:
PHIPrivacy.net
July 6, 2010
DentaQuest
Chicago, Illinois
MED
DISC
76,000
In a statement datelined out of Nashville, DentaQuest reported the laptop theft occurred March 20 in Chicago and was
informed of the incident April. DentaQuest reported the laptop contained a database which held the personal information of
approximately 76,000 clients. The contractor advised most of the data is not considered sensitive, but the device did contain
the first names, last names and Social Security Numbers of about 21,000 individuals. Some 10,500 are Tennessee
residents.
Information
Source:
Dataloss DB
16
July 4, 2010
AMR Corporation
Fort Worth, Texas
BSO
PORT
79,000
American Airlines parent company said Friday the personal information of about 79,000 retirees, former and current
employees has been compromised after a hard drive was stolen from its Fort Worth headquarters. No customer data was
affected. The data was held by the company's pension department. The drive contained images of microfilm files, which
included names, addresses, dates of birth, Social Security numbers and a "limited amount" of bank account information.
Some health insurance information may have also been included -- mostly enrollment forms, but also details about
coverage, treatment, and other administrative information. The data spans a period from 1960 to 1995. AMR also believes
some of the employee files also contained information on beneficiaries, dependents and other employees from 1960 to
1995.
Information
Source:
Dataloss DB
July 4, 2010
Beautiful Brands International
West Lafayette, Indiana
BSR
HACK
Unknown
Computer hackers have infiltrated the credit card processing system.
Information
Source:
Dataloss DB
July 2, 2010
AMR Corporation
Fort Worth, Texas
BSO
STAT
79,000
Retirees, current, and former employees who participated in AMR's pension plan may have had their names, Social Security
numbers, addresses, dates of birth, and other personal information stolen by the theft of a hard drive containing microfilm
files. Employees and beneficiaries of employees who were enrolled between 1960 and 1995 are at risk.
Information
Source:
Databreaches.net
July 2, 2010
Cornerstone
Nashville, Tennessee
NGO
PHYS
1,537 clients
According to Cornerstone: "During the weekend of April 30th, 2010, flood waters broke windows of our administrative office
for School-Based Services... As a result of the unprecedented flooding that occurred, some clinical record information, along
with name, Centerstone ID#, Social Security number, and date of birth, may have been removed from the building by flood
waters."
Information
Source:
PHIPrivacy.net
July 1, 2010
NYU Langone Medical Center Hospital for Joint Diseases
New York, New York
MED
PORT
2,563 (no SSNs or
reported)
An unencrypted portable USB was lost or stolen sometime around May 12th. It contained patient names, medical record
numbers, sex, age, procedure, attending physician, time of arrival in recovery room and time of discharge from recovery
room.
Information
Source:
PHIPrivacy.net
17
June 30, 2010
Lincoln Medical and Mental Health Center
Bronx, New York
MED
PORT
130,495 patient
Multiple CDs containing patient personal information were lost in transit by FedEx. Information included dates of birth,
driver's license numbers, descriptions of medical procedures, addresses, and Social Security numbers. Siemens Medical
Solutions USA, the Hospital's billing contractor, shipped the CDs around March 16th. They were never received.
Information
Source:
PHIPrivacy.net
June 29, 2010
University of Oklahoma
Norman, Colorado
EDU
HACK
Unknown
The university's Information Technology department noticed unusual Internet activity on a laptop computer associated with
its network. It determined the computer belonged to an employee and was infected with a virus known as Zeus or Z-Bod.
The employee's laptop had access to computer files that contain student names and Social Security numbers.
Information
Source:
Dataloss DB
June 29, 2010
University of Maine
Orono, Maine
EDU
HACK
4,585
Hackers compromised the personal information of 4,585 students who received services from the school's counseling
center. The center provides students with support and mental health services. The information on the servers included
names, Social Security numbers and clinical information on every student who sought counseling services from the center
between August 8, 2002 and June 21 of this year.
Information
Source:
Dataloss DB
June 29, 2010
Destination Hotels & Resorts
Englewood, Colorado
BSO
HACK
700 customers
Hackers have broken into the payment processing system of Destination Hotels & Resorts, a high-end chain best known for
its resort hotels in destinations such as Vail, Colorado; Lake Tahoe, California; and Maui, Hawaii. Destination has uncovered
a malicious software program inserted into its credit card processing system from a remote source. Destination Hotels is in
the process of notifying victims but will not say how many people have had their credit card numbers stolen. The attackers
appear to have hit only point-of-sale processing systems, where credit cards are swiped for purchases. Personal information
such as guests' home addresses was not compromised.
UPDATE (7/2/2010): Around 700 customers were affected nationwide by the hack; including dozens of customers of the
Driskill Hotel of Austin, Texas.
Information
Source:
Dataloss DB
June 29, 2010
Cal State San Bernardino (CSSB)
San Bernardino, California
EDU
DISC
36 students
Information such as names and Social Security numbers was exposed to the public through a web server. The students
affected were on the class roster for a computer science and engineering course. The files were discovered and removed on
June 10th.
Information
Source:
Databreaches.net
18
June 29, 2010
Sparta Board of Education
Sparta Township, New Jersey
GOV
DISC
At least 200
Several vendor Social Security numbers and tax identification numbers were accidentally sent out via email to a local activist
requesting information on Sparta Board of Education vendors.
UPDATE (7/8/10): The activist mentioned is Jesse Wolosky and he has not returned the information because "they could get
lost in cyberspace or go to the wrong inbox." Wolosky also claims that state agencies are looking into the matter. The
number of Social Security numbers is still unknown since Wolosky claims 600-800 and the district claims 200-300.
Information
Source:
Databreaches.net
June 29, 2010
Brooklyn Tech High School
Brooklyn, New York
EDU
HACK
2,416; 103 Social
Security numbers
Hackers accessed PSAT information from the school and posted the names, home addresses, citizenship status, and Social
Security numbers of students. The information was discovered on the school's website.
Information
Source:
Databreaches.net
June 29, 2010
Merrimack Mortgage
Greer, South Carolina
BSF
PHYS
Unknown
Personal documents from Merrimack Mortgage were found in an unsecured public dumpster. The documents were not
shredded and contained Social Security numbers, credit scores, bank information, and other personal information.
Information
Source:
Databreaches.net
June 29, 2010
A Woman's Place
Ketchikan, Alaska
MED
DISC
Around 400 (0 SSNs
reported)
An ACLU lawsuit claims that police acted inappropriately during a raid of A Woman's Place clinic. The lawsuit claims that
police not only confiscated medical records, but read them and revealed sensitive medical information about patients to
outside parties.
Information
Source:
PHIPrivacy.net
June 29, 2010
Ridgefield High School
Ridgefield, Connecticut
EDU
HACK
Unknown (the students
of a few teachers)
Two students were arrested for hacking into their school's computer system. Their goal appears to be changing their own
grades; but they had access to the grades and personal information of other students.
Information
Source:
Databreaches.net
June 28, 2010
Children's Hospital of Orange County
Orange, California
MED
PHYS
Unknown
19
The Hospital is checking its database for accuracy after discovering that patient files have been faxed to the wrong location
at least twice. Patient records were faxed to an auto shop in 2009, and the wrong doctor on a separate occasion.
Information
Source:
PHIPrivacy.net
June 28, 2010
Eastern Connecticut Health Network Pension Plan
Manchester, Connecticut
BSF
PHYS
3,178
Mercer, the firm's consulting group, provided a subcontractor with a file containing Pension Plan participant addresses and
Social Security numbers. The Social Security numbers were exposed on the mailing label.
Information
Source:
PHIPrivacy.net
June 26, 2010
Federal Aviation Administration
GOV
DISC
3,000,000 airmen and
airwomen
An investigation into the Federal Aviation Administration found that the medical and personal information of airmen and
airwomen is at risk. Names, addresses, Social Security numbers, mental and physical health certification information and
other personal information is vulnerable to unauthorized access from former staff and could be accessed through the
installation of malicious codes. The computer system was hacked in 2009.
Information
Source:
PHIPrivacy.net
June 25, 2010
records from this breach used in our total: 3,000,000
University Hospital
Augusta, Georgia
MED
PORT
13,000 patient records
Two backup tapes containing personal information have gone missing. The hospital does not suspect theft and does believe
that there is a very low probability that the personal information on the tapes can be misused. However, credit monitoring
services are being offered to those who were affected. The hospital gave up looking for the tapes on May 7th and began
notifying patients in late June.
Per phone interview with University Hospital, Social Security number were involved but they are unaware of any financial
data involved in this breach.
Information
Source:
Dataloss DB
June 23, 2010
Anthem Blue Cross, WellPoint
Pasadena, California
BSF
DISC
470,000
More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information
might have been accessed during a security breach of the company's website. Only customers who had pending insurance
applications in the system are being contacted because information was viewed through an on-line tool that allows users to
track the status of their application. Social Security and credit card numbers were potentially viewed. Anthem Blue Cross
merged with WellPoint in 2004.
UPDATE (6/29/10): Around 470,000 customers in 10 states were notified of the breach. The original story states that only
applicants were affected, but existing customers also received notification of a possible breach of their information.
UPDATE (7/12/10): 20,000 Louisville, Kentucky residents received notification that a security mistake online resulted in the
exposure of their Social Security numbers and financial information. It is unclear whether these residents are included in the
original 470,000 customers. Only customers who were self insured were affected. WellPoint is claiming that this and other
recent breaches were committed by an attorney or attorneys attempting to gain information for a lawsuit against WellPoint.
Information
Source:
20
Dataloss DB
June 23, 2010
Florida International University
Miami, Florida
EDU
DISC
19,495
Florida International University is in the process of sending notification letters to 19 407 students and 88 faculty members
after the university’s IT Security Office discovered personal data may have been exposed over the internet via a database’s
external search function. An announcement posted on the FIU website lists the personal data as GPAs, test scores, and
Social Security numbers that were stored on the College of Education’s E-Folio software app. This database kept track of
student data related to state mastery standards, grade tracking, assignments, and Social Security numbers for both students
and faculty.
Information
Source:
Dataloss DB
June 22, 2010
Oregon National Guard
Portland, Oregon
GOV
PORT
Over 3,500
A laptop belonging to an Oregon National Guard member was stolen and the military is contacting service members who
might be affected by the theft. According to the Oregon National Guard, the laptop was stolen from a vehicle. The Guard
member had been using the laptop to conduct work from home. Although this laptop is password protected, there is still
potential for exposure of individual personal information.
UPDATE (7/1/10): The 3,500 National Guard members who were affected have been notified.
Information
Source:
Dataloss DB
June 21, 2010
TeleTech, Sony Electronics
Englewood, Colorado
BSR
UNKN
Unknown
Customers who placed orders through Sony Style Telesales Department between May 23rd and June 3rd 2010 may have
had their credit card information illegitimately copied and sent to parties outside of the TeleTech network. TeleTech is a third
party service provider of Sony.
Information
Source:
Databreaches.net
June 20, 2010
Mercy Willard Hospital
Willard, Ohio
MED
INSD
Unknown
A former employee kept patient photographs, videos, memos, schedules, and forms. Some of the documents included
patient Social Security numbers and other personal information. The employee is also being accused of voyeurism and
possession of child pornography; though this is unrelated to these findings.
Information
Source:
PHIPrivacy.net
June 18, 2010
St. Francis Federal Credit Union
Tulsa, Oklahoma
BSF
PORT
8,400
Saint Francis Federal Credit Union has notified 8,400 customers that a backup tape containing customer information was
lost. SFFCU believes the tape was accidentally destroyed and that no member information has been misused as a result of
the loss.
Information
21
Source:
Databreaches.net
June 18, 2010
University of Nevada
Reno, Nevada
EDU
STAT
7,526 patients
Some patient information from the University Health System may have been accessed after the theft of computer equipment
at the Reno office on June 11th. Patient names, Social Security numbers, patient account numbers, medical information,
birth dates and addresses may have been viewed.
Information
Source:
Databreaches.net
June 18, 2010
Family Care Center
Clinton, Washington
MED
PORT
8,000 (0 SSNs
reported)
Operations in Clinton, Freeland, and Oak Harbor
A thief or thieves entered the physical therapy office on June 12th. Cash, other items, and a laptop containing encrypted
patient information such as names and account numbers were stolen. It appears that a door was left unlocked.
Information
Source:
PHIPrivacy.net
June 18, 2010
Ebony Medical Equipment and Supplies, Inc.
Tyler, Texas
MED
INSD
Unknown
The owner used patient medical information to fraudulently obtain over $70,000 from Medicare and Medicaid. The owner is
also charged with buying patient information.
Information
Source:
PHIPrivacy.net
Over 11,388 students June 17, 2010
Ocean Lakes High School
Virgina Beach, Virginia
EDU
HACK
calculated from the
Virginia Beach City
County Public Schools
page of
publicschoolreview.com
Schools that may have been accessed: Advanced Technology Center, Corporate Landing Middle School, Creeds
Elementary School, Fairfield Elementary School, Indian Lakes Elementary School, Kellam High School, Kingston Elementary
School, Landstown Middle School, Linkhorn Park Elementary School, Lynnhaven Middle School, New Castle Elementary
School, Ocean Lakes Elementary School, Ocean Lakes High School, Red Mill Elementary School, Renaissance Academy,
Rosemont Elementary School, Salem Elementary School, Technical & Career Education Center, Thalia Elementary School,
Three Oaks Elementary School, Windsor Oaks Elementary School
Because of an incorrect security setting, an Ocean Lakes High School student was able to access a temporary file on a
server that contained the names, addresses and Social Security numbers of students at 22 schools. The breach was
discovered when the student tried to print some of the information in the school library. In addition to names, addresses and
Social Security numbers, the student files also contain parent names, phone numbers, class schedules, birth dates and
student ID numbers.
Information
Source:
Dataloss DB
Quantum Corporation
22
June 17, 2010
Quantum Corporation
Bellevue, Washington
BSR
PORT
At least 4
Laptops were stolen on June 13th. One of the laptops was password protected and contained sensitive employee
information such as Social Security numbers, addresses, and names.
Information
Source:
Databreaches.net
June 16, 2010
AT&T
Dallas, Texas
BSR
DISC
Unknown
AT&T customers who were using their own usernames and passwords to log into their accounts reported being sent to the
accounts of other AT&T customers. The account information did not include Social Security numbers or credit card
informaiton.
Information
Source:
Databreaches.net
June 14, 2010
Frankling County Treasurer's Office
Columbus, Ohio
GOV
DISC
0
Although it has a newer and better protected website for paying property taxes, the Franklin County Treasurer's Office
continues to allow taxpayers to use an older URL which was recently discovered to be vulnerable to hackers. This may
expose taxpayer credit card and checking account numbers.
Information
Source:
Databreaches.net
June 13, 2010
Butler County Department of Job and Family Services
Middle, Ohio
GOV
PHYS
10,600
The Agency learned in 2008 that confidential records were being left in public dumpsters without being shredded.
Documents from Medicaid, Food Stamps, Ohio Works First, and child care programs included information such as Social
Security number, name, address, phone number and pay stub. The agency failed to notify those who were affected.
Information
Source:
Databreaches.net
June 12, 2010
J.P. Morgan Chase
Hackettstown, New Jersey
BSF
INSD
12
A Chase bank teller sold twelve customer account profiles to outside parties between 2008 and 2009. These customer
accounts were then fraudulently charged over $60,000. The former employee and the outside parties were all caught.
Information
Source:
Databreaches.net
June 12, 2010
Middle Township Municipal Hall
Middle Township, New Jersey
GOV
PHYS
Unknown
Personal information from Municipal Hall was found in a public dumpster. The information was not shredded and included
police reports, Social Security numbers, home addresses, telephone numbers, names, and tax records. The improper
disposal of information continued after the first dumpster discovery.
Information
Source:
23
Source:
Databreaches.net
June 11, 2010
Payless Shoe Store
Bellmore, New York
BSR
INSD
11
An employee used a skimming device to obtain customer credit card information. He made fraudulent purchases totaling
nearly $11,000 and was charged with grand larceny, possession of a forged device, and identity theft.
Information
Source:
Databreaches.net
June 10, 2010
Durham County Government
Durham, North Carolina
GOV
PHYS
8,700 employees
A group of people obtained a list of Durham employees which included Social Security numbers, birth dates, and
employment information. They then used their personal information to commit credit card fraud and identity theft. Police
report that more than 200 employees were victims.
Information
Source:
Databreaches.net
June 10, 2010
City of Springfield
Springfield, Illinois
GOV
DISC
Unknown
The city of Springfield put documents online that contained sensitive information such as Social Security numbers, driver’s
license numbers, home and work telephone numbers, bank account numbers and the name of someone who called the
state anonymously to report suspected child abuse. The documents were posted on the city’s website in response to
Freedom of Information Act requests as part of an initiative to make public information available to anyone with a computer.
But personal information such as home phone numbers, Social Security numbers and driver’s license numbers are exempt
from disclosure under state law.
Information
Source:
Dataloss DB
June 9, 2010
Apple Inc.
Cupertino, California
BSR
HACK
Unknown
A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every
other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking. The breach
exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes
thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC
News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm
Emanuel's information was compromised. It doesn't stop there. According to the data we were given by the web security
group that exploited vulnerabilities on the AT&T network, we believe 114,000 user accounts have been compromised,
although it's possible that confidential information about every iPad 3G owner in the U.S. has been exposed.
Information
Source:
Dataloss DB
June 9, 2010
TennCare, New Mexico Human Services Department
Chicago, Illinois
76,000 9,600 from New
MED
PORT
Mexico; over 10,000
from Tennessee
This theft affects people in Tennessee and New Mexico.
An employee from a subcontractor company called West Monroe Partners was robbed of a laptop containing information for
a Medicaid billing company named DentaQuest. DentaQuest was responsible for dental benefits of the New Mexico Human
24
Services Department and TennCare. Around 21,000 people had their full names and Social Security numbers on the stolen
laptop. Approximately 55,000 others had some form of personal information on the laptop.
Information
Source:
Databreaches.net
June 9, 2010
Office of Dr. David Brown
St. John, Missouri
MED
DISC
Unknown
Patient files were found outside the office of Dr. David Brown. Dr. Brown admitted to failing to shred the old papers and
claimed that he ran out of space for the files.
Information
Source:
NAID
June 8, 2010
Bank of America
Sun City, Florida
BSF
INSD
Uknown
An employee in one of Bank of America's customer call centers has admitted he stole sensitive account information and tried
to sell it for cash. The man met with two individuals whom he later learned were undercover FBI agents and offered to sell
them names, dates of birth, telephonic passwords, and other details for Bank of America customers, according to court
records. He was looking for accomplices who knew how to milk the accounts by establishing phony credit cards in the
customers' names or through other means.
Information
Source:
Dataloss DB
June 8, 2010
Tri-City Medical Center
Oceanside, California
MED
INSD
Unknown
Employees shared patient information on Facebook. Differing reports leave it unclear if these employees were nurses, and
whether or not they were fired.
Information
Source:
PHIPrivacy.net
June 8, 2010
Los Angeles County Department of Public Social Services
Los Angeles, California
GOV
INSD
155
A dishonest employee used welfare beneficiary information to file for two million dollars worth of tax refunds. The employee
was caught and charged with 11 counts of identity theft and 11 counts of making false claims to the United States.
Information
Source:
Databreaches.net
June 7, 2010
Wal-Mart, Sam's Club
Bentonville, Arkansas
BSR
HACK
117
Sam's Club and Wal-Mart stores in Connecticut, New Jersey, Massachusetts, Rhode Island, New Hampshire, New York,
Pennsylvania, Maryland, Delaware, and Puerto Rico
During a credit card fraud scheme, a man obtained and misused customer information. His scheme involved using customer
information to impersonate customers and open new lines of store credit in their names. Total loses amounted to
$781,571.80.
Information
Source:
25
Databreaches.net
June 7, 2010
New York City Department of Education
New York City, New York
EDU
HACK
Unknown
The New York City’s Special Commissioner Office revealed a hacker stole more than $640,000 from the Department of
Education’s petty cash account at JP Morgan Chase and distributed the codes to others to use to pay for student loans, gas
bills and other purchases. The hacker allowed individuals to pay personal bills through EFTs and, in turn, he was given cash.
The scam was discovered when an unidentified woman informed Chase someone was trying to pay bills using the account.
Information
Source:
Dataloss DB
June 7, 2010
Nursing Visioned Medical Services
MED
PHYS
At least 2,000
Thousands of patient records, surgery information, Social Security numbers and bank information were found dumped
behind Nashville Center Point Church of the Nazarene. The documents came from the now defunct and bankrupt Nursing
Visioned Medical Services group. Maryland-based Impulse Monitoring, Inc. bought the assets to NVMS last year when they
filed bankruptcy. They said they are not responsible for the patient information because the services NVMS provided were
one-time services. The old owners had shredded a bunch of old documents and the more recent ones had been passed on
to the company (Impulse) that bought NVMS back in January. It is unclear where the documents came from.
Information
Source:
Dataloss DB
June 6, 2010
Offices of Doctors J. and M. Vyas
Chino Hills, California
MED
PHYS
600 patient files (0
reports of SSNs or
financial information)
Confidential medical files were found in a dumpster near the medical office of the two doctors. The doctors were in the
process of moving to a new location.
Information
Source:
PHIPrivacy.net
June 5, 2010
National Highway Traffic Safety Administration (NHTSA)
GOV
DISC
Unknown
A limited search of NHTSA's public complaint database uncovered Social Security numbers, names, birth dates, addresses,
VINs, and drivers' license numbers. Public access to the database of 792,000 complaint cases was temporarily ended.
Information
Source:
Databreaches.net
June 5, 2010
Marco's Restaurant
BSR
HACK
500
The encrypted Internet connection of a restaurant was breached by hackers outside of the organization. Customer credit
and debit card information was lost and fraudulently used.
Information
Source:
Databreaches.net
Digital River Inc.
26
June 4, 2010
Digital River Inc.
Eden Prairie, Minnesota
BSF
HACK
200,000
A massive data theft from the e-commerce company Digital River Inc. has led investigators to hackers in India and a 19year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars. The
Eden Prairie company obtained a secret court order last month to block Eric Porat of Brooklyn from selling, destroying,
altering or distributing purloined data on nearly 200,000 individuals. Digital River suspects that the information was stolen by
hackers in New Delhi, India, possibly with help from a contractor working for Digital River.
Information
Source:
Dataloss DB
June 3, 2010
Penn State
University Park, Pennsylvania
EDU
DISC
15,806, 25,000 more
later discovered
The Pennsylvania State University sent data breach notification letters to 15 806 individuals who at one time had their
personal information, including Social Security numbers, stored in a university database. Penn State issued a press release
statement on Wednesday informing the university community that a computer in its Outreach Market Research and Data
office was found to be actively communicating with a botnet CNC. According to the statement, the database used by the
office had previously contained Social Security numbers on individuals. The university, which discontinued use of SSNs for
identification purposes in 2005, nevertheless found that an archived copy of the information went undetected in the
computer’s cache.
UPDATE (6/8/2010): An additional 25,000 individuals may have been affected.
Information
Source:
Dataloss DB
June 3, 2010
Safe Harbor Med
Santa Cruz, California
MED
PORT
Unknown
Burglars stole client records, a suitcase and two bags of cookies from a medicinal marijuana referral office. Burglars also
stole a computer hard drive that contained a client database, including Social Security numbers, ID numbers and other
sensitive information. The burglars apparently cut power to the building — so the alarm didn't go off — and shattered a
window to get into the office.
Information
Source:
Dataloss DB
June 2, 2010
Avalon Center
Cheektowaga, New York
MED
DISC
Unknown
Sensitive medical information was dumped outside of a DMV office. The medical information came from a eating disorder
clinic that had recently closed. Patient information such as medical treatment and Social Security number was exposed. It is
unknown how the information ended up in the dumpster.
Information
Source:
Databreaches.net
June 2, 2010
Rainbow Hospice and Palliative Care
Park Ridge, Illinois
MED
PORT
Unknown
http://www.rainbowhospice.org/protection/ [94]
According to their website: "On April 12, 2010, one of our laptop computers, which contained personal information, was
stolen during a patient visit. The laptop had security measures in place, but there is a very small chance that protected
information such as name, address, date of birth, Social Security number, insurance information, medications, treatment,
and diagnoses may have been inappropriately accessed."
27
Information
Source:
Dataloss DB
June 2, 2010
Roanoke City Public Schools
Roanoke, Virginia
EDU
PORT
2000
Personal information of more than 2,000 Roanoke City Public Schools employees may be at risk. School officials said the
hard drives of eight computers were not removed before the units were sold as surplus. "We believe that we have recovered
all of the hard drives," said Superintendent Rita Bishop. The drives contained the names, school locations and Social
Security numbers of the division's employees as of November 2006. The division will be setting up a hotline for employees to
call with questions and concerns. Free credit monitoring service will be offered to affected employees.
Information
Source:
Dataloss DB
June 2, 2010
University of Louisville
Louisville, Kentucky
EDU
DISC
709
A University of Louisville database of 708 names that included Social Security numbers and dialysis details was available on
the Internet without password protection for nearly a year and a half. The Web site was disabled on May 17 when the
university discovered the flaw. University officials said in a statement that accessing the database would not have been easy,
and no direct links to the database were discovered. The information was available so long because the U of L doctor who
set up the Web site thought the information was protected by a password and other precautions. U of L was finally notified
when someone outside the university sent an e-mail about open access to the information. The Web site was shut down an
hour later.
Information
Source:
Dataloss DB
June 1, 2010
Brew HaHa!
Wilmington, Delaware
BSR
HACK
Over 30
Outdated and improperly managed software caused customer debit and credit cards to be exposed to fraudulent charges.
Between 20 and 30 customers of one bank had fraudulent charges from overseas added to their statements. It is not
known how many other customers were affected.
Information
Source:
Databreaches.net
May 28, 2010
Aetna
South Windsor, Connecticut
BSO
PHYS
6,372 clients from New
Jersey and
Pennsylvania
A cabinet full of documents with sensitive information was found sitting on the side of the road. A woman made the discovery
about a month ago and gave the documents to investigators with Aetna Insurance Co. The woman said she saw a bureau
on the side of the road in front of Admiral Storage in South Windsor with a sign that said "free." She brought it home and
discovered the documents. There were eight bags of nothing but Social Security numbers, names, and death benefits.
Information also included patient records and medications. Aetna responded by saying, "Aetna is committed to protecting the
privacy of our members and we take this situation seriously. We have policies for properly safeguarding our members’
information, and we are investigating how this incident occurred, but it appears to be human error. The woman contacted us
via e-mail on the evening of May 5, and we immediately responded the next morning. She has consistently declined to give
us her name or phone number, or to make arrangements to allow us to retrieve the documents at a place convenient for her,
or to return them to us. As of today, we now have the files, and will go through each of them to determine the contents and
whether any member information has been breached. If it has been, we will notify those members and take steps to mitigate
any potential harm."
28
The woman attempted to arrange the hand-off, however, a short time after she got off the phone with the company, three
men from Aetna showed up at her workplace, unannounced, and asked for the documents immediately. The woman said,
"But when they sent the three guys to my work yesterday, it was an intimidation tactic and I didn't appreciate it. So that told
me what I was going to do. That they were going to try and hide it."
Aetna said someone from the company made a "serious human error," and it will now go through the files to make sure no
sensitive information was lost. What's more troubling, the woman said, is that the bureau wasn't the only piece of furniture
offered for free that day. "Out of the pieces that were up for grabs, whose to say that I've got the only piece that was full of
Aetna papers." The woman has also contacted the state to investigate the situation. Aetna has clients across the country.
UPDATE (8/2/10): Aetna notified 7,250 clients of the breach and reported that 6,372 were affected.
Information
Source:
Dataloss DB
May 28, 2010
Cincinnati Children's Hospital Medical Center
Cincinnati, Ohio
61,000 (0 SSNs and
MED
PORT
reported)
A laptop containing the names, medical record numbers, and medical services provided of patients was stolen from an
employee's car while it was parked at his or her home. As a precaution, no additional laptops will be allowed outside the
hospital unless they are encrypted.
Information
Source:
Databreaches.net
May 28, 2010
Interior National Business Center
Denver, Colorado
GOV
PORT
7,500 (0 SSNs
reported)
A disc containing employee information was lost or stolen. The Interior Department reported that it was encrypted and
password-protected personally identifiable federal employee information.
Information
Source:
Databreaches.net
May 26, 2010
Inovis
Alpharetta, Georgia
BSO
PORT
Unknown
On May 4th a laptop containing employee information was stolen from an employee of GXS who was helping with their
merger. A letter notified an unknown number of Inovis employees that their addresses, Social Security numbers, names and
salary information were on the laptop.
Information
Source:
Databreaches.net
May 26, 2010
Children's Hospital and Research Center at Oakland
Oakland, California
MED
PHYS
1000 (0 SSNs
reported)
http://www.childrenshospitaloakland.org/EnhancedPatientPrivacyProtection... [95]
Approximately 1,000 patients were mailed information about themselves and other patients. According to the Hospital's
website "equipment designed to generate, fold and stuff documents for mailing was programmed to fold and stuff two pages
rather than one. This programming error caused guarantor billing statements prepared on May 25 and May 26 to be collated
and mailed incorrectly."
Information
Source:
29
PHIPrivacy.net
May 25, 2010
Loma Linda University Medical Center
Loma Linda, California
MED
PHYS
500
(877) 558-6208
A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center,
according to hospital officials. A desktop computer containing the information disappeared April 5 from the department of
surgery's administrative office on Campus Street. The missing information includes each patient's name, medical record
number, diagnosis, surgery date, and the type of procedure.
Information
Source:
Dataloss DB
May 25, 2010
AT&T/Ferrell Communication
Jacksonville, Florida
BSO
DISC
Unknown
A woman got quite a surprise when she looked in her recycle bin. Someone had dumped hundreds of files of people's
personal information. The manila folders that were found contained personal information of AT&T cell phone customers,
including credit card numbers, driver's licenses and Social Security numbers. It appears the information was collected by
another company called Ferrell Communication, which was located in a strip mall. It's no longer there, and the phone
number listed isn't valid. The information is contracts for AT&T wireless service customers dating back to 1999 or 2000. The
information is old, but could still be valid.
Information
Source:
Dataloss DB
May 25, 2010
City of Charlotte
GOV
PHYS
5,220
(888) 435-6031
The city of Charlotte says the personal information of 5,220 current and former city employees and elected officials has been
lost. The loss affects individuals who received health insurance from the city in early 2002. Two DVDs containing the Social
Security numbers of the affected individuals failed to arrive at the offices of Towers Watson & Co., the city’s benefits
consulting firm, in Atlanta. The discs also contained prescription-drug information for five individuals.
Information
Source:
Dataloss DB
May 25, 2010
Local Coffee
San Antonio, Texas
BSR
HACK
Unknown
Hackers may have gained access to credit and debit card information by exploiting Aloha software weaknesses. After a
purchase at Local Coffee, a customer's debit card was canceled. This prompted Local Coffee to temporarily stop using
Aloha. Another San Antonio eating establishment, Aldaco, also encountered hacking problems while using Aloha software.
Information
Source:
Databreaches.net
May 25, 2010
Lincoln Financial Group
BSF
DISC
1,286 (0 SSNs
reported)
In 2002, 2008, and 2010 records of correspondence between agents and clients were misplaced. Technical errors caused
the names, addresses, policies or contract numbers, account values, trade and transaction activities, and dates of birth of
the clients to be accessible.
30
Information
Source:
Databreaches.net
May 25, 2010
Wells Fargo
BSF
INSD
1,023
A former stock broker left the firm with the personal information of 1,023 clients. Names, addresses, Social Security numbers
and brokerage account numbers were taken.
Information
Source:
Databreaches.net
May 25, 2010
Wells Fargo
BSF
INSD
At least 5
A former Wells Fargo employee inappropriately held the pers onal information of clients . Law enforcement found documents containing
names , dates of birth, Social Security numbers and mortgage loan account numbers when acting on a s earch warrant for the home of a
former Wells Fargo team member.
Information
Source:
Databreaches.net
May 24, 2010
Cheesecake Factory
BSR
INSD
Unknown
Three servers from the Cheesecake Factory at 5345 Wisconsin Avenue were charged with using skimming devices to make
over $117,000 in fraudulent charges to customer credit card accounts.
Information
Source:
Databreaches.net
May 24, 2010
Lake Ridge Middle School
Woodbridge, Virginia
EDU
PORT
Over 1,200 (0 SSNs
reported)
A USB drive containing student names, identification numbers, phone numbers, and medical information was stolen from the
unlocked car of a school administrator at the employee's home.
Information
Source:
Databreaches.net
May 22, 2010
Staff Jennings Boats
Portland, Oregon
BSR
DISC
Unknown, at least two
cases of SSN
Sales documents dating back 20 years were found in a dumpster. The personal financial information of customers included
Social Security numbers and information on purchases. Staff Jennings went out of business in April of 2010.
Information
Source:
Databreaches.net
May 21, 2010
Aldaco's Mexican Cuisine
San Antonio, Texas
BSR
HACK
Unknown
31
Aldaco's Mexican Cuisine at Stone Oak had a data security breach. Customers were notified of fraudulent charges; some
were from places outside of the U.S. Aldaco urged customers who had used their credit cards at the restaurant to cancel
them.
Information
Source:
Databreaches.net
May 21, 2010
Tufts University
Medford, Massachusetts
EDU
HACK
"Thousands" of alumni
records, at least 2,000
Campus computers with former student files were exposed to a virus. Alumni may have had their Social Security numbers
and other information exposed.
Information
Source:
Databreaches.net
May 20, 2010
Rockbridge Area Community Services
Lexington, Virginia
MED
STAT
500
On March 3rd, at least one computer and one laptop containing personal information were stolen. Information such as
names and Social Security numbers may have been compromised.
Information
Source:
Databreaches.net
May 20, 2010
Strong Memorial Hospital
Rochester, New York
Around 1250 (0 SSNs
MED
DISC
and credit cards
involved)
Around half of all patient medical bills were sent to the wrong address. The billing statements included patient names, name
and address of the person responsible for paying the bill, description of services received and the dates of services, dollar
amount owed, health insurance plan and subscriber number.
Information
Source:
Databreaches.net
May 18, 2010
The Vine Tavern and Eatery
Tempe, Arizona
Unknown, "thousands
BSR
PHYS
of pages of sensitive
information"
Personal documents including applicant names, Social Security numbers, and dates of birth were found in a dumpster.
Customer checks with banking information and credit card receipts were also found.
Information
Source:
NAID
May 18, 2010
Capitol One
McLean, Virginia
BSF
UNKN
Unknown
A fraud ring may have accessed customer information. The information included names, addresses, Social Security
numbers, and other personal information. It is not known how the information was obtained or how many customers were
affected. The information may have been accessed sometime between December of 2009 and February of 2010.
32
Information
Source:
Databreaches.net
May 17, 2010
Edward Waters College
EDU
DISC
At least 210
Staff and prospective student names, Social Security numbers, driver's license numbers, and addresses were accessible to
the public through a Google or Yahoo! search. The cause was a mistake in setting up software.
Information
Source:
Databreaches.net
May 17, 2010
Silicon Valley Eyecare Optometry and Contact Lenses
Santa Clara, California
MED
STAT
40,000
A computer and a plasma TV were stolen from the office on Friday April 2nd, 2010. The computer server contained patient
names, addresses, phone numbers, email addresses, birth dates, family member names, medical insurance information,
medical records, and in some cases, Social Security numbers. The data were password protected.
Information
Source:
Databreaches.net
May 15, 2010
Los Angeles Firemen's Credit Union
BSF
DISC
Unknown
An extremely small percentage” of member files were “not properly moved” when the CU relocated from an old location. The
data that could have been compromised included members names, addresses, phone numbers, account numbers, Social
Security numbers and other identifiers. The CU sought to reassure members that it did not believe any of their information
had been compromised and that the CU had “state of the art protocols” available to validate member identifies. The CU also
arranged for CU members who chose to do so to be able to enroll in a credit monitoring service for the next two years at no
cost to them.
Information
Source:
Dataloss DB
May 15, 2010
Mellow Mushroom
Warner Robins, Georgia
BSR
HACK
2,000
Customers of the Mellow Mushroom eatery had their credit and debit card information hacked sometime around March 11th.
Customers of other merchants have been affected, but a hack of Mellow Mushroom's processor is believed to be the source.
Information
Source:
Databreaches.net
May 14, 2010
Department of Veterans Affairs
GOV
PORT
616
The Department of Veterans Affairs has suffered another possible breach of private data as a thief recently stole an
unencrypted laptop that had held the Social Security numbers and other information of 616 veterans. Theft of the laptop was
owned by a contractor and not the VA.
Information
Source:
Dataloss DB
33
May 14, 2010
Principal Financial Group
Des Moines, Iowa
BSF
HACK
Unknown, at least two
from New Hampshire
An unauthorized person using a valid employer password and user name accessed group contract number, member name,
Social Security number, age and employment status of certain individuals with a connection to Principal Life Insurance.
Information
Source:
Databreaches.net
May 13, 2010
Army Reserve/Serco Inc.
Morrow, Georgia
GOV
PORT
207,000
A laptop containing the names, address and Social Security numbers of more than 207,000 Army reservists has been stolen
from a government contractor in Georgia. A CD-Rom containing the personal identifiable information was in one of three
laptops stolen from the Morrow, Ga., offices of Serco Inc., a government contractor based in Reston, Va. The other laptops
did not contain sensitive personal information. Serco had a contract with the U.S. Army's Family and Morale, Welfare and
Recreation Division, so some of the pilfered information also could belong to reservists' family members.
Information
Source:
Dataloss DB
May 11, 2010
New Mexico Medicaid
Santa Fe, New Mexico
GOV
PORT
9,500
(877) 453-8424
A employee of a subcontractor for the company that processes claims and provides dental benefits for the State’s Medicaid
program, filed a stolen car report for a vehicle whose trunk contained an ”unencrypted” laptop loaded with patient
information. The patient information in the laptop included name, health plan identification number, which in some cases is
the individual’s Social Security number, and a provider identification number but not the name of the provider. The agency
sent out a message today saying that it was in the process of notifying 9,500 New Mexicans who use its Medicaid Salud plan
of a possible security breach.
Information
Source:
Dataloss DB
May 10, 2010
Monarch High School, Plantation High School
Coconut Creek, Florida
EDU
INSD
6 from Plantation and
Monarch, 7 victims total
A former teacher of Monarch High School received six months of house arrest for opening or attempting to open 17 credit
cards in other people's names.
Information
Source:
Databreaches.net
May 7, 2010
FHG Finance
Pleasant Hill, California
BSF
DISC
300
The financial and personal details of about 300 property loan applicants were compromised when confidential documents
were mistakenly tossed into an outdoor waste bin. The documents, which contained bank account and Social Security
numbers, were found by employees at a neighboring store, who alerted FHG. The company padlocked the trash bin until the
documents could be shredded.
Information
Source:
Dataloss DB
34
May 7, 2010
Fast Cash
Knoxville, Tennessee
BSF
PHYS
Unknown
Hundreds, maybe thousands, of documents with personal information were dumped behind a shopping center. The
documents scattered around a dumpster behind the business listing Social Security numbers, names, addresses, bank
account numbers and signatures.
Information
Source:
Dataloss DB
May 7, 2010
Bureau of Engraving and Printing
BSF
HACK
Unknown
Hackers have caused the Bureau of Engraving and Printing (BEP), a part of the US Department of the Treasury, to shut
down a number of websites. The BEP confirmed to IT PRO that the hosting company it uses experienced an intrusion and as
a result of the breach numerous websites were affected, including non-BEP sites. Those URLs are: bep.gov; bep.treas.gov;
moneyfactory.gov and moneyfactory.com. BEP has since suspended the website. The chief research officer at IT security
company AVG, indicated that the BEP websites had a line of code injected into them. Upon accessing the US Treasury
website (treas.gov, bep.gov, or moneyfactory.gov), the iframe silently redirects victims through statistic servers and exploit
packs which will carry the victim onto the second stage of the attack. The exploit kit determined that Java was the “best
method” for infecting his test machine. Once infected, users' web browsers will start directing them to ads and “other nasty
things” like rogueware.
Information
Source:
Dataloss DB
May 4, 2010
Millennium Medical Management Resources
Westmont, Illinois
MED
PORT
180,111
Health records belonging to patients were stolen in a break-in. The records were on a portable hard drive and stolen from
the Westmont office of Millennium Medical Management Resources. Millenium believes the hard drive contained personally
identifiable information about EHP patients including name, address, phone, date of birth, and Social Security number. In
some cases other information such as diagnosis, procedure (and/or codes), medical record number, account number,
drivers license number and health insurance info. It was NOT encrypted.
Information
Source:
Dataloss DB
April 30, 2010
Our Lady of Peace
MED
PHYS
24,600
A flash drive containing personal information on 24,600 patients is missing from Our Lady of Peace psychiatric hospital. The
drive contained the following information on patients admitted since 2002: patient names, room numbers, insurance
company names and admission and discharge dates. It didn’t include diagnoses or treatments, Social Security numbers,
dates of birth, telephone numbers or addresses for these patients. The drive also included the following information on
patients assessed since 2009 but never admitted: name, date of assessment, date of birth and the time they left the hospital.
For these patients, the information on the drive didn’t include diagnoses or treatments, Social Security numbers, telephone
numbers, addresses or insurance information.
Information
Source:
Dataloss DB
April 30, 2010
North Country Health Services
Bemidji, Minnesota
MED
HACK
349
The online bill payment website was hacked. The credit card and debit card account information of customers who paid
online was exposed.
35
Information
Source:
PHIPrivacy.net
April 29, 2010
St. Jude Heritage Medical Group
Orange, California
MED
PHYS
20,000
(800) 627-8106
20,000 patients may have had their personal information stolen after a break-in at the St. Jude Heritage Healthcare Clinical
Management Services building in Fullerton. The thieves stole five computers. The stolen patient data included Social
Security numbers, dates of birth and in some cases, health related information.
Information
Source:
Dataloss DB
April 28, 2010
The Medical Center
Bowling Green, Kentucky
MED
PORT
5,418
The Medical Center at Bowling Green is notifying 5,418 patients whose medical information may have been breached when
a computer hard drive was stolen. The computer hard drive was taken from the hospital's mammography suite and
contained information from patients who underwent bone density testing between 1997 and 2009.
Information
Source:
Dataloss DB
April 28, 2010
Montana Tech
Butte, Montana
EDU
DISC
260
A Montana Tech employee mistakenly included the personal information of former students in an e-mail message sent to
faculty, staff and students last week. The e-mail was an invitation to watch students present their research projects. But the
file that this year's information was taken from included the names, addresses, Social Security numbers and in some cases
birth dates of students whose research projects were done from 1998 through 2005.
Information
Source:
Dataloss DB
April 26, 2010
South Carolina Department of Health and Environmental Control
Columbia, South Carolina
GOV
PHYS
At least 1,824 (0 SSNs
and financial
Over 1,800 people's information was found in a dumpster. It is not known what kind of personal information was included in
the documents.
Information
Source:
NAID
April 23, 2010
ESB Financial
Ellwood City, Pennsylvania
BSF
DISC
3,097
ESB Financial officials announced that a data backup seven years ago had inadvertently been sent to an unauthorized
storage source. Only checking and money-market account information was backed up to the incorrect outside data-storage
company. A total of 3,097 customers could have been affected by the backup. Names, addresses, account numbers and, in
some cases, Social Security numbers, would have been available to someone who found them on the Internet. However, the
jumble of numbers would not have been easily recognizable and ESB was not identified as the source of the information.
Information
36
Source:
Dataloss DB
April 23, 2010
Blippy.com
Palo Alto, California
BSO
DISC
Unknown
Blippy is a social Web service that lets users share with the world all their credit card transactions. One big problem though:
Blippy appears to have inadvertently published some of its users' credit card numbers. Google search resulted in viewing of
some of the credit card numbers.
Information
Source:
Dataloss DB
April 23, 2010
Chattanooga State
Chattanooga, Tennessee
EDU
PHYS
1,700
Nearly two thousand students records from Chattanooga State are missing. The company hired to scan the documents,
mishandled them. The school took the records to a company, United Imaging in Walker County, where the papers would be
converted to computer discs. The school was contacted by individuals who said there was something awry going on at this
scanning site. That's when the school found their records in disarray, and brought them back. The papers included students'
names, Social Security numbers, addresses, phone numbers, some even contained high school transcripts. Chattanooga
State went through each item, hand by hand, and found nearly 2000 missing documents from 2007.
Information
Source:
Dataloss DB
April 23, 2010
DRC Physical Therapy Plus
Monticello, New York
MED
PHYS
Unknown
Officials have seized hundreds, perhaps thousands, of files containing Social Security numbers and other private patient
information found dumped outside the shuttered office of DRC Physical Therapy Plus. The manila folders, dating back to at
least 1998, include information sheets showing the names, addresses and birth dates of patients and, in some cases, Social
Security numbers. Deputies impounded a dump truck loaded with patient files and about a dozen or so boxes stacked inside
the bucket of a front-loader.
Information
Source:
Dataloss DB
April 23, 2010
Hutcheson Medical Center
MED
PHYS
Unknown
Anyone who peered inside the mixed paper bin at the Dupont Recycling Center in May of 2009 got an eyeful. Files, in plain
sight, which contained sensitive medical and identity information. Authorities don't know how those thousands of files got
there. Some of the records came from Hutcheson and a plastic surgery office in the area. The information inside those files
included graphic photos, and Social Security numbers.
Information
Source:
Dataloss DB
April 22, 2010
JE Systems Inc.
Fort Smith, Arkansas
BSF
HACK
Unknown
The company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and
drained its payroll account. On Wednesday, Apr. 7, Ft. Smith based JE Systems Inc. received a call from its bank stating that
the company needed to move more money into its payroll account. Over the course of two days, someone had approved two
batches of payroll payments — one for $45,000 and another for $67,000. A few days later, the First National Bank of Fort
Smith sent JE Systems a letter saying the bank would not be responsible for the loss. It was their internet address that was
used to process the payments, and their online banking user name and password.
37
Information
Source:
Dataloss DB
April 21, 2010
Massachusetts Eye and Ear Infirmary
MED
PORT
3,526
On February 19, 2010, a laptop belonging to a physician affiliated with the Massachusetts Eye and Ear Infirmary was stolen
while the physician was lecturing in South Korea. The laptop belonged to a neurologist with a particular focus on ringing in
the ears, or tinnitus. The following types of information about affected individuals associated with Mass. Eye and Ear may
have been present on laptop, Names, Addresses, Telephone numbers, E-mails, Date of birth and age, Sex, Medical record
numbers, Dates of service, Medical information, including diagnoses, symptoms, test results, and prescriptions, Name and
contact information for patient pharmacies, and Research participant status. In addition, four individuals’ information also
included their pharmacy insurance account number.
Information
Source:
Dataloss DB
April 21, 2010
US Army Reserve
Fort Totten, New York
GOV
PHYS
12,000
The Army is warning about 12,000 military and civilian personnel once associated with a reserve command based at Fort
Totten that they should check their credit records, after discovering that it cannot locate files containing information that
could make them vulnerable to identity theft. The records cover reservists from Long Island, New York City and upstate who
were assigned to the 77th Regional Readiness Command and its subordinate units from 2001 until the unit was absorbed by
the 99th Regional Support Command in 2008. The files were discovered missing when the new command asked for an
accounting of the old unit’s records. They could have been burned, shredded or stolen.
Information
Source:
Dataloss DB
April 21, 2010
Affinity Health Plan
Bronx, New York
MED
PORT
409,262
Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers
employees that their personal data might have been leaked through the loss of an unerased digital copier hard drive. Some
personal records were found on the hard drive of a copier found in a New Jersey warehouse. The copier had previously
been leased by Affinity and was then returned to the leasing company. Affinity Health Plan says it has not had a chance to
review the data found on the copier. The figure of 409,262 notifications includes former and current employees, providers,
applicants for jobs, members, and applicants for coverage.
Information
Source:
Dataloss DB
April 21, 2010
Brooke Army Medical Center
San Antonio, Texas
MED
PORT
1,272
An Army three-ring binder that may have included detailed information on soldiers and families being treated at Brooke Army
Medical Center was stolen on Oct. 16 from a car belonging to a case manager. Names, phone numbers and health
information of 1,272 patients being treated at hospitals may have been breached by the car break-in.
Information
Source:
Dataloss DB
April 21, 2010
St. Mary and Elizabeth Hospital Women's Center
MED
STAT
77 patients (0 SSNs
reported)
38
A hard drive was stolen from a locked area. Medical information such as biopsy images, patient names, and medical exams
were on the stolen hard drive.
Information
Source:
PHIPrivacy.net
April 18, 2010
Rapid Return Tax
San Antonio, Texas
BSF
PHYS
Dozens
Dozens of legible tax documents were found among ashes in a dumpster outside of a tax return business. Social Security
numbers may have been on the documents. This appears to be the result of a failure to burn all of the documents.
Information
Source:
Databreaches.net
April 16, 2010
Blue Cross and Blue Shield of Rhode Island (BCBSRI)
Providence, Rhode Island
MED
PHYS
A filing cabinet containing survey information from approximately 12,000 BlueCHIP for Medicare members was donated to a
local nonprofit organization. The surveys were from 2001 to early 2004 and contained information such as names, Social
Security numbers, telephone numbers, addresses and Medicare Identification numbers.
Information
Source:
Databreaches.net
April 16, 2010
Higher Education Serives Corp.
Albany, New York
BSF
DISC
1,433
A "process error" may have lead to Social Security numbers and last names going through Internet servers outside of
HESC's control. Those who may have been affected received letters and free credit monitoring services.
Information
Source:
Databreaches.net
April 14, 2010
Strategic Workforce Solutions, Tatum SFN division
New York, New York
BSO
PORT
Unknown
The Tatum division of SFN (Strategic Workforce Solutions) notified employees that a portable electronic device was stolen
from the trunk of a car. The device contained unencrypted files with names, addresses and Social Security numbers.
Information
Source:
Databreaches.net
April 14, 2010
Lam Research Corp.
Fremont, California
BSO
PORT
Unknown
A laptop containing the information of people regularly employed at Lam Research Corp. on or after January 1, 2009 was
stolen from an employee's car. Temporary employees and contractors from August 1, 2007 and beyond may have also
been affected. The information included names and Social Security number; however, it was protected by passwords and
fingerprints checks.
Information
Source:
Databreaches.net
39
April 14, 2010
Bay Pines VA Medical Center
Bay Pines, Florida
GOV
PHYS
Nearly 800 (unknown
number of SSNs)
Up to 800 police files were left in an area where the general public could easily access them. Some of the files contained
Social Security numbers, patient addresses, and treatment information.
Information
Source:
Databreaches.net
April 13, 2010
Virginia Beach Dept. of Social Services
Virginia Beach, Virginia
GOV
INSD
Unknown
At least eight human services employees, including supervisors, have been fired or disciplined in the past year for wrongfully
accessing confidential and personal information about former employees, family members and clients. The violations include
a boss who forced her employees to gather information from a state database about her husband's child and a worker who
checked on the status of a dead client's Medicaid benefits to help the client's family. Most of the cases stemmed from the
agency's financial assistance department, which handles food stamps, Medicaid assistance, grants for the disabled and
emergency relief for needy families. As part of their jobs, the 330 employees in the department who provide social services
have varying degrees of access to secured databases. They need the information to determine whether a client qualifies for
financial help.
Information
Source:
Dataloss DB
April 13, 2010
St. Peter's Hospital
Albany, New York
MED
INSD
Unknown
An East Greenbush man who worked as a medical records clerk at St. Peter's Hospital is accused of stealing personal
information from patient's files to open credit card accounts. The man allegedly stole Social Security numbers and other
personal information from patient's records, then used the data to open credit card accounts for making personal purchases
online. The man was charged April 12 with five counts of felony second-degree forgery, three counts of felony seconddegree identity theft and three counts of misdemeanor second-degree criminal impersonation.
Information
Source:
Dataloss DB
April 13, 2010
Lorillard Tobacco, General Agencies Welfare Benefits Program, National Gypsum,
Towers Watson
BSR
PORT
At least 1,874
Greensboro, North Carolina
Two unencrypted DVDs containing employee information were lost in transit by a benefits consulting firm. Multiple
organizations were involved. Benefits consulting firm Towers Watson notified Lorillard and the General Council on Finance
and Administration, which administers the General Agencies Welfare Benefits Program, of the loss in February. The DVDs
contained names, addresses, dates of birth, and Social Security numbers of current and former employees and their family
members.
UPDATE (6/22/2010): National Gypsum notified the New Hampshire Attorney General Office of the possible exposure of
employee data related to this incident in June.
Information
Source:
Databreaches.net
April 13, 2010
Room Store
Annapolis, Maryland
BSR
PHYS
Unknown
A Maryland man found his own credit application lying on the ground near a dumpster. The dumpster contained thousands
of old credit applications and some newer ones. The information included Social Security numbers, driver's licence
numbers, names, addresses, and phone numbers. Room Store employees were doing a massive cleanup and unknowingly
40
dumped the bag of documents without shredding them.
Information
Source:
Databreaches.net
April 13, 2010
Atlanta Firefighters
Atlanta, Georgia
GOV
DISC
1000
While attending a seminar on security, Atlanta police officers were astonished to discover that personal information from city
firefighters was being used as an example of what could be found on the Internet. The information included Social Security
numbers, names and addresses. It is believed that the information was hacked and/or uploaded to a file sharing website
from a city employee's off-site laptop.
Information
Source:
Databreaches.net
April 12, 2010
Kern County Employee's Retirment Asociation
Bakersfield, California
GOV
INSD
37,000
A former employee was convicted of using the Social Security number of a member to create a false identity. The county
employee opened a line of credit and had committed felonies before being hired at KCERA in a position with access to
retirees' personal information.
Information
Source:
Databreaches.net
April 9, 2010
Hollywood Video
Sparks, Nevada
BSR
PHYS
Unknown
This Hollywood Video like many others has closed. Hundreds, perhaps thousands of pieces of paper, receipts, records and
worst of all membership forms, were exposed. It appears they were not even placed in the dumpster, but left out in the open
and scattered everywhere by the wind. On these forms were names, addresses, birth dates, I-D numbers, credit card
numbers and signatures.
Information
Source:
Dataloss DB
April 9, 2010
Mad Capper Saloon & Eatery
Stillwater, Minnesota
BSR
HACK
200
Police have received about 80 complaints of victims' whose credit cards have been compromised. The police have
connected the scam to cards used at the Mad Capper Saloon & Eatery. The owner of the Mad Capper Saloon & Eatery has
been cooperating with police, he is frustrated that somehow his 30-year-old business is linked to identity theft. The
restaurant's owner, has taken steps to make sure his customers are protected. "We've looked into our credit card
processing. We've looked into our software program -- our routers in the building, We've scanned everything -- combed it
with a fine tooth comb and we can't find anything off of it, so its frustrating."
UPDATE (4/10/10): The number of people affected is now nearing 200.
Information
Source:
Dataloss DB
April 9, 2010
Charles Schwab
Albany, New York
BSF
HACK
Unknown
A Russian national was sentenced to 37 months in prison for hacking into victims' brokerage accounts at Charles Schwab,
laundering more than $246,000 and sending a portion back to co-conspirators in Russia. The man also sold approximately
41
180 stolen credit card numbers to a cooperating witness and directed that they be fabricated into credit cards. According to
the indictment, from approximately September 2006 through December 2007 two men participated in a scheme to steal
funds from bank and brokerage accounts by hacking into those accounts through the Internet, using personal financial
information obtained through a Trojan computer viruses and then laundering the stolen proceeds.
Information
Source:
Dataloss DB
April 9, 2010
Woodbury Financial Services
Woodbury, Minnesota
BSF
PORT
At least three
A USB containing client names, Social Security numbers, addresses, and dates of birth went missing. The data was
unencrypted. Woodbury is a broker with The Hartford.
Information
Source:
Databreaches.net
April 8, 2010
St. Francis Hospital
Tulsa, Oklahoma
MED
INSD
60
A Sand Springs woman has been indicted on allegations that she used personal identifying information she copied from her
then-employer's computer system as part of a scheme involving fraudulent credit cards and stolen mail. The indictment,
released Wednesday in federal court in Tulsa, a 45 year old woman, exceeded her computer-access authority at St. Francis
Hospital to obtain information such as Social Security numbers and dates of birth of at least 60 people.
Information
Source:
Dataloss DB
April 8, 2010
H&R Block
Bronx, New York
BSF
INSD
At least 20
Police are investigating whether former H&R Block employees received fraudulent tax refunds by using customer
information. At least customers 20 have come forward, but there could be many more customers who were affected.
Information
Source:
Databreaches.net
April 8, 2010
HBDirect.com
Waterbury Center, Vermont
BSO
HACK
Unknown
A security breach resulted in the possibility that hackers accessed customer names, addresses, credit card information,
email addresses and phone numbers. Customers who used the site between December 1, 2009 and February 10th, 2010
may have been affected.
Information
Source:
Databreaches.net
April 8, 2010
ManorCare Health Services
Wheaton, Maryland
MED
INSD
Unknown
Montgomery County's Department of Health and Human Services is looking into how numerous Wheaton nursing home
papers containing sensitive patient information have made their way into nearby neighbors' yards over the past few months.
The county sent a nursing home inspector to investigate complaints from residents in the Wheaton Regional Park Civic
Association who said they have found internal documents from the nearby ManorCare Health Services that contain patient
conditions, names and Social Security numbers. The inspector cited ManorCare for inappropriate conduct.
Information
42
Source:
Dataloss DB
April 7, 2010
Bank of America
BSF
INSD
Unknown
An IT staff member of Bank of America plead guilty to installing illegal software on Bank of America ATMs. The software
caused the ATMs to erroneously dispense money; some of it may have affected customer accounts.
Information
Source:
Databreaches.net
April 6, 2010
Amarillo Tex's Steakhouse
Alton, Illinois
BSO
CARD
At least four
An employee made a deal with an outside party to allow a skimmer device to collect customer credit card information. Four
people reported identity theft to the police, but it is unknown how many were affected.
Information
Source:
Databreaches.net
April 6, 2010
Pediatric Sports and Spine Associates
Brentwood, Tennessee
MED
PORT
955
A laptop was stolen from an employee on February 10. The theft occurred off-site. The laptop contained names, addresses,
phone numbers, dates of birth, medical information and Social Security numbers.
Information
Source:
PHIPrivacy.net
April 6, 2010
Providence Hospital
Southfield, Minnesota
MED
PORT
12
The hospital has sent letters alerting patients that a hard drive used for backing up data has been "lost or stolen from a
locked office suite. The hospital explained that the data included patient names, medical record numbers and/or clinical
information, addresses and phone numbers of some employees, and what the hospital called proprietary businesses
information. The hospital would not comment on how many patients may be affected, but said only 12 patients' Social
Security numbers were on the hard drive.
Information
Source:
Dataloss DB
April 5, 2010
John Muir Physician Network
Walnut Creek, California
MED
PORT
5,450
John Muir Health, the Walnut Creek-based hospital system, has begun notifying 5,450 patients by mail of a potential breach
of their personal and health information. Two months ago two laptop computers at the John Muir Physician Network
Perinatal office in Walnut Creek were stolen. The laptops were password protected and contained data in a format that
would not be readily accessible. External vendors and internal experts discovered that the missing laptops contained
personal and health information going back more than three years.
Information
Source:
Dataloss DB
April 3, 2010
Middletown City Public Works and Utilities
Middletown, Ohio
GOV
PHYS
Unknown
43
Middletown, Ohio
A mound of city documents containing Social Security numbers, phone numbers and carbon copies of checks filled a
Dumpster at Smith Park, where they were accessible to anyone. Countless junked records containing personal information
for Middletown residents, along with blueprints, contracts and tax papers were found. Most appear to have originated in the
city’s public works and utilities department, with a few from the police and finance departments. Somebody made a mistake
and threw something away that should have been shredded.
Information
Source:
Dataloss DB
April 3, 2010
Middletown City Government Building: Public Works, Utilities, Police, and
Finance Departments
GOV
PHYS
Unknown
Middletown, Ohio
Personal documents that originated from the city building were left in a dumpster. The documents contained Social Security
numbers, phone numbers, and carbon copies of checks.
Information
Source:
Databreaches.net
April 2, 2010
Naval Facilities Engineering Service Center
Port Hueneme, California
GOV
PHYS
244
More than 200 employees were notified that a non-government entity may have seen their personal information. The nongovernment entity were lawyers for two of three workers who fought a security access suspension against them. It take the
Navy 17 months to inform employees at the Naval Facilities Engineering Service Center in Port Hueneme, Calif., that their
Social Security numbers had been inadvertently released.
Information
Source:
Dataloss DB
March 30, 2010
Three Rivers Community College
Norwich, Connecticut
EDU
HACK
Unknown
Three Rivers Community College may have suffered a security breach due to unauthorized access to its computer network.
Data made vulnerable in the breach included names and Social Security numbers. Those affected would have been involved
in the following programs during these years:
1997-2009: Participants in
the
the
the
the
Real Estate programs
Life Long Learners programs
Patient Care Technicians programs
Certified Nursing Assistant programs
2004-2005: Participants in the Electric Boat academic programs
2007-2008: Participants in the Bridges to Health Care Careers programs
2006-2008: Participants in the Photons for Educators programs
2004-2009: Faculty or staff members of the Three Rivers Continuing Education office.
Information
Source:
Dataloss DB
March 30, 2010
Boulder Community Hospital, Family Medical Associates
Lafayette, Colorado
MED
PHYS
At least 14
Anonymous letters were sent to at least 14 patients of the Family Medical Associates clinic in Lafayette. The letters
contained Social Security numbers, medical records, dates of birth and names. The sender claimed that the clinic was
improperly disposing patient personal information.
Information
Source:
PHIPrivacy.net
44
March 29, 2010
Proxima Alfa Investments LLC
New York, New York
BSF
PORT
Unknown
In November the firm discovered that several backup tapes were missing from its office. The tapes contained customer
information such as names, e-mail addresses, addresses, phone numbers, Social Security numbers, bank account
information, passport numbers and sometimes scans of passports. The firm ceased operations in mid-2009.
Information
Source:
Databreaches.net
March 29, 2010
University MRI Diagnostic Center, Holy Cross Hospital, North Ridge Medical
Center, and Oncology and Hematology Associates of West Broward
, Florida
MED
INSD
Unknown
In Fort Lauderdale and Tamarac Florida
A former employee of these organizations was involved in a identity theft scheme involving at least three other partners. The
woman had access to patient records such as names, dates of birth, Social Security numbers, Medicare numbers, and
addresses. The stolen information was used to obtain Care Credit accounts and Chevron Visa credit cards. Victims lost a
total of approximately $162,000.
Information
Source:
Databreaches.net
March 29, 2010
Griffin Hospital
Derby, Connecticut
MED
INSD
957 (0 SSNs and
financial documents
reported)
A former employee appears to have continued accessing patient names, medical information, dates of birth and medical
record numbers. Patients received soliciting phone calls from a physician at another hospital.
Information
Source:
PHIPrivacy.net
March 27, 2010
Laboration Corporation of America LabCorp
Burlington, North Carolina
MED
PHYS
Thousands
Thousands of medical documents fell out of a truck bed while in transit. The scattered documents contained billing
information and possibly medical records from 1993 or later.
Information
Source:
Media
March 26, 2010
Educational Credit Management Corporation
ST. Paul, Minnesota
BSF
PORT
3,300,000
ECMC, a guarantor of federal student loans, said that a theft has occurred from its headquarters involving portable media
with personally identifiable information. The data was in two stolen safes and contained information on approximately 3.3
million individuals and included names, addresses, dates of birth and Social Security numbers. No bank account or other
financial account information was included in the data.
UPDATE (4/16/10): The information was recovered shortly after the theft and discovered weeks later in a police evidence
room.
Information
45
Source:
Dataloss DB
March 25, 2010
Evergreen Public Schools
Vancouver, Washington
EDU
INSD
5,000
A 21-year-old former Evergreen Public Schools student has pleaded guilty to criminal charges in connection with a
computerized payroll security breach that put more than 5,000 past and current Vancouver district school employees at risk
of identity theft. The man had "shoulder-surfed" a password from an Evergreen school employee while still a student there.
Information
Source:
Dataloss DB
March 25, 2010
Northwestern Medical Faculty Foundation
Chicago, Illinois
(877) 705-5544
[email protected]
MED
INSD
At least 245
[96]
The Cook County Sheriff’s Department has uncovered an identity theft ring, a limited part of which may involve an employee
of Millard Cleaning Service, the service contracted to clean the Foundation’s offices. The suspect may have stolen
information from paper records, including names, dates of birth, Social Security numbers, and addresses. NMFF has
reviewed the Sheriff’s Department’s list of identity theft victims in Illinois and other states. It has identified approximately 65
people who were recent patients of NMFF, and it is contacting those who are known identity theft victims and offering
assistance. While the Sheriff’s Department has identified hundreds of other identity theft victims, the majority of them have
no connection to NMFF and their personal information was not stolen from NMFF.
UPDATE (3/25/10): At least seven individuals linked to the Millard Cleaning Service janitor have been connected to the theft
ring.
Information
Source:
Dataloss DB
March 25, 2010
New York State DMV
, New York
Over 200 (0 reports of
GOV
INSD
SSNs or financial
information)
Two employees from the New York City office
Seven people, including two former New York State DMV employees from New York City, were indicted in a theft ring. The
identify fraud ring involved New York State driver's licenses, learner's permits, and identification cards. The information was
then sold to felons. Fifteen other people were charged with buying the stolen information.
Information
Source:
Databreaches.net
March 25, 2010
Valencia High School
Valencia, California
EDU
INSD
Unknown
A student gained access to the entire district of Hart's system, but only went into his high school's portion. The student
claimed he changed some things and then returned them. The student most likely used a password, but it is not known
whether he used a district computer or a personal one. The district is providing one year of free credit monitoring services.
Information
Source:
Databreaches.net
46
March 25, 2010
Yuma Proving Ground
Yuma, Arizona
GOV
HACK
700
A home computer that contained personnel data may have picked up a virus from the Internet. This breach puts employee
names and Social Security numbers at risk.
Information
Source:
Databreaches.net
March 25, 2010
Johns Hopkins University School of Education
Baltimore, Maryland
EDU
DISC
Unknown
A file containing student enrollment information was accessible online. Student names, races, genders, Social Security
numbers, identification numbers and dates of birth were accessible for at least one month.
Information
Source:
Databreaches.net
March 24, 2010
Wachovia
Alexandria, Washington
BSF
CARD
Unknown
A skimming device was spotted outside a Wachovia branch in Alexandria, Washington. It is estimated that over $60,000 in
fraudulent charges was stolen from ATM customers of the Wachovia King Street branch.
Information
Source:
Databreaches.net
March 23, 2010
H&R Block
Chicago, Illinois
BSF
INSD
60
After Highland, Ind., police pulled over a driver for suspicion of driving under the influence. A search of the car uncovered a
treasure-trove of evidence: a file box full of H&R Block client information, numerous blank W-2 forms, more than 100 debit
cards and yellow legal pads with columns of Social Security numbers, PIN numbers, dates of tax filings and whether the
returns had been accepted or rejected. The two women stole the identities of more than 60 H&R Block customers from the
East Chicago branch. Fraudulent tax returns were then filed in their names since January, and refunds went to bank
accounts set up by the two, the complaint alleged. IRS agents have found 17 bank accounts with deposits totaling almost
$290,000.
Information
Source:
Dataloss DB
March 23, 2010
Connecticut Office of Policy and Management
GOV
INSD
11,000
Police are investigating the theft of personal information — including Social Security numbers, names and addresses — from
as many as 11,000 people who had applied for furnace rebate programs with the state. The investigation by Hartford and
state police has led them to a woman who worked at the state Office of Policy and Management from May 2008 until May
2009. There have been no arrests. The state collected Social Security numbers because the refunds are federally taxable
and the state was required to send a 1099 tax form to the recipients.
Information
Source:
Dataloss DB
March 23, 2010
Montefiore Medical Center
Bronx, New York
MED
PORT
625 (Unknown number
of SSNs and financial
accounts)
47
A laptop containing private health information was stolen on February 20th.
Information
Source:
PHIPrivacy.net
March 22, 2010
Arkansas Crime Information Center
Little Rock, Arkansas
BSO
INSD
Unknown
It appears that the owner of a bail bonds business accessed criminal, family, and financial background information by
misusing a police password. The Arkansas Crime Information Center database was fraudulently accessed 1,200 times in
less than one year.
Information
Source:
Databreaches.net
March 22, 2010
Yuma Proving Ground
Yuma, Arizona
BSO
HACK
700
The personal information of more than 700 Yuma Proving Ground employees may be at risk of identity theft because a
home computer that contained their data may have been compromised. According to YPG spokesman, personnel
information from 2005-2007, which included the names and Social Security numbers of the employees at that time, was
being stored on the personal home computer of an employee of the installation's Resource Management Division. That
information, which was being maintained by the Department of the Army, could have been compromised and possibly
accessed during that time because the employee's computer may have picked up a virus from the Internet.
Information
Source:
Dataloss DB
March 19, 2010
PNC Financial Services Group Inc.
Dayton, Ohio
BSF
HACK
Unknown
PNC Financial Services Group is investigating a possible security breach involving some debit cards issued by the former
National City Corp., which it acquired in December 2008. The problem surfaced when former National City customers began
reporting unauthorized charges on their accounts. The breach involves a small number of cards in the Cincinnati area, and it
appears to have been committed by someone outside PNC or National City prior to the merger. It doesn’t involve any PNCbranded cards or longtime PNC customers. PNC has shut down National City debit cards in the Cincinnati area and asks that
customers who have not yet done so activate their PNC debit cards. PNC is working one-on-one with customers to refund
accounts, and has been returning funds within 24 hours.
Information
Source:
Media
March 19, 2010
National Realty and Investment Advisors, LLC
Hoboken, New Jersey
BSF
HACK
Unknown
Certain consumer information was accessed without proper authorization on March 9, 2010. Names and addresses were
accessed, as well as additional information that may have included Social Security numbers, dates of birth and/or account
numbers.
Information
Source:
Dataloss DB
March 19, 2010
MyPilotStore.com
Scottsdale, Arizona
BSO
HACK
Unknown
48
In February, it was discovered that a database containing customer names, addresses, e-mails, telephone numbers, and
credit card information had been hacked. Some customers received phony charges to their accounts as a result of this hack.
Information
Source:
Databreaches.net
March 18, 2010
California State University, Los Angeles (Cal State Los Angeles)
EDU
STAT
232
Cal State Los Angeles has notified 232 former students that a computer stolen from the mathematics department office last
month may have contained personal information such as their Social Security numbers and grades.
Information
Source:
Dataloss DB
March 18, 2010
Vanderbilt University
EDU
STAT
7,174
A professor's desktop computer, containing the names and Social Security numbers of 7,174 current and former students
was stolen some time during the weekend of Feb. 6.
Information
Source:
Dataloss DB
March 18, 2010
Mary's Pizza Shack
Sonoma, California
BSO
HACK
50
The Plaza location of Mary's Pizza Shack has been identified as the target of Internet hackers who penetrated the
restaurant's computer system with a "logger" virus that captured credit card numbers at the transaction terminal. Only credit
card numbers were taken by the virus, Albano emphasized, no personal identification information, such as Social Security
numbers or bank account records were exposed, although VISA and MasterCard debit accounts were apparently raided.
Trustwave identified and removed the virus doing the damage.
Information
Source:
Dataloss DB
March 17, 2010
Medical Office of Michael Branch, M.D.
Lake Mary, Florida
MED
PHYS
Unknown
Police were looking for evidence of another crime when they found personal documents in the dumpster outside of a doctor's
office. The doctor specializes in treating the ear, nose, and throat and claims there was nothing about patients in the
documents. The doctor agreed to shred the documents while the police investigated whether or not patient information was
compromised.
Information
Source:
NAID
March 16, 2010
Albany Police Department (ADP Georgia)
Albany, Georgia
GOV
DISC
Unknown
Sensitive city documents were found near a garbage can in an alley. The documents may have contained Social Security
numbers. It is believed that officers failed to shred the documents and dispose of them properly.
Information
Source:
Databreaches.net
49
March 15, 2010
Pizza Hut
Littleton, Colorado
BSR
DISC
5
Littleton Colorado Pizza Hut employee information was left in an envelope in a trash can. The envelope contained
employment applications, Social Security numbers, and tax information. It also contained invoices.
Information
Source:
Databreaches.net
March 13, 2010
St. Louis Metropolitan Police Department
St. Louis, Missouri
GOV
HACK
24
24 people may have had their personal information compromised following the cyber attack of one computer in the St. Louis
Metropolitan Police Department. The attack came through an e-mail. The department’s website was not attacked. The
names, addresses and Social Security numbers of the 24 people may have been viewed.
Information
Source:
Dataloss DB
March 13, 2010
John Hancock Financial Services
BSF
PORT
At least 1,085
A CD that contained customer names, Social Security numbers, and dates of birth went missing. The CD was password
protected and encrypted and credit monitoring services were offered to customers who may have been affected.
Information
Source:
Databreaches.net
March 13, 2010
Beer and Wine Hobby
Woburn, Massachusetts
BSR
HACK
35,000 (0 complete
credit card numbers
reported)
Personal information may have been accessed during a breach of Beer and Wine Hobby's computer system. The personal
information included partial credit card numbers.
Information
Source:
Databreaches.net
March 13, 2010
TD Bank
Mount Laurel, New Jersey
BSF
INSD
Unknown
A former TD Bank employee provided information to outside accomplices who stole over $200,000 from customer accounts.
The insider passed along driver's license numbers and bank account numbers.
Information
Source:
Databreaches.net
March 13, 2010
California Pizza Kitchen
Plymouth Meeting, Pennsylvania
BSR
CARD
Unknown
A credit card thief and his partner used skimming devices to obtain credit card account information. The thief provided his
partner with a skimming device while she worked at a California Pizza Kitchen in Plymouth Meeting, Pa. from 2008 to 2009.
Around 26 customer credit cards were fraudulently charged.
Information
50
Source:
Databreaches.net
March 13, 2010
Beecher Carlson
BSO
PORT
1,012
Two laptops were stolen from employees attending an off-site company meeting in January. The laptops contained names
and Social Security numbers for employees of Beecher Carlson’s clients, including 1,012 people who live in Massachusetts.
Information
Source:
Dataloss DB
March 13, 2010
Nuance Communications Inc.
Burlington, Massachusetts
BSO
PORT
1,191
Nuance Communications Inc., a Burlington speech technology company, reported a laptop stolen from a locked car in
Burlington may have contained personal information such as names and Social Security numbers of 1,191 Massachusetts
residents.The company notified its employees, installed security and encryption software on laptops, and purchased credit
monitoring services for those workers whose information was on the laptop.
Information
Source:
Dataloss DB
March 12, 2010
Beecher Carlson Holdings Inc.
Atlanta, Georgia
BSF
PORT
At least 1,012
Two laptops were stolen from employees while they were off-site. The laptops contained employee names and Social
Security numbers. Many more people may have been affected since the total number of Massachusetts residents affected is
1,012.
Information
Source:
Databreaches.net
March 11, 2010
monoprice.com
Rancho Cucamonga, California
BSR
HACK
Unknown
The company took their web site offline, after it received e-mails and phone calls from several customers complaining about
fraudulent charges on their debit and credit cards that they had used on monoprice.com.
Information
Source:
Dataloss DB
March 11, 2010
First Convenience Bank
Killeen, Texas
BSF
INSD
Unknown
A former employee sold customer information which led to the theft of at least $53,000 from customer accounts.
Information
Source:
Databreaches.net
March 11, 2010
Bennett College
EDU
HACK
1,100
A payroll computer was breached. Names, Social Security numbers, birth dates, pay rates, and bank transit numbers were
exposed.
51
Information
Source:
Databreaches.net
March 10, 2010
Atlanta Veterans Affairs Medical Center
Atlanta, Georgia
MED
INSD
Unknown
An assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included
three years' worth of patient data and another held 18 years of medical information. The physician assistant's laptop was
never connected to the VA network and any data she recorded on her laptop was hand entered. The department has not
disclosed the number of patients involved in the incident, what kind of personal data was copied, or whether it plans to notify
the veterans whose records were downloaded.
Information
Source:
Media
March 10, 2010
Thrivent Financial for Lutherans
Mechanicsburg, Pennsylvania
BSF
PORT
Unknown
Thrivent Financial for Lutherans, Minneapolis, experienced a break-in at one of its offices in Pennsylvania. A laptop
computer was among the items stolen. The laptop had safeguards to protect sensitive information, including strong
password protection and encryption. But Thrivent Financial says the information stored on the laptop may be at risk. The
information on the laptop included personal information, including names, addresses, Social Security numbers and health
information.
Information
Source:
Dataloss DB
March 10, 2010
Wickenburg Unified School District
EDU
Wickenburg, Arizona
DISC
1,438
State auditors found that the District's network was accessible to unauthorized users. Backup servers were kept in an easily
accessible room. Names, Social Security numbers, addresses and birth dates of students were left exposed.
Information
Source:
Databreaches.net
March 9, 2010
LPL Financial
BSF
PORT
Unknown
An unencrypted portable hard drive was stolen from a car of an LPL representative. As a result of the theft, private client
information, including names, addresses, dates of birth and Social Security numbers may have been breached.
Information
Source:
Dataloss DB
March 8, 2010
Arrow Electornics
Melville, New York
BSR
PORT
4,004
A laptop containing current and former employee personal information was stolen. The information included names, Social
Security numbers, addresses, telephone numbers, and some corporate and personal credit cards.
Information
Source:
Databreaches.net
52
March 8, 2010
Huntington Place Senior Community
Chalmette, Louisiana
MED
DISC
Unknown
Personal documents were found in the abandoned nursing home. The documents included names, Social Security numbers,
medical records and dates of birth of patients.
Information
Source:
PHIPrivacy.net
March 8, 2010
McNair Eye Center
Heber Springs, Arkansas
MED
STAT
9,000
A computer server with patient personal information was stolen.
Information
Source:
PHIPrivacy.net
March 8, 2010
Arrow Electronics
Melville, New York
BSO
PORT
4,004
The theft of a laptop from the office of Arrow Electronics has resulted in the company notifying 4,004 current and former
employees that their personal information was on the laptop. The laptop was stolen during a break-in on February 18.
Personal information on the laptop included names, addresses, telephone numbers, and for some of those who used
company Blackberry, wireless AirCard and calling card services, their Social Security numbers, some credit card information
such as last four digits, security code, and expiration date.
Information
Source:
Media
March 7, 2010
Randle Eastern Ambulance Service inc.
Miami, Florida
MED
INSD
Unknown
A man and his wife who were previously charged with selling patient information in 2009, were charged with stealing
personal informaiton of individuals transported by Randle Eastern Amubulance Service inc. (American Medical Response).
The information was then sold to South Florida personal injury attorneys and clinics. The stolen information included names,
telephone numbers, medical diagnoses, and addresses. They used the help of a former AMR employee.
Information
Source:
Databreaches.net
March 6, 2010
Westin Bonaventure Hotel & Suites
BSO
HACK
Unknown
Westin Bonaventure Hotel & Suites four restaurants in Lake View Bistro, Lobby Court Bar, Bonavista Lounge and L.A.
Prime., along with its valet parking operation, may have been hacked at some time between April and December, disclosing
names, credit card numbers and expiration dates printed on customers' debit and credit cards.
Information
Source:
Dataloss DB
March 5, 2010
Arkansas Army National Guard
Camp Robinson, Arkansas
GOV
PORT
35,000
An external hard drive has gone missing. Approximately 35,000 current and former members of the Arkansas Army National
Guard are affected by the loss. The drive included names, Social Security numbers and other personal information which
potentially places the affected soldiers at risk for identity theft.
53
UPDATE (5/18/10): The external hard drive containing personal information on over 32,000 current and former Arkansas
Guardsmen that was reported missing on February 22 has now been recovered and destroyed. The drive was reported
missing by an Arkansas Soldier who used the device as a personal backup of his work related information. This included a
copy of the Guard's personnel database which contained personal information on all Soldiers who have served in the
Arkansas Army National Guard since 1991.
Information
Source:
Dataloss DB
March 5, 2010
UT Southwestern Medical Center
Dallas, Texas
MED
INSD
200
UT Southwestern recently sent out a mass mailing to 10,000 of its patients, claiming that a former employee disclosed
patients' information to a third party that intended to use it for credit, loans and open bank accounts. UT Southwestern
representatives claim 200 patients were actually affected.
Information
Source:
Dataloss DB
March 5, 2010
University of Texas Southwestern Medical Center
Dallas, Texas
GOV
INSD
At least 200
A former employee was arrested on patient information and identity theft. The stolen patient information includes names,
Social Security numbers, birth dates, addresses, phone numbers and financial data. The employee allegedly sold patient
information to an outside party for the purpose of creating bank accounts and misusing credit and loans.
Information
Source:
Databreaches.net
March 5, 2010
Hancock Fabrics
Baldwyn, Mississippi
BSR
DISC
Unknown
Employee documents were found near a dumpster behind the Huntsville, Alabama store. The documents were not shredded
and contained payroll records dating back to 2005 with Social Security numbers, names, and pay rates.
Information
Source:
Databreaches.net
March 4, 2010
Wake Forest United Baptist Medical Center (WFUBMC)
Winston-Salem, North Carolina
MED
PORT
554
A bag containing a document with the names and Social Security numbers of 554 patients was stolen from an employee's
locked car.
Information
Source:
Databreaches.net
March 4, 2010
Courage to Change
Houston, Texas
MED
INSD
Unknown
The owner of the business used patient Medicaid information to fraudulently claim $968,583 from Medicaid between January
of 2003 and September of 2006.
Information
Source:
PHIPrivacy.net
54
March 4, 2010
Akel Business Services (also Silva Bookkeeping and Tax Services)
La Mesa, California
BSF
INSD
At least 32
A dishonest business owner filed fraudulent tax returns by using his clients' information. He also created fictitious identities
by using the Social Security numbers of his clients' children.
Information
Source:
Databreaches.net
March 3, 2010
Small Dog Electronics
Waitsfield, Vermont
BSR
HACK
3,000
After Small Dog began collecting and matching customer donations for Haiti relief efforts, a hacker breached the website and
began stealing customer credit card information. The breach lasted from December of 2009 to January of 2010.
Information
Source:
Databreaches.net
March 2, 2010
Shands at UF
MED
PORT
12,500
Shands at UF sent notification letters to about 12,500 people Monday warning them that a laptop containing their personal
and medical information was stolen. An employee had uploaded the information onto his home laptop for work-related
purposes. The laptop held information about patients referred to the gastroenterology clinical services department. Included
were names, addresses, medical record numbers, and in the case of 650 patients, Social Security numbers.
Information
Source:
Dataloss DB
March 2, 2010
Open Door Clinic of Greater Elgin
Elgin, Illinois
MED
HACK
260
According to a lawsuit, the clinic stores patient information, including Social Security numbers, addresses, telephone
numbers, insurance information and medical history on a file-sharing network. That network is accessible to employees’
personal laptops and home computers. A spreadsheet with information of about 260 of its patients was leaked as a result of
the installation and use of file sharing software on computers containing patients’ personally identifiable information.
Information
Source:
Dataloss DB
March 2, 2010
Family Health Center
Reston, Virginia
MED
DISC
Unknown
Boxes containing patient information ended up in a dump. The easily accessible information included health history,
surgeries performed, test results, pictures, insurance cards, bank account information and addresses. The boxes were
traced back to Family Health Center on Town Center Parkway.
Information
Source:
PHIPrivacy.net
March 2, 2010
Diabetes Direct Inc
Juniper, Florida
MED
INSD
Unknown
A former employee is accused of stealing patient information to commit identity theft. The former employee also had multiple
driver's licenses and was able to open utility, bank and credit accounts.
55
Information
Source:
Databreaches.net
March 1, 2010
US Bank
Cleveland, Ohio
BSF
PORT
Unknown
A laptop was stolen from the desk of a financial adviser. The laptop contained personal information about bank customers.
This occurred at the 5154 Wilson Mills branch in Cleveland, Ohio.
Information
Source:
Databreaches.net
February 28,
2010
Wyndham Hotels & Resorts
Dallas, Texas
BSO
HACK
Unknown
International hotel group Wyndham Hotels and Resorts (WHR) has suffered yet another serious data breach after hackers
broke into its computer systems, stealing customer names and payment card information.
UPDATE (5/18/10): An open letter from Wyndham to its customers: www.wyndhamworldwide.com/customer_care/dataclaim.cfm [97]
Information
Source:
Dataloss DB
February 27,
2010
AT&T
Chicago, Illinois
BSF
INSD
Unknown
A former employee of an unknown service provided for AT&T removed documents that contained customer credit card
information. The information may have also included Social Security numbers, driver's license numbers, names and
addresses.
Information
Source:
Databreaches.net
February 27,
2010
GroupM
New York, New York
BSO
PORT
1,501
Eight laptops were stolen from an office. They most likely contained unencrypted employee information such as Social
Security numbers and bank account information.
Information
Source:
Databreaches.net
February 27,
2010
California Business Bureau Inc., Medical Billing Services
Monrovia, California
MED
INSD
8,861
A former employee accessed unencrypted files between December of 2006 and March of 2008. The files contained patient
Social Security numbers, names, addresses, and dates of birth.
Information
Source:
PHIPrivacy.net
February 27,
2010
Ameripath
Palm Beach Gardens, Florida
MED
PORT
Unknown
56
A laptop containing sensitive information was stolen from an employee. The data included names, Social Security numbers,
and addresses for patients, employees, or both.
Information
Source:
PHIPrivacy.net
February 25,
2010
Wyoming Department of Health
Cheyenne, Wyoming
GOV
DISC
9,000
The personal information of about 9,000 children in the state's children's health insurance program could have been
exposed on the Internet. The error resulted in the names, birthdays, Social Security numbers, addresses and phone
numbers of Kid Care CHIP participants being accessible on an unsecured Web page for months.
Information
Source:
Dataloss DB
February 25,
2010
Logic World Medical
Houston, Texas
MED
INSD
Unknown
The owner and operator of Logic World Medical used the names, addresses, and account numbers of Medicaid beneficiaries
to file false claims for payment of services and goods that he never provided. Approximately $1,101,865.37 was fraudulently
claimed between April of 2004 and August of 2006.
Information
Source:
PHIPrivacy.net
February 24,
2010
Citigroup
New York, New York
BSF
DISC
600,000
AR-M450_20100223_180300223.pdf [98]
About 600,000 Citigroup customers got a shock earlier this month when they received their annual tax documents with their
Social Security numbers printed on the outside of the envelope. The digits were not identified as a Social Security number,
and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a
mail routing number.
Information
Source:
Dataloss DB
February 24,
2010
University of Washington Medical Center (UWMC)
Seattle, Washington
MED
INSD
210
The UWMC sent letters to patients telling them that their Social Security numbers, credit card information, birth dates and
addresses were accessed by dishonest persons. The personal information was found in the possession of a convicted felon
who had ties to an employee who works with the hospital. The employee worked at NCO Financial Systems, a company
which UWMC uses to process patient payments.
Information
Source:
Databreaches.net
February 24,
2010
7-Eleven
Sandy, Utah
BSR
CARD
Unknown
A skimming device monitored transactions at a gas station pump in Sandy, Utah. The device could have been active for 60
days before being discovered and was used to steal over $11,000.
Information
Source:
57
Databreaches.net
February 22,
2010
SunTrust Bank
Atlanta, Georgia
BSF
CARD
Well over 200
Throughout the summer of 2009, four men put skimming devices on SunTrust Bank ATMs in the Florida counties of
Hillsborough and Pinellas.
Information
Source:
Databreaches.net
February 19,
2010
TennCare
MED
DISC
3,900
An electronic error caused information such as Social Security numbers for about 3,900 enrollees to be sent to incorrect
addresses. The error was the result of a modification to the system that pulls addresses into an electronic file for TennCare,
the state's expanded Medicaid program. Letters and cards that contained one or more pieces of personal information were
sent to incorrect addresses.
Information
Source:
Dataloss DB
February 19,
2010
Valdosta State University
Valdosta, Georgia
EDU
HACK
170,000
http://www.valdosta.edu/notify/ [99]
A Valdosta State server that was reported as being breached could have exposed the information of up to 170,000 students
and faculty. Valdosta State officials reported the discovery of a breach on Dec. 11 and estimated it began on Nov. 11. The
university said the grades and Social Security numbers of up to 170,000 students and faculty were exposed in the breach.
Information
Source:
Dataloss DB
8,000 Not included in
February 17,
2010
Cardiology Consultant Inc.
Pensacola, Florida
MED
PORT
total because Social
Security numbers and
not involved.
Cardiology Consultants Inc. today reported that a laptop used to process ultrasound images was stolen from one of its
Pensacola offices. The computer did not contain patient financial information or Social Security numbers. The stolen
computer did contain the first and last names, dates of birth, medical record numbers, exam dates and in some cases, the
reason for the ultrasound.
Information
Source:
Dataloss DB
February 17,
2010
Southern Illinois University
Carbondale, Illinois
EDU
HACK
900
A computer security breach at Southern Illinois University may have put hundreds of alumni at risk of identity theft. A faculty
member's computer in the Mathematics Department was found to be infected with malicious software. When the computer
files were searched, university officials discovered there were Social Security numbers for approximately 900 students who
took introductory math classes at SIU in 2004 and 2005 stored on the hard drive.
Information
58
Source:
Dataloss DB
February 17,
2010
Dairy Queen
Hanceville, Alabama
BSO
HACK
Unknown
Hanceville police are cautioning residents to be on guard against a sophisticated debit card wire scam that has leached
hundreds of thousands of dollars from customers whose card numbers have been stolen remotely from pay terminals at one
or more local businesses. The primary target in the theft so far has been the Dairy Queen restaurant. It's unsure whether
this is ultimately involving other businesses. At the Dairy Queen location, somebody has apparently tapped into the Internet
server and hacked into the debit card system. They are printing the customers’ debit card numbers and using them all over
California and Georgia.
Information
Source:
Dataloss DB
February 17,
2010
T.G.I. Friday's (TGIF)
Coon Rapids, Minnesota
BSR
CARD
At least 5
A former employee used a skimming device to gain credit card information from customers of the Coon Rapids T.G.I.
Friday's. The dishonest employee was involved with a partner who used skimming devices in a variety of locations
throughout Minnesota.
Information
Source:
Databreaches.net
February 16,
2010
New York Social Security Administration
New York, New York
GOV
PORT
969
A computer disc containing detailed personal information about 969 New Yorkers was lost by a Social Security Administration
employee traveling to Queens from the Bronx. The disc was lost as the employee was going to the Queens Social Security
hearing office, and the information on it included administrative decisions, medical evidence and internal agency documents
containing people’s names and Social Security numbers.
Information
Source:
Dataloss DB
February 16,
2010
Eclipse Property Solutions
St. Petersburg, Florida
BSO
INSD
Unknown
A St. Petersburg man has been charged with stealing customers' credit card numbers from a marketing company he worked
for to buy nearly $30,000 in dinners, limos and other luxuries. The man and another employee, listened from their cubicles
as co-workers repeated customer credit card information aloud to confirm accounts.
Information
Source:
Dataloss DB
February 15,
2010
West Memphis Police Department
Memphis, Tennessee
GOV
INSD
Unknown
FBI is investigating, after the security of the West Memphis Police Department's computer network was apparently
compromised. The FBI had information that somebody had used a computer that shouldn't have used it. The suspect in the
breach was a detective in the police department. Files containing the names and Social Security numbers of police
department employees were stored on the computer network, making the employees vulnerable to identity theft.
Information
Source:
59
Dataloss DB
February 12,
2010
Galeton, Gloves Inc.
Mansfield, Massachusetts
BSR
HACK
At least 89
The Gloves Inc. website for Galeton was hacked. Customer names, addresses, credit card numbers and expiration dates
were exposed.
Information
Source:
Databreaches.net
February 12,
2010
Daedalus Books Inc.
Columbia, Maryland
BSR
HACK
At least 1,285
A hacker accessed a database with customer information. The information included names, addresses, and credit card
numbers from people who made orders between August 25, 2009 and November 23, 2009.
Information
Source:
Databreaches.net
February 12,
2010
ING Fund
Amsterdam,
BSF
DISC
106
Customer information was accessible through a web search from August of 2008 through January of 2010. The information
included names, Social Security numbers, addresses, and account numbers of shareholders in New Hampshire and other
locations.
Information
Source:
Databreaches.net
February 11,
2010
Equifax
Atlanta, Georgia
BSF
DISC
Unknown
An unknown number of current and former employees of credit reporting firm Equifax received W-2 forms in the mail with
their Social Security numbers visible through a window on the envelope. Some of the tax forms mailed by Equifax's payroll
vendor through the U.S. Postal Service had the Social Security number in a Control Number field, which was partially or fully
viewable through the return address window.
Information
Source:
Dataloss DB
February 11,
2010
University of Texas Medical Branch
Galveston, Texas
MED
INSD
2,400
The University of Texas Medical Branch has mailed letters notifying 1,200 patients that sensitive information about them had
been available to a woman charged with identity theft in an unrelated case. Officials sent out the letters this week after
MedAssets, which the medical branch hired to assist with billing from third-party payers, warned of a security breach by one
of its employees. Law enforcement officials notified MedAssets that a former employee had been arrested and charged with
identity theft. The person also was alleged to have used a stolen identity to misrepresent herself and gain employment at
Georgia-based MedAssets and had been involved in other instances of identity theft. That employee is implicated in a
widespread identity theft investigation involving cases from Texas to Wisconsin and losses upward of $1 million.
Update (3/9/10): 1,200 more letters were sent out to people who's financial information may have been exposed.
Information
Source:
Dataloss DB
60
February 11,
2010
Lawrence Welk Resort
BSR
Escondido, California
HACK
1,427
After its security system was disabled, customer credit and debit card information was exposed. The exposure of the
information led to some unauthorized transactions.
Information
Source:
Databreaches.net
February 11,
2010
Sandwich Board Cafe
Greenwood Village, Colorado
BSO
INSD
Unknown
An employee used customer credit card information to purchase $200,000 worth of Wal-Mart shopping cards.
Information
Source:
Databreaches.net
February 10,
2010
Wellpoint, Anthem/Blue Cross and Blue Shield
Chicago, Illinois
MED
INSD
Unknown
A former employee accessed health care professionals' Social Security numbers, names, dates of birth, and home
addresses. Between 2007 and 2010, the employee created fictitious identities and created e-mail addresses, opened bank
accounts and credit card accounts.
Information
Source:
Databreaches.net
February 9, 2010
California Department of Health Care Services
Sacramento, California
GOV
DISC
50,000
The personal security of nearly 50,000 people may have been breached by the California Department of Health Care
Services. Social Security numbers were printed on the address labels of letters that were mailed by the department. State
employees mistakenly included the numbers in a list of patient addresses. The list was sent to an outside contractor, who
printed and mailed the envelopes.
Information
Source:
Dataloss DB
February 9, 2010
Ohio Department of Administrative Services
Columbus, Ohio
GOV
DISC
6,000
Personal banking information for 6,000 state employees was inadvertently included in a e-mail distributed to dozens of
payroll officers of state agencies. The e-mail from an unnamed administrative-services employee included an attached
spreadsheet listing 6,000 state employees whose bank accounts are to be moved from National City Bank, which was
bought by PNC Bank.
Information
Source:
Media
February 9, 2010
Kansas City Art Institute
Kansas City, Kansas
EDU
STAT
145
About 145 employees at the Kansas City Art Institute have been notified of potential identity theft in connection with the
disappearance of a computer from the campus. An Apple computer that contained Social Security numbers, dates of birth
and other personal information about the school's professors and staff employees was stolen from the human resource
61
office.
Information
Source:
Dataloss DB
February 6, 2010
University of Texas, El Paso
El Paso, Texas
EDU
DISC
15,000
University of Texas at El Paso is notifing students that their Social Security number were visible when their tax form was sent
out. The University notified 15,000 students but they don't know exactly how many students were affected. UTEP blames a
glitch in a machine used to fold letters when student’s forms were sent out. Some of the forms were folded in such a way that
the document shifted on the envelope and allowed for the Social Security numbers to be visible through the mailing window
on the envelope.
Information
Source:
Dataloss DB
February 6, 2010
AvMed Health Plans
208,000
MED
PORT
Additional 860,000
added June 3rd
AvMed Health Plans announced that personal information of some current and former subscribers may have been
compromised by the theft of two company laptops from its corporate offices in Gainesville. The information included names,
addresses, phone numbers, Social Security numbers and protected health information. The theft was immediately reported
to local authorities but attempts to locate the laptops have been unsuccessful. AvMed determined that the data on one of the
laptops may not have been protected properly, and approximately 80,000 of AvMed's current subscribers and their
dependents may be affected. An additional approximate 128,000 former subscribers and their dependents, dating back to
April 2003, may also have been affected.
UPDATE (6/3/2010): The theft of the laptops compromised the identity data of 860,000 more Avmed members than
originally thought. The total now nears 1.1 million.
Information
Source:
Dataloss DB
February 5, 2010
Wyoming Department of Health Kid Care CHIP
Cheyenne, Wyoming
GOV
DISC
About 5,000
Applicants of the Wyoming Kid Care CHIP program had their information exposed online. Family home addresses and the
Social Security numbers of children involved were available to the general public via a Google search.
Information
Source:
Databreaches.net
February 4, 2010
Highmark Insurance
MED
PHYS
3,700
Highmark was notifying some 3,700 members that documents containing their names, policy identification and Social
Security numbers were missing, the second such data spill involving the region’s dominant health insurer in four months. In
January, the company mailed a premium billing statement to Boscov’s Department Store, a client in Reading, according to
Highmark. The envelope arrived damaged and torn and pages were missing. The pages included the names and other
identifying information for some 3,700 members.
Information
Source:
Dataloss DB
February 4, 2010
Ozarks Area Community Action Corporation
Springfield, Missouri
NGO
DISC
250
62
The organization printed two 1099 forms on one piece of paper. They were supposed to separate them and send each to
the rightful owner. Instead one person got both. The mistake sent tax forms and Social Security numbers to strangers. More
than 500 landlords work with OACAC. On January 28, 2010, half of those landlords didn't receive tax forms. The other half
got their forms and someone else's private information.
Information
Source:
Dataloss DB
February 4, 2010
Ceridian Corporation
Bloomington, Minnesota
BSF
HACK
27,000
A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security
numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies
nationwide. In a Jan. 29 letter to an affected worker obtained by the Star Tribune, Ceridian said a hacker attacked its Internet
payroll system Dec. 22 and 23
Information
Source:
Dataloss DB
February 4, 2010
HyCentral Medical Supplies and Equipment
Derry, New Hampshire
MED
INSD
Unknown
The owner of the business used Medicare client information to obtain approximately $1.6 million worth of fraudulent claims.
Information
Source:
PHIPrivacy.net
February 3, 2010
Memorial Hermann Hospital
Houston, Texas
MED
INSD
At least one
A former employee stole a document that contained the name, Social Security number, date of birth, and address from a
deceased patient's medical records.
Information
Source:
Databreaches.net
February 3, 2010
Dr. Barry Bupp's Dental Practice in Medical Commons One
Greensburg, Pennsylvania
MED
PORT
Unknown
A laptop containing patient information was stolen.
Information
Source:
Databreaches.net
February 3, 2010
Dr. Elie Abdallah's office in Medical Arts Building
MED
PORT
Unknown
A laptop containing patient information was stolen.
Information
Source:
Databreaches.net
February 1, 2010
West Virginia University
Morgantown, West Virginia
EDU
DISC
53
Around 53 West Virginia University students’ personal information was available to others following an "operational error"
during a routine update of tax information. The students’ 1098-T forms, which include their Social Security number and tax
identification numbers, among others, were uploaded to the University’s 1098-T Web site. The forms are distributed to WVU
students who are U.S. citizens who paid tuition during the 2009 calendar year. They can be used to claim federal tax credit.
Students can typically access their forms on the site for tax purposes, but the error made the information viewable to any
63
WVU student on the site.
Information
Source:
Dataloss DB
January 31, 2010
Iowa Racing and Gaming Commission
Des Moines, Iowa
GOV
HACK
80,000
The Iowa Racing and Gaming Commission says someone gained access to a computer server that holds more than 80,000
records containing casino employee information. The person who hacked into the system had used a computer with an
external account. The server contains records including names, birth dates and Social Security numbers.
Information
Source:
Dataloss DB
January 30, 2010
Ameriquest Mortgage Company
Apple Valley, Minnesota
BSF
INSD
100
A man working for Ameriquest Mortgage Company as a mortgage associate for only six weeks. Turned out to be a pretty
fruitful month and a half for him -- and a pretty costly one to nearly 100 people and several financial institutions. Using
personal information he lifted from the mortgage applications of nearly 100 people -- as well as mail and even items taken
from gym lockers of a couple of hundred more. The man eventually stole more than $150,000 from at least eight banks. The
man used stolen personal information to create fraudulent identification documents and checks, which he then used to
obtain cash, pay for services and buy items. For example, he used one victim's identification to obtain a credit card through
U.S. Bank. With that card, he wound up withdrawing $30,529.63 in cash from ATMs throughout Minnesota. Those
withdrawals were charged to the victim
Information
Source:
Dataloss DB
January 28, 2010
PricewaterhouseCoopers
New York, New York
BSO
UNKN
77,000
The names, birth dates and Social Security numbers of 77,000 people were lost in their Chicago office. The people at risk for
identify theft are those who were in the PERS and TRS system in 2003-04 as active or inactive employees or retirees.
PricewaterhouseCoopers has agreed in a settlement to pay for credit monitoring and other security measures and cover any
losses to individuals caused by its mishandling of the information.
Information
Source:
Dataloss DB
January 28, 2010
Humboldt State University
Arcata, California
EDU
HACK
3,500
A Humboldt State University computer infected with a virus may have exposed the personal information of 3,500 people
employed by the school between 2002 and 2006. The computer was found to have a sophisticated virus that is used to steal
login information.
Information
Source:
Dataloss DB
January 28, 2010
University Medical Clinics
Port St. Lucie, Florida
MED
PHYS
Unknown
Files containing Social Security numbers, phone numbers, patient names, and addresses were found in a trash bin outside
of the clinic. A woman found the files and notified police after receiving an anonymous tip.
64
Information
Source:
NAID
January 27, 2010
Department of Commerce
GOV
DISC
Unknown
A Department of Commerce employee inadvertently transmitted over the Internet a file containing the Personally Identifiable
Information (PII) of Commerce employees to other Department employees. Although the Department employees were
authorized to send and receive the PII, the transmission of the PII over the Internet in unencrypted form may have
compromised their name and Social Security numbers.
Information
Source:
Dataloss DB
University of California, San Francisco (UCSF) School of Medicine
January 27, 2010
MED
PORT
the total because
information did not
contain any Social
Security numbers or
other financial data
A laptop containing files with information on 4,400 patients was stolen from a UCSF School of Medicine employee.
Information “potentially exposed” included name, medical record number, age and clinical information, but the stolen laptop
did not contain any Social Security numbers or other financial data. The same laptop also contained data for approximately
2,900 patients at Beth Israel Deaconess Medical Center in Boston
Information
Source:
Dataloss DB
January 27, 2010
Seattle Municipal Court
Seattle, Washington
GOV
INSD
Unknown
A former customer service representative sold the names and credit card information of court customers to ID thieves who
then used the information to make fake credit cards in the victims' names.
Information
Source:
Databreaches.net
January 27, 2010
Methodist Hospital
Houston, Texas
MED
PORT
689
Methodist Hospital notified people that someone stole a laptop from an office at the Smith Tower in the Texas Medical
Center. A thief took the laptop on January 18. The computer was attached to a medical device that tests pulmonary function
and contained private health information and Social Security numbers.
Information
Source:
Dataloss DB
January 22, 2010
Brio Tuscan Grille in Country Club Plaza
Kansas City, Missouri
BSR
CARD
20
A man used a skimming device to obtain the credit card information of customers while working as a waiter at Brio Tuscan
Grille of Kansas City, Missouri.
UPDATE (7/26/10): The former employee was sentenced to three years of federal prison time for credit card fraud and mail
fraud. He originally gained access to the customer information during July and August of 2008. His fraudulent purchases
65
totalled thousands of dollars.
Information
Source:
Databreaches.net
January 21, 2010
Columbus Public Health
Columbus, Ohio
GOV
UNKN
Unknown
An investigation is under way after hundreds of city health workers’ personal information was stolen. Investigators have
identified a person of interest in connection with the stolen information. The person of interest was an employee within the
department over the past three years. Current employees and those who previously worked at the department within the last
three years may be affected
Information
Source:
Dataloss DB
January 21, 2010
University of Missouri System
Columbia, Missouri
EDU
DISC
75,000
About 100 people responded to an e-mail notifying students that their Social Security numbers may have been visible in the
envelope window of a tax form sent by the University of Missouri System. More than 75,000 Form 1098-Ts were mailed. The
four-campus system has no way of assessing how many envelopes displayed the numbers. Form 1098-T is an Internal
Revenue Service form that reports tuition billed and paid. Campus Mail Services committed the folding errors.
Information
Source:
Dataloss DB
January 19, 2010
CHASE
BSF
DISC
Unknown
CHASE customer information that was sold to another business was accidentally posted on a website. The information
included names, addresses and bank account numbers.
Information
Source:
Databreaches.net
January 18, 2010
Goodwill Industries of Grand Rapids
Grand Rapids, Michigan
NGO
PORT
Unknown
A man broke into a Goodwill store and stole a safe, but instead of money that thief got the names, addresses, dates of birth,
and Social Security numbers from thousands of people.
Information
Source:
Dataloss DB
January 18, 2010
City of Oakridge
Oakridge, Oregon
GOV
DISC
Unknown
A list of the names, addresses and Social Security numbers of employees of the City of Oakridge was sent out with monthly
water bills in this town of about 1,400 households. The city has signed up all employees for a credit monitoring service. The
city does not know how many people received the list of employee information in a newsletter included with their water bill
Information
Source:
Dataloss DB
18,000 Not added to
Defense Finance and Accounting Service/ Defense Department’s Document
January 14, 2010 Automation and Production Service
GOV
DISC
total No Social Security
numbers or financial
66
Automation and Production Service
Arlington, Virginia
information was on the
statements
Pay statements containing names and sensitive information about the finances of about 18,000 recipients of a special pay
for disabled retirees were sent to wrong addressees. The statements, a page of which contained information about annual
increases in Concurrent Retirement and Disability Pay, mistakenly listed data including at least a portion of another
recipient’s name, their bank or insurance company name, the amount of their allotment and the allotment type. There is “no
indication” that any Social Security numbers, bank account numbers or phone numbers were listed on the erroneously
mailed pages.
Information
Source:
Media
January 14, 2010
Lincoln National Corporation
BSF
INSD
1,200,000
Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have
compromised the account data of approximately 1.2 million customers. In a disclosure letter sent to the Attorney General of
New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information
system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source. The unidentified
source sent FINRA a username and password to the portfolio management system. "This username and password had
been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies," the letter
says. "The sharing of usernames and passwords is not permitted under the LNC security policy."
Information
Source:
Media
January 14, 2010
BlueCross BlueShield
MED
PORT
220,000
Additional locations: Memphis, Jackson, Knoxville, Nashville and additional locations in Tennessee
The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last October has put at risk the private
information of approximately 500,000 customers in at least 32 states. The hard drives containing 1.3 million audio files and
300,000 video files. The files contained customers' personal data and protected health information that was encoded but not
encrypted, including: Names and BlueCross ID numbers. In some recordings-but not all-diagnostic information, date of birth,
and/or a Social Security number. BCBS of TN estimates that the Social Security numbers of approximately 220,000
customers may be at risk.
UPDATE (4/29/10): The number of plan members whose data were exposed has grown from 521,761,an estimate made in
March, to nearly 1 million, as of April 2, according to a report issued by Mary Thompson, spokeswoman for the Tennessee
Blues.
Information
Source:
Dataloss DB
January 14, 2010
Perinton Square Post Office
Perinton, New York
GOV
PHYS
20
A group of thieves was able to obtain letters from an outdoor mailbox. They used the information to forge around $75,000
worth of checks; and affected 20 victims.
Information
Source:
Databreaches.net
January 12, 2010
Suffolk County National Bank
Long Island, New York
BSF
HACK
8,373
Hackers have stolen the login credentials for more than 8,300 customers of small New York bank after breaching its security
67
and accessing a server that hosted its online banking system. The intrusion at Suffolk County National Bank happened over
a six-day period that started on November 18. It was discovered on December 24 during an internal security review. In all,
credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB's total customer
base.
Information
Source:
Dataloss DB
January 12, 2010
SouthTrust
Bossier, Louisiana
BSF
PHYS
Unknown
The financial planning company left sensitive retirement information in a publicly accessible dumpster. The information
included account ID numbers, personal addresses, and Social Security numbers. Information about people living in
Shreveport, Haughton, Minden, Monroe, Farmerville, Eros and Downsville, Louisiana was found. Information from people
living in Orange, Port Neches, Vidor and Deweyville, Texas was also found.
Information
Source:
NAID
15,500 Not added to
January 12, 2010
Valley Kaiser, Kaiser Permanente
MED
total because no Social
Security numbers or
PORT
financial information of
patients were on the
device
Additional location: Fresno, CA
An electronic storage device stolen from an employee's car in Sacramento last month contained health information from
15,500 patients, including about 800 in the Fresno area. Information included patient names, medical-record numbers and,
for some individuals, ages, dates of birth, gender, phone numbers and other information related to their care and treatment.
Information
Source:
Dataloss DB
January 6, 2010
Eugene School District
Eugene, Oregon
[email protected]
[100] ,
EDU
HACK
Unknown
(541) 790-7730
Hackers breached the security of a computer server containing the names, phone numbers and employee ID numbers of
current and former Eugene School District employees. The server in question did not contain other personal information but
was attached to servers that contain Social Security numbers and other sensitive data. It is possible that the individuals
responsible may have accessed names, addresses, dates of birth, Social Security numbers, tax identification numbers and
direct-deposit bank account information for current and former staff members.
Information
Source:
Dataloss DB
January 5, 2010
Housing Authority of New Orleans (HANO)
Algiers, Louisiana
GOV
PHYS
Unknown
Personal documents relating to section 8 were left in an unsecured and abandoned office. The documents included copies
of birth certificates, driver's license numbers, pay stubs, and Social Security cards.
Information
Source:
NAID
68
January 5, 2010
Metropark
BSR
DISC
Unknown
Personal documents were found at the Palisades Mall in West Nyack, New York. The documents had names, Social Security
numbers, contact information, and other personal information. They appeared to be mishandled applications from a clothing
store called Metropark.
Information
Source:
Databreaches.net
January 3, 2010
Logan International Airport
GOV
INSD
16
A Lynn couple is accused of selling the identities of at least 16 TSA workers at Logan. The ID data was taken by a female
TSA contract worker who is related to one of the two Lynn suspects. The couple got the stolen TSA employee names from
their niece, a contract clerical worker in the TSA human resources department at Logan. She no longer works there. The
couple sold the names, Social Security numbers and dates of birth for $40 each to a contact who set up phony cable, gas
and cell phone accounts
Information
Source:
Dataloss DB
January 1, 2010
collective2.com
Tenafly, New Jersey
BSO
HACK
25,000
Users of the do-it-yourself trading site collective2.com received an “urgent” e-mail notifying them that the company's
computer database had been breached by a hacker and that all users should log in to change their passwords immediately.
That e-mail stated that the information accessed by the hacker included names, e-mail addresses, passwords and credit
card information.
Information
Source:
Media
January 1, 2010
Washington Department of Corrections
Tumwater, Washington
GOV
PHYS
43
A briefcase full of sensitive personnel records was stolen from the vehicle of a Larch Corrections Center manager. Larch
human resources manager reportedly took the records home over last weekend to review them, then left his briefcase on
the seat of his car while he worked out at the 24-Hour Fitness Center. While he was inside, someone smashed a window in
the car. He returned to find the briefcase and 43 files missing. Others had spilled out of the briefcase inside the car. He took
the files home to conduct an annual review required by the U.S. Department of Homeland Security. The files contained forms
known as I-9s, which provide documentation that employees are legally able to work in the United States. They included
driver’s license and Social Security information such as home addresses and dates of birth.
Information
Source:
Dataloss DB
January 1, 2010
Netflix
Los Gatos, California
BSO
UNKN
100 million not added
to total
A class action suit was filed against Netflix, Inc., in United States District Court for the Northern District of California. Plaintiffs
in the suit are claiming that Netflix has “perpetrated the largest voluntary privacy breach to date.” According to the Complaint,
Netflix knowingly and voluntarily disclosed the sensitive and personal information of approximately 480,000 Netflix
subscribers when Netflix provided participants in a contest initiated to improve Netflix’s movie recommendation systems with
data sets containing over 100 million subscriber movie ratings and preferences. Netflix has claimed that the data sets
provided to the contest participants were anonymized and that the subscribers’ movie ratings were accompanied only by “a
69
numeric identifier unique to the subscriber” (as opposed to the subscriber’s name or other personal information). However,
the complaint cites the results of several researchers who, in fact, were able to crack Netflix’s anonymization process and
identify individual subscribers.
Information
Source:
Media
December 31,
2009
Eastern Washington University
Cheney, Washington
EDU
HACK
130,000
Eastern Washington University is trying to notify up to 130,000 current or former students whose names, Social Security
numbers and dates of birth were on a computer network involved in a security breach. The student information goes back to
1987. The notification process could take up to two weeks. The University recently discovered the breach during an
assessment of its network. Information-technology staff also discovered that the hacker installed software to store and share
video files on the system.
Information
Source:
Dataloss DB
December 31,
2009
Time Inc.
New York, New York
MED
INSD
Unknown
A customer service center employee may have misused customer credit card information.
Information
Source:
Databreaches.net
December 28,
2009
Providence Health
Portland, Oregon
MED
DISC
4,500
Providence Health Plans is re-issuing thousands of insurance cards after personal information was accidentally sent to the
wrong policy-holders. Officials with Providence Health Plans say about 4,500 mailings were sent out with the incorrect group
and member ID numbers, meaning that some policy holders received others’ information. Officials noticed the problem
Monday.
Information
Source:
Dataloss DB
December 23,
2009
Penn State University
EDU
HACK
30,000
The University sent out letters notifying those potentially affected by malware infections, which are believed responsible for
breaches. The areas and extent of the records involved in the malicious software attack included Eberly College of Science,
7,758 records; the College of Health and Human Development, 6,827 records; and one of Penn State's campuses outside of
University Park, approximately 15,000 records.
Information
Source:
Dataloss DB
December 22,
2009
Western Michigan University
Kalamazoo, Michigan
EDU
DISC
Unknown
University officials discovered that student employee information was viewable online. The information included names,
addresses and Social Security numbers.
Information
70
Source:
Databreaches.net
December 18,
2009
Dickinson School of Law
Carlisle, Pennsylvania
EDU
HACK
261
A computer in the Dickinson School of Law that contained 261 Social Security numbers from an archived class list was found
to be infected with malware that enabled it to communicate with an unauthorized computer outside the network.
Information
Source:
Dataloss DB
December 17,
2009
North Carolina Libraries
Raleigh, North Carolina
EDU
HACK
51,000
Library users at 25 campuses, were the victims of a security breach in August. The libraries collect drivers license and Social
Security numbers to help identify computer users. The information is stored on a central server in Raleigh. Other campuses
affected are Alamance, Beaufort, Bladen, Blue Ridge, Brunswick, Central Carolina, College of the Albemarle, Gaston,
Halifax, Haywood, Lenoir, Martin, Nash, Pamlico, Piedmont, Richmond, Roanoke-Chowan, Rowan-Cabarrus, Sandhills,
Southwestern, Tri-County, Vance Granville and Wilson.
Information
Source:
Dataloss DB
December 15,
2009
U.S. Army
Fort Belvoir, Virginia
GOV
PORT
42,000
http://www.army.mil/-news/2009/12/16/31955-laptop-containing-personal-information-about-mwr-customers-stolen/ [101]
A laptop computer belonging to a Family and Morale, Welfare and Recreation Command (FMWRC) employee was stolen.
Types of information compromised included name, Social Security number, home address, date of birth, encrypted credit
card information, personal e-mail address, personal telephone number and family member information.
Information
Source:
Dataloss DB
December 15,
2009
RockYou
Redwood City, California
BSR
HACK
Unknown
The security firm Imperva issued a warning to RockYou that there was a serious SQL Injection flaw in their database. Such a
flaw could grant hackers access to the the service's entire list of user names and passwords in the database. Imperva said
that after it notified RockYou about the flaw, it was apparently fixed over the weekend. But that's not before at least one
hacker gained access to what they claim is all of the 32 million accounts. 32,603,388 to be exact. The database included a
full list of unprotected plain text passwords and email addresses.
Information
Source:
Dataloss DB
December 15,
2009
The Beijing Center for Chinese Studies
Chicago, Illinois
EDU
PORT
Unknown
(877) TBS-5060
http://www.thebeijingcenter.org/securityqns [102]
A Stolen laptop exposes applications for study abroad students. Names and Social Security numbers exposed. unknown
number of NH residents affected.
71
Information
Source:
Dataloss DB
December 15,
2009
Detroit's Health Department
Detroit, Michigan
GOV
PORT
5,000
(877) 737-4780
Police are investigating two incidents in which patients' medical records -- including social security numbers -- were stolen
from the city's health department. The first theft occurred in late October when a flash drive was stolen from a health
department employee's car. It contained files with birth certificate information for babies born in 2008 and the first half of
2009 whose parents reside in the 48202 and 48205 zip codes. Also a part of the files were information on the mothers'
names and health conditions, the fathers' names, addresses, Medicaid numbers and social security numbers. The second
incident happened over the Thanksgiving break when five computers were stolen from the immunization program at the
department's Herman Kiefer Health Complex. One of the computers contained Medicare and Medicaid seasonal flu billing
information for 2008.
Information
Source:
Dataloss DB
December 11,
2009
Lookout Services
Bellaire, Texas
BSO
DISC
500
The state of Minnesota has directed all of its agencies to stop using a Texas company state officials hired to verify the
identities of new employees. A state official told MPR News that it is notifying some 500 employees that their personal data -including names, dates of birth and Social Security numbers -- may have been accessible on the company's Web site. For
more than three months, state agencies have used Lookout Services of Bellaire, Texas, to verify that new hires are
authorized to work in the United States. The state had paid the company $1.50 a name to run employee data through the
federal Department of Homeland Security's E-Verify program, which confirms that a worker has legal status and a valid
Social Security number.
Information
Source:
Dataloss DB
December 10,
2009
Bushland Elementary School
Bushland, Texas
EDU
PHYS
100
A Potter County school district has improved security protecting its student records after paperwork containing Social
Security numbers, family incomes and student addresses was discovered at a recycling site in Canyon. The documents
listed names of about 100 students at Bushland Elementary School who were eligible for free or reduced-price meals
through a federal program during the 2003-04 and 2005-06 school years. Applications for subsidized meals from more than
20 families included their Social Security numbers, incomes, addresses and phone numbers.
Information
Source:
Dataloss DB
December 7,
2009
Gateway Community College
New Haven, Connecticut
EDU
HACK
Unknown
The College attempted to notify potential victims of a breach caused by malware discovered on campus computers. College
alumni who donated to the College, potential donors, and students receiving scholarships between 2004 and 2006 may have
been affected.
Information
Source:
Databreaches.net
December 5,
Wake County Schools
EDU
DISC
5,000
72
2009
EDU
DISC
5,000
The Wake County school system accidentally sent out about 5,000 postcards with students' Social Security Numbers printed
on the front. Wake schools mailed about 15,000 reminders asking parents to specify if they want to keep their children in
magnet or traditional calendar schools. About a third of those cards had the Social Security Numbers printed alongside the
child's name - a holdover from recent years when those nine-digit numbers were used to identify students.
Information
Source:
Dataloss DB
December 4,
2009
Eastern Illinois University
Charleston, Illinois
EDU
HACK
9,000
A computer was compromised by a virus. That caused the university’s Office of Admissions server to be infected with a
number of viruses, including several that could allow an external person to access the server. The incident was discovered
during a routine security check. The investigation later determined the breach extended to two other computers with
personal data from student files or applications.
Information
Source:
Dataloss DB
December 4,
2009
MedSolutions
MED
DISC
Unknown
For a period of time that has not been clearly defined the name, address, email, and taxpayer ID number (which in some
cases is the physician’s Social Security number) for an undetermined number of NC physicians could be viewed on the
MedSolutions website. Access to this information apparently was not limited to physicians or physician staff. Based on the
information available at the time of this posting, any person with an email address could enter physician names and view the
information.
Information
Source:
Dataloss DB
December 4,
2009
University of Nebraska
Omaha, Nebraska
EDU
HACK
1,400
A computer in the College of Education and Human Sciences at the Lincoln campus was breached. The security breach was
discovered last month at the University of Nebraska involving the names, addresses and Social Security Numbers of 1,400
Hinsdale High School District 86 graduates. The University's investigation revealed the computer had not been adequately
secured, allowing unauthorized external access to the computer and its information.
Information
Source:
Dataloss DB
December 4,
2009
EDU
HACK
9,000
A computer was compromised by a virus. That caused the University’s Office of Admissions server to be infected with a
number of viruses, including several that could allow an external person to access the server. The incident was discovered
during a routine security check. The investigation later determined the breach extended to two other computers with
personal data from student files or applications.
Information
Source:
Dataloss DB
December 4,
Deo B. Colburn Foundation Scholarship
EDU
DISC
341
73
2009
Lake Placid, New York
EDU
DISC
341
If you received the Deo B. Colburn scholarship for the 2003-04 academic year, your Social Security number may have been
made public. Hundreds of Social Security numbers of former students from all over the northern Adirondacks, including Lake
Placid, were released onto the Internet, potentially compromising those people's credit and financial status. Information
included names, addresses, academic institutions, the amount of money recieved and Social Security numbers of the
scholarship recipients.
Information
Source:
Dataloss DB
December 1,
2009
Children's Hospital of Philadelphia
MED
PORT
942
A laptop computer containing Social Security Numbers and other personal information was stolen from a car outside an
employee's home on Oct. 20. The billing information on the computer was password-protected, but an analysis found it was
possible to decode the security controls on the laptop and gain access to the personal information.
Information
Source:
Dataloss DB
November 29,
2009
Salem Housing and Community Services
Salem, Oregon
GOV
DISC
Unknown
Sloppy handling of confidential records by a state agency in Salem left people's names, Social Security numbers, ages and
addresses exposed in an open recycling bin outdoors. In a separate security lapse by another state agency, confidential
records with the names and Social Security numbers of former state parks and recreation employees landed in the same
recycling bin.
Information
Source:
Dataloss DB
November 26,
2009
Penn State
EDU
HACK
303
A Penn State professor's grade book from 2001 to 2004 that contained 303 students' Social Security numbers, among other
personal information, was found to be compromised by a computer virus.
Information
Source:
Dataloss DB
November 25,
2009
Aurora St. Luke's Medical Center
Milwaukee, Wisconsin
MED
PORT
6,400
6,400 people who were in-patients at St. Luke's are being warned that their name, Social Security number and other
information may have landed in the hands of thieves, due to a stolen laptop computer. All of the at-risk individuals were
cared for there at some point by a hospitalist, a physician other than the patient's primary care doctor, who works for an
independent physician group called Cogent Healthcare. The computer was stolen from a locked office in a secure physician
office building that is located adjacent to the hospital; the computer belonged to an employee of Cogent Healthcare of
Wisconsin.
Information
Source:
Dataloss DB
November 24,
2009
ACORN
San Diego, California
BSO
DISC
Unknown
74
Documents that contained personnel information were accidentally thrown away in a dumpster. San Diego staff were doing
an office clean-up in preparation for a major 10-station phone bank program being set up in their offices; it appears that
included in the piles of garbage being thrown out there were some documents containing private information.
Information
Source:
Dataloss DB
November 23,
2009
Hancock Fabrics
Baldwyn, Mississippi
BSR
HACK
At least 140
Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that are tied to transactions
conducted with the Hancock Fabrics retail chain. The Hancock Fabrics store in Napa was the "common thread" among the
numerous people who reported credit and debit card fraud. The store had recently replaced its point-of-sale machines. At
about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts.
Information
Source:
Dataloss DB
November 21,
2009
Notre Dame University
Notre Dame, Indiana
EDU
DISC
Unknown
Notre Dame is warning university employees to keep an eye on their bank accounts after a security breach.Personal
information of some past and current employees - including name, Social Security number and birth date - was accidentally
posted onto a public website. The error was corrected and the information removed from the website.
Information
Source:
Dataloss DB
November 20,
2009
University Medical Center
Las Vegas, Nevada
MED
INSD
Unknown
Someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential
information — including names, birth dates, Social Security numbers and injuries. Private information about accident victims
treated at University Medical Center has apparently been leaking for months, allegedly so ambulance-chasing attorneys
could mine for clients.
UPDATE (4/29/10): A man was indicted today by a federal grand jury in an alleged conspiracy to pay a University Medical
Center employee for private information about traffic accident victims that was used to drum up clients. The man was
indicted on one count of conspiracy to illegally disclose personal health information, in violation of the Health Insurance
Portability and Accountability Act, better known as HIPAA. Between January and November 19, 2009 the man allegedly
conspired with people, including a UMC employee, to use hospital "face sheets" to solicit personal injury cases for attorneys.
The UMC employee faxed the registration sheets of trauma patients to the man on at least 55 occasions and was paid about
$8,000, the indictment said. The U.S. Attorney's press release said theh man has been summoned for a May 14 hearing. If
convicted, he faces up to five years in prison and a $250,000 fine.
Information
Source:
Dataloss DB
November 20,
2009
Johns Hopkins Medicine
Baltimore, Maryland
MED
INSD
100
A woman who worked as a patient services coordinator for Johns Hopkins Medicine has been sentenced to 18 months in
prison for stealing patient information. Thirty-one-year-old woman of Baltimore was also ordered to pay more than $200,000
in restitution. According to her plea agreement and court documents, from August 2005 to April 2007, the woman provided a
conspirator with names, Social Security numbers and other identifying information of more than 100 current and former
patients of Johns Hopkins. That information was used to apply for credit.
Information
Source:
75
Dataloss DB
November 19,
2009
TAD Gear
[email protected]
BSR
HACK
Unknown
[103]
TAD Gear recently learned that their database was illegally accessed from an external source, and it appears that some
customer data was taken, which may include customer names, contact information and credit card data. The possibility of a
security breach came to their attention when certain customers notified them that unauthorized charges had appeared on
their credit cards. Upon learning of the potential breach of security, TAD Gear immediately initiated an investigation, and took
corrective steps.
Information
Source:
Dataloss DB
November 19,
2009
FCI USA
Manchester, New Hampshire
BSO
PORT
2,000
An employee's laptop was stolen. The laptop contained a spreadsheet with Social Security numbers, dates of birth and
names for 2,000 employees.
Information
Source:
Databreaches.net
November 18,
2009
Universal American Action Network
St. Petersburg, Pennsylvania
MED
DISC
80,000
Thousands of Pennsylvanians are at risk for identity theft because postcards were sent to their homes with their Social
Security numbers printed in plain view. The postcards were from the Universal American Action Network, a subsidiary of
Universal American Insurance. 80,000 postcards with SSNs on them were sent to Universal clients throughout the country.
More than 10,000 were mailed to Medicare participants in Pennsylvania.
Information
Source:
Dataloss DB
November 18,
2009
Health Net
Shelton, Connecticut
MED
PORT
1,500,000
The personal information for almost half a million Connecticut residents could be at risk after a portable disk drive
disappeared from Health Net six months ago. Health Net is a regional health plan and the drive included health information,
Social Security number and bank account numbers for all 446,000 Connecticut patients, 1.5 million nationally. The
information had been compressed, but not encrypted, although a specialized computer program is required to read it.
Patients in Arizona, New Jersey and New York were also affected.
UPDATE(1/22/10): Connecticut Attorney General (AG) Richard Blumenthal is suing Health Net of Connecticut for failing to
secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify
consumers exposed by the security breach. The AG is seeking a court order blocking Health Net from continued violations of
HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted. This case
marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for
Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA.
UPDATE(7/7/10): Health Net and the Connecticut AG reached a $250,000 settlement in connection with this incident.
Information
Source:
Dataloss DB
November 17,
Nebraska Workers' Compensation Court
GOV
HACK
Unknown
76
2009
Omaha, Nebraska
GOV
HACK
Unknown
Someone broke into a server that temporarily held injury reports. Whenever a worker has a job-related injury, a report is filed
with the Workers' Compensation Court and the information is temporarily stored on that server. Personal information,
including birth dates and Social Security numbers, would have been on the server.
Information
Source:
Dataloss DB
November 10,
2009
Obsidian Financial Group
Woodbury, New York
BSF
INSD
Unknown
A former employee broke into a Woodbury financial services company, photocopied customers' Social Security numbers and
bank reference numbers and took the photocopied data with him when he left.
Information
Source:
Dataloss DB
November 7,
2009
Renal Treatment Centers Southeast, DaVita Inc.
Denver, Colorado
MED
STAT
Unknown
Multiple desktop computers were stolen from a facility in Dallas. The computers contained the names, addresses, Social
Security numbers, insurance numbers, and other personal information of patients.
Information
Source:
PHIPrivacy.net
November 6,
2009
National Archives and Records Administration
College Park, Maryland
GOV
STAT
250,000
The National Archives and Records Administration violated its information security policies by returning failed hard drives
from systems containing personally identifiable information of current government employees and military veterans back to
vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them. On two separate occasions
the agency sent defective disk drives back to vendors under a maintenance contract, rather than destroying and disposing of
them in-house.
UPDATE (1/12/2010):There was a rather large amount of data on this hard drive -- as much as two terabytes of data. The
NARA is having to, in effect, do a forensic analysis to try to identify individuals and their information. They had a rolling
production of notices to individuals. It had been 26,000, and then their forensic contractor came up with a new group, which
was as many as 150,000 names.
UPDATE (1/27/2010) Media stories now put the number of records involved at 250,000.
Information
Source:
Dataloss DB
November 6,
2009
Chaminade University
Honolulu, Hawaii
EDU
DISC
4,500
www.chaminade.edu/infosecure
[104] [email protected]
Chaminade University inadvertently posted confidential information, including Social Security numbers, of thousands of
students, on its Web site for months. An investigation determined the report was placed on obscure -- though publicly
accessible -- Web pages because of human error, according to a university news release. The information was accessible
for about eight months, although there is no evidence of its use, officials said. The university estimates that personally
identifiable data for 4,500 students were in the report. Those affected include undergraduate students who attended the
university from 1997 to 2006.
77
Information
Source:
Dataloss DB
November 6,
2009
MassMutual
Springfield, Massachusetts
BSF
HACK
Unknown
According to MassMutual, a "limited amount" of personal employee information maintained in a database by an outside
vendor may have been subject to unauthorized access. The vendor engaged a forensics team to investigate, and at this time
they believe that no misuse of the information or fraudulent activity involving the data has occurred. This database does not
include client or field representative information; it also did not contain personal Social Security or bank account information,
according to the company.
Information
Source:
Dataloss DB
October 27, 2009
Baptist Hospital East
Loiuisville, Kentucky
MED
DISC
350
Hundreds of people in Kentuckiana are worrying about identity theft after their employer accidentally released their Social
Security numbers. 350 names and Social Security numbers of hospital employees appear on a list that was circulated in an
e-mail.
Information
Source:
Dataloss DB
October 27, 2009
FirstMerit Bank
Streetsboro, Ohio
BSF
PHYS
Unknown
Additional locations; Westlake and Elyria, OH
Police in three Ohio cities are investigating the theft of three large storage bins from bank branches earlier this month. The
storage bins were used to store paper waiting to be shredded. Three branches of the FirstMerit Bank in Streetsboro,
Westlake and Elyria, OH each reported a bin missing beginning on October 7. One of the three bins contained personal
documents of bank customers.
Information
Source:
Media
October 26, 2009
CalOptima
Orange County, California
MED
PORT
68,000
Personally identifiable information on members of CalOptima, a Medicaid managed care plan, may have been compromised
after several CDs containing the information went missing. The unencrypted data on the CDs includes member names,
home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, and an unspecified
number of Social Security numbers. The discs had been put in a box and sent via certified mail to CalOptima by one of its
claims-scanning vendors, according to a statement by the health plan. CalOptima received the external packaging material
minus the box of discs.
Information
Source:
Dataloss DB
October 21, 2009
Bullitt County Public Schools
Shepherdsville, Kentucky
EDU
DISC
676
A Bullitt County Public Schools employee accidentally sent an e-mail message to about 1,800 school district workers that
included the names and Social Security numbers of 676 district employees. The employees were identified as not having
completed the district's 2010 open-enrollment process for insurance, and the e-mail was intended as a reminder to complete
78
the process.
Information
Source:
Dataloss DB
October 21, 2009
Roane State Community College
Harriman, Tennessee
EDU
PORT
14,783
Hotline (865) 882-4688, (866) 462-7722 ext. 4688
Roane State Community College has announced that the names and Social Security numbers of 9,747 current or former
students were on a data storage device stolen from an employee's vehicle, along with 1,194 current/former employees'
information. The Social Security numbers alone, with no names, were also stolen for 5,036 additional current or former
students. The data was on a 4GB USB drive used for work-related purposes. An employee took it home to do work after
hours, and left it in the car. The employee forgot to lock the car doors. The USB drive was stolen along with a personal handheld device.
Information
Source:
Dataloss DB
October 20, 2009
ChoicePoint
BSO
Alpharetta, Georgia
http://www.ftc.gov/opa/2009/10/choicepoint.shtm
DISC
13,750
[105]
ChoicePoint has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal
information of 13,750 people last year. In April 2008, ChoicePoint turned off a key electronic security tool that it used to
monitor access to one of its databases and failed to notice the problem for four months, according to an FTC statement.
During that period, unauthorized searches were conducted for 30 days on a ChoicePoint database that contained Social
Security numbers and other sensitive information.
Information
Source:
Dataloss DB
October 17, 2009
Feeney Insurance Agency
BSF
STAT
Unknown
A break in resulted in the theft of an unencrypted computer. The computer contained contact information, Social Security
numbers, birth dates, and driver's license numbers.
Information
Source:
Databreaches.net
October 15, 2009
Virginia Department of Education
Richmond, Virginia
EDU
PORT
103,000
(877) 347-5224
A flash drive containing the personal information of more than 103,000 former adult education students in Virginia was
misplaced. The information included names, Social Security numbers and employment and demographic information. The
flash drive contained information on all students who finished an adult education course in Virginia from April 2007 through
June 2009 or who passed a high school equivalency test between January 2001 and June 2009.
Information
Source:
Dataloss DB
October 15, 2009
Halifax Health
Daytona Beach, Florida
MED
PORT
33,000
79
A laptop computer from a Halifax Health employee's vehicle in Orange County was stolen -- which might have contained
password protected patient information.
Information
Source:
Dataloss DB
October 15, 2009
PayChoice
Moorestown, New Jersey
BSF
HACK
Unknown
Hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that
information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order
to maintain uninterrupted access to onlineemployer.com. The plug-in was instead malicious software designed to steal the
victim's user names and passwords.
Information
Source:
Dataloss DB
October 13, 2009
Pitt County Memorial Hospital
Greenville, North Carolina
MED
PORT
1,700
(877) 676-0376
Patient names and Social Security numbers were placed onto a portable computer storage device, used to move the
information between different computer systems. Employees have since discovered that USB flashdrive is missing from
where it was stored.
Information
Source:
Dataloss DB
October 7, 2009
CLP Skilled Trade Solutions
Palm Springs, Florida
BSO
PHYS
Unknown
Boxes full of documents that had the CLP Skilled Trade Solutions logo on them were found in a dumpster in the back of a
Newport Café. Some of the information found included Social Security cards, tax papers, driver's licenses and home IDs.
Many of the documents were from a company that CLP acquired a few years ago.
Information
Source:
Dataloss DB
October 6, 2009
BlueCross BlueShield Assn.
Chicago, Illinois
MED
PORT
187,000
A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan
was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. The file included the name, address, tax
identification number and national provider identifier number for about 850,000 doctors. Some 16% to 22% of those
physicians listed -- as many as 187,000 -- used their Social Security numbers as a tax ID or NPI number.
Information
Source:
Dataloss DB
October 5, 2009
U.S. Army Special Forces
Fort Bragg, North Carolina
GOV
DISC
463
A recent breach involved a U.S. Army Special Forces document containing the names, Social Security numbers, home
phone numbers and home addresses of 463 soldiers. The document also contained names and ages of soldiers' spouses
and children. The document was discovered in connection with a Congressional move to address the continuing risk of data
80
leaks on peer-to-peer (P2P) networks. Through its research, the firm, Tiversa, turned up the document among 240 others
belonging to federal government agencies and military branches, all sitting on P2P networks.
Information
Source:
Media
October 4, 2009
Suffolk Community College
Selden, New York
EDU
DISC
300
Suffolk Community College has agreed to pay a company for the next year to monitor the credit of 300 students whose last
names and Social Security numbers were mistakenly listed in an attachment to an e-mail sent to those students last month.
Information
Source:
Dataloss DB
October 2, 2009
U.S. Military Veterans
GOV
PORT
76 Million
The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying
the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and
discharge papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold it to them,
for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled. The drive was part of
a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions
of Social Security numbers dating to 1972, when the military began using individuals' Social Security numbers as their
service numbers.
Information
Source:
Dataloss DB
September 28,
2009
Penrose Hospital
Colorado Springs, Colorado
MED
PHYS
175
Officials at Penrose Hospital believe someone has stolen the personal information of 175 patients. The missing information
consists of names, addresses, phone numbers, Social Security numbers and the reason for the patients' visits. The
information was stored on a computer print-out and kept in a binder stored in a cabinet. The print out has gone missing.
Information
Source:
Dataloss DB
September 25,
2009
University of North Carolina, Chapel Hill
Chapel Hill, North Carolina
EDU
HACK
236,000 (Only 163,000
was added to the total.)
A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC Chapel Hill
research study. Among the information exposed: the Social Security numbers of 163,000 participants. The data is part of the
Carolina Mammography Registry, a 14-year-old project that compiles and analyzes mammography data submitted by
radiologists across North Carolina.
Information
Source:
Dataloss DB
September 25,
2009
Doctors' offices in Tennessee
GOV
DISC
Unknown
Doctors' offices in Tennessee have been accidentally sending patient information, including Social Security numbers and
medical histories, to an Indiana businessman's fax machine for the past three years. The sensitive medical information was
81
supposed to be sent to the Tennessee Department of Human Services, but the owner of SunRise Solar Inc. in Indiana, says
hundreds of confidential medical faxes having been coming to him.
Information
Source:
Dataloss DB
September 23,
2009
Eastern Kentucky University
Richmond, Kentucky
(859) 622-7777, [email protected]
EDU
DISC
5,045
[106]
The names and Social Security numbers of about 5,000 Eastern Kentucky University faculty, staff and student workers were
posted inadvertently on the Internet last September, where they have been displayed for a year.
Information
Source:
Dataloss DB
September 22,
2009
Bernard Madoff Investors
Dallas, Texas
BSF
PORT
2,246
More than 2,200 Bernard Madoff investors are learning that some of their personal and financial information has potentially
been breached after the theft of a laptop in Dallas. The names, addresses, Social Security numbers and some Madoff
account information on 2,246 investors was contained in a computer stolen from the car of an employee of AlixPartners Llp.
Information
Source:
Dataloss DB
September 22,
2009
Sagebrush Medical Plaza/Kern Medical Center
Bakersfield, California
MED
PHYS
31,000
Thousands of patients at a Kern County health clinic have been warned their personal information could have been stolen. A
break-in happened at the Sagebrush Medical Plaza in July, and Kern Medical Center officials have notified 31,000 patients to
take precautions against possible identity theft. One or more unknown individuals broke into a locked storage area that
contained confidential patient information. All patient information has now been moved to a location inside the clinic building.
Information
Source:
Dataloss DB
September 21,
2009
Rocky Mountain Bank
Pinedale, Wyoming
BSF
DISC
1,325
A customer of the Rocky Mountain Bank asked a bank employee to send certain loan statements to a representative of the
customer. The employee, however, inadvertently sent the e-mail to the wrong Gmail address. Additionally, the employee had
attached a sensitive file to the e-mail that should not have been sent at all. The attachment contained confidential
information on 1,325 individual and business customers that included their names, addresses, tax identification or Social
Security numbers and loan information.
Information
Source:
Dataloss DB
September 17,
2009
Akron Children's Hospital
Akron, Ohio
MED
HACK
Unknown
A 38-year-old Avon Lake, Ohio, man is set to plead guilty to federal charges after spyware he allegedly meant to install on
the computer of a woman he'd had a relationship with ended up infecting computers at Akron Children's Hospital. He
allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she
was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery
82
department, creating a regulatory nightmare for the hospital. Between March 19 and March 28 the spyware sent more than
1,000 screen captures via e-mail. They included details of medical procedures, diagnostic notes and other confidential
information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital
employees as well, the plea agreement states.
Information
Source:
Dataloss DB
September 16,
2009
Downeast Energy & Building Supply
Brunswick, Maine
BSO
HACK
800
Downeast sent a notice after discovering that hackers had broken in and stolen more than $200,000 from the company's
online bank account. Sometime prior to September, attackers planted keystroke logging malware on Downeast's computer
systems, and stole the credentials the company uses to manage its bank accounts online. Hackers had gained access to the
bank account the company uses to let customers pay for fuel with electronic transfers from their checking accounts. Then,
on or around Sept. 2, the hackers used that access to initiate a series of sub-$10,000 money transfers out of the company's
account to at least 20 individuals around the United States who had no prior business with Downeast Energy. The personal
information to which the thieves had access included customers' names, banks and checking account numbers
Information
Source:
Dataloss DB
September 14,
2009
EDU
DISC
25
(866) 876-HIPA (4472)
In August, the University's Privacy Office was notified of a privacy breach after the discovery of an unprotected computer file
containing 34 names and 25 Social Security numbers. It's believed the personal information belongs to trainers working with
the Florida Traffic and Bicycle Safety Education program in 2006. The file was immediately removed.
Information
Source:
Dataloss DB
September 14,
2009
Jones General Store/Root of the Hill
Boulder, Colorado
BSR
PHYS
Unknown
Boulder police are investigating two burglaries on University Hill that could have compromised some local shoppers' personal
and credit card information. A manager for Jones General Store called police to report an overnight break-in and theft of
credit card receipts. A short time later, an owner of Root of the Hill, a business in the same building, called officers to report a
break-in, theft and extensive vandalism.
Information
Source:
Dataloss DB
September 7,
2009
School for the Physical City
New York, New York
EDU
PHYS
Unknown
Boxes of student records were piled in the street in front of the old home of the School for the Physical City. Some records
contained the Social Security numbers, grades, signatures and even psychological reports of former students of the public
intermediate high school. The boxes were sitting next to a trash bin filled with old desks and other discarded school supplies.
The School for the Physical City moved to a new location over the summer and apparently the records were thrown out with
the trash during the relocation.
Information
Source:
Dataloss DB
83
September 5,
2009
Mitsubishi Corp.
New York, New York
BSR
HACK
52,000
A Mitsubishi Corp. Internet shopping unit lost credit card details on 52,000 customers after its servers were hacked from
overseas. The company has informed customers and relevant authorities of the leaks and has suspended the Web site until
it can improve the system.
Information
Source:
Dataloss DB
September 2,
2009
Bluegrass Community and Technical College
Danville, Kentucky
EDU
UNKN
100
A file containing the personal information including Social Security numbers of nearly 100 students at the Bluegrass
Community and Technical College has been stolen.
Information
Source:
Dataloss DB
September 2,
2009
Naval Hospital Pensacola
Pensacola, Florida
MED
PORT
38,000
Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the
disappearance of a laptop computer. The computer's database contains a registry of 38,000 pharmacy service customers'
names, Social Security numbers and dates of birth on all patients that used the pharmacy in the last year. It does not contain
any personal health information.
Information
Source:
Dataloss DB
August 21, 2009
Battleground Urgent Care/Prompt Med
MED
PHYS
623
Medical files were found in a dumpster. It seems a third party moving company was hired to transfer the boxes from one
warehouse to another. It is unknown at this time how the files ended up in the dumpster. The information in the files
contained Social Security numbers, driver's license copies, medical histories, and employers.
UPDATE (5/24/10): Prompt Med agreed to pay a $50,000 fine to the state of North Carolina.
Information
Source:
Dataloss DB
August 21, 2009
University of Massachusetts
Amherst, Massachusetts
EDU
HACK
Unknown
Nearly a year ago, hackers broke into a computer server that contained Social Security numbers and a very limited amount
of credit card information for graduates of University of Massachusetts. Hackers gained access to one server on the
university's computer system, which held information of students who attended UMass between 1982 and 2002, as well as a
few who attended before 1982. A UMass spokesman declined to say how many people's records were exposed, except that
it was a large number of undergraduate and graduate students who attended the university during the 20-year period.
Information
Source:
Dataloss DB
August 20, 2009
Cal State Los Angeles
EDU
PORT
600
84
August 20, 2009
EDU
PORT
600
(800) 883-4029
The theft of two desktop and 12 laptop computers from an office at Cal State Los Angeles is causing identity theft concerns
for more than 600 students and faculty members. Someone broke a window in the office of the university's Minority
Opportunities in Research program to steal the computer. The computers stolen contained individual names, Social Security
numbers and addresses, according to campus.
Information
Source:
Dataloss DB
August 15, 2009
Northern Kentucky University
Highland Heights, Kentucky
EDU
PORT
200
A Northern Kentucky University employee's laptop computer - which contained personal information about some current and
former students -- was stolen from a restricted area. The personal information stored on the employee's computer included
Social Security numbers of at least 200 current and former students.
Information
Source:
Dataloss DB
August 14, 2009
American Express
New York, New York
BSF
INSD
Unknown
Some American Express card members' accounts may have been compromised by an employee's recent theft of data. The
former employee has been arrested and the company is investigating how the data was obtained. American Express
declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection
controls on the accounts at issue.
Information
Source:
Media
August 14, 2009
Calhoun Area Career Center
Battle Creek, Michigan
EDU
DISC
455
Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available
online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone
numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an
investigation by the Calhoun County Intermediate School district found that information for 455 students was available.
Information
Source:
Dataloss DB
August 13, 2009
National Guard Bureau
Arlington, Virginia
GOV
PORT
131,000
An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. on the stolen laptop contained
personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes
names, Social Security numbers, incentive payment amounts and payment dates.
Information
Source:
Dataloss DB
August 11, 2009
Bank of America Corp.
BSF
CARD
Unknown
85
Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling
them that their account numbers may have been compromised. Account information from certain Bank of America debit
cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new
breach or a previously disclosed one.
Information
Source:
Media
August 11, 2009
Citigroup Inc.
New York, New York
BSF
CARD
Unknown
Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have
been compromised. Citigroup told credit-card customers in Massachusetts your account number may have been illegally
obtained as a result of a merchant database compromise and could be at risk for unauthorized use. Bank officials are not
certain if this is a new breach or a previously disclosed one.
Information
Source:
Media
August 11, 2009
University of California, Berkeley School of Journalism
Berkeley, California
https://security.berkeley.edu/jschool-info
EDU
HACK
493
[107]
Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's
primary Web server. The server contained much of the same material visible on the public face of the Web site. However,
the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who
applied for admission to the journalism school between September 2007 and May 2009.
Information
Source:
Dataloss DB
August 4, 2009
New Hampshire Department of Corrections
Laconia, New Hampshire
GOV
PHYS
1,000
A 64-page list containing the names and Social Security numbers of about 1,000 employees of the state Department of
Corrections ended up under the mattress of a minimum security prisoner. The prison contracts with vendors to shred
documents and investigators are trying to find out why documents were not destroyed.
Information
Source:
Dataloss DB
August 3, 2009
National Finance Center
GOV
DISC
27,000
An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees' personal
information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000
Commerce Department employees were exposed.
Information
Source:
Media
August 1, 2009
Williams Cos. Inc.
Tulsa, Oklahoma
BSO
PORT
4,400
A laptop containing personal and compensation information for more than 4,400 current and former employees was stolen
from a worker's vehicle. The computer had names, birth dates, Social Security numbers and compensation data for every
86
Williams employee since Jan. 1, 2007.
Information
Source:
Dataloss DB
July 31, 2009
Jackson Memorial Hospital
Miami, Florida
MED
INSD
Unknown
A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the
past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.
Information
Source:
Media
July 29, 2009
University of Colorado, Colorado Springs
EDU
PORT
766
The university is notifying nearly 800 students and alumni that some of their personal information may have been on a stolen
laptop. That laptop was taken from a professor's home on July 5th after the home was burglarized. The laptop contained
class roster information - name, student ID number, e-mail address, graduating class year and grade information - for
current and past UCCS students. No financial information was stored on the laptop, but there is a possibility that Social
Security numbers may have been involved for students enrolled prior to summer, 2005.
Information
Source:
Dataloss DB
July 24, 2009
Hampton Redevelopment and Housing Authority
Hampton, Virginia
NGO
PHYS
900
The Social Security numbers and other personal information of nearly 900 people who were banned from public housing in
Hampton were accidentally given to a resident who requested the information. A housing authority employee printed a
spreadsheet and mailed it but forgot to exclude the personal information.
Information
Source:
Dataloss DB
July 24, 2009
Network Solutions
Herndon, Virginia
BSO
HACK
573,000
Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue
code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months.
Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce
services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly
mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial
information for customers who purchased from those stores.
Information
Source:
Dataloss DB
July 22, 2009
A Honolulu hospital
Honolulu, Hawaii
MED
INSD
Unknown
In June 2009, a Hawaii woman was sentenced to a year in prison for illegally accessing another woman's medical records
and posting on MySpace that she had HIV. The State of Hawaii brought charges under a state law that criminalizes
unauthorized access to a computer as a class B felony. The defendant was employed by a hospital and had access to
patient medical records.
87
Information
Source:
Media
July 20, 2009
St. Vincent Health System
MED
INSD
1
A physician and two former employees of the St. Vincent Health System pleaded guilty today to misdemeanor federal
charges for accessing the medical records of slain television anchor Anne Pressly. All three said they accessed Pressly's files
out of curiosity.
Information
Source:
Media
July 17, 2009
Francis Howell School District
EDU
St. Charles, Missouri
PORT
1,700
A laptop computer theft could have compromised personal information. Tthe computer could have contained names and
Social Security numbers for 1,700 noncertified employees. Anyone who worked for the district from 2005 through 2008 could
be affected. The computer belonged to a Francis Howell employee in the district human resources department.
Information
Source:
Dataloss DB
July 16, 2009
Moores Cancer Center
MED
HACK
30,000
A hacker breached the Center's computers and gained access to patients' personal information. A letter was sent to 30,000
patients informing them that their personal information may have been in the compromised databases. Types of information
in breach included names, dates of birth, medical record number, diagnosis and treatment dates and some Social Security
numbers. The majority of patients' information did not include Social Security numbers.
Information
Source:
Dataloss DB
July 16, 2009
Elance
BSO
Mountain View, California
HACK
Unknown
http://www.elance.com/p/trust/account_security.html>http://www.elance.com/p/trust/account_security.html [108]
A warning from Elances customer service was emailed, saying that the site has been hacked or attacked in some way. The
data accessed was contact information - specifically name, email address, telephone number, city location and Elance
username. This incident did not involve any credit card, bank account, social security or tax ID numbers.
Information
Source:
Media
July 14, 2009
Canyons School District
Cottonwood Heights, Utah
EDU
PORT
6,000
Canyons School District officials are investigating the disappearance of a thumb drive that contained the personal
information of more than 6,000 current and recent employees. The USB flash drive is believed to have contained employee
addresses, phone numbers, dates of birth and Social Security numbers. A district-level worker was using it to transfer data
for apparently legitimate, job-related purposes.
Information
Source:
Dataloss DB
88
Dataloss DB
July 14, 2009
Leander School District
Leander, Texas
EDU
UNKN
Unknown
School officials sent a notice home with special needs students to alert parents that someone gained access to private
information. It appears that one individual gained unauthorized electronic access to confidential information.
Information
Source:
Media
July 13, 2009
Florida Department of Education
Tallahassee, Florida
GOV
PHYS
475
The agency is notifying 475 student-loan borrowers that their financial records have been exposed to identity theft because
the OSFA managed to lose 1,186 promissory notes that they signed when they were going to school, and have now fallen
behind. The missing files bear Social Security numbers, names and addresses, birth dates, personal references and lots of
other little tidbits that could come in handy for an identity thief.
Information
Source:
Dataloss DB
July 13, 2009
LexisNexis
Dayton, Ohio
BSO
UNKN
13,329
LexisNexis has warned more than 13,000 consumers that a Florida man who is facing charges in an alleged mafia
racketeering conspiracy may have accessed some of the same sensitive consumer databases that were once used to track
terrorists. The accused would provide names, addresses and account numbers as part of a fake check-cashing operation.
But he's also accused of using computer databases to get information on potential extortion or assault targets as well as
individuals suspected by the Enterprise members of being involved with law enforcement.
Information
Source:
Dataloss DB
July 10, 2009
Northern California dumpsters Bay Area to Central Valley
BSF
PHYS
1,500
A criminal complaint filed against 30-year-old suspect claims that he made more than 1,000 fake ID cards that he used to rip
off people, stores and banks. He also allegedly admitted to stealing the identities of more than 500 people all across
Northern California, ranging from the Bay Area to the Central Valley. Federal agents say the man said it was easy to find
new victims: All he needed to do was visit a local bank and search their dumpsters. Using the sensitive materials he found in
the trash, He was able to use a computer to mock up fake identification cards and blank checks, according to authorities. He
also allegedly confessed to stealing between one to two million dollars in cash and merchandise.
Information
Source:
Media
July 9, 2009
Mountain Medical Center
Salt Lake, Utah
MED
PHYS
Unknown
Names, credit card numbers, Social Security numbers were found in a dumpster. A man was throwing away some stuff in a
dumpster and found it was chock full of medical records. There's everything in there from canceled checks to routing
numbers, he said. Salt Lake Police packed away perhaps twenty boxes of papers, and said they would protect the
documents, as they dug into the matter.
Information
Source:
Media
89
July 8, 2009
AT&T
Chicago, Illinois
BSO
INSD
2,100
A temporary employee for AT&T was arrested today on charges she stole personal information on 2,100 co-workers and
then pocketed more than $70,000 by taking out short-term payday loans in the names of 130 of them.
Information
Source:
Dataloss DB
July 1, 2009
Carrell Clinic
Dallas, Texas
MED
HACK
Unknown
An Arlington security guard was arrested on federal charges for hacking into hospital's computer system. The defendant
allegedly posted video of himself compromising a hospital's computer system on YouTube. The system and computers
contained confidential patient information.
Information
Source:
Media
July 1, 2009
Bike Nashbar
Asheville, North Carolina
[email protected]
[109] ,
BSR
HACK
Unknown
1-800-NASHBAR
The company's computer servers were hacked and credit card information was compromised. Letters with more details will
be mailed to affected customers.
Information
Source:
Media
June 30, 2009
Sutter Health
MED
PORT
6,000
Hundreds of current and former employees with Sutter Health had their personal data compromised. The company's
Sacramento Sierra region were contacted by a computer repair shop. The repair people did the right thing and told us they
had our laptop, said Sutter Communication Coordinator . The laptop contained names and Social Security numbers of 6,000
Sutter Health workers.
Information
Source:
Dataloss DB
The University sent
June 26, 2009
University of Central Missouri Police Department (UCM)
Warrensburg, Missouri
EDU
INSD
letters to 7,000
students, but the final
number of victims
appears to be closer to
250
After two documents containing student personal information were stolen, it was discovered that a former University police
officer and his wife were responsible. They used the names, Social Security numbers, and birth dates of students enrolled in
2005 and 2006 summer sessions. The thieves fraudulently opened bank accounts, received student loans, and applied for
credit and debit cards. The losses total more than $30,000.
Information
Source:
Databreaches.net
90
June 24, 2009
Florida Department of Revenue
GOV
PORT
2,828
The names, addresses and Social Security numbers of about 3,000 people employed by a handful of state businesses were
on a password-protected flash drive stolen from the car of a Florida Department of Revenue employee in Georgia. The
people were current or past employees of six large corporations that are being audited by the state.
Information
Source:
Dataloss DB
June 24, 2009
Battle Creek City
GOV
DISC
65
Some Battle Creek city employees are getting free identity protection help after the mayor posted a document with personnel
information to a public Web site. Information on city workers, including Social Security numbers, was listed on a city check
registry that the mayor put online and linked to using his Twitter.com account. The registry is no longer online and the city
has worked with law enforcement and Twitter, to remove any archived references to the information.
Information
Source:
Media
June 23, 2009
Cornell University
Ithaca, New York
EDU
PORT
45,277
A stolen Cornell University computer has compromised the personal information of thousands of members of the University
community. The computer contains the names and Social Security numbers of current and former students as well as
current and former faculty and staff members.
Information
Source:
Dataloss DB
June 22, 2009
Baptist Medical Center
Montgomery, Alabama
MED
PHYS
Unknown
Folder upon folder were found in a land fill dump site, labeled Radiology Department, Baptist Medical Center. Hundreds of
medical records were out in the open, all with sensitive information. Sensitive patient information that was thrown out
included names, x-rays, ultrasounds, MRIs and Social Security numbers. Baptist was quickly pointed out at fault, while files
from at least 5 other facilities were found at the same site.
UPDATE (8/5/08): Former Hospital Employee Convicted for Aggravated Identity Theft. A former employee of an Alabama
hospital has been sentenced to two years and one day in federal prison for wire fraud and stealing the identities of patients,
according to a Department of Justice press release. Adrienne Denise Stovall, 30, pled guilty in January to one count of wire
fraud and one count of aggravated identity theft, which carries a mandatory sentence of two years. Stovall worked at
Montgomery's Baptist Hospital from August 2006 to early 2007. Her position gave her access to the hospital's computer
system, containing confidential information including patient names, dates of birth and Social Security numbers. Stovall used
the information to apply for credit and credit cards.
http://www.justice.gov/usao/alm/press/current_press/2010_05_05_stovall.pdf [110]
Information
Source:
Media
June 22, 2009
Broadridge Financial Solutions, Inc.
Jersey City, New Jersey
BSF
DISC
Unknown
Broadridge Financial Solutions, Inc. provides proxy services for clients, including the processing, distribution and tabulation
of Annual Meeting Proxy materials for registered shareholders of publically traded companies. The firm inadvertently
disclosed Dynegy shareholder information including name, address, Social Security number and other account information to
another client. The total number of shareowners affected was not reported.
91
Information
Source:
Media
56,000 Not added to
June 18, 2009
Suncoast Schools Federal Credit Union
Tampa, Florida
BSF
HACK
the total because it's
included in the huge
number already
attributed for
Heartland.
Some members of Suncoast Schools Federal Credit Union have been notified that their debit card accounts were exposed to
fraud. It is the latest casualty of last year's breach of Heartland Payment Systems, one of the country's largest credit card
processors, where information from more than 100 million credit and debit card transactions was exposed. Not until the end
of May did Suncoast discover that some of its customers who use Visa Check Cards could be in danger. The Tampa credit
union is issuing new cards to all members whose accounts were compromised.
Information
Source:
Media
June 17, 2009
Blackbaud Inc.
Charleston, South Carolina
BSO
PORT
84,000
A computer that was stolen from a car in Charleston, SC, last year contained personal financial information on 84,000
University of North Dakota donors. The missing laptop belonged to Daniel Island-based software giant Blackbaud Inc., which
stressed that all of the information was password-protected and encrypted.
Information
Source:
Media
June 16, 2009
Redondo Beach Arco Gas Station
Redondo Beach, California
BSR
INSD
1,000
An organized-crime ring that police believe is Russian or Armenian targeted a high-volume Redondo Beach Arco gas station,
assigned a low-level soldier to infiltrate it and waited eight months while he worked himself into a position where he could
implant a tiny, high-tech skimmer to steal customers' credit-card information. Armed with a fresh batch of personalinformation numbers, the gang began draining thousands of Southern California bank accounts soon after Erick, the model
employee who was by then entrusted with opening the station every day at 5 a.m., vanished in late April along with 1,500
packs of cigarettes, $1,000, a laptop, his employee application form - and the two digital video recorders used for
surveillance. The skimmer scam left a string of more than 1,000 victims, stretching from Santa Barbara to Newport Beach.
Information
Source:
Media
June 15, 2009
Beam Global Spirits & Wine Inc.
Deerfield, Illinois
BSR
INSD
Unknown
Unauthorization access to a human resources payroll database by a former employee exposes names, addresses and
Social Security numbers of past and present employees.
Information
Source:
Dataloss DB
June 12, 2009
Kirkwood Community College
Cedar Rapids, Iowa
EDU
PORT
1,600
92
Someone took a storage device from a counselor's office in Iowa City. That device contained names and Social Security
numbers for participants in the PROMISE JOBS program.
Information
Source:
Dataloss DB
June 12, 2009
Oregon Health & Science University
Portland, Oregon
EDU
PORT
1,000 (Not added to
total)
A physician's laptop was stolen from a car parked at the doctor's Washington County home. Patient names, treatment dates,
short medical treatment summaries and medical record numbers were stored on the computer. There were no home
addresses, billing information or Social Security numbers stored on the laptop.
Information
Source:
Dataloss DB
June 7, 2009
T-Mobile USA
BSO
HACK
Unknown
T-Mobile USA is investigating claims that a hacker has broken into its data bases and stolen customer and company
information. Someone anonymously posted the claims on the security mailing list Full Disclosure. In that post, the hacker
claims to have gotten access to everything -- their databases, confidential documents, scripts and programs from their
servers, financial documents up to 2009. They claim they have been in touch with the carrier's competitors trying to sell the
data, but have been unsuccessful. They threatened to sell it to the highest bidder. T-Mobile later confirmed a hacker
obtained a document.
Information
Source:
Media
June 6, 2009
Ohio State Dining Services
Columbus, Ohio
EDU
DISC
350
Student employees had their Social Security numbers accidentally leaked in an e-mail. The hiring coordinator for Dining
Services, an OSU student, received an e-mail with an attachment that included students' names and SSNs. He accidentally
sent the attachment in an e-mail reminding student employees to sign their waivers for the Ohio Employees Retirement
System. After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the emails before all of them were sent.
Information
Source:
Dataloss DB
June 5, 2009
Virginia Commonwealth University
Richmond, Virginia
EDU
STAT
17,214
A desktop computer was stolen from a secured area within Cabell Library in mid-April. The computer may have contained
student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of
Social Security numbers as ID numbers in January 2007. An additional 22,500 students are being notified that their names
and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but
computer-generated student ID numbers may have been.
Information
Source:
Dataloss DB
June 4, 2009
Maine Office of Information Technology
Augusta, Maine
GOV
PHYS
597
93
Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including
Social Security numbers belonging to another person. We received a print job and were running it, and there was an
equipment malfunction, Thompson said. In restarting the piece of equipment, a mistake was made and it started one page
off. It was an error and our quality assurance didn't pick it up. Recipients received one page with their own information and
another page with information belonging to a different person.
Information
Source:
Dataloss DB
June 3, 2009
Aviva
Concord, New Hampshire
BSF
HACK
550
The data breach affected customers who opened accounts in the U.S. or beneficiaries of accounts opened in the U.S. The
breach, caused by malware on an Aviva computer, happened between Dec. 30 and Feb. 24. A vendor helping Aviva locate
policyholders and beneficiaries whose mail was undeliverable found 3 Aviva USA customers' Social Security numbers and
other personal information while searching for them. The company believed 550 customers had their Social Security
numbers exposed in this manner. Aviva says it has removed the compromised hardware and taken steps to prevent future
malware attacks.
Information
Source:
Dataloss DB
June 1, 2009
University of Nevada
Las Vegas, Nevada
EDU
HACK
20
A UNLV computer was compromised and may have allowed loss of some personal data. The College of Sciences recently
sent a letter to about 20 students as officials became aware of a virus affecting a computer in the College. The College found
no information was leaked, but for legal reasons they still sent the letter.
Information
Source:
Media
May 28, 2009
Aetna
MED
HACK
65,000
Aetna has contacted 65,000 current and former employees whose Social Security numbers may have been compromised in
a Web site data breach. The breach was a spam campaign showing that the intruders successfully harvested e-mail
addresses from the Web site, although it's not clear if SSNs were also obtained. The spam purported to be a response to a
job inquiry and requested more personal information. Aetna sent letters last week notifying the 65,000 people whose SSNs
were on the site of the breach.
UPDATE (6/11/09): Hartford health insurer Aetna Inc. is being sued. The class-action suit was filed in a Pennsylvania District
Court and demands credit monitoring, punitive damages, costs and other relief for current, former and potential employees.
Information
Source:
Dataloss DB
May 27, 2009
Batteries.com
Carmel, Indiana
BSR
HACK
865
On March 13th, Batteries.com received notice from a customer about potential unauthorized activity on their credit card.
They later discovered the Batteries.com network had been breached from around February 25, 2009 to April 9, 2009. The
hackers stole names, addresses and credit card information.
Information
Source:
Dataloss DB
94
May 27, 2009
Warren County Virtual Community School
Lebanon, Ohio
EDU
PHYS
140
Contractors installing fiber on a near by street to the school say they found a four-page list in a recycling dumpster when
they went to dump some trash. The list had more than 140 students' names, addresses, Social Security numbers and birth
dates listed. Their parents names were on the list too.
Information
Source:
Dataloss DB
May 23, 2009
Indianapolis Department of Workforce Development
GOV
DISC
4,500
The Department of Workforce Development is notifying approximately 4,500 unemployment recipients concerning the
accidental disclosure of their Social Security number to the incorrect employer. The release occurred during the printing of
DWD's Statement of Benefit Charges by print vendor, Pitney Bowes Management Services Inc. This form is sent to
companies listing those who are collecting unemployment benefits against that employer's account. The misprinted
statements contained information from individuals who did not work for that company. Approximately 1,200 companies
received incorrect statements.
Information
Source:
Dataloss DB
May 21, 2009
Texas Lottery Commission
Austin, Texas
GOV
INSD
140
A former Texas lottery worker was arrested while training for a new job and charged with illegally possessing personal
information on 140 lottery winners and employees, including their names and Social Security numbers. The man was still
working for the Lottery Commission in 2007 when he allegedly took the information, which was discovered last year on a
state computer at the Comptroller of Public Accounts where he later was employed.
Information
Source:
Media
May 21, 2009
Internal Revenue Service
GOV
PHYS
Unknown
Additional locations: several IRS document disposal facilities in the U.S.),
http://www.treas.gov/tigta/auditreports/2009reports/200930059fr.pdf [111]
The U.S Treasury Inspector General for Tax Administration found in a fiscal year 2008 audit that in more than a dozen IRS
document disposal facilities, old taxpayer documents were being tossed out in regular waste containers and dumpsters. In
addition, the investigation found that IRS officials failed to consistently verify whether contract employees who have access to
taxpayer documents had passed background checks. Further, investigators had difficulty finding anyone responsible for
oversight of most of the facilities that the IRS contracted with to burn or shred sensitive taxpayer documents. The review was
performed at IRS offices in Phoenix, Tempe, and Tucson, Arizona New Carrollton, Maryland Holtsville, Garden City, and
Westbury, New York and Ogden, Utah, and included questionnaires to 14 Territory Managers across the country during the
period September 2007 through May 2008.
Information
Source:
Media
May 19, 2009
CompuCredit
Atlanta, Georgia
BSF
DISC
120 (0 SSNs were
accessed)
A computer processing error created a single image file of 120 account statements for the month of April. Statement files are
delivered to the cardholder through the website in Adobe PDF format. Because of a load error, the system failed to detect
page breaks between the account statements, thus resulting in the system believing that all of the pages belonged to a
95
single statement. As a result, the PDF image file contained 119 statements in addition to the cardholder's statement. (Note:
Monthly account statements do not include customers' Social Security numbers or PINs.)
Information
Source:
Dataloss DB
May 19, 2009
National Archives
GOV
PORT
Unknown
The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton
administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures.
The Archives had been converting the Clinton administration information to a digital records system when the hard drive
went missing. The hard drive was left on a shelf and unused for an uncertain period of time. When the employee tried to
resume work, the hard drive was missing.
Information
Source:
Dataloss DB
May 19, 2009
Rudder
BSF
Houston, Texas
DISC
Unknown
Rudder, a financial management company, erred in sending users' confidential financial information to the wrong individuals.
Through an online financial planning application, hundreds of individuals were able obtain the full details on others' finances their salary, debts, bank balance, and where they shop. Bank account numbers were apparently not exposed.
Information
Source:
Media
May 18, 2009
NJ Department of Labor and Workforce Development
Trenton, New Jersey
GOV
DISC
28,000
Unemployed New Jersey residents may have had their name and Social Security number accidentally delivered to an
employer for which you did not work. The error occurred when department staff last month sent first-quarter reports to
businesses that included a list of former employees receiving unemployment benefits. Because some companies had laid off
a significant number of employees, the reports were longer than usual, requiring staff members to stuff the envelopes by
hand rather by machine. Some reports were placed in the wrong envelopes.
Information
Source:
Dataloss DB
May 18, 2009
Anderson Kia Car Dealership
Boulder, Colorado
BSR
PHYS
Unknown
Police have chained up 10 recycling bins outside Boulder's now-defunct Anderson Kia car dealership after learning that the
bins were stuffed with personal information from the dealership's former customers. Green recycling bins were piled full with
folders, each headed with an individual's name. All of the folders contained Social Security numbers, driver's license
information, photos, phone numbers and financial information for Kia customers.
Information
Source:
Dataloss DB
May 15, 2009
Kaiser Permanente Bellflower Medical Center
Bellflower, California
MED
INSD
1
The California hospital where Nadya Suleman's octuplets were born has been fined $250,000 for failing to stop employees
from snooping into medical files on the famous case. Hospital officials discovered that 23 unauthorized workers examined
96
Suleman's medical records.
UPDATE (7/21/09): The Kaiser Permanente hospital in Bellflower has been hit with a $187,500 fine for failing for a second
time to prevent unauthorized access to confidential patient information.
Information
Source:
Media
May 13, 2009
United Food and Commercial Workers Union 555
Tigard, Oregon
NGO
PORT
19,000
A union employee's laptop was stolen on the East Coast. The laptop may have contained personal information of Local 555
members, including birth dates and Social Security numbers.
Information
Source:
Dataloss DB
May 12, 2009
Johns Hopkins Hospital
Baltimore, Maryland
MED
INSD
10,000
An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create
fake drivers' licenses in Virginia. The employee had access to information such as name, address, telephone number,
mother and fathers names, dates of birth and Social Security numbers, but not to any health or medical information.
Information
Source:
Media
May 11, 2009
Office of the State Superintendent of Education D.C.
EDU
DISC
2,400
The D.C. agency that handles college financial aid requests had accidentally e-mailed personal information from 2,400
student applicants to more than 1,000 of those applicants. An employee of the agency's Higher Education Financial Services
Program inadvertently attached an Excel spreadsheet to an e-mail. The information included student names, e-mail and
home addresses, phone and Social Security numbers and dates of birth.
Information
Source:
Dataloss DB
May 11, 2009
Multiple financial institutions
New York, New York
BSF
CARD
Unknown
A band of brazen thieves ripped off hundreds of New Yorkers by rigging ATMs to steal account and password information
from bank customers. The first - a skimmer - went over the slot where customers insert their ATM cards. The skimmer read,
and stored, the personal information kept in the magnetic strip on the back of the bank card. The second device was a tiny
camera hidden in the lighted signs over the ATM. The pinhole camera lens pointed directly onto the ATM keypad and filmed
victims typing in their supposedly secret PIN codes. The thieves would then create their own phony ATM cards and use their
victims' PINs to access accounts.
Information
Source:
Media
May 7, 2009
University of California, Berkeley
http://datatheft.berkeley.edu
EDU
HACK
160,000
[112]
Hackers infiltrated restricted computer databases. Personal information of 160,000 current and former students and alumni
97
may have been stolen. The University says Social Security numbers, health insurance information and non-treatment
medical records dating back to 1999 were accessed. The breach was discovered April 21, 2009, when administrators
performing routine maintenance identified messages left by the hackers. They found that restricted electronic databases had
been illegally accessed by hackers beginning on October 9, 2008 and continued until April 6, 2009. All of the exposed
databases were removed from service to prevent further attacks.
Information
Source:
Dataloss DB
May 5, 2009
East Burke Christian Ministries
Hildebran, North Carolina
NGO
PORT
1,000
A thief broke into a charity in Burke County and stole a laptop containing more than 1,000 Social Security numbers of
individuals seeking help.
Information
Source:
Dataloss DB
May 5, 2009
Fulton County Board of Registration and Elections
Atlanta, Georgia
GOV
PHYS
99,000
Boxes were found in a trash bin at Atlanta Technical College. They contained about 75,000 voter registration application
cards and 24,000 precinct cards. Many of the documents contained personal information on active voters, such as full
names and Social Security numbers.
Information
Source:
Dataloss DB
May 5, 2009
Spencer House Apartment Complex
Beaverton, Oregon
BSO
PHYS
Unknown
Residents at an apartment complex blamed apartment management Monday for leaving their personal information out in the
open. The documents were found in an unlocked public container that was sitting off a side street in their apartment
complex. The documents included Social Security numbers, addresses, phone numbers, immigration numbers and names.
Information
Source:
Dataloss DB
May 4, 2009
Kapiolani Community College
Honolulu, Hawaii
EDU
HACK
15,487
More than 15,000 students at Kapiolani Community College face an identity theft risk because of an Internet security breach.
School officials found a computer with the personal information of 15, 487 students who applied for financial aid between
January 2004 and April 15 that was infected with malware that can steal sensitive data. The computer did not have sensitive
information, but it was hooked up to a network that had access to names, addresses, phone numbers dates of birth and
Social Security numbers.
Information
Source:
Dataloss DB
May 4, 2009
Virginia Prescription Monitoring Program
Richmond, Virginia
MED
HACK
531,400
The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom for
the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database. A
notice posted on the DHP Web site acknowledged that the site is currently experiencing technical difficulties which affect
98
computer and e-mail systems. Some customer identification numbers, which may be Social Security numbers, were
included, but medical histories were not.
UPDATE (6/4/09): The state is mailing individual notifications to 530,000 people whose prescription records may have
contained Social Security numbers. In addition, 1,400 registered users of the database, mostly doctors and pharmacists,
who may have provided Social Security numbers when they registered for the program, are being notified. The database
that was hacked contained records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled
drugs with a high potential for abuse.
Information
Source:
Media
May 1, 2009
LexisNexis, Investigative Professionals
Miamisburg, Ohio
BSO
CARD
40,000
Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 individuals whose sensitive and personally
identifiable information may have been viewed by individuals who did not have legitimate access. The data breach is linked
to a Nigerian scam artist who used the information to incur fraudulent charges on victims' credit cards. Of the 40,000
individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards. The
private information viewed included names, dates of birth and possibly Social Security numbers.
Information
Source:
Dataloss DB
April 29, 2009
Orleans Parish Public Schools
New Orleans, Louisiana
EDU
PHYS
Unknown
The confidential records of Orleans Parish public-school employees have been discovered in an abandoned and unsecured
warehouse in New Orleans. Personnel files, payroll records, and other documents with private data were uncovered. Inside
were countless boxes filled with confidential information, not to mention stacks of other documents lying on the ground,
listing payroll information, worker evaluations, notices of personnel action, and investigations into employee discrimination.
Also found were full names, home addresses, and Social Security numbers on document after document.
Information
Source:
Media
April 29, 2009
Oklahoma Housing Finance Agency
Oklahoma City, Oklahoma
GOV
PORT
225,000
A laptop computer containing the personal information of about 225,000 Oklahomans was stolen from a city home last week.
The names, Social Security numbers, tax identification numbers, birth dates and addresses of clients of the Section 8
Housing Voucher Program were on an employee's laptop that was stolen.
Information
Source:
Dataloss DB
April 29, 2009
llinois Department on Aging
GOV
DISC
170
A spreadsheet with worker names and Social Security numbers was found on the Internet. The data, prepared for an outside
auditing firm, was released to a so-called peer-to-peer network during a music transfer to an agency laptop. 160 employees
and another 10 or so former staffers were alerted to the breach.
Information
Source:
Dataloss DB
April 28, 2009
West Virginia State Bar
NGO
HACK
Unknown
99
April 28, 2009
Charleston, West Virginia
NGO
HACK
Unknown
The West Virginia State Bar has hired forensic computer experts in hopes of finding those responsible for hacking into the
group's website and internal computer network. Information about the State Bar's current and former members may have
been compromised. The hacker was able to access the group's internal database server where there was information
concerning lawyer identification numbers, names, mailing addresses, email addresses and some Social Security numbers.
Information
Source:
Dataloss DB
April 27, 2009
Federal Reserve Bank of New York
New York, New York
BSF
INSD
Unknown
A former employee at the Federal Reserve Bank of New York and his brother were arrested on suspicion of obtaining loans
using stolen identities. The former employee previously worked as an IT analyst at the bank and had access to sensitive
employee information, including names, birthdates, Social Security numbers and photographs. A thumb drive attached to his
computer had applications for $73,000 in student loans using two stolen identities. They also found a fake drivers license
with the photo of a bank employee who wasn't the person identified in the license.
Information
Source:
Media
April 23, 2009
Oklahoma Department of Human Services
GOV
PORT
1,000,000
(866) 287-0371
Some personal information may have been contained on a laptop computer stolen from an agency employee. Information on
the stolen computer included names, Social Security numbers and dates of birth for people who receive DHS services.
Information
Source:
Dataloss DB
April 22, 2009
Marian Medical Center
Santa Maria, California
MED
PORT
3,200
Recent patients of the emergency room and Urgent Care Center have been alerted that a Blackberry containing patient
information was stolen from the hospital. The Blackberry contained an email message that included patient information, such
as Social Security numbers, dates of birth and medical histories.
Information
Source:
Dataloss DB
April 22, 2009
New York State Tax Department
New York, New York
GOV
INSD
2,000
A former New York state tax department worker was accused of stealing the identities of thousands of taxpayers and running
up more than $200,000 in fraudulent charges. The former employee gathered credit card, brokerage account and Social
Security numbers that he used to open more than 90 credit card accounts and lines of credit between 2006 and 2008.
Investigators searched the employee's home, they found more than 700 state tax forms containing identifying taxpayer
information. They also found more than 300 birth certificates, more than 1,000 Social Security cards, credit card statements
and applications, and some 2,000 notes with Social Security numbers, many accompanied by handwritten notes such as
good prospect, had money and go with this one.
Information
Source:
Media
100
April 20, 2009
FairPoint Communications Inc.
BSO
PORT
4,400
A worker's failure to abide by security precautions caused a portable data-storage device containing employee information to
disappear. The device contained information for all current FairPoint employees and some former employees, or about
4,400 individuals in total. Such data may have included names, home addresses and phone numbers, Social Security
numbers, birth dates and certain compensation and employment information.
Information
Source:
Dataloss DB
April 16, 2009
MySpace
BSO
INSD
Unknown
(877) 369-1369
Confidential employee information, including at least name, Social Security numbers and compensation, was taken by an
employee in the company's benefit's department without authorization, beginning in June 2008 or earlier. The information
was used to annoy selected individuals and the now former employee was arrested and is being prosecuted by the High
Tech Crimes Division of the Los Angeles County District Attorneys Office.
Information
Source:
Dataloss DB
April 16, 2009
Fox Entertainment Group
BSO
INSD
Unknown
An employee was caught accessing the Social Security numbers, names, compensation information and other personal
information of employees. The former employee misused the information within the organization; but it is not known if they
gave it to outside parties.
Information
Source:
Dataloss DB
April 13, 2009
Irving Independent School District
Irving, Texas
EDU
PHYS
Unknown
Identity thieves using the names and Social Security numbers of Irving Independent School District employees have made
thousands of dollars in credit card purchases. At least 64 of the 3,400 teachers and other employees names were on an old
benefits report that somehow ended up in the trash.
UPDATE (2/4/10): At least one woman involved in the crime was caught in January of 2009 and sentenced on February 4,
2010.
Information
Source:
Media
April 13, 2009
Moses Cone Hospital
MED
PORT
14,380
Moses Cone Hospital is offering free credit monitoring to 14,380 patients after a laptop computer containing confidential
information was stolen from a VHA employee's car. The information on the laptop, including patients' Social Security
numbers.
Information
Source:
Dataloss DB
101
April 12, 2009
CBIZ Medical Management Professionals
MED
STAT
Unknown
The office of CBIZ Medical was broken into on Feb. 23. Among the items stolen was a computer belonging to the hospital
with stored radiology reports related to some patients. Patients between December 2007 and Feb. 23, 2009, may have had
records saved on the stolen computer.
Information
Source:
Dataloss DB
April 11, 2009
Peninsula Orthopaedic Associates
Salisbury, Maryland
MED
PORT
100,000
As many as 100,000 patients of Peninsula Orthopaedic Associates are being warned to protect themselves against identity
theft after tapes containing patient information were stolen. Patients also were advised to keep an eye on benefits
statements from their health insurance companies since they may also be at risk for medical identity theft. The records from
Peninsula Orthopaedic were stolen March 25 while in transport to an off-site storage facility. Patients' personal information
including their Social Security numbers, employers and health insurance plan numbers may have been among the
information stolen.
Information
Source:
Dataloss DB
April 10, 2009
Borrego Springs Bank, Vavrinek, Trine, Day and Co.
Borrego Springs, California
BSF
PORT
Unknown
The theft of seven laptop computers from an auditing firm has led the Borrego Springs Bank to send warning letters to all of
its customers saying their personal financial information may be in the hands of criminals. The bank would not comment on
the name of the accounting firm that was auditing the records or how or where the thefts occurred. The computer files
contain sensitive personal financial information including account name, number and balance.
Information
Source:
Dataloss DB
April 9, 2009
Penn State Erie/Behrend College
Erie, Pennsylvania
EDU
HACK
10,868
On March 23, the University confirmed that 10,868 Social Security numbers in historical data on a computer at Penn State
Erie, The Behrend College, could have been breached. Longstanding security measures, designed to protect the network
and systems from malicious software, alerted the University to the potential breach. As soon as the University became aware
of the malicious software on this computer, the computer was immediately taken off line, data was examined and information
was removed.
Information
Source:
Dataloss DB
April 8, 2009
Metro Nashville School/Public Consulting Group
EDU
DISC
18,000
(615) 259-INFO (4636)
Metro Nashville students' names, Social Security numbers, addresses and dates of birth and parents' demographic
information were available by searching Google. A private contractor unintentionally put student data on a computer Web
server that wasn't secure. The data was available online from Dec. 28 to March 31.
Information
Source:
Dataloss DB
102
April 8, 2009
Hawaii Department of Transportation
Kapolei, O'ahu, Hawaii
GOV
PORT
1,892
Holders of Hawai'i commercial driver's licenses are being warned to take measures to prevent identity theft after a state
computer containing personal information was stolen three weeks ago. The laptop computer contained the names,
addresses, Social Security numbers and other personal information of 1,892 commercial vehicle license drivers.
Information
Source:
Dataloss DB
April 6, 2009
City of Culpeper
Culpepper, Virginia
GOV
DISC
7,845
Personal information for 7,845 town taxpayers was exposed on the Internet due to a vendor's mistake. The unidentified
vendor had the records to reformat the town's personal property tax file for billing purposes. The files containing the names,
addresses and Social Security numbers of residents were on a password-protected site that was compromised.
Information
Source:
Dataloss DB
April 3, 2009
Policy Studies, Inc., Tenn. Dept. of Human Services
GOV
INSD
1,600
A former child support worker was arrested after attempting to sell the personal information - including names, Social
Security numbers and bank account numbers - of 1,600 people. He sold a total of 35 names, dates of birth and Social
Security numbers between October 2008 and last month, all to an undercover operative of the Tennessee Bureau of
Investigation. He claimed to the operative that he had similar information that he was willing to sell for an additional 1,500
people, and was arrested while meeting with the operative to deliver the information.
Information
Source:
Dataloss DB
April 1, 2009
Palo Alto Medical Foundation
MED
PORT
1,000
A laptop computer recently stolen at the Palo Alto Medical Foundation's Santa Cruz office contained personal and medical
information of 1,000 Santa Cruz County patients.
Information
Source:
Dataloss DB
April 1, 2009
State of Maryland
, Maryland
GOV
PHYS
8,000
The names, Social Security numbers and other personal information of about 8,000 state employees could be compromised.
The potential problem came to light when a torn and empty envelope from the company that manages the state's health
savings account program arrived by U.S. mail. The envelope was missing an invoice that contains confidential information.
Information
Source:
Dataloss DB
March 31, 2009
Symantec
BSO
INSD
200
Symantec is warning a small number of customers that their credit card numbers may have been stolen from an Indian call
103
center used by the security vendor. Symantec sent out warning letters , after the BBC reported that it managed to purchase
credit card numbers obtained from Symantec's call center from a Delhi-based man. The letters were sent to just over 200
customers. Most of those notified are in the U.S., but the company also notified a handful of customers in the U.K. and
Canada.
Information
Source:
Dataloss DB
March 27, 2009
Pacific University
Forest Grove, Oregon
EDU
PORT
Unknown
Student Life (503) 352-2212, Faculty and staff (503) 352-1511, Legal Affairs (503) 352-2236
A University-owned laptop was stolen from a staff member's residence. The stolen laptop was password protected and there
is no factual evidence that any private information was stored on the laptop. The computer contained names and some
personal information. It does not appear that any Social Security numbers were stored on the system.
Information
Source:
Media
March 24, 2009
Massachusetts General Hospital
MED
PHYS
66
Massachusetts General Hospital has put dozens of patients on notice that it has lost some of their confidential medical
records, which were left on an MBTA Red Line train by a hospital employee. The MGH employee left the hospital, taking the
records with her to do billing work on them over the weekend. The records belonged to at least 66 patients and included
private information such as the patients' diagnoses, their names, birth dates and billing information.
Information
Source:
Dataloss DB
March 23, 2009
Maryland Federal Court
Baltimore, Maryland
GOV
DISC
226
A filing error in Maryland's federal court resulted in health insurance information for 226 people - including 42 Social Security
numbers - being made available to the public for more than two weeks. The private information of Washington area
residents was included in requests for warrants to search the doctors' offices in Suitland, La Plata, Oxon Hill and Falls
Church as part of a health care fraud investigation. The warrants were marked as being sealed and, therefore, were not
supposed to be made public.
Information
Source:
Media
March 19, 2009
Bailey Middle School
EDU
PHYS
21
A Nashville mother who was walking along found confidential paperwork that lists Metro school students' names, Social
Security numbers and disabilities. The Metro Schools spokeswoman said they will trace the documents and try to figure out
how they got where they weren't supposed to be.
Information
Source:
Media
March 18, 2009
Central Ohio Transit Authority
Columbus, Ohio
GOV
DISC
900
More than 900 current and former COTA employees recently learned their Social Security numbers had been sent to dozens
104
of health-insurance companies. Central Ohio Transit Authority officials notified administrative employees who have or had
worked for COTA since 2004 that personnel workers gave 51 companies their names and identification numbers. The
information went to companies proposing to bid on providing long-term disability insurance to COTA. In 2006, COTA also
sent information on union employees to 39 potential insurance providers.
Information
Source:
Dataloss DB
March 18, 2009
University of West Georgia
Carrollton, Georgia
EDU
PORT
1,300
University of West Georgia officials have notified nearly 1,300 students and faculty members that their personal information
was on a laptop stolen from a professor traveling in Italy. The laptop was taken last summer, but university officials say they
only recently learned that the computer contained sensitive information, including names, addresses, phone numbers and
Information
Source:
Dataloss DB
March 18, 2009
Walgreens Health Initiative
Deerfield, Illinois
MED
DISC
28,000
(866) 292-9063
Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed to the Kentucky
Retirement Systems without being properly encrypted for security purposes by its pharmacy benefit provider. The e-mail
contained dates of birth, Social Security numbers and health insurance claim numbers but not personal health information.
The file contained information only on members who were both Medicare-eligible and used the retiree pharmacy benefit
through Walgreens in 2007.
Information
Source:
Dataloss DB
March 18, 2009
New York City Housing Authority
New York, New York
GOV
PHYS
Unknown
Dozens of confidential files with city public housing residents' birth dates, Social Security numbers, and eviction notices were
dumped on an East New York street. City Housing Authority officials are investigating to determine how the files ended up
scattered along Atlantic Ave. near Pennsylvania Ave.
Information
Source:
Dataloss DB
March 17, 2009
Penn State Office of Physical Plant
EDU
HACK
1,000
The Social Security numbers of employees working for the Penn State Office of Physical Plant in 2000 may have been
stolen. A virus infiltrated an administrative computer that contained more than 1,000 Social Security numbers of OPP
employees.
Information
Source:
Dataloss DB
March 16, 2009
University of Toledo
Toledo, Ohio
EDU
STAT
24,450 Only 450 were
added to the total.
105
A computer stolen from the University of Toledo contained personal information for about 24,000 students and 450 faculty
during the 2007-08 and 2008-09 academic years. The student data was directory and educational information, such as
student identification numbers and grade point averages. The faculty information, however, was more personal and included
names, Social Security numbers, birth dates, and more.
Information
Source:
Dataloss DB
March 16, 2009
Comcast
4,000 Not added to
total. SSNs and
BSO
DISC
financial account
numbers were not
accessed.
A list of over 8,000 Comcast user names and passwords were available to the public via Scribd for two months, before a
Wilkes University professor discovered it over the weekend after doing a search for his identity online. Comcast is saying it
looks like the result of a phishing scam and isn't an inside job, and that there are so many duplicate entries on the list that it's
closer to 4,000 customers who were exposed.
Information
Source:
Media
1,600 (Not added to
total. It does not
March 12, 2009
US Army
GOV
HACK
appear that SSNs or
financial account
numbers were
exposed.)
An Army database that contains personal information about nearly 1,600 soldiers may have been penetrated by
unauthorized users. The information that may have been breached includes the service members' names, e-mail messages,
phone numbers, home addresses, awards received, ranks, gender, ethnicity, and dates the soldiers deployed and returned
from their deployment.
Information
Source:
Media
March 12, 2009
Dezonia Group
Chicago, Illinois
BSO
PORT
63,000
The city of Chicago bills people for ambulance rides -- $600 and up. It uses a third party, Dezonia Group, for billing. An
employee's laptop, containing patient names, addresses and Social Security numbers, was stolen from the company.
Reports differ as to whether or not the data was encrypted.
Information
Source:
Dataloss DB
March 11, 2009
Binghamton University
Binghamton, New York
EDU
STAT
100,000
Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area
next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The
information itself contained Social Security numbers, credit card numbers, scans of tax forms, business information
(including Social Security numbers and salary information for employees of students' parents), asylum records and more, all
kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets and shelving
units. If the information inside the room pertained only to the current students enrolled and their parents that would mean the
story would effect, roughly, forty-two thousand people. However, because the information goes back at least ten years, if not
106
more, the potential number of people effect lies well in the hundred thousands.
Information
Source:
Media
Unknown (1000's) (Not
added to total. It does
March 11, 2009
Sprint
Overland Park, Kansas
BSO
INSD
not appear that SSNs
or financial account
numbers were
exposed.)
(800) 300-6868
Sprint is warning several thousand customers that a former employee sold or otherwise provided their account data without
permission. It appears this employee may have provided customer information to a third party in violation of Sprint policy and
state law. They have terminated this employee. The information that may have been compromised includes your name,
address, wireless phone number, Sprint account number, the answer to your security question, and the name of the
authorized point of contact on your account.
Information
Source:
Dataloss DB
March 7, 2009
Idaho National Laboratory
Idaho Falls, Idaho
GOV
PORT
59,000
Idaho's Congressional Delegation this week announced a potential identity theft threat involving information from 59,000
present and former workers at the Idaho National Laboratory at Idaho Falls. DOE notified delegation members that an
encoded disc containing personal data from the employees was either lost or stolen in transit via United Parcel Service. The
package, originally shipped from New York to Maryland, was found damaged.
Information
Source:
Dataloss DB
March 7, 2009
Google
(Not added to total. It
does not appear that
BSO
DISC
SSNs or financial
account numbers were
exposed.)
http://googledocs.blogspot.com/2009/03/on-yesterdays-email.html [113]
Google contacted some of its users to let them know about a situation that affected its Google Docs users. They believe the
problem affected less than 0.05% of all documents. Google identified and fixed a bug where a small percentage of users
shared some of their documents inadvertently. The bug occurred when the document owner, or a collaborator with sharing
rights, selected multiple documents and presentations from the documents list and then changed the sharing permissions.
The bug did not affect spreadsheets.
Information
Source:
Media
March 7, 2009
Oklahoma Department of Human Services
Shawnee, Oklahoma
GOV
PHYS
Unknown
The state Department of Human Services is investigating how a child welfare worker's records ended up with a local TV
station. The files, which included names, Social Security numbers, contact information and details on child abuse
investigations, reportedly were left behind when a DHS worker was evicted from a rent house in Guthrie.
107
Information
Source:
Dataloss DB
March 6, 2009
Federal Emergency Management Agency Region 5 Office
Griffith, Indiana
GOV
PORT
50
A laptop containing Social Security numbers and other personal information from dozens of victims of last September's
floods was reported stolen from a housing inspector's car. Representatives from the Federal Emergency Management
Agency alerted roughly 50 flood victims from Gary, Hammond, Highland, Griffith and Munster whose information was stored
in the laptop after they applied for federal disaster assistance. The password-protected laptop was stolen from a housing
inspector's car in Griffith on Nov. 4, containing names, Social Security numbers, dates of birth, addresses and phone
numbers of people who applied for assistance.
Information
Source:
Dataloss DB
March 5, 2009
St. Rita's Medical Center
Lima, Ohio
MED
PHYS
242
A home-health employee for St. Rita's Medical Center had a bag stolen during an automobile break-in. The bag contained
information on some patients, including names, dated of birth, addresses, phone numbers, patient identification numbers,
and the names of case managers and physicians. In some cases it also included Social Security numbers and the type of
treatment being provided, according to a letter given to the patients involved.
Information
Source:
Dataloss DB
March 4, 2009
Elk Grove Unified School District
Elk Grove, California
EDU
PHYS
520
A document with the Social Security numbers of more than 500 Elk Grove Unified School District employees was lost by a
district employee.
Information
Source:
Dataloss DB
March 4, 2009
New York Police Department
New York, New York
GOV
INSD
80,000
A civilian employee of the department's pension fund is accused of stealing eight tapes containing the Social Security
numbers and direct-deposit information for 80,000 current and retired cops. The employee, who served as the pension
fund's director of communications, has been charged with computer trespass, burglary and grand larceny. He is accused of
removing the tapes from a backup data warehouse on Staten Island after disabling security cameras. Police found the
missing tapes at his home before arresting him.
Information
Source:
Dataloss DB
March 3, 2009
Western Oklahoma State College
Altus, Oklahoma
EDU
DISC
1,500
A computer breach at Western Oklahoma State College may have exposed Social Security numbers and other identifying
information for 1,500 campus library users. An unauthorized program known as a rootkit was installed on a server
administered by an outside party. There is no indication that any of the data on the machine was actually compromised only that the opportunity for someone to access it existed.
108
Information
Source:
Dataloss DB
March 1, 2009
City of Muskogee
Muskogee, Oklahoma
GOV
PORT
4,500
The city of Muskogee recently discovered that a computer zip disk containing personal information has been in public
circulation since 2000. The disk in some cases contained phone numbers and in other cases contained Sociel Security
numbers. It's believed that a forgetful employee scooped up the disk while putting together surplus items no longer used by
the city.
Information
Source:
Dataloss DB
February 26,
2009
Steamboat Springs School District
EDU
Steamboat Springs, Colorado
PORT
1,300
Social Security numbers for 1,300 past and present employees was compromised when a laptop was stolen from the
Steamboat Springs School District office. The laptop had a spreadsheet containing the Social Security numbers and names
of their owners. The spreadsheet was created as part of a requirement from a past district audit. The laptop was passwordprotected, but district officials are warning their employees to be on the lookout for any potential identity theft.
Information
Source:
Dataloss DB
February 23,
2009
EDU
DISC
101
(877) 657-9133 <a href=http://privacy.ufl.edu/incidents/2009/ldap>http://privacy.ufl.edu/incidents/2009/ldap</a>
An undated statement on the University's Web site indicates that on January 20, an LDAP Directory Server configuration
error allowed outside access to a directory containing Social Secerity numbers and other personal data. Personal data
belonging to about 101 people might have been compromised as a result.
Information
Source:
Dataloss DB
February 23,
2009
Seaview Financial
Corona Del Mar, California
BSF
PHYS
Unknown
Folders with personal information for numerous clients of a local mortgage broker sat for days at a public recycling site. The
files contained bank account statements, completed tax forms, credit reports and Social Security numbers.
Information
Source:
Dataloss DB
February 20,
2009
Del Mar College
Del Mar, California
EDU
PHYS
53
A class roster containing the names and Social Security numbers of some 53 Del Mar College students has been stolen. The
roster was taken out of a professor's vehicle parked at Cole Park. The G.E.D. teacher was taking work home Sunday, when
he stopped at Cole Park and his car was broken into.
Information
Source:
Dataloss DB
109
February 20,
2009
Arkansas Department of InformationSystems, Information Vaulting Services
GOV
PORT
807,000
(888) 682-0411 <a href=http://notify.arkansas.gov>http://notify.arkansas.gov</a>
A computer storage tape with data from criminal background checks dating back to the mid-1990s is missing from an
information-protection company's vault. The background-check information includes names, dates of birth, Social Security
numbers and addresses.
Information
Source:
Dataloss DB
February 19,
2009
EDU
HACK
97,200
(877) 657-9133
A foreign hacker gained access to a University of Florida computer system containing the personal information of students,
faculty and staff. The files included the names and Social Security numbers of individuals who used UF's Grove computer
system since 1996.
Information
Source:
Dataloss DB
February 19,
2009
Northeast Orthopaedics, MRecord
MED
DISC
1,000
Records of more than 1,000 patient visits to Northeast Orthopaedics, a large Albany surgical practice, have been posted on
the Internet. The records appeared on the Web site visvabpo.com, which seems to be a defunct outsourcing company in
India called Visva BPO. Those records include patient names, birth dates and Social Security numbers.
Information
Source:
Dataloss DB
February 18,
2009
CVS Pharmacies
Woonsocket, Rhode Island
MED
PHYS
Unknown
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html [114]
The CVS Pharmacy chain, the largest in the country with 6,300 outlets, has agreed to a $2.25 million settlement with the U.S.
Dept. of Health and Human Services. Indianapolis TV station WTHR engaged in an extensive investigation beginning in 2006
of local CVS Pharmacies and their pharmacies in other cities nationwide including Boston, Chicago, Cleveland, Detroit,
Dallas, Louisville, Miami, New Haven (Conn.), Philadelphia, Phoenix, and CVS headquarters in Woonsocket, RI. They found
that CVS pharmacies were disposing of documents, such as labels from prescription bottles and old prescriptions, in
unsecured dumpsters. The HHS's Office of Civil Rights charged that CVS failed to implement adequate policies and
procedures to reasonably and appropriately safeguard protected health information during the disposal process failed to
adequately train employees on how to dispose of such information properly and did not maintain and implement a sanctions
policy for members of its workforce who failed to comply with its disposal policies and procedures. In a coordinated action,
CVS Caremark Corporation, the parent company of the chain, also signed a consent order with the Federal Trade
Commission to settle potential violations of the FTC Act.
UPDATE (7/16/00): A state board has given final approval to settlements with Indiana's two largest drugstore chains for
leaving patient information in the trash. CVS has paid a $2.25 million fine to settle a probe by the U.S. Office of Civil Rights.
Also CVS will donate a $1,000 to charity as part of the state settlement.
Information
Source:
Dataloss DB
February 18,
Rio Grande Food Project
NGO
PORT
36,000
110
2009
NGO
PORT
36,000
A food pantry is warning its clients that tens of thousands of them are at risk for identity theft after a laptop computer
containing their personal information was stolen. The computer contained sensitive personal data including addresses, birth
dates and Social Security numbers.
Information
Source:
Dataloss DB
February 17,
2009
Broome Community College
EDU
DISC
14,000
Broome Community College, sent out a mailing last week with Social Security number posted prominently on the back cover.
The winter/spring 2009 alumni magazine was mailed to 28,000 people, it assumed that less than 14,000 copies had Social
Security numbers on the magazine.
Information
Source:
Dataloss DB
February 16,
2009
Wyndham Hotels & Resorts
BSO
Parsippany, New Jersey
http://www.wyndhamworldwide.com/customer_care/data-claim.cfm
HACK
21,000
[97]
In mid-September 2008, the company discovered that a sophisticated hacker penetrated the computer systems of one of the
hotels. By going through the centralized network connection, the hacker was then able to access and download information
from several, but not all, of the other WHR properties and create a unique file containing payment card information of a small
percentage of WHR customers. Potentially exposed through this breach are guest and/or cardholder names and card
numbers, expiration dates and other data from the card's magnetic stripe.
Information
Source:
Dataloss DB
February 13,
2009
University of Alabama
Tuscaloosa, Alabama
EDU
HACK
37,000
Seventeen of 400 databases were tapped by hackers. Personal information may have been stolen. One of those computers
contained lab results for people tested at the campus medical center. The servers had a database containing 37,000 records
of lab data. They contain the names, addresses, birthdates and Social Security numbers of each person who has had lab
work, such as a blood or urine test, done on the UA campus since 1994.
Information
Source:
Dataloss DB
February 11,
2009
Los Alamos National Laboratory
Los Alamos, New Mexico
GOV
STAT
Unknown
The Los Alamos nuclear weapons laboratory in New Mexico is missing 69 computers, including at least a dozen that were
stolen last year. The computers are a cybersecurity issue because they may contain personal information like names and
addresses. But Los Alamos claims they did not contain classified information. Also missing are three computers that were
taken from a scientist's home and a BlackBerry belonging to another employee that was lost in a foreign country considered
sensitive.
Information
Source:
Dataloss DB
February 10,
SemGroup LP
BSO
DISC
160
111
2009
Tulsa, Oklahoma
BSO
DISC
160
Online banking bandits pulled thousands of dollars from the accounts of current and former employees after personal
information was inadvertently left on a bankruptcy court document made public.
Information
Source:
Dataloss DB
February 9, 2009
Parkland Memorial Hospital
Dallas, Texas
MED
PORT
9,300
A laptop computer that may have contained the names, birthdates and Social Security numbers of 9,300 employees of
Parkland Memorial Hospital was stolen.
Information
Source:
Dataloss DB
February 9, 2009
Federal Aviation Administration
GOV
HACK
43,000 Total increased
to 48,000
Hackers broke into the Federal Aviation Administration's computer system, accessing the names and Social Security
numbers of employees and retirees.
Information
Source:
Dataloss DB
February 9, 2009
U.S. Postal Service Santee
Santee, California
GOV
INSD
Unknown
A mail carrier in San Diego County is accused of stealing dozens of gift cards, debit cards and Social Security documents
sent through the mail. Deputies found 30 gift cards, stolen mail, debit cards and money when the carrier was arrested after
he finished his route. Detectives also found Social Security documents and W-2 wage and tax statements at carrier's home.
Information
Source:
Dataloss DB
February 8, 2009
Kaspersky
Woburn, Massachusetts
BSO
HACK
Unknown
An unidentified hacker gained access to databases used by the usa.kaspersky.com Web site, allowing access to users'
accounts, activation codes and possibly personal data about Kaspersky customers. Kaspersky Lab is a security software
company.
Information
Source:
Media
February 6, 2009
Catskill Regional Medical Center
Harris, New York
MED
INSD
431
A woman was fired for allegedly spying. The employee had access to company files. The files included Social Security
numbers, birth dates, addresses and financial information.
Information
Source:
Dataloss DB
112
February 6, 2009
Kaiser Permanente
Oakland, California
MED
UNKN
29,500
(877) 281-3573
A law enforcement agency seized a computer file with Kaiser data from a person who was subsequently arrested. The
suspect was not a Kaiser employee. Kaiser Permanente is notifying nearly 30,000 Northern California employees that the
security breach may have led to the release of their personal information. The stolen information included names,
addresses, dates of birth and Social Security numbers for Kaiser employees.
Information
Source:
Dataloss DB
February 6, 2009
Purdue University
EDU
DISC
962
http://news.uns.purdue.edu/Payroll0901.html [115]
A mailing error has resulted in 1099 tax forms being sent to the wrong recipients. The incident affected 248 companies and
962 individuals. Those affected by the incident received letters notifying them that their tax information had either been sent
to another or that they themselves had received someone else's information by mistake.
Information
Source:
Dataloss DB
February 5, 2009
Mooresville's Dry Cleaning Station
Mooresville, North Carolina
BSO
INSD
Unknown
A Mooresville dry cleaner skipped town, taking her clients' clothes and credit card numbers with her.
Information
Source:
Dataloss DB
February 5, 2009
phpBB.com
BSO
HACK
400,000 Not added to
total; SSNs were not
accessed.
A popular bulletin board software package has been taken offline following a security breach that gave an attacker full
access to a database containing names, email, address, and hashed passwords for its entire user base. The attacker gained
access through an unpatched security bug in PHPlist, a third-party email application.
Information
Source:
Media
February 4, 2009
Womancare Inc.
Lathrup Village, Michigan
MED
PHYS
unknown
Medical records were improperly disposed of. Pro-Life Society found the records in a dumpster behind the office.
Information
Source:
Dataloss DB
February 4, 2009
Texas Veterans Commission
Waco, Texas
GOV
DISC
20
113
A Waco individual received a packet in the mail with the application for her daughter's tuition benefits. At the bottom of the
packet, was a claims log that listed more than 20 veterans names, Social Security numbers and medical claim information.
The Waco Veterans Commission and the VA's regional office were not able to explain how the veterans' personal
information found its way into the envelope containing the unrelated information about the tuition benefits for the woman's
daughter.
Information
Source:
Dataloss DB
February 3, 2009
Baystate Medical Center
MED
PORT
Unknown
(413 )794-4722
Several laptops were stolen from Baystate Medical Center's Pediatrics department. Some of those computers had patient
information on them. All of the information is password protected and the computers had no financial or Social Security
information on them.
Information
Source:
Dataloss DB
February 3, 2009
SRA International
Fairfax, Virginia
BSO
HACK
Unknown
Malicious software may have allowed hackers to get access to data maintained by SRA, including employee names,
addresses, Social Security numbers, dates of birth and healthcare provider information.
Information
Source:
Dataloss DB
February 3, 2009
Georgia State Board of Pardons and Paroles
Atlanta, Georgia
GOV
STAT
Unknown
The offices of a state contractor in Roswell were burglarized and a computer was stolen. Information regarding current and
past parolees that was lost in a burglary includes names, dates of birth and Social Security numbers.
Information
Source:
Dataloss DB
February 2, 2009
Southern Satellite
Orange City, Florida
BSO
PHYS
Unknown
Hundreds of folders containing names, addresses, Social Security numbers and credit card information were found in a
dumpster.
Information
Source:
Dataloss DB
February 2, 2009
St. Anthony Central Hospital
Denver, Colorado
MED
INSD
150
Boxes, filing cabinets and trash bags full of hundreds of U.S. passports, birth certificates, driver's licenses, Social Security
cards and other documents - most stolen within the past two years were found in a storage unit. A hospital employee
admitted to stealing the records. Also found were hospital records containing dates of birth, Social Security numbers and
copies of the driver's licenses of 150 patients who had been admitted into the emergency room or general surgery.
114
Information
Source:
Dataloss DB
January 31, 2009
Columbia University
New York, New York
EDU
PORT
1,400
About 1,400 current, former and prospective students at Columbia University have been told that their personal information,
including Social Security numbers, is vulnerable following a security breach. The university said information about the
students, as well as some current and past employees, was on three password-protected notebook computers that were
stolen from a Columbia College.
Information
Source:
Dataloss DB
January 31, 2009
HoneyBaked Ham
BSR
PHYS
Unknown
A computer server stocked with credit-card information was stolen from a store. Customers might be at risk.
Information
Source:
Dataloss DB
January 31, 2009
Ball State University
Muncie, Indiana
EDU
DISC
19
A employee sent out an e-mail, to verify contact information, to 91 special events staff with an excel spreadsheet attachment
that, unbeknownst to the employee, included the Social Security number of 19 of the workers.
Information
Source:
Dataloss DB
January 30, 2009
Kansas State University
Manhattan, Kansas
EDU
DISC
45
(785) 532 4441
Students who were enrolled in an agricultural economics class in spring 2001 inadvertently had some personal information
exposed on the Internet through a K-State departmental Web site. Names, Social Security numbers and grades of those
students have been exposed since 2001.
Information
Source:
Dataloss DB
January 30, 2009
Coos Bay Department of Human Services
Coquille, Oregon
GOV
HACK
45
A scammer made off with Social Security numbers after sending a virus online to a computer at the Department of Human
Services office. An application that was installed recorded keystrokes and sent them to an external address. The information
was taken from Coos County residents.
Information
Source:
Media
January 30, 2009
Indiana Department of Administration
GOV
DISC
8,775
115
Social Security numbers of current and former state employees were accidentally posted on a state Web site for about two
hours. The Social Security numbers were erroneously included in a contract solicitation file posted on the department's
procurement Web site.
Information
Source:
Dataloss DB
January 28, 2009
CityStage
NGO
DISC
60
A computer system might have exposed credit card information of customers on the Internet. The probably occurred in
December while the theater's Web contractor was changing servers. Credit card numbers might have been compromised.
Information
Source:
Dataloss DB
January 27, 2009
U.S. Consulate
,
GOV
PHYS
Unknown
Hundreds of files - with Social Security numbers, bank account numbers and other sensitive U.S. government information were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.
Information
Source:
Media
January 27, 2009
Beaumont City
Beaumont, Texas
GOV
DISC
500
Personal information of current and former Beaumont city workers was accidentally posted online. The information, including
birth dates and Social Security numbers.
Information
Source:
Dataloss DB
January 27, 2009
Citi Habitats
New York, New York
BSO
PHYS
Unknown
During a refurbishing of their office, paper that should have been shredded was improperly placed as trash. Information
found blowing in the street included bank statements, 401k statements, credit reports, tax returns, driver's licenses, names,
phone numbers and Social Security numbers.
Information
Source:
Dataloss DB
January 26, 2009
Madison, WI. Human Resources Department
Madison, Wisconsin
GOV
PORT
500
An oversight by the city of Madison's personnel office is the reason Social Security numbers of city employees were stored
on a laptop computer stolen from a city office. Any official or employee - except those in the police, fire and transit
departments - who was issued a new or replacement city identification card from the start of 2004 through 2007 may be at
risk. Data on the laptop included photos, names and Social Security numbers.
Information
Source:
Dataloss DB
116
January 26, 2009
U.S. Military
GOV
UNKN
60
A New Zealand man accesses US military secrets on an MP3 player he bought from an Oklahoma thrift shop for $18. When
the 29-year-old hooked up the player he discovered a playlist he could never have imagined - 60 files in total, including the
names and personal details of American soldiers.
Information
Source:
Media
January 23, 2009
Monster.com
BSO
Maynard, Massachusetts
http://help.monster.com/besafe/ [116] , http://help.monster.com/besafe/jobseeker/index.asp
HACK
Unknown
[117]
Their database was illegally accessed and user IDs, passwords, names, e-mail addresses, birth dates, gender, ethnicity, and
in some cases, users' states of residence were stolen.
Information
Source:
Media
First Interstate Mortgage Corporation (FIM), Nevada One Corporation (Nevada
January 21, 2009 One)
BSF
PHYS
Unknown
, Nevada
http://www.ftc.gov/opa/2009/01/navone.sht [118]
These mortgage brokers have discarding consumers' tax returns, credit reports, and other sensitive personal and financial
information in an unsecured dumpster in December of 2006. Approximately 40 boxes containing consumer records were
found in a publicly-accessible dumpster. The records included tax returns, mortgage applications, bank statements,
photocopies of credit cards, drivers' licenses, and at least 230 credit reports. The defendant, who has owned numerous
companies that handle sensitive consumer information, kept the documents in an insecure manner in his garage before
improperly disposing of them.
UPDATE (1/20/10): The mortgage broker paid a $35,000 civil penalty to settle FTC charges. The mortgage broker will also
have to hire an independent security professional to review the security process every year for 10 years.
Information
Source:
NAID
January 21, 2009
Missouri State University
Springfield, Missouri
EDU
DISC
565 Not included in
total -- not known how
many students have
SSNs.
Personal information, including Social Security numbers for 565 foreign students at MSU was leaked this month when a
university office sent an e-mail message soliciting their help with language tutoring. The email message they got had a
spreadsheet attachment that contained names and Social Security numbers for international students.
Information
Source:
Dataloss DB
January 20, 2009
Kanawha-Charleston Health Department
GOV
INSD
11,000
People who received flu shots from the agency since October are being warned that their personal information may have
been stolen by a former department temporary worker. Information included their names, Social Security numbers,
addresses and other personal information.
117
Information
Source:
Dataloss DB
January 20, 2009
Heartland Payment Systems
Princeton, New Jersey
http://www.justice.gov/opa/pr/2009/August/09-crm-810.html [119] , http://www.2008breach.com
BSF
HACK
More than 130 million
[120]
After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, the company last
week found evidence of malicious software that compromised card data that crossed Heartland's network. This incident may
be the result of a global cyberfraud operation.
UPDATE (1/26/09): Heartland Payment Systems has been sued. The lawsuit seeks damages and relief for the inexplicable
delay, questionable timing, and inaccuracies concerning the disclosures with regard to the data breach, which is believed to
be the largest in U.S. history.
UPDATE(2/12/09): According to BankInfoSecurity.com, the number of financial institutions [121] that have come forward to say
they have been contacted by their credit card companies Visa and MasterCard in relation to the breach has jumped from
fewer than 50 to more than 200.
UPDATE (6/4/09): While it's hard to get a handle on just how many consumers were affected by the Heartland Payment
Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656.
UPDATE (6/16/09): Heartland lawsuits to be heard in Texas. The Judicial Panel on Multidistrict Litigation in Louisville, KY
issued its decision to consolidate the class action suits. The lawsuits will be heard in the Southern District Court of Texas in
Houston. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against
Princeton,N.J.-based Heartland.
UPDATE (7/6/09): Heartland Payment Systems successfully completed the first phase of an end-to-end encryption pilot
project designed to enhance its security.
UPDATE (8/20/09): Albert Segvec Gonzalez has been indicted by a federal grand jury in New Jersey - along with two
unnamed Russian conspirators - on charges of hacking into Heartland Payment Systems, the New Jersey-based card
processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the
indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in
the TJX hack.
Total records breached: 100 million transactions per month. It is unclear how many account numbers have been
compromised, and how many are represented by multiple transactions. The number of records breached is an estimate,
subject to revision.
UPDATE (8/20/09): According to the court document [122] , hackers stole more than 130 million credit and debit card numbers
from Heartland and Hannaford combined.
UPDATE (5/12/10): The costs to Heartland Payment Systems Inc. from the massive data breach that it disclosed in January
2009 appear to be steadily adding up. Quarterly financial results released by Heartland last week show that the card
payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly
$60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees. That total
also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the
breach. One example of what the fund is set up for is Heartland's offer to settle several consumer class action lawsuits
against it for $4 million. So far, Heartland has recovered about $30 million from insurance companies.
UPDATE (6/2/10): Heartland Payment Systems has made a third settlement deal, this time with MasterCard, related to a
massive data breach two years ago at the card payments processor. As part of the deal, Heartland has agreed to pay as
much as US$41.1 million to MasterCard issuers that lost money as a result of the data breach. The deal is contingent on
financial institutions representing 80 percent of the affected MasterCard accounts accepting the offer by June 25.
MasterCard is recommending that issuers accept the offer.
Information
Source:
Dataloss DB
January 16, 2009
Southwestern Oregon Community College
Coos Bay, Oregon
EDU
PORT
200
A laptop computer was stolen from the campus putting former and current students at risk.
118
Information
Source:
Dataloss DB
January 14, 2009
Occidental Petroleum Corporation
Dallas, Texas
BSO
INSD
Unknown
(800) 733-0085
A former employee emailed himself (to personal email account) a spreadsheet of employee names, addresses, empolyee
identification numbers, birth dates, starting dates, retirement dates and Social Security numbers.
Information
Source:
Dataloss DB
January 13, 2009
University of Oregon
Eugene, Oregon
EDU
PORT
Unknown
(541) 346-2510
A laptop computer containing data files for Youth Transition Program (YTP) participants was stolen. Those files contained
names and social security numbers.
Information
Source:
Dataloss DB
January 13, 2009
Innodata Isogen, Inc.
Hackensack, New Jersey
BSO
PORT
Unknown
Laptop stolen from an employee's car contained names, addresses, Social Security numbers of current and former
employees.
Information
Source:
Dataloss DB
January 13, 2009
Seventh-Day Adventist Church
Silver Spring, Maryland
NGO
PORT
292
A Laptop stolen and recovered contained names and Social Security numbers.
Information
Source:
Dataloss DB
January 13, 2009
Continental Airlines
Neward, New Jersey
BSO
PORT
230
A laptop containing fingerprints, Social Security numbers, names, addresses, was stolen from a locked Newark office.
Information
Source:
Dataloss DB
January 13, 2009
Blue Ridge Community Action
Morganton, North Carolina
NGO
PORT
300
Social Security numbers were on an external computer hard drive that is missing or stolen. The hard drive contained
information on clients from four counties who have used the organization's services in the past four or five years. The
119
external hard drive was used to back up information on clients.
Information
Source:
Dataloss DB
January 12, 2009
Columbus City Schools
EDU
Columbus, Ohio
PHYS
100
Columbus City Schools experienced a security breach, resulting in employees' Social Security numbers being at risk. CPD
officers went to serve drug and auto-theft felony warrants. During the arrest officers learned there might be stolen personal
information in the house and found personal information on district employees. It is believed the suspects either stole or
intercepted part of a mailing from the payroll division that was en route to annuity companies.
Information
Source:
Dataloss DB
January 11, 2009
University of Rochester
EDU
Rochester, New York
HACK
450
Personal information including Social Security numbers of about 450 current and former University of Rochester students
was stolen by hackers this week from a UR database. The information was taken from a non-academic student database
and copied illegally to an off-campus IP address.
Information
Source:
Dataloss DB
January 7, 2009
Genica, Geeks.com
BSO
(888) 529-6261 http://www1.ftc.gov/opa/2009/02/compgeeks.shtm
HACK
Unknown
[123]
Genica dba Geeks.com (Genica) recently discovered that customer information, including Visa credit card information, may
have been compromised. In particular, it is possible that an unauthorized person may be in possession of your names,
addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers. They
are still investigating the details of this incident, but it appears that an unauthorized individual may have accessed this
information by hacking the eCommerce website.
Information
Source:
Dataloss DB
January 6, 2009
CheckFree Corp.
Atlanta, Georgia
BSF
HACK
5,000,000
CheckFree Corp. and some of the banks that use its electronic bill payment service say that criminals took control of several
of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. The
company believes that about 160,000 consumers were exposed to the Ukrainian attack site. However, because the company
lost control of its Web domains, it doesn't know exactly who was hit. It has warned a much larger number of customers. This
breach was reported back in Dec. 3, 2008.
Information
Source:
Dataloss DB
January 5, 2009
Library of Congress
Washington, Delaware
GOV
INSD
10
An employee in the human resources department of the Library of Congress was charged with conspiring to commit wire
fraud in which he stole information on at least 10 employees from library databases. He passed the information to a relative,
120
who used it to open the accounts. Together, the two are alleged to have bought $38,000 worth of goods through the
accounts.
Information
Source:
Dataloss DB
January 2, 2009
Merrill Lynch
BSF
New York, New York
STAT
Unknown
A third-party consulting services firm working on behalf of Merrill Lynch reported, one of their employees was burglarized.
The burglars took various items, including a computer, which had on it the names and Social Security numbers of current
and former Financial Advisors and some applicants for employment.
Information
Source:
Dataloss DB
January 2, 2009
Pepsi Bottling Group
BSR
Somers, New York
PORT
Unknown
For More Info Contact: David Yawman <a href=mailto:[email protected]>[email protected]</a> (914)
767-7620 or (866) 578-5410
A portable data storage device, which contained personal information, including the names and Social Security numbers of
employees in the US is missing or stolen.
Information
Source:
Dataloss DB
December 31,
2008
New Hampshire's Lakes Region General Hospital
Laconia, New Hampshire
MED
PHYS
1,500
A package containing personnel medical information on patients is missing. UPS recently shipped the parcel from a Woburn,
Mass. central processing agent to the hospital, but the package never arrived. Information contained in the package includes
patient names, possible Social Security numbers, dates of service and diagnosis code numbers for different diagnosis or
medical procedures.
Information
Source:
Dataloss DB
December 31,
2008
Ohio State University
Columbus, Ohio
http://www.studentlife.osu.edu/dataexposure
EDU
DISC
18,000
[124]
Ohio State University has notified 18,000 current and former students that their personel information was mistakenly stored
on a computer server exposed to the Internet. The data included student names, Social Security numbers, addresses and
coverage dates for those enrolled in the health insurance plan for three quarters in 2005-06.
Information
Source:
Dataloss DB
December 29,
2008
RBS WorldPay
Atlanta, Georgia
BSF
HACK
1.1 million
http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf [125] ,
http://louisville.bizjournals.com/louisville/othercities/atlanta/stories/2008/12/22/daily24.html [126]
121
RBS WorldPay belatedly admitted that hackers broke into their systems. In the US up to 1.1 million Social Security numbers
were exposed as a result of the breach. Pre-paid cards including payroll cards and open-loop gift cards were affected. RBS
stated that PINs for all PIN-enabled cards have been reset.
UPDATE (2/3/09): Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering
$9 million from ATMs in 49 cities worldwide. Alleged hackers are still at large and could orchestrate another attack.
UPDATE (2/10/09): "Certain personal information" of 1.5 million card holders and Social Security numbers of 1.1 million
people were compromised. A class action law suit has been filed against RBS WorldPay.
UPDATE (5/28/09): RBS WorldPay says it has returned to Visa's and MasterCard's lists of validated service providers. It was
recently certified as compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2.
UPDATE (4/05/10): Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of
$9.5 million from Atlanta-based card processing company RBS WorldPay.
Information
Source:
Dataloss DB
December 25,
2008
Pulte Homes Las Vegas Division
Las Vegas, Nevada
BSO
PHYS
16,000
A box containing computer backup tapes was stolen. Computer tapes holding private customer information including names,
addresses, driver's license numbers and financial account numbers were stolen from a Pulte Homes office in Las Vegas.
Information
Source:
Dataloss DB
December 24,
2008
Federal Emergency Management Agency
New Orleans, Louisiana
GOV
DISC
16,857
An unauthorized breach of private information resulted in the information release of 16,857 names, Social Security numbers,
phone numbers, and other private details of people who had applied for benefits. The information was flashed on a pair of
privately run Web sites, but for how long was unclear.
Information
Source:
Dataloss DB
December 23,
2008
Cedars-Sinai Medical Center
MED
INSD
1,000
A former billing department employee is in custody on $895,000 bail for allegedly stealing the personal information of 1,000
hospital patients and using it to bilk insurance companies.
Information
Source:
Dataloss DB
December 23,
2008
Ohio University-Chillicothe
Chillicothe, Ohio
EDU
PORT
38
An external computer hard drive was discovered missing or stolen. Current and former wellness center members' Social
Security numbers were on the hard drive.
Information
Source:
Dataloss DB
December 22,
2008
University of North Carolina School of the Arts
Winston-Salem, North Carolina
EDU
DISC
2,700
122
Names and Social Security numbers may have been accidentally exposed in a security breach involving a university
computer server. The security breach occurred in May of 2006 and affected students who were enrolled between 2003 and
2006.
Information
Source:
Dataloss DB
December 21,
2008
Connecticut Department of Motor Vehicles
Wethersfield, Connecticut
GOV
PHYS
155
The Connecticut Department of Motor Vehicles is notifying customers that their personal information may have been on a
computer stolen from a mobile service center vehicle while it was being repaired. Personal data on the computer included
names, addresses, date of birth, license numbers, photo and signature.
Information
Source:
Media
December 19,
2008
Austin Peay State University
Clarksville, Tennessee
EDU
PHYS
750
Two computers containing personal information were stolen. The computers contained names and Social Security numbers
of students.
Information
Source:
Dataloss DB
December 18,
2008
Bill Dube Ford/Toyota
Dover, New Hampshire
BSR
PORT
10,000
Personal information from thousands of people in New Hampshire and Massachusetts has been compromised after a data
backup tape was stolen. The data include names, addresses, Social Security numbers and driver's license information.
Information
Source:
Dataloss DB
December 17,
2008
New Hampshire Deptartment of Health and Human Services
GOV
DISC
9,300
Health and Human Services mistakenly released the Social Security numbers and other personal information of Medicare
Part D recipients. The information was mistakenly attached to a e-mail to health care organizations including nursing homes.
Information
Source:
Dataloss DB
December 15,
2008
University of North Carolina
EDU
HACK
Unknown
A breach of the accounting computer systems at UNC-Greensboro may have exposed personal employee information to
intruders. The breach was detected on a computer in the Accounting Services office, in the form of a virus that may have
allowed unauthorized access.
Information
Source:
Dataloss DB
123
December 15,
2008
Louisiana Department of Revenue
Baton Rouge, Louisiana
GOV
DISC
299
The Louisiana Department of Revenue accidentally divulged the personal information of taxpayers to other people with tax
debts. The department says letters mailed to taxpayers who owe money also listed the name, address, Social Security
number and debt for a different taxpayer on the other side of the paper.
Information
Source:
Dataloss DB
December 14,
2008
Zyacorp Entertainment Cinemagic Stadium
Merrimack, New Hampshire
BSR
HACK
Unknown
Hackers broke into a Merrimack movie theater's servers and stole customers' credit card information.
Information
Source:
Dataloss DB
December 12,
2008
DJO, Empi Recovery Services
St. Paul, Minnesota
MED
PORT
68,857
A laptop was stolen from an employee's car in Minneapolis. The laptop contained the names, addresses, account balances,
insurance company, and Social Security numbers of patients.
Information
Source:
PHIPrivacy.net
December 12,
2008
Oregon Health & Science University
Portland, Oregon
EDU
PORT
890
A laptop stolen in Chicago this week contained health records. It was stolen from a hotel while an OHSU employee was there
on business. The data could include medical record numbers, names, telephone numbers, dates of birth, gender, Social
Security numbers, addresses.medical diagnosis category and category of treatment - but not the specific treatments.
Information
Source:
Dataloss DB
December 11,
2008
Hewlett-Packard, Symantec
Houston, Texas
BSR
PORT
Unknown(1000's)
Several thousand employee records were contained on a laptop that was stolen from an HP employee based in the Houston
area. At first HP thought that there was no sensitive information on the laptop, but after looking into back-up files, the
company realized that it contained names and Social Security numbers of current and former employees.
Information
Source:
Dataloss DB
December 5,
2008
Cal Poly Pomona
Pomona, California
EDU
DISC
675
A student informed the university that he accessed an Excel file containing his personal information and others while on the
Internet. The information includes names, addresses, phone numbers and Social Security numbers.
Information
Source:
Dataloss DB
124
December 3,
2008
Central California Appellate Program
NGO
PORT
Unknown
A backup computer disk was in a safe taken by thieves who broke into a storage facility. Besides Social Security numbers,
the disk contained tax identification numbers, addresses, telephone numbers and e-mail addresses.
Information
Source:
Dataloss DB
December 2,
2008
US Army
GOV
PORT
6,000
A possible security breach regarding the personal information stored on a lost laptop computer affecting more than 6,000
beneficiaries. Names, Social Security numbers and health information of at least 26 individuals were stored on the laptop.
However, information on approximately 6,000 other patients also may have been on the missing computer.
Information
Source:
Dataloss DB
December 2,
2008
Florida Agency for Workforce Innovation
GOV
DISC
259,193
Employment information and more than a quarter million Social Security numbers were posted online. The breach occurred
when several thousand Excel and text files containing millions of employment records were posted in the course of
developing a new website.
Information
Source:
Dataloss DB
November 26,
2008
Luxottica Group, Things Remembered
Mason, Ohio
BSR
HACK
59,419
A routine check by the information technology department discovered that a hacker had been inside a computer mainframe
and downloaded the personal information of former workers. The victims lost names, addresses and Social Security
numbers to the hacker.
Information
Source:
Dataloss DB
November 25,
2008
Weber State University
Ogden, Utah
GOV
PHYS
70
In a break in, thieves made off with approximately $1,600 in cash, three computers and a postal scale. Hard-copy records of
post office box rental information was also taken from the center. Some of the stolen rental cards contained names,
addresses and Social Security numbers for members of the campus community who rented post office boxes in the union
building during the past eight years.
Information
Source:
Dataloss DB
November 24,
2008
Starbucks Corp.
Seattle, Washington
BSR
PORT
97,000
A laptop containing private information on employees was stolen. The information included names, addresses and Social
Security numbers.
125
Information
Source:
Dataloss DB
November 22,
2008
Maryland Department of the Environment
Baltimore, Maryland
GOV
PORT
1,367
Two laptop computers containing the names and Social Security numbers of people formerly employed by the Maryland
Department of the Environment were stolen.
Information
Source:
Dataloss DB
November 21,
2008
Jackson-Madison County School System
Jackson, Tennessee
EDU
PORT
200
A computer disk containing Social Security numbers and test scores was stolen from a principal's car.
Information
Source:
Dataloss DB
November 21,
2008
B.J. Accessories and Tax Preparation
New Bern, North Carolina
BSO
STAT
70
A computer was stolen containing identity information on about 70 people. Information on the computer may have had Social
Security Numbers on it.
Information
Source:
Dataloss DB
November 20,
2008
Law office of former Texas attorney
Rio Grande Valley, Texas
BSO
STAT
627
An individual purchased a used computer and memory stick from a pawn shop. He discovered sensitive information on the
computer and traced it to the law office of a Texas attorney who no longer practices law. The attorney, Aaron Pena, Jr., is
now a Texas State Representative. His spokesperson told news sources that the computer's hard drive had been wiped
before the machine was donated to charity. The news team visited other pawn shops and found several other used
computers which also contained sensitive personal information.
Information
Source:
Media
November 12,
2008
University of Florida College of Dentistry
EDU
HACK
330,000
Some current and former dental patients have been notified that an unauthorized intruder recently accessed a College of
Dentistry computer server storing their personal information. College information technology staff members were upgrading
the server and found software had been installed on it remotely. Information stored on the server included names,
addresses, birth dates, Social Security numbers and, in some cases, dental procedure information for patients dating back to
1990.
Information
Source:
Dataloss DB
126
November 12,
2008
Pinellas County and Florida state agency offices
GOV
Pinellas County, Florida
PHYS
Unknown
Documents with Social Security numbers, medical information and other legally protected data were found in trash
containers at government buildings. Also found were hundreds of improperly discarded records were found that included
medical data, privileged communications between attorneys and clients, juvenile defendant records and child abuse
materials.
Information
Source:
Media
November 11,
2008
Sinclair Community College
EDU
Dayton, Ohio
DISC
1,000
The names and Social Security numbers of almost 1,000 employees were inadvertently left open to public view on the
Internet for about a year. A spreadsheet with information on people who worked at the school in 2000 and 2001 was placed
in a computer folder by an employee. The employee didn't realize the folder could be viewed on the Internet.
Information
Source:
Dataloss DB
November 9,
2008
Texas A&M University
Corpus Christi, Texas
EDU
DISC
1,430
Through an Internet search on the university's Web site, a student viewed a document that listed admissions applicants from
2005. The page listed names and Social Security numbers.
Information
Source:
Dataloss DB
November 9,
2008
City of Charlottesville
Charlottesville, North Carolina
GOV
PORT
25,000
Two laptops containing voter registration information were stolen from a building at Tonsler Park in Charlottesville sometime
after the polls closed. The information on the computers included names, addresses, date of birth and DMV customer
number.
Information
Source:
Media
November 7,
2008
Christus Health Care
Houston, Texas
MED
PORT
Unknown
(800) 877-9056
Two computer back-up tapes were stolen. Someone broke into a car in a Houston parking lot and took the tapes. The
information on the tapes included patient names, Social Security numbers, demographic information, and in some cases,
diagnosis codes.
Information
Source:
Dataloss DB
November 7,
2008
Arizona's Department of Economic Security
Phoenix, Arizona
GOV
PORT
40,000
(DES) is notifying the families of about 40,000 children that their personal data may have been compromised following the
127
theft of several hard drives from a commercial storage facility. The information stored on the stolen disks included the
names, addresses and phone numbers of families whose children were referred to the DES for early intervention services
over the past several years. In the cases of families that had applied for and received services from the agency, their records
also included Social Security numbers.
Information
Source:
Dataloss DB
November 6,
2008
Express Scripts
St. Louis, Missouri
BSO
UNKN
700000
Express Scripts has received a letter demanding money from the company under the threat of exposing records of millions
of patients. The letter, included personal information on 75 people covered by Express Scripts, including birth dates, Social
Security numbers and prescription information. Express manages prescription benefits for roughly 50 million people.
UPDATE 10/1/09: Express Scripts notified about 700,000 consumers that their records may have been breached.
Information
Source:
Dataloss DB
November 6,
2008
Harvard Law School
Cambridge, Massachusetts
EDU
PORT
21,000
A computer tape containing Social Security numbers, addresses, and financial information was either lost or stolen. About
8,000 records of present and former clients contained Social Security numbers another 13,000 had other identification
information that was contained on the tape.
Information
Source:
Dataloss DB
November 5,
2008
North Carolina Dept. of Health and Human Services
GOV
PORT
Unknown
A laptop computer belonging to a Division of Aging and Adult Services employee was stolen. The computer contained
information about people receiving home and community services.
Information
Source:
Media
November 3,
2008
Genesee Intermediate School District
Mundy Township, Michigan
EDU
PORT
total.
A laptop stolen had been used for background checks on school workers and included their fingerprints and some personal
information such as their names, addresses, birthdates and race. The laptop did not have Social Security numbers and the
data was stored in files that require a password to be opened.
Information
Source:
Media
November 1,
2008
Seattle School District
Seattle, Washington
EDU
DISC
5,000
Personal information, including Social Security numbers, was inadvertently released to a local union representing some
district workers. The 5,000 employees are more than half the district's work force. Included were about 700 members of
International Union of Operating Engineers Local 609, which represents custodial, nutritional services, security- and alarmmonitoring workers.
128
Information
Source:
Dataloss DB
November 1,
2008
Veterans Affairs Medical Center
Portland, Oregon
MED
DISC
1,600
Personal information, including some Social Security numbers, of patients at the Veterans Affairs Medical Center in Portland
was inadvertently posted on a public Web site.
Information
Source:
Dataloss DB
November 1,
2008
Baylor Health Care System Inc.
Dallas, Texas
MED
PORT
100,000 (7,400 were
SSN)
(800) 554-5281
A laptop computer containing limited health information on 100,000 patients was stolen from an employee's car. Included
were 7,400 patients whose Social Security numbers were stored on the computer.
Information
Source:
Dataloss DB
October 31, 2008
U.S. State Department
GOV
INSD
383
Passport applicants in the D.C. area were notified of a breach in a database that allowed a ring of thieves to obtain
confidential information so they could fraudulently use credit cards stolen from the mail. The compromised included
information Social Security numbers, physical descriptions, names and places of birth of the applicants' parents.
Information
Source:
Dataloss DB
October 27, 2008
Shell Oil Co.
Houston, Texas
BSR
INSD
Unknown
An IT contractor used the personal data of four Shell workers as part of an unemployment insurance claims scam.
Employees of a third-party contractor misused information stored in a corporate database. The database includes records
for a majority of current and former Shell employees. Misused data included names, dates of birth and Social Security
numbers.
Information
Source:
Dataloss DB
October 24, 2008
Shenendehowa Transportation Employees
Shenendehowa, New York
EDU
HACK
250
A Shenendehowa sophomore was arrested after he allegedly accessed the personal data of some 250 transportation
employees due to a school district error in configuring information on a new computer server. The student was able to use
his student password to access an employee domain and 250 names of past and present Shenendehowa transportation
employees, their Social Security numbers, driver's license numbers and more.
Information
Source:
Dataloss DB
129
October 23, 2008
Medical Mutual of Ohio
Columbus, Ohio
MED
PORT
36,000
Eleven computer disks containing personal information on Ohio retirees and employees are missing, disks are most likely
somewhere in the postal system. It seems insufficient postage was placed on the envelopes [containing the disks], therefore
they are believed that they are likely to still be safe within the postal system.
Information
Source:
Dataloss DB
October 22, 2008
KRM Management
Fresno, California
BSO
PORT
5,700
Offices of KRM Management were broken into and stole two dozen computers, on one of those hard drives were Social
Security numbers, birthdates and addresses. One missing laptop computer is causing the most concern. It contained
sensitive and confidential information on close to 5700 city employees who filed worker's comp claims dating back to 1973.
Hundreds are or were police officers.
Information
Source:
Dataloss DB
October 19, 2008
Mary Washington Hospital
Fredericksburg, Virginia
MED
DISC
803
A security breach in an online computer system exposed the private medical information of some of its maternity patients.
Social Security numbers, phone numbers, address, insurance carrier, birth dates and doctor's names were exposed.
Information
Source:
Dataloss DB
October 18, 2008
City of Goodyear
Goodyear, Arizona
GOV
PHYS
570
A list of their Social Security numbers was stolen from the car of a staffer who had taken the data home. Burglars took the list
while the employee's car was parked at her home.
Information
Source:
Dataloss DB
October 17, 2008
The Planet
Houston, Texas
BSO
UNKN
25,000
A security breach that may have affected the customer portal account and server passwords, was discovered. The Planet
identified the methods by which the systems were compromised and have closed those holes. Only two user accounts were
definitely affected, and no credit card information is believed to have been compromised.
Information
Source:
Media
October 15, 2008
City of Indianapolis
GOV
DISC
3,300
A spreadsheet containing the names, Social Security numbers and dates of birth for people charged with minor offenses in
2006 and 2007 was accidentally posted on the city of Indianapolis' new Web site.
130
Information
Source:
Dataloss DB
October 13, 2008
Southwest Mississippi Community College
Summitt, Mississippi
EDU
DISC
1,000
Former Southwest Mississippi Community College students had some of their personal information made available
temporarily on the Internet. The breach involved names, addresses, and in some cases, Social Security numbers.
Information
Source:
Dataloss DB
October 7, 2008
University of North Dakota Alumni Association
Grand Forks, North Dakota
EDU
PORT
84,554
A laptop computer containing sensitive personal and financial information on alumni, donors and others was stolen from a
vehicle belonging to a software vendor retained by the UND. The information, included individuals' credit card and Social
Security numbers,
Information
Source:
Dataloss DB
October 7, 2008
West Virginia Dept. of Administration
GOV
PORT
535
A laptop was taken from an auditor's vehicle. It contains payroll and benefits information for 425 employees of the state
Insurance Commission and 110 employees of the Department of Health and Human Resources' Bureau of Medical Services
and Child Support Enforcement Division. The information includes full names or first names and Social Security numbers.
Information
Source:
Dataloss DB
October 1, 2008
Foothills Parks and Recreation District
Littleton, Colorado
GOV
HACK
Unknown
The district noticed unusual activity last week which they believe was caused by a virus introduced to cover up the actions of
an intruder. Some customer information, including credit card information, may have been compromised.
Information
Source:
Dataloss DB
September 30,
2008
Dormitory Authority's
New York City, New York
GOV
PORT
3,600
On the trip from the Albany headquarters of this New York based construction organization, to their data center in New York
City 5 tapes had fallen out of their yellow mailing envelope. The tapes contained personal private or sensitive information of
over 600 employees and approximately 3,000 vendors. Social Security numbers and tax ID numbers were compromised.
Information
Source:
Media
September 30,
2008
University of Indianapolis
EDU
HACK
11,000
131
A hacker attacked the University of Indianapolis' computer system and gained access to personal information and Social
Security numbers for 11,000 students, faculty and staff,
Information
Source:
Dataloss DB
September 30,
2008
Blue Cross & Blue Shield
MED
DISC
1,700
A document containing the personal data was accidentally attached to a general e-mail being sent out to brokers notifying
them of a software upgrade. Information such as Social Security numbers, phone numbers and addresses were exposed.
Information
Source:
Dataloss DB
September 26,
2008
Fort Wayne Community Schools
Fort Wayne, Indiana
EDU
UNKN
3,348
A man arrested on forgery and counterfeiting charges may have used some employees' personal information in his
possession. A 94-page document containing personal information belonging to 3,348 FWCS employees was found by police.
The information included names, Social Security numbers, dates of birth and salary.
Information
Source:
Dataloss DB
September 23,
2008
Texas Lottery Commission
Austin, Texas
GOV
INSD
89,000
A former Texas Lottery Commission computer analyst has been arrested for copying the personal data of Texas lottery
winners. He downloaded his own work files off his computer and took them to his next job. The names and Social Security
numbers of 27,075 mid-level lottery winners -- people who have won prizes from $600 up to around $1 million -- were on the
employee's hard drive.
UPDATE 10/31/08: 89,000 lottery winners are being notified their personal information, including Social Security numbers,
may have been breached.
Information
Source:
Dataloss DB
September 22,
2008
Sonoma State University
Sonoma, California
EDU
DISC
600
Social Security numbers have been exposed to the public through an internal department website.
Information
Source:
Dataloss DB
September 19,
2008
College Station, Texas
EDU
HACK
31
A class roster was among some documents located on a computer server that was hacked. The class roster was for
Economics-2301 held during the first summer session of 2004. Social Security numbers were part of the information on
those documents.
Information
Source:
Dataloss DB
132
September 15,
2008
Forever21
BSR
HACK
98,930
(888) 757-4447, http://www.forever21.com/notice/notice.html [127]
If you shopped at the stores between November 26, 2003, and October 24, 2005, criminals may have hijacked your credit
and debit card numbers from its computers. Approximately 20,500 of these numbers were obtained from the Fresno store
transaction data. The data included credit and debit card numbers and in some instances expiration dates and other card
data, but did not include customer name and address.
Information
Source:
Dataloss DB
September 13,
2008
State Farm Insurance
Surprise, Arizona
BSO
INSD
137
An employee of State Farm fraudulently used customer information to open credit-card accounts. Customers' Social Security
numbers, driver's license numbers, addresses and possibly financial account numbers could have been accessed.
Information
Source:
Dataloss DB
September 12,
2008
Tennessee State University
EDU
PORT
9,000
A flash drive containing the financial information and Social Security numbers of students was reported missing. The flash,
which contained financial records of TSU students dating back to 2002.
Information
Source:
Dataloss DB
September 11,
2008
Marshall University
EDU
DISC
198
The names and Social Security numbers of Marshall University students were openly available on the Internet.
Information
Source:
Dataloss DB
September 11,
2008
University of Iowa College of Engineering
Iowa City, Iowa
EDU
HACK
500
Some students are being notified by the College that their personal information may have been exposed in a recent
computer breach. The compromised computer contained a file with names and Social Security numbers of students stored
on its hard drive.
Information
Source:
Dataloss DB
September 10,
2008
Ivy Tech Community College
Bloomington, Indiana
EDU
DISC
Unknown
http://www.ivytech.edu/about/security/ [128]
An employee of the college used an internal file sharing system to send a file that consisted of students enrolled in the spring
133
2008 semester for distance education courses. The employee intended to share the file with a single employee of the
college. Instead, due to a clerical error, the invitation to view the file was sent to a list of all Indianapolis region employees.
Information
Source:
Dataloss DB
September 10,
2008
Franklin Savings and Loan
Cincinnati, Ohio
BSF
HACK
25,000
(877) 579-2267, (513) 605-4378
An unauthorized person gained access to a database on a company web site containing personal information such as
names, addresses, phone numbers, account numbers, account balances and Social Security numbers.
Information
Source:
Dataloss DB
September 9,
2008
University of Pittsburgh
EDU
PORT
Unknown
A laptop containing personal information including names and Social Security numbers was stolen. The laptop, stolen from
Mervis Hall was being used by an employee to conduct surveys of alumni that are used in college rankings.
Information
Source:
Dataloss DB
September 5,
2008
East Burke High School
Morganton, North Carolina
EDU
DISC
163
For the past five years, East Burke High School's web site exposed files containing personal information including names,
Social Security numbers, addresses, phone numbers, job titles, email addresses and unlisted phone numbers of teachers,
bus drivers, custodians and other staff members on the Internet.
Information
Source:
Dataloss DB
September 2,
2008
Clarkson University
Potsdam, New York
EDU
DISC
245
A non-malicious student intruder gained access to a restricted server and promptly reported the vulnerability to campus
authorities. Approximately 245 employees and former employees had personal information, including name, social security
number, and date of birth, compromised during the security breach. The file containing personal information was a record of
employees that had university credit cards known as purchase cards (or p-cards). Any university member requesting a pcard must provide their Social Security number and date of birth on the application form.
Information
Source:
Dataloss DB
August 30, 2008
Ohio Police & Fire Pension System
Columbus, Ohio
GOV
INSD
13,000
A former mailroom supervisor at the Ohio Police & Fire Pension System forwarded the names, addresses and Social
Security numbers from his work e-mail address to his personal e-mail address before quitting his job. The file contains
information for 13,000 of the approximately 24,000 retired members of the Ohio Police & Fire Pension System, most of
whom are former police officers.
Information
134
Source:
Dataloss DB
August 30, 2008
National Technical Institute for the Deaf Rochester Institute of Technology FAQ,
incl. ASL video, <a href=http://www
EDU
PORT
13,800
Rochester, New York
RIT Hotline through 9/26/08 (866) 624-8330, RIT Public Safety (585) 475-2853
http://www.rit.edu/news/?v=46283
[129]
A recently stolen laptop contained the names, birth dates and Social Security numbers of about 12,700 applicants to the
National Technical Institute for the Deaf and another 1,100 people at Rochester Institute of Technology. The laptop
belonged to an employee and was stolen on Monday from an office at NTID. People at RIT, who are not affiliated with NTID,
are affected because their personal information was being used as part of a control group in an internal study.
Information
Source:
Dataloss DB
August 30, 2008
Southwest Medical Association
Las Vegas, Nevada
MED
PHYS
Unknown
Thousands of medical charts were found in an abandoned storage unit that was purchaced for $25.
Information
Source:
Media
August 29, 2008
Louisiana Real Estate Commission
GOV
DISC
13,000
A glitch during a computer upgrade caused the names, addresses and Social Security numbers of licensed agents to be
exposed on the Internet. The commission was transferring its online programs to a new server when the sensitive electronic
file, which is not normally posted on the Internet, was left unsecured and slipped in among the commission materials that
could be seen online.
Information
Source:
Dataloss DB
August 29, 2008
Wachovia Bank
Cape Coral, Florida
BSF
CARD
Unknown
It was confirmed that the Camelot branch, at Cape Coral Parkway and Chiquita Boulevard, has had several debit cards'
identities stolen because someone placed what's known as a skimming device on the ATM. The device collected each
person's card information, including personal identification numbers, and allowed the suspect to create different debit cards
with that information.
Information
Source:
Media
August 28, 2008
The Washington Trust Co.
Westerly, Rhode Island
BSF
HACK
1,000
The Washington Trust Co. has notified about 1,000 customers that their debit and credit card accounts might have been
compromised in a suspected security breach at an unidentified MasterCard merchant. The company is investigating a
suspected security breach of a U.S. e-commerce-based merchant's Web server which contained debit card data.
Information
Source:
135
Media
August 28, 2008
Reynoldsburg Ohio City School District
Reynoldsburg, Ohio
EDU
PORT
4,259
Reynoldsburg school officials were phasing out the use of Social Security numbers in the district's student database when
someone stole a laptop containing that information. The district laptop, taken from a computer technician's car, also included
names, addresses and phone numbers for two-thirds of the district's enrollment.
Information
Source:
Dataloss DB
August 27, 2008
YMCA
Champaign, Illinois
NGO
UNKN
Unknown
Customers who paid for items at a YMCA fund-raiser with checks or credit cards are being warned about a burglary at which
credit and debit card numbers were taken.
Information
Source:
Media
August 27, 2008
Kansas State University
Manhattan, Kansas
EDU
PHYS
86
An instructor for classes offered through the Division of Continuing Education, taught through the UFM Community Learning
Center, reported an overnight theft of numerous items from a car, which was parked outside a Manhattan residence. Items
taken included a backpack with a list of names and Social Security numbers of 86 K-State students who had taken that
instructor's classes from fall 2007 through summer 2008.
Information
Source:
Dataloss DB
August 26, 2008
Pennsylvania Department of Public Welfare
Harrisburg, Pennsylvania
GOV
DISC
2,845
Paper jams in a state Department of General Services mail inserter caused benefit renewal packets to go to the wrong
Pennsylvania welfare client's homes. Nearly half of them included the intended recipients' Social Security numbers.
Information
Source:
Dataloss DB
August 26, 2008
Prince William County Public Schools
Manassas, Virginia
EDU
DISC
2,600
Personal information of some students, employees and volunteers was accidentally posted online by a Prince William County
Public Schools employee. Information for more than 2,600 people was exposed through a file-sharing program by an
employee working from home on a personal computer. The compromised information included: names, addresses and
student identification numbers of more than 1,600 students names and Social Security numbers of 65 employees other
confidential information for about 250 employees and the names, addresses and e-mail addresses of more than 700
volunteers.
Information
Source:
Dataloss DB
August 22, 2008
Liberty McDonald's Restaurant
Liberty, Kentucky
BSR
INSD
Unknown
136
Liberty, Kentucky
An employee at a Liberty McDonald's restaurant, took credit or debit cards from drive-through customers and used a device
she had hidden near the window to swipe the cards to record their numbers. The information on the device then was
downloaded and used to make new cards either in the names of the persons to which the original cards belonged or in the
names of the perpetrators.
Information
Source:
Media
August 19, 2008
Kingston Tax Service
Kingston, Washington
BSO
PORT
Unknown
Office computers were stolen from the business. On each of the computers is information which can be used by identity
thieves including credit card information and Social Security numbers.
Information
Source:
Dataloss DB
August 18, 2008
Dominion Enterprises
Richmond, Virginia
BSO
HACK
92,095
(757) 351-7951
A computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in
Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November
2007 and February 2008. The data intrusion resulted in the potential exposure of personal information, including the names,
addresses, birth dates, and Social Security numbers of 92,095 applicants who submitted credit applications to IFMG's family
of special finance Web sites.
Information
Source:
Dataloss DB
August 18, 2008
Keller High School
Keller, Texas
EDU
DISC
45
Keller family's received a mailing from Keller High School last week. Upon opening it, they found two enrollment forms. One
was an emergency-care authorization form. But the other was a student information form containing another classmate's
Social Security number, student ID number, home address, phone number and contact information for his parents at home
and at work. They quickly realized that their child's private information, which they used to set up their college fund and other
accounts, was mailed to someone else.
Information
Source:
Dataloss DB
August 18, 2008
The Princeton Review
New York, New York
EDU
DISC
108,000
The test-preparatory firm accidentally published the personal data and standardized test scores of tens of thousands of
Florida students on its Web site. One file on the site contained information on about 34,000 students in the public schools in
Sarasota, Fl. Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of
Fairfax County, Va.
Information
Source:
Dataloss DB
August 14, 2008
Wuesthoff Medical Center
Rockledge, Florida
MED
HACK
500
137
Hundreds of people in Brevard County found out their personal information was stolen. Names, Social Security numbers and
even personal medical information were posted on the Internet.
Information
Source:
Dataloss DB
August 13, 2008
Charter Communications
Greenville, South Carolina
BSO
PORT
9,000
Computers were stolen from the company's Greenville offices and contained records of more than 9,000 Charter employees
nationwide. The information included Social Security numbers, dates of birth and driver's license numbers.
Information
Source:
Dataloss DB
August 12, 2008
Wells Fargo
BSF
HACK
5,000
Wells Fargo is notifying customers that hackers have accessed their confidential personal data by illegally using its access
codes. Personal information including names, addresses, dates of birth, Social Security numbers, driver's licence numbers
and in some cases, credit account information was accessed by unauthorised persons.
Information
Source:
Dataloss DB
August 12, 2008
Child Protective Services
San Antonio, Texas
GOV
PHYS
Unknown
Hundreds of private, personal records were discarded with the trash, including records detailing medical histories of clients
with diseases and drug addictions. Documents showing sexual abuse and information that could be used for identity theft,
such as Social Security numbers, were also found in the trash.
Information
Source:
Media
August 7, 2008
Harris County Hospital
Houston, Texas
MED
PORT
1,200
A lower-level Harris County Hospital District administrator downloaded medical and financial records for patients with HIV,
AIDS and other medical conditions onto a flash drive that later was lost or stolen. This may have been a violation of law. The
data on the device included the patients' names, medical record numbers, billing codes, the facilities where the office visits
occurred and other billing information. It also included the patients' Medicaid or Medicare numbers, which can indicate their
Social Security numbers or those of their spouses.
Information
Source:
Dataloss DB
August 5, 2008
The Clear Program Fast-pass Registered Travel program for airline passengers,
operated by Verified Identity Pass for the U.S. Transportation Security Admin.
New York, New York
BSO
PORT
33,000
A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach for the
Clear Program. The laptop was stolen at San Francisco International Airport. The stolen information included names,
addresses, dates of birth, and driver's license numbers or passport numbers.
138
Information
Source:
Media
August 4, 2008
Arapahoe Community College
Littleton, Colorado
EDU
PORT
15,000
A contractor who manages the student information database had a flash drive lost or stolen. Information on the drive
included the names, addresses, credit card numbers and Social Security numbers.
Information
Source:
Dataloss DB
August 3, 2008
Oakland School District
Oakland, California
EDU
STAT
Unknown
Thieves stole 10 desktop computers containing employees' personal information from the Oakland school district's main
office. District officials are still determining what information was on each computer, but the machines may contain personal
information provided to the district when employees were hired. It is unknown how many employees' records were on the
computers.
Information
Source:
Media
August 2, 2008
Countrywide Financial Corp.
BSF
Calabasas, California
INSD
2,000,000
The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal
and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period
though July. The insider was a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division.
The alleged data thief was said to have downloaded about 20,000 customer profiles each week and sold files with that many
names for $500, according to the affidavit. He typically would e-mail the data in Excel spreadsheets to his buyers, often using
computers at Kinko's copying and business center stores. Some, perhaps most, and possibly all the names were being sold
to people in the mortgage industry to make new pitches.
UPDATE (1/30/09): Bank of America will pay Connecticut $350,000 as part of a settlement. The bank will also provide at
least $25,000 to reimburse Connecticut residents forced to pay for freezing and unfreezing their credit reports.
UPDATE (4/09/10): Employees of Countrywide Financial stole and sold "tens of thousands, or millions" of customers'
personal financial information, invading their privacy and exposing them to identity theft, according to class action claims in
Ventura County Court, Calif. Sixteen named plaintiffs sued Countrywide Financial, Countrywide Home Loans, and Bank of
America, which bought Countrywide, the poster boy for the subprime mortgage crisis.
UPDATE (5/08/10): For information about the settlement, visit www.CWdataclaims.com
[130]
or call (866) 940-3612.
Information
Source:
Dataloss DB
August 1, 2008
Tennessee Valley Authority
GOV
PORT
Unknown
A laptop stolen from TVA contained Social Security numbers and reflects generally inadequate policies and procedures for
tracking computers at the agency. The laptop was one of approximately 26 computer and computer-related items stolen
from TVA between May 26, 2006, and Nov. 30, 2007, according to the IG, although the report stated it was unclear whether
sensitive information was present on any of the laptops or PCs stolen from TVA.
Information
Source:
Media
August 1, 2008
Ohio Department of Job & Family Services, Delphi Automotive
Columbus, Ohio
BSO
PORT
2,600
139
A flash drive with Social Security numbers and other personal information from former Dayton-area Delphi workers was
removed from the unattended laptop of a state employee and is missing. The drive included the names, addresses,
telephone numbers as well as the Social Security numbers of the workers.
Information
Source:
Dataloss DB
July 31, 2008
City of Yuma
Yuma, Arizona
GOV
DISC
300
The Social Security numbers of about 300 city of Yuma employees were unintentionally released in an e-mail sent to city
administrative personnel.
Information
Source:
Dataloss DB
July 31, 2008
University of Texas, Dallas
Dallas, Texas
EDU
HACK
9,100
http://www.utdallas.edu/infosecurity/ [131]
A security breach in UTD's computer network may have exposed Social Security numbers along with names, addresses,
email addresses or telephone numbers: 4,406 students who were on the Dean's List or graduated between 2000 and 2003;
3,892 students who were contacted to take part in a survey by the Office of Undergraduate Education in 2002; 88 staff
members from Facilities Management; 716 faculty and staff members listed in a space inventory record from 2001.
Information
Source:
Dataloss DB
July 29, 2008
Blue Cross and Blue Shield of Georgia
Atlanta, Georgia
MED
DISC
202,000
(866) 800-8776
Benefit letters containing personal and health information were sent to the wrong addresses last week. The letters included
the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and
owed. A small percentage of letters also contained the patient's Social Security numbers.
Information
Source:
Dataloss DB
July 29, 2008
Anheuser-Busch
St. Louis, Missouri
BSR
PORT
Unknown
(800) 913-4502
A laptop containing personal information of current and former employees, including some from Hampton Roads, was stolen
from a St. Louis-area Anheuser-Busch office. Information contained on the computer included employees' Social Security
numbers, home addresses and marital status.
Information
Source:
Dataloss DB
Unknown 80 million Not
July 28, 2008
Facebook
BSO
DISC
added to total since the
breach is not SSNs or
140
financial account data.
Facebook accidentally publicly revealed personal information about its members, which could be useful to identity thieves.
The full dates of birth of many of Facebook's 80 million active users were visible to others, even if the individual member had
requested that the information remained confidential.
Information
Source:
Media
July 26, 2008
Connecticut College, Wesleyan University, Trinity College
Middletown, Connecticut
EDU
HACK
2,815
A Connecticut College library system was breached by hackers apparently looking to set up chat rooms or send spam emails. The system's database included the names, addresses and Social Security or driver's license numbers of
approximately 2,800 Connecticut College library patrons, 12 Wesleyan University patrons and three from Trinity.
Information
Source:
Dataloss DB
July 25, 2008
Grady Memorial Hospital
Atlanta, Georgia
MED
INSD
Unknown
Hospital records were stolen, although it remains unknown how many patient records were compromised, which patients
were affected or how the records were stolen. The records pertained to recorded physician comments that Grady sent to a
vendor to transcribe into medical notes. The records were stolen from a subcontractor employed by the vendor.
Information
Source:
Media
July 25, 2008
Ohio University College of Osteopathic Medicine
Columbus, Ohio
EDU
DISC
492
http://www.ohiocore.org/answers [132] , (866) 437-8698
A clerical error led to the online posting of the names and Social Security numbers of people who spoke at Ohio University's
Centers for Osteopathic Research and Education. A spreadsheet that contained the information had been accessible since
March 20 and was discovered when a nurse found the information last week while conducting online research. In addition to
names and Social Security numbers, the spreadsheet included contact numbers, addresses, their speaking topics and
federal employer identification numbers.
Information
Source:
Dataloss DB
July 24, 2008
Village of Tinley Park
Chicago, Illinois
GOV
PORT
20,400
Computer backup tapes that contain thousands of Social Security numbers of Tinley Park residents have been lost. The
tapes containing information from as long ago as 15 years were lost while being transferred from the village hall to another
site within the Chicago suburb.
Information
Source:
Dataloss DB
July 24, 2008
Saint Mary's Regional Medical Center
Reno, Nevada
MED
HACK
128,000
141
An unauthorized person may have accessed the Saint Mary's database. The database, used for Saint Mary's health
education classes and wellness programs, contained personal information such as names and addresses, limited health
information and some Social Security numbers. The database did not contain medical records or credit card information.
Information
Source:
Dataloss DB
July 24, 2008
Hillsborough Community College
Tampa, Florida
EDU
PHYS
2,000
Hillsborough Community College warned its employees to monitor their bank accounts because an HCC programmer's
laptop was stolen from a hotel parking lot in Georgia. The programmer had been working on a payroll project for a group of
employees using their names, bank-routing numbers, retirement information and Social Security numbers.
Information
Source:
Dataloss DB
July 24, 2008
University of Houston
Houston, Texas
EDU
DISC
259
The names and Social Security numbers of University of Houston students were inadvertently posted on the Internet for
more than two years. The posting occurred when a math department lecturer posted student grades on a UH Web server in
October 2005.
Information
Source:
Dataloss DB
July 23, 2008
San Francisco Human Services Department
GOV
PHYS
Unknown
Potentially thousands of files contaning personal information was exposed after a San Francisco agency left confidential files
in unsecured curbside garbage and recycling bins. In some cases entire case files were discarded. Blown up copies of social
security cards, driver's licenses, passports, bank statements and other sensitive personal information were all left in these
unlocked bins.
Information
Source:
Media
July 19, 2008
Minneapolis Veterans Home
GOV
STAT
336
A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-ofkin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's
336 residents.
Information
Source:
Dataloss DB
July 17, 2008
Bristol-Myers Squibb
BSO
PORT
42,000
A backup computer-data tape containing employees' personal information, including Social Security numbers, was stolen
recently. The backup data tape was stolen while being transported from a storage facility. The information on the tapes
included names, addresses, dates of birth, Social Security numbers and marital status, and in some cases bank-account
information. Data for some employees' family members also were on the tape.
142
Information
Source:
Dataloss DB
July 17, 2008
University of Maryland
EDU
DISC
23,000
University of Maryland accidentally released the addresses and Social Security numbers of thousands of students. A
brochure with on-campus parking information was sent by U.S. Mail to students. The University discovered the labels on the
mailing had the students' Social Security numbers on it.
Information
Source:
Dataloss DB
July 17, 2008
Department of Consumer Affairs
GOV
INSD
5,000
A Consumer Affairs personnel specialist in Sacramento, emailed an alpha personnel file containing names and Social
Security numbers of the department's more than 5,000 staff to a personal Yahoo email account at the end of the day, her
last day at the department.
Information
Source:
Dataloss DB
July 16, 2008
Greensboro Gynecology Associates
MED
PORT
47,000
A backup tape of patient information was stolen from an employee who was taking the tape to an off-site storage facility for
safekeeping. The stolen information included patients' names, addresses, Social Security numbers, employers, insurance
companies, policy numbers and family members.
Information
Source:
Dataloss DB
July 16, 2008
Indiana State University
Terre Haute, Indiana
EDU
PORT
2,500
A password-protected laptop computer containing personal information for current and former Indiana State University
students was stolen. The laptop contained data for students who took economics classes from 1997 through the spring
semester 2008. The information includes names, grades, e-mail addresses and student identification numbers and in some
cases Social Security numbers.
UPDATE(7/22/08) :The laptop computer was mailed anonymously back to the professor it was stolen from six days after it
was stolen along with other personal items.
Information
Source:
Dataloss DB
July 15, 2008
Weber Law Firm
Houston, Texas
BSO
PHYS
Unknown
Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in
northwest Houston. Box after box of records including personal financial records, documents with Social Security numbers,
people's medical files and more were found in the dumpster.
Information
Source:
Dataloss DB
143
July 15, 2008
Missouri National Guard
Jefferson City, Missouri
GOV
UNKN
2,000
(888) 526-6664 ext. 7888, (312) 555-9500 ext. 7888 Soldier deployed overseas
The Missouri National Guard has called for a criminal investigation after it learned that the personal information of as many
as 2,000 soldiers had been breached. The Guard would not release how the personal information had been taken -- whether
by computer hackers or other means -- because it has asked for a full law enforcement investigation into the matter.
Information
Source:
Dataloss DB
July 15, 2008
University of Texas, Austin
Austin, Texas
EDU
DISC
2,500
The personal information of University of Texas students and faculty has been exposed on the Internet. An independent
watchdog discovered more than five dozen files containing confidential graduate applications, test scores, and Social
Security numbers. The files were inadvertently posted by at least four different UT professors to a file server for the School
of Biological Sciences.
Information
Source:
Dataloss DB
July 14, 2008
Washington Metropolitan Area Transit Authority
GOV
DISC
4,700
Metro accidentally published the Social Security numbers of past and present employees on its Web site. The numbers were
posted with a solicitation to companies for workers' compensation and risk management services.
Information
Source:
Dataloss DB
July 10, 2008
Williamson County (TN) Schools
Franklin, Tennessee
EDU
DISC
5,100
Social Security numbers and other personal information of 4,000 children were posted on the Internet.
UPDATE 7/11/08 : 5, 100 students' information may be compromised.
Information
Source:
Dataloss DB
July 9, 2008
Wichita Radiological Group
Wichita, Kansas
MED
INSD
Unknown
A former employee stole patient records before being fired from the Wichita Radiological Group. Tens of thousands of
patient records were in the database could have been compromised.
Information
Source:
Media
July 9, 2008
Wagner Resource Group
McLean, Virginia
BSF
DISC
2,000
Sometime late last year, an employee of a McLean investment firm used the online file-sharing network LimeWire. In doing
144
so, he inadvertently opened the private files of his firm to the public. That exposed the names, dates of birth and Social
Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court
Justice Stephen G. Breyer.
Information
Source:
Dataloss DB
July 9, 2008
Division of Motor Vehicles Colorado
, Colorado
GOV
DISC
3.4 million
The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to
properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access
names, addresses, dates of birth and Social Security numbers.
Information
Source:
Media
July 8, 2008
LPL Financial (formerly Linsco Private Ledger)
BSF
HACK
10,219
http://www.sec.gov/litigation/admin/2008/34-58515.pdf [133]
Hackers obtained clients' unencrypted names, addresses and Social Security numbers from July 17, 2007, to February 15,
2008. They compromised the logon passwords of 14 financial advisers and four assistants.
UPDATE (9/11/08) : The U.S. Securities & Exchange Commission (SEC) fined LPL $275,000 and required that LPL
strengthen its security safeguards involving customer information. It was found that the hacker(s) placed, or attempted to
place, 209 unauthorized trades in 68 customer accounts of several of LPL's registered representative, for more than
$700,000 in trades in securities of 19 different companies. LPL reversed or eliminated the trades and compensated the
customers for the resulting trading losses, which totaled approximately $98,900.
Information
Source:
Dataloss DB
July 7, 2008
Florida Agency for Health Care Administration
GOV
DISC
55,000
A computer flaw in the Organ and Tissue Donor Registry database may have exposed thousands of donors' personal
information, including their Social Security numbers. Other data included donors' names, addresses, birth dates and drivers'
license numbers.
Information
Source:
Dataloss DB
July 4, 2008
US Army
Fort Lewis, Washington
GOV
PORT
800-900
A laptop computer that was reported stolen from an Army employee's truck contained personal information on Fort Lewis
soldiers. A 500 GB removable hard drive was also taken in the theft.
UPDATE (7/11/08) :A 17-year-old Lacey boy faces a charge of suspicion of possession of stolen property after Tumwater
police uncovered items from vehicle prowls, including a stolen Army laptop containing information on Fort Lewis soldiers.
Information
Source:
Dataloss DB
July 4, 2008
Clark County Nevada District Court
Las Vegas, Nevada
GOV
DISC
380
145
A contracted vendor released personal information on about 380 potential jurors to an employee's private e-mail address.
The information provided to the e-mail account could have included names, addresses, Social Security numbers and birth
dates.
Information
Source:
Dataloss DB
July 2, 2008
Baptist Health
MED
INSD
1,800
Due to a breach by an unauthorized person in its information systems, there is a possibility that personal information, such
as name, address, date of birth, Social Security number, and reason for coming to Baptist Health were compromised.
Apparently, no information in the patients' medical records and no information about the patients' diagnoses or prognoses
was accessed. A former employee was arrested for attempting to open a credit account at a retail merchant.
Information
Source:
Dataloss DB
July 2, 2008
University of Nebraska, Kearney
Kearney, Nebraska
EDU
HACK
2,035
(308) 865-8950
Officials at the University of Nebraska at Kearney discovered a security breach involving nine university computers. Of the
nine computers involved, five contained names and partial or complete Social Security numbers.
Information
Source:
Dataloss DB
June 27, 2008
Montgomery Ward
Cedar Rapids, Iowa
BSR
HACK
51,000
Hackers extracted information from an online database that held credit card account information.
Information
Source:
Dataloss DB
June 26, 2008
Texas Department of Public Safety
Austin, Texas
GOV
PHYS
826
The personal information of 826 state employees was stolen from a Wichita Falls home office. Notices are in the mail to
inform the hundreds of victims that their names, home addresses, dates of birth, driver's license and Social Security
numbers are in the hands of criminals.
Information
Source:
Dataloss DB
June 26, 2008
IGN Entertainment
Brisbane, California
BSR
STAT
119
A computer was stolen in an unspecified location on May 25 of 2008. The computer contained employee names, addresses,
dates of birth, Social Security numbers, and dependent information.
Information
Source:
Dataloss DB
146
Dataloss DB
June 24, 2008
Southeast Missouri State University
Cape Girardeau, Missouri
EDU
INSD
800
(573) 986-6800, (573) 335-6611, ex.123,[email protected]
A former employee has been indicted on two charges of identity fraud and one charge of computer trespass after being
found in possession of 800 student names and Social Security numbers.
Information
Source:
Dataloss DB
June 23, 2008
Colt Express Outsourcing Services, CNET Networks
Walnut Creek, California
BSO
STAT
17241
Burglars stole computer systems from the offices of the company that administers the Internet publisher's benefit plans. The
computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of
CNET's health insurance plans. CNET was only one of several clients affected.
UPDATE (8/26/08): Among the companies whose staffers have been exposed by the Colt break-in in Walnut Creek, Calif.:
Google, Bebe Stores, Alston & Bird, and the California Bankers Assn.
Information
Source:
Dataloss DB
June 23, 2008
Bank Atlantic
Tampa, Florida
BSF
CARD
Unknown
Bank Atlantic confirms they had a data loss, involving their MasterCard debit cards. It happened through a local merchant,
but at this time, isn't saying which one.
Information
Source:
Media
June 19, 2008
Citibank
New York, New York
BSF
HACK
Unknown
A Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached. The computer
intrusion into the Citibank server led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City
cash machines, pocketing at least $750,000 in cash
Information
Source:
Dataloss DB
June 19, 2008
Petroleum Wholesale
Houston, Texas
BSO
PHYS
Unknown
The company dumped hundreds of records in a publicly accessible trash container outside its former headquarters. The
records included receipts with customers' names and full credit or debit card numbers, including expiration dates. The
records also included returned checks and forms containing customers' names and bank routing, driver's license and Social
Security numbers.
Information
Source:
Dataloss DB
June 18, 2008
Domino's Pizza
BSR
PHYS
Unknown
147
June 18, 2008
Tucson, Arizona
BSR
PHYS
Unknown
Investigators found credit card numbers blowing in the wind. These piles and papers contained hundreds of old receipts from
Domino's Pizza stores. The former owner had been discarding boxes of old records and somehow all those receipts got
loose.
Information
Source:
Media
June 15, 2008
Conneticut Department of Administrative Services
GOV
DISC
Unknown
Department of Administrative Services posted the Social Security numbers of individual contractors on a state Web site. An
audit also uncovered the Social Security numbers of prospective nursing employees accessible on an agency Web site for
19 months until a complaint was lodged.
Information
Source:
Media
June 13, 2008
Texas Insurance Claims Services
Dallas, Texas
BSF
PHYS
Unknown
Hundreds of files with people's names, Social Security numbers and policy numbers were found in a Richardson dumpster,
apparently discarded by Texas Insurance Claims Services.
Information
Source:
Dataloss DB
June 12, 2008
Columbia University
New York, New York
EDU
DISC
5,000
Social Security numbers of some 5,000 Columbians were accidentally posted by a student employee on a Google-hosted
site in February 2007. Student Services discovered the leak in June 2008, 16 months later, removing the sensitive data
Information
Source:
Dataloss DB
June 11, 2008
Dickson County Board of Education
Dickson, Tennessee
EDU
PORT
850
A computer containing sensitive personal information was stolen from the Dickson County Board of Education. The computer
belongs to the new director of schools and was loaded with the name and Social Security number of every school employee
from the 2006-2007 school year, a total of 850.
Information
Source:
Dataloss DB
June 10, 2008
1st Source Bank
South Bend, Indiana
BSF
HACK
Unknown
1st Source Bank is replacing ATM cards this month for all its account holders after cyber-thieves accessed an unknown
amount of debit-related data.
Information
Source:
Dataloss DB
148
June 10, 2008
University of Utah Hospitals and Clinics
MED
PORT
2.2 million
[134]
Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier
failed to immediately take the eight data tapes to a storage center. The records, contained Social Security numbers of 1.3
million people treated at the university over the last 16 years.
Update (2/5/09): The data tapes were found within a month after being stolen.
Update (6/9/10): An Englewood, Colo., insurance company has filed a federal lawsuit contending that it isn't reponsible for
reimbursing the University of Utah for $3.3 million in costs related to a 2008 data breach
[135]
caused by a third-party service
provider.
The lawsuit filed in a Utah federal court by Colorado Casualty Insurance Co. contends that the insurer is not obligated to
cover the costs sought by the university. Colorado Casualty was providing breach insurance to the univerity at the time of the
breach.
The nine-page complaint, which seeks a declaratory judgment from the court, offers little explanation as to why exactly the
insurer believes it is not obligated to pay the breach relqted costs sought by the university.
http://www.computerworld.com/s/article/9177702/Insurer_says_it_s_not_liable_for_University_of_Utah_s_3.3M_data_breach
[134] [134]
Information
Source:
Dataloss DB
June 10, 2008
EDU
DISC
11,300
Current and former students had their Social Security numbers, names and addresses accidentally posted online. The
information became available when former student employees of the Office for Academic Support and Institutional Service,
or OASIS, program created online records of students participating in the program between 2003 and 2005.
Information
Source:
Dataloss DB
June 10, 2008
Wheeler's Moving Company
Boca Raton, Florida
BSO
PHYS
Unknown
Personal files with tax information, Social Security numbers and license numbers, were found in a Boca Raton dumpster.
Information
Source:
Media
June 9, 2008
University of South Carolina
EDU
STAT
7,000
Several items were stolen from an office in the Moore School of Business. Among the items was a desktop computer. As a
result of the computer being stolen, it is possible that some personally identifiable data could have been compromised.
Information
Source:
Dataloss DB
June 7, 2008
Southington Water Department
Southington, Connecticut
GOV
PHYS
26
Documents with the names and Social Security numbers of 26 people were found scattered by the Quinnipiac River.
149
Information
Source:
Media
June 7, 2008
East Tennessee State University
Johnson City, Tennessee
EDU
STAT
6,200
6,200 people may have had there identities compromised by the theft of a desktop computer. The computer is password
protected and files cannot be easily accessed. But there is a small possibility that the information could be compromised.
Information
Source:
Dataloss DB
June 6, 2008
Stanford University
Stanford, California
EDU
PORT
72,000
Stanford University determined that a university laptop, which was recently stolen, contained confidential personnel data.
The university is not disclosing details about the theft as an investigation is under way.
Information
Source:
Dataloss DB
June 4, 2008
Oregon State University
Corvallis, Oregon
EDU
HACK
4,700
The Oregon State Police are investigating the theft of personal information from online customers of the OSU Bookstore who
used credit cards to purchase items.
Information
Source:
Dataloss DB
June 2, 2008
Walter Reed Army Medical Center
MED
UNKN
1,000
(877) 854-8542, ext. 9
Sensitive information on patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security
breach. The computer file was found on a "non-government, non-secure computer network." The data file did not include
information such as medical records, or the diagnosis or prognosis for patients, but may have included names, Social
Security numbers, birth dates as well as other information.
Information
Source:
Dataloss DB
June 2, 2008
Connecticut Department of Labor
Wethersfield, Connecticut
GOV
PHYS
2,100
Records with confidential information on about 2,100 people have been lost and might have been mistakenly shredded. The
files contained copies of letters informing applicants that they were ineligible for the unemployment insurance. They were
dated between May 2 and May 20 and contained names, addresses and Social Security numbers.
Information
Source:
Dataloss DB
May 31, 2008
Pocono Mountain School District
EDU
HACK
11,000
150
May 31, 2008
Swiftwater, Pennsylvania
EDU
HACK
11,000
(570) 873-7121, ext. 10151
A hacker apparently broke into the computers at Pocono Mountain School District and may have tapped into confidential
information concerning students and their parents. Information may have included the students' birth dates, Social Security
numbers, student IDs, home phones, and the parents' names, phone numbers and emergency phone numbers. ''If you see
any unauthorized activity, promptly contract your service provider and or the office of the director of technology at 570-8737121, ext. 10151.''
Information
Source:
Dataloss DB
May 30, 2008
Circuit Court of Louisville
GOV
PHYS
312
(502) 595-3273
Louisville Metro Police made an arrest, and during that arrest they found 312 stolen court traffic files in that person's
possession. All of the files contain personal information of people in Louisville such as, name, address, date of birth and in
some cases Social Security numbers and copies of drivers' licenses.
Information
Source:
Media
May 29, 2008
State Street Corp, Investors Financial Services
BSF
STAT
45,500
Computer equipment containing personal information on customers and employees of a State Street unit was stolen. The
computer equipment was stolen from a vendor hired by Investors Financial Services to provide legal support services. The
personal information included names, addresses and Social Security numbers.
Information
Source:
Dataloss DB
May 28, 2008
University of California, San Francisco
EDU
HACK
3,569
[136]
During routine monitoring of a campus computer network, UCSF discovered unusual data traffic on one of its computers.
During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on one
computer by an unknown individual. Installation of this program required high-level system access. The computer contained
files with lists of patients from the UCSF pathology department's database. The data included information such as patient
names, dates of pathology service, health information and, in some cases, Social Security numbers.
Information
Source:
Dataloss DB
May 23, 2008
R.E. Moulton
Irving, Texas
BSF
PORT
19,000
Thieves broke into the Irving, Texas, regional office and stole a laptop computer containing personally information of
numerous individuals, including names and Social Security numbers. The company is in the medical stop-loss insurance
industry.
Information
Source:
Dataloss DB
151
May 22, 2008
HealthSpring Inc.
Franklin, Tennessee
MED
PORT
9,000
A laptop computer containing personal information of about 450 state residents was stolen. The laptop, believed to contain
names, dates of birth and Social Security numbers of about 9,000 individuals, was stolen from a HealthSpring employee's
locked car.
Information
Source:
Dataloss DB
May 22, 2008
AT&T
San Antonio, Texas
BSO
PORT
Unknown
A laptop was stolen from the car of an employee. The data on the computer was not encrypted -- a violation of company
policy -- and included names, Social Security numbers and in some cases, salary and bonus information.
Information
Source:
Security Breach
Letter
May 21, 2008
Oklahoma Corporation Commission
GOV
STAT
5,000
The Oklahoma Corporation Commission is removing hard drives from all surplus computer equipment after a server
containing the names and Social Security numbers of thousands of residents was sold at an auction.
Information
Source:
Media
May 20, 2008
University of Florida College of Medicine
MED
INSD
1,900
(866) 876-4472
A UF assistant professor of plastic surgery at the UF College of Medicine-Jacksonville, stored unsecured digital photographs
of his patients and identifying information on a computer. He then gave the computer to a family. The information included
names, dates of birth, Social Security numbers, and Medicare numbers.
Information
Source:
Dataloss DB
May 20, 2008
New York University
New York, New York
EDU
DISC
273
Duke University's Fuqua School of Business is notifying former New York University students that some of their personal
information was inadvertently accessible by targeted Internet searches. The personal data included names and Social
Security numbers and was contained in the faculty member's research records. The information could have been accessed
only if searched by specific student names, along with a search code for Social Security numbers.
Information
Source:
Dataloss DB
May 17, 2008
University of Louisville
EDU
PHYS
20
152
Documents being copied and taken from a private office in the president's office, to its Internal Audit Office and Department
of Public Safety may have resulted in a security breach. The documents contained personal information - including Social
Security numbers, student and employee identification numbers and salary information - for current and recent student
employees. The university learned of the theft when salary information was shared anonymously with some employees in
the office.
Information
Source:
Dataloss DB
May 16, 2008
Spring Independent School District (Spring, TX)
Spring, Texas
EDU
PORT
8,000
A laptop computer containing the personal information of students was stolen from a employee's car. The car burglars made
off with her school laptop and an external flash drive. The flash drive contains students' Social Security numbers, personal
information, schools those students attend, as well as their grade level and birthdates. The drive also contained the Texas
Assessment of Knowledge and Skills test results.
Information
Source:
Dataloss DB
May 16, 2008
Greil Memorial Psychiatric Hospital
Montgomery, Alabama
EDU
PHYS
Unknown
Index cards containing patients personal information, names, dates of birth, even Social Security numbers are gone.
Hundreds of records have simply disappeared.
Information
Source:
Dataloss DB
May 16, 2008
Amateur Athletic Union
Lake Buena Vista, Florida
NGO
PHYS
Unknown
Boxes filled with personal information were found in a dumpster. Information on athletes and their guardians included Social
Security numbers and copies of birth certificates.
Information
Source:
Dataloss DB
May 16, 2008
Chester County School District
Downingtown, Pennsylvania
EDU
HACK
55,000
A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including
names, addresses and Social Security numbers, of more than 50,000 people were accessed. The student apparently used a
flash drive to save the personal data of about 40,000 taxpayers and 15,000 students.
Information
Source:
Media
May 15, 2008
BB&T Insurance
Harrisonburg, Virginia
BSF
PORT
Unknown
A BB&T Insurance laptop containing the personnel information of some Harrisonburg City Schools employees was stolen.
The laptop, used by an outside sales representative to develop an insurance proposal for the school system, was stolen
from a car. The information contained names, dates of birth, Social Security numbers, and, in some cases, medical history.
Information
153
Source:
Dataloss DB
May 14, 2008
Oklahoma State University
Stillwater, Oklahoma
EDU
HACK
70,000
A breach in an Oklahoma State University computer server exposed names, addresses and Social Security numbers of
students, staff and faculty who bought parking and transit services permits in the past six years.
Information
Source:
Dataloss DB
May 12, 2008
Dave & Buster's
Islandia, New York
BSO
HACK
5,000
Three men have been charged with hacking into the network and then remotely installing "packet sniffer" software on pointof-sale servers at 11 Dave & Buster's locations throughout the U.S. A packet sniffer logs information being sent over a
network. In this case, the criminals used it to log credit- and payment-card data as it was sent from the branch locations to
corporate headquarters. The hacking took place from April to September 2007. At Dave & Buster's Islandia, New York,
location, the hackers accessed details of about 5,000 payment cards. The information was sold to other criminals who then
used the card numbers to scam online merchants. The criminals were able to post at least US$600,000 in fraudulent
transactions from 675 cards taken from this one store.
UPDATE (4/05/10): In reaching a settlement with Dave & Buster’s, the FTC quietly and without fanfare introduced a new
security standard, requiring the company to monitor and filter outbound Internet traffic to block the unauthorized export of
sensitive information. The consent decree puts companies on notice that they may face FTC scrutiny and penalties if they
fail to use data loss prevention software.
Information
Source:
Dataloss DB
May 12, 2008
Pfizer
New York, New York
13,000 Not added to
total. It does not seem
BSO
PORT
that SSNs or financial
exposed.
(866) 274-3891
About 13,000 employees at Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised
when a company laptop and flash drive were stolen. No Social Security numbers were on the laptop, but names, home
addresses, home telephone numbers, employee ID numbers, positions and salaries were possibly compromised. Other
information possibly lost included the department employees worked in, the Pfizer site where the employees worked, the
name of employees' managers and descriptions of their jobs.
Information
Source:
Dataloss DB
May 9, 2008
Princeton University Tower Club
Princeton, New Jersey
EDU
DISC
103
Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their
names and Social Security numbers was e-mailed to current club members. The document was attached to an apparently
unrelated e-mail that informed current members about a club event. The spreadsheet was attached unintentionally because
of a technical glitch in an email program.
Information
Source:
Dataloss DB
154
May 8, 2008
Dominican University
River Forest, Illinois
EDU
HACK
5,000
Two students were able to access records on a staff network storage area. The files accessed were three spreadsheets that
included students' names, addresses, phone numbers, birthdays and Social Security numbers.
Information
Source:
Dataloss DB
May 8, 2008
Las Cruces Public Schools
Las Cruces, New Mexico
EDU
DISC
1,800
A part-time computer analyst for Las Cruces Public Schools inadvertently posted personal data for 50 special education
students and 1,750 district employees on the Internet. Information posted included Social Security number, date of birth,
name, the nature of disability and caseworker's name.
Information
Source:
Dataloss DB
May 7, 2008
SAIC
, Maryland
BSO
PORT
4,690
(877) 277-8001
SAIC stockholders are at risk of identity theft after a box of magnetic backup tapes went missing. The tapes contained
names, addresses, Social Security numbers, stock account information, transaction activity and possibly bank account
numbers for current or former shareholders.
Information
Source:
Media
May 6, 2008
Ohio State University Agricultural Technical Institute
Wooster, Ohio
EDU
DISC
192
Personal information on faculty and staff members was accidentally emailed to about 680 students. The email contained
spreadsheet information listing the names, positions, salaries and Social Security numbers.
Information
Source:
Dataloss DB
May 6, 2008
International Visa Service
Atlanta, Georgia
BSO
INSD
1,000
An employee has been arrested and charged with stealing the personal information of people who were applying for a
passport and sold the identities on the black market.
Information
Source:
Dataloss DB
May 6, 2008
Northeast Security
West Haven, Massachusetts
BSO
PHYS
Unknown
News Channel 8 found Social Security numbers, bank account numbers and even canceled checks inside a dumpster. The
files appear to belong to Northeast Security, a subcontractor for Safe Home Security, based out of Rocky Hill. Northeast
Security recently moved out of a West Haven storefront, and it seems they left their clients personal information behind.
155
Information
Source:
Dataloss DB
6,313 Not added to
May 5, 2008
Target America Inc., University of California, San Francisco (UCSF)
total. It is not clear if
MED
DISC
SSNs or financial
exposed.
Information on UCSF patients was accessible on the Internet. The information accessible online included names and
addresses of patients along with names of the departments where medical care was provided. Some patient medical record
numbers and the names of the patients' physicians also were available online.
Information
Source:
Dataloss DB
May 5, 2008
Iredell County Tax Administration
Statesville, North Carolina
GOV
PHYS
486
(704) 878-3020
A courier vehicle providing services for First Citizens Bank was stolen in Charlotte. The stolen shipment contained a
computer report of taxpayer's check information, including account numbers, check numbers, check amounts and routing
numbers from various banks on which the checks were drawn. There were also copies of tax bills that contained taxpayer
names, addresses and other public information related to tax payments.
Information
Source:
Dataloss DB
May 4, 2008
Staten Island University Hospital
Staten Island, New York
MED
STAT
88,000
Computer equipment stolen from an administrator contained personal information from patients. Social Security numbers
and health insurance numbers were contained in computer files on a desktop computer and the backup hard drive.
Information
Source:
Dataloss DB
May 2, 2008
Marine Corps Reserve Center
San Antonio, Texas
GOV
INSD
17,000
A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity
theft after he was accused of selling names and Social Security numbers of 17,000 military employees.
Information
Source:
Media
May 1, 2008
Cove Creek Mortgage, Front Range Mortgage
Englewood, Colorado
BSF
PHYS
Unknown
Sensitive mortgage files with people's personal information were recently found in a Dumpster. The files and computers
contained sensitive information on many former customers of Front Range Mortgage, including names and addresses,
Social Security numbers and bank, credit card and investment account information.
Information
Source:
156
Source:
Media
May 1, 2008
Lunardi's Supermarket
Los Gatos, California
BSR
CARD
100, updated amount
250
An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting
in cases of identity theft. Victims all had their card numbers stolen after officials from Lunardi's contacted them about a
problem with one of their card readers.
UPDATE (8/4/08): Police arrested a man Friday that was involved with the ATM scam at a Los Gatos supermarket that lost
about $300,000. He was booked into the Santa Clara County Jail in connection with burglary, conspiracy, drunken driving,
and further charges may be filed later, according to the district attorney's office.
Information
Source:
Dataloss DB
April 28, 2008
Hough, MacAdam & Wartnik
North Bend, Oregon
BSO
PORT
500
A notebook computer was stolen from a locked vehicle. The notebook's hard drive may have contained names, Social
Security numbers, and other personal information.
Information
Source:
Dataloss DB
April 27, 2008
General Internal Medicine of Lancaster
East Hempfield Township, Pennsylvania
MED
PORT
Unknown
A laptop was stolen from a doctors' office containing the Social Security numbers of patients. The clinic is notifying 12,000
potential-affected patients.
Information
Source:
Media
April 25, 2008
University of Colorado, Boulder
Boulder, Colorado
EDU
HACK
9,500 revised to 0
Three computers in the Division of Continuing Education and Professional Studies were compromised, leaving people open
to potential identity theft. One of the three computers had personal data, including names, Social Security numbers,
addresses and grades.
UPDATE (5/1/08): Upon further analysis, the University concluded that no personal data had been exposed. 9,500 records
were initially thought to be comprised, but later this was revised to zero.
Information
Source:
Dataloss DB
April 25, 2008
Canton WiseBuys
Canton, New York
BSR
HACK
Unknown
Someone apparently hacked into the Canton WiseBuys store computer system during a changeover between December 5,
2007 and December 20, 2007. The hacker obtained personal identification and banking numbers of hundreds of customers.
Information
Source:
Media
157
April 25, 2008
Baltimore Highway Administration
Baltimore, Maryland
GOV
DISC
1,800
An employee transferred personnel transaction data from a secure drive to a SHA shared drive. Sensitive personal
information concerning employees, included names and Social Security numbers.
Information
Source:
Dataloss DB
April 24, 2008
Harmony Information Systems
Madison, Wisconsin
BSO
DISC
Unknown
A computer program housing personal information about Wisconsin seniors and disabled people had a significant security
hole. A senior center volunteer in McFarland said he could see hundreds of files of people's private information from across
the country in the system run by Virginia-based Harmony Information Systems. The information is entered into an electronic
record that includes the person's name and Social Security number.
Information
Source:
Media
April 24, 2008
Collections Lawyers Pellegrino & Feldstein
Denville, New Jersey
BSO
DISC
530
Consumer information somehow escaped the New Jersey law offices and ended up posted on several websites. The Liberty
Coalition discovered cached versions of an Excel file that contained the full names, Social Security numbers, dates of birth,
addresses, account numbers, and financial information.
Information
Source:
Dataloss DB
April 23, 2008
University of Texas Health Science Center
Tyler, Texas
MED
DISC
2,000
About 2,000 medical bills were mailed last week with patients' Social Security numbers visible on the envelope.
Information
Source:
Dataloss DB
April 23, 2008
Southern Connecticut State University
EDU
HACK
11,000
Southern Connecticut State University is taking action to prevent its students from becoming victims of identity theft. The
move comes after a website with student and alumni information was found to be easily accessible to hackers. It appears
that no financial information was accessed but Social Security numbers were vulnerable.
Information
Source:
Dataloss DB
April 22, 2008
LendingTree
BSF
INSD
Unknown
Outside loan companies may have accessed information, including Social Security numbers, between October 2006 and
early 2008 and used it to market their own mortgages to LendingTree customers. Several former employees may have
shared confidential passwords with a handful of lenders that were not approved by the company.
Information
158
Information
Source:
Media
April 22, 2008
University of Massachusetts, Amherst
Amherst, Massachusetts
MED
HACK
Unknown
Hackers breached the computer system used by UMass Amherst's Health Services, potentially gaining access to thousands
of medical records. More than half of the student population at UMass Amherst are patients on record at the University
Health Services.
Information
Source:
Dataloss DB
April 22, 2008
HealthNow New York
Buffalo, New York
MED
PORT
Unknown
Clients may be at risk for identity theft, after a former employee's laptop computer went missing with confidential information
several months ago. The potential information includes names, dates of birth, Social Security numbers, addresses, employer
group names, and health insurance identifier numbers.
Information
Source:
Media
April 22, 2008
Fishback Financial Corp.
Brookings, South Dakota
BSF
HACK
Unknown
There has been an unauthorized access to one of the database servers by a third party. The database includes names,
addresses and Social Security numbers.
Information
Source:
Dataloss DB
April 22, 2008
Central New England HealthAlliance
Leominster, Massachusetts
MED
PORT
384
Personal data could be at risk of exposure after a home health nurse reported that her handheld computer was missing. The
unencrypted data include names, Social Security numbers, and health insurance records.
Information
Source:
Media
April 22, 2008
Smithtown Post Office
Smithtown, New York
GOV
INSD
Unknown
A Smithtown postal worker was arrested after he stole credit cards from the mail and went on a shopping spree.
Information
Source:
Media
April 22, 2008
CollegeInvest
Denver, Colorado
NGO
PORT
200,000
Customers had personal information stored on a computer hard drive that disappeared during a recent move. CollegeInvest
moved to a new office space, using an international relocation firm that offered specialists in moving computer equipment.
CollegeInvest discovered while unpacking at the new location that a hard drive was missing. CollegeInvest is a not-for-profit
159
division of the Colorado Department of Higher Education.
Information
Source:
Dataloss DB
April 21, 2008
Brunswick Corp.
Lake Forest, Illinois
BSO
STAT
700
An electronic device that scans customers' drivers' licenses to make sure they're of legal drinking age was stolen from a
company-owned bowling facility in suburban Naperville. The device contains information such as driver's license number,
date of birth and first and last names of customers whose licenses were scanned.
Information
Source:
Media
April 20, 2008
Helping Homeless Veterans and Families Hoosier Veterans Foundation
NGO
PHYS
Unknown
Hundreds of files containing medical histories and Social Security numbers were found in the trash on Indianapolis' east side.
The records belong to homeless veterans. A lot of the things inside the folders are confidential information about the clients
including Social Secrutiy numbers.
Information
Source:
Media
April 19, 2008
Central Collection Bureau
BSO
STAT
700,000
A computer server containing Social Security numbers and other personal information was stolen last month from a
Southside debt-collection bureau. The information includes customer-billing records for Indiana businesses, including
Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group.
Information
Source:
Dataloss DB
April 17, 2008
SunGard, Connecticut State University System, Buffalo State, Northwest Missouri
State University
BSO
PORT
Totals are not known
,
http://www.sungardhe.com/custom.aspx?id=1554&LangType=1033
[137]
At least 18 colleges are scrambling to inform tens of thousands of students they are at risk of having their identities stolen. A
laptop computer that was stolen from a vendor contained the data of current and former students from the four state
universities, including Western Connecticut State University. The computer was password-protected but contained
unencrypted files with personally identifiable data, including names and Social Security numbers.
Information
Source:
Dataloss DB
April 17, 2008
University of Miami
Miami, Florida
MED
PORT
2,100,000
(866) 628-4492
Computer tapes containing confidential information of Miami patients was stolen last month when thieves took a case out of
a van used by a private off-site storage company. The data included names, addresses, Social Security numbers or health
information.
160
Information
Source:
Dataloss DB
April 16, 2008
Hexter Elementary School
Dallas, Texas
EDU
PHYS
Unknown
Employee and volunteer records were found at a recycling bin near the school. It's unknow what type of documents were
found.
Information
Source:
Media
April 16, 2008
EDU
PORT
7,000
A laptop stolen from a University of Virginia employee contained sensitive information about students, staff and faculty
members. Stolen from an unidentified employee from an undisclosed location in Albemarle County, the laptop contained a
confidential file filled with names and Social Security numbers.
Information
Source:
Dataloss DB
April 15, 2008
First Federal Bank of California
BSF
UNKN
Unknown
Additional locations: Brookfield, WI (headquarters of Fiserv, Inc)
This bank was not the only financial institute impacted by a security breach that occurred in a banking in a subsystem of a
financial data processor, Fiserv, Inc. of Wisconsin last month.The bank said that it was company policy not to reveal any
details about the breach including the number of banks involved, how many customers were impacted, the depth of
information breached, how extensive the breach was geographically even which federal agencies were involved. However,
non-public private account information might be at risk.
Information
Source:
Dataloss DB
April 15, 2008
Oklahoma's Department of Corrections
GOV
DISC
10,597
The names, addresses, and Social Security numbers of tens of thousands of Oklahoma residents were made available to
the general public for a period of at least three years on the ODC's website.
Information
Source:
Media
April 14, 2008
Stokes County High Schools
Danbury, North Carolina
EDU
STAT
800
A school computer containing the names, test scores and Social Security numbers of students from three Stokes County
high schools was stolen from a locked closet.
Information
Source:
Dataloss DB
161
April 14, 2008
GOV
INSD
Unknown
A former state employee who took applications from people seeking food stamps and other welfare aid worked with three
others to steal the identity of Utah residents and charge tens of thousands of dollars in purchases.
Information
Source:
Media
April 13, 2008
Toledo, Ohio
EDU
DISC
6,488
Personal information of the University of Toledo employees, the majority having worked on the Health Science Campus in
1993 and 1999 - last month was inadvertently placed on a server to which all employees had access. The information, which
was used for payroll purposes, included names, addresses, and Social Security numbers and was accessible for about 24
hours.
Information
Source:
Dataloss DB
April 12, 2008
Allied Waste
BSO
PHYS
Unknown
A strap on the garage truck snapped sending reams of unshredded financial reports over downtown Boston streets.
Information
Source:
Media
April 12, 2008
West Seneca School District
West Seneca, New York
EDU
HACK
1,800
Several current and former students are believed to have broken into the school district's computer system and copied
secure files that included the personal information and Social Security numbers of school employees
Information
Source:
Dataloss DB
April 11, 2008
New York-Presbyterian Hospital, Weill Cornell Medical Center
New York, New York
MED
INSD
49,841
An admissions employee is accused of selling 2,000 patients' data in an identity theft scheme and accessing nearly 50,000
records illegitimately. Records contained names, phone numbers and, in some cases, Social Security numbers of patients.
The employee has since been charged with one count of conspiracy involving computer fraud, identity document fraud,
transmission of stolen property and sale of stolen property.
Information
Source:
Dataloss DB
April 10, 2008
Joliet West High School
Joliet, Illinois
EDU
HACK
Unknown
A student using a school computer last month was able to access personal information about every student enrolled. The
student allegedly downloaded a list of names and Social Security numbers to his iPod.
Information
Source:
Dataloss DB
162
Dataloss DB
April 9, 2008
People's United Bank
BSF
PHYS
Unknown
For four months, a dumpster diver searched through trash bins outside People's United Bank branches in Fairfield County.
He pulled out bags of paperwork with private information, including customers' Social Security numbers and account
information.
UPDATE (5/1/08): The man who discovered bank records in the garbage outside local branches of People's United Bank in
Connecticut has been sued to prevent him from informing people about the discovery. The man, discovered financial
documents, including customer names, Social Security numbers, and account information. He was a no-show at a scheduled
appearance in court. The bank won a restraining order against the man, which ordered him not to talk to bank customers, or
disclose what he had discovered. He disregarded the order and made a documentary about the discovery. The man has
already been fined $800 USD for refusing to hold his tongue, and now he has also been ordered to pay the bank's legal
costs. According to the Connecticut Post, those costs are already up to around $40,000 USD.
Information
Source:
Media
April 9, 2008
Norfolk's Community Services Board
Norfolk, Virginia
NGO
PHYS
30
The personal information of clients of Norfolk's Community Services Board was compromised when a case worker's
briefcase was stolen. The briefcase was left in the worker's car in a Virginia Beach parking garage, but someone smashed a
window and stole it. It's unclear what information was in the files but that it likely included Social Security numbers.
Information
Source:
Media
April 8, 2008
WellPoint
BSO
DISC
128,000
Personal information that may have included Social Security numbers and pharmacy or medical data for customers in
several states was exposed online over the past year.
Information
Source:
Dataloss DB
April 8, 2008
WellCare Health Plans Inc.
Atlanta, Georgia
MED
DISC
71,000
Private records of members of health insurance programs for the poor or working poor were accidentally made available on
the Internet for several days. Those whose data was made available on the Internet included members of Medicaid, the
federal health program for the poor, and PeachCare for Kids, a federal-state insurance plan for children of the working poor.
About 10,500 members' Social Security numbers may have been viewed by unauthorized people on the Internet, all
members of Medicaid or PeachCare. There is a possibility that an initial 59,000 members may have had some personal
information made accessible.
Information
Source:
Dataloss DB
April 7, 2008
Pfizer Inc
New York, New York
BSO
PORT
800
A laptop was stolen by a burglar from the home of a contractor who helps arrange planning travel and meetings for Pfizer.
Information on the laptop included names, credit card numbers and, in some instances, credit card expiration dates, various
addresses and phone numbers, hotel loyalty program numbers and other information. It did not appear that any Social
Security numbers or PIN codes were exposed.
163
Information
Source:
Dataloss DB
April 7, 2008
Army Acquisition Support Center
Ft. Belvoir, Virginia
GOV
DISC
24
A spreadsheet containing a hidden column of Social Security numbers belonging to about two dozen officers and civilian
employees of one Army agency was left on the agency's website for five months after being notified of the presence of the
personal information. The center has temporarily shut down its website to scrub the information from the spreadsheet.
Information
Source:
Media
April 7, 2008
Redbox
Oakbrook Terrace, Illinois
BSR
CARD
Unknown
Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country. They announced
that they'd found credit card skimmers attached to three of their kiosks.
Information
Source:
Media
April 4, 2008
Harley-Davidson, Inc. (HOG)
BSO
PORT
60,000
A laptop computer containing certain HOG members' personal information was determined to be missing from their facilities.
The personal information stored on the computer included names, addresses, credit card numbers, their expiration dates,
and driver's license numbers.
Information
Source:
Media
April 4, 2008
University of California, Irvine
Irvine, California
EDU
UNKN
7,000
7,000 current or former graduate students could be at risk of identity thieves who already used stolen data to file fake tax
returns for 93 students. UCI doesn't know how the information was stolen or who is using it.
Information
Source:
Dataloss DB
April 1, 2008
Okemo Mountain Resort
Ludlow, Vermont
BSO
HACK
28,168
(866) 756-5366
The Ludlow ski area announced that its computer network was breached by an intruder who gained access to credit card
data including cardholder names, account numbers and expiration dates.
Information
Source:
Dataloss DB
March 31, 2008
Advance Auto Parts
Roanoke, Virginia
BSR
HACK
56,000
164
The retailer reported that a network intrusion had exposed financial information and was the subject of a criminal
investigation. Fourteen of the retailer's stores, including locations in Georgia, Ohio, Louisiana, Tennessee, Mississippi,
Indiana, Virginia and New York, are believed to have been affected.
Information
Source:
Dataloss DB
March 29, 2008
Department of Human Resources
Atlanta, Georgia
GOV
PORT
Unknown
A thief has stolen computer records containing identifying information on current and former employees of the state
Department of Human Resources, including names, Social Security numbers, birth dates and home contact information. An
external hard drive that stored a database was removed by an unauthorized person.
Information
Source:
Dataloss DB
March 29, 2008
San Quentin State Prison
San Quentin, California
GOV
PORT
3,500
A flash memory drive containing names, birth dates and driver's license numbers of people who either volunteered or visited
San Quentin State Prison in a group tour has been lost.
Information
Source:
Media
March 28, 2008
Antioch University
Yellow Springs, Ohio
EDU
HACK
70,000
A computer system that contained personal information on about 70,000 people was breached by an unauthorized intruder
three times. The system contained the names, Social Security numbers, academic records and payroll documents for
current and former students, applicants and employees.
Information
Source:
Dataloss DB
March 28, 2008
Museum of Science, Boston
NGO
DISC
140
The museum has notified 140 patrons that their names, credit card numbers, and other personal information were exposed
on the museum's website because of a contractor's error.
Information
Source:
Dataloss DB
March 26, 2008
Presbyterian Intercommunity Hospital
Whittier, California
MED
STAT
5,000
About 5,000 past and current employees at Presbyterian Intercommunity Hospital had their private information stolen. The
data included Social Security numbers, birth dates, full names and other records stored on a desktop computer that was
stolen.
Information
Source:
Media
165
March 26, 2008
Broward School District
EDU
Coconut Creek, Florida
HACK
38,000
An Atlantic Technical High School senior hacked into a district computer and collected Social Security numbers and
addresses of district employees.
Information
Source:
Dataloss DB
March 26, 2008
Originally 4.5 million
Bank of New York Mellon
BSF
PORT
customer records,
raised to 12.5 million
(877) 278-3451, (877) 278-346, www.bnymellon.com/tapequery [138]
The company lost a box of computer data tapes storing personal information including names, Social Security numbers and
possibly bank account numbers.
UPDATE (5/07/08): On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on
about 4.5 million consumers -- hundreds of thousands of them People's United Bank customers and investors -- and nine
other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company
vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.
UPDATE (5/31/08): The Hartford Courant [139] reports the following figures regarding the number of Connecticut
shareholders affected by the lost computer tape: 403,894 People's United Bank 33,586 John Hancock Financial 18,361 Walt
Disney Co. 10,000 the remaining shareholders
UPDATE (8/30/08): The estimated number of people affected by a data breach at Bank of New York Mellon Corp has been
raised from 4.5 million to 12.5 million.
UPDATE (2/19/09): The Bank of New York Mellon will pay Connecticut $150,000 as part of a settlement. The bank will
continue to provide those affected by the breach with credit monitoring and fraud alerts for a total of 36 months of protection.
It will also reimburse anyone for funds stolen from their accounts as a direct result of the data breach.
Information
Source:
Media
March 24, 2008
National Institutes of Health
Bethesda, Maryland
GOV
PORT
4,359
A laptop was stolen from the trunk of a car. It contained information about heart disease patients, including their names,
dates of birth and diagnoses of their medical conditions.
UPDATE (4/14/08): Ongoing review of the computer's last-known contents, performed on data backed up from the laptop
before it was stolen, has found a file that, unbeknownst to the lead researcher, had been loaded onto the laptop by a
research associate.That file included Social Security numbers for at least 1,281 of the 3,078 patients enrolled in the multiyear study, which is sponsored by the NIH's National Heart, Lung and Blood Institute.
Information
Source:
Dataloss DB
March 22, 2008
Agilent Technologies
Santa Clara, California
BSO
PORT
51,000
A laptop containing sensitive and unencrypted personal data on current and former employees of Agilent Technologies was
stolen from the car of an Agilent vendor. The data includes employee names, Social Security numbers, home addresses and
details of stock options and other stock-related awards. Agilent blamed the San Jose vendor, Stock & Option Solutions, for
failing to scramble or otherwise safeguard the data - in violation of the contracted agreement.
Information
Source:
166
Dataloss DB
March 22, 2008
Western Carolina University
Cullowhee, North Carolina
EDU
HACK
555
Someone had hacked into a computer server and had access to the Social Security numbers of 555 graduates of the
university who had signed up for a newsletter.
Information
Source:
Dataloss DB
March 21, 2008
Compass Bank
Birmingham, Alabama
BSF
INSD
1,000,000
A database containing names, account numbers and customer passwords was stolen. A credit-card encoder and software to
encode the information onto blank cards was also used to acquire information from ATMs. A former programmer at
Birmingham, Ala.-based Compass Bank stole a hard drive containing 1 million customer records and used some of that
information to commit debit-card fraud. The thief had used the information stolen from Compass Bank's database to create
about 250 counterfeit debit cards. He was able to use about 45 of those cards to access and withdraw cash from customer
accounts at the bank before he was arrested.
Information
Source:
Dataloss DB
March 21, 2008
Rhode Island Department of Administration
Cranston, Rhode Island
GOV
PORT
1,400
A state computer disk containing Social Security numbers is missing. The information was discovered missing within the last
two weeks when human resources staff members who had relocated from Providence to Cranston could not find the data on
the server.
Information
Source:
Dataloss DB
March 20, 2008
Rampage Marketing Services
Columbus, Ohio
BSO
PHYS
Unknown
The company, a licensed insurance agency, threw 14 boxes of files containing sensitive financial and medical information
into a trash bin. An insurance agent for another company noticed the boxes in the shared bin and sent them back to the
Insurance Department
Information
Source:
Media
March 20, 2008
Pennsylvania Department of State
GOV
DISC
30,000
The state was forced to pull the plug on a voter registration Web site after it was found to be exposing sensitive data about
voters. Because of a Web programming error, the Web site was allowing anyone on the Internet to view data such as the
voter's name, date of birth, driver's license number, and political party affiliation. On some forms, the last four digits of Social
Security numbers could also be seen.
Information
Source:
Media
Lasell College
167
March 20, 2008
Lasell College
Newton, Massachusetts
EDU
HACK
20,000
A hacker accessed data containing personal information on current and former students, faculty, staff and alumni.
Information included names and Social Security numbers.
Information
Source:
Dataloss DB
March 19, 2008
Affordable Realty
Flint, Michigan
BSO
PHYS
Unknown
Social Security numbers and financial records of customers. Affordable Realty occupied office space inside the Ben Agree
building on Dort Highway for years. The company was evicted and all of its sensitive customer information ended up outside
in a dumpster or on the ground nearby.
Information
Source:
Dataloss DB
March 19, 2008
The Dental Network
Baltimore, Maryland
MED
DISC
74,256
(866) 879-7402
A security breach of The Dental Network website left access to member personal data, including names, Social Security
numbers, addresses and dates of birth unprotected for approximately two weeks. The Dental Network is an independent
licensee of the Blue Cross and Blue Shield Association.
Information
Source:
Dataloss DB
March 19, 2008
UCLA Medical Center
MED
INSD
900
UCLA Medical Center has moved to fire 13 employees and suspended six others for unauthorized access to confidential
medical records.
UPDATE (8/5/08): The latest report said 127 workers peeked into celebrities' medical records without permission, leading to
several firings, suspensions and warnings. The report also detailed the case of one employee who looked at the records of
about 900 patients without any legitimate reason and viewed Social Security numbers, health insurance information and
addresses, from April 2003 to May 2007.
Information
Source:
Dataloss DB
March 17, 2008
Hannaford Bros. Supermarket chain
Portland, Maine
BSF
HACK
4.2 million
(866) 591-4580
This security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of
independent groceries that sell Hannaford products. The company is currently aware of about 1,800 cases of reported fraud
related to the security breach. Credit and debit card numbers were stolen during the card authorization transmission
process. It's unclear if personal information was exposed.
UPDATE (4/2/2009): An April 2, 2009, news story indicated that between Dec. 7, 2007, and March 10, 2008, hackers stole
credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. About
1,800 fraudulent charges had been made.
UPDATE (5/14/2009): A federal appeals court has revived a Tampa class-action suit seeking money for Florida shoppers
whose credit and debit card numbers were swiped in a data breach that hit 109 Sweetbay Supermarkets. The suit seeks free
168
credit monitoring, credit repair if necessary and undetermined money damages to be split up among victims of the breach,
including those unaware they were victims.
UPDATE (5/22/2009): A Maine U.S. District Court dismissed most of a class action lawsuit against Hannaford, finding that
there is no way to value the time and effort that consumers spent in correcting fraudulent activity resulting from the breach.
The case of one named plaintiff was not dismissed. That plaintiff suffered actual monetary damages for unreimbursed
fraudulent charges.
Information
Source:
Dataloss DB
March 17, 2008
Minneola City
Minneola, Florida
GOV
DISC
9
Nine Minneola firefighters are trying to keep their names clean after their personal information ended up on the city's Web
site. The city clerk accidentally published the information. Social security numbers, phone numbers, addresses and personal
information from union application cards found its way onto the city's Web site for over 36 hours.
Information
Source:
Media
March 17, 2008
Binghamton University
EDU
DISC
300
A university employee mistakenly sent an e-mail attachment containing the names, grade point averages and Social Security
numbers of junior and senior accounting students to another group of School of Management students.
Information
Source:
Dataloss DB
March 15, 2008
Starling Insurance and Associates
BSF
PHYS
Unknown
A server stolen from the locked offices contained names, addresses and Social Security numbers, dates of birth, driver's
license numbers and/or account information for an unspecified number of customers.
Information
Source:
Media
500 - not included in
March 15, 2008
Utah Division of Finance
GOV
HACK
total because it is
unclear whether Social
Security numbers or
was involved
Computer files containing the personal information of approximately 500 individuals may have been accessed by
unauthorized persons during a security breach. An initial investigation indicates it is highly unlikely the person who breached
the computer system was able to access any personal information.
Information
Source:
Dataloss DB
March 13, 2008
University Health Care
MED
PORT
4,800
169
A laptop and flash drive containing patient data were stolen after hours from a locked office. Data included patients' names,
addresses, and in some cases, medications, health insurance policy numbers, and Social Security numbers.
Information
Source:
Dataloss DB
March 12, 2008
Harvard University
EDU
HACK
6,600
Harvard Graduate School of Arts and Sciences (GSAS) Web server may have compromised 10,000 sets of personal
information from applicants and students, including 6,600 Social Security numbers and 500 Harvard ID numbers.
Information
Source:
Dataloss DB
March 10, 2008
Texas Department of Health and Human Services
Austin, Texas
MED
STAT
Unknown
Information, including Social Security numbers that could be used to steal Medicaid clients' identity may have been stored on
two computers stolen during a burglary. Computers could have contained personal information only on e-mails. The e-mails,
however, would normally contain only an individual's case number. It is unlikely those e-mails would have listed Social
Security numbers.
Information
Source:
Media
March 10, 2008
Central Florida Regional Hospital
Sanford, Florida
MED
PHYS
28
The medical records of Central Florida Regional Hospital patients were sold last month at a Salt Lake City surplus store for
about $20. The records were sold to a local school teacher looking for scrap paper for her fourth-grade class. The records
contained detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information. They
were lost en route to a Medicare auditor in Las Vegas, NV.
Information
Source:
Media
March 10, 2008
Blue-Cross Blue-Shield of Western New York
Buffalo, New York
MED
PORT
40,000
A laptop hard-drive containing vital information about members has gone missing. Blue-Cross Blue-Shield of Western New
York says it is notifying its members about identity theft concerns after one of it's company laptops went missing.
Information
Source:
Dataloss DB
March 8, 2008
MTV Networks
BSO
HACK
5,000
Computer files with confidential data on employees at MTV Networks were breached by someone outside the company.
Personal information in the files included names, birth dates, Social Security numbers and compensation data.
Information
Source:
Dataloss DB
170
March 6, 2008
Cascade Healthcare Community
Prineville, Oregon
MED
HACK
11,500
A computer virus may have exposed to outside eyes the names, credit card numbers, dates of birth and home addresses of
individuals who donated to Cascade Healthcare Community.
Information
Source:
Dataloss DB
March 5, 2008
Nevada Department of Public Safety
Carson City, Nevada
GOV
PORT
109
A private firm working for the Nevada Department of Public Safety has lost a thumb drive containing personal information
provided by individuals seeking jobs with the agency. Data included Social Security numbers, addresses and background
check information.
Information
Source:
Dataloss DB
March 3, 2008
DaVita Inc.
Denver, Colorado
MED
PORT
8,800
A laptop containing employee information was stolen from an employee's vehicle. The information included Social Security
numbers and medical insurance information.
Information
Source:
Dataloss DB
March 3, 2008
Kaft Foods
Northfield, Illinois
BSO
PORT
20,000
A company-owned laptop computer was stolen from an employee of Kraft Foods traveling on company business. The laptop
contained the names and may have contained Social Security numbers.
Information
Source:
Dataloss DB
February 29,
2008
Wellesley Health Department
Wellesley, Massachusetts
GOV
PHYS
480
Information in an envelope that had been mailed by the town's health department to a Medicare office in Boston say when
the envelope arrived, it was open and the contents were missing. The material included social security numbers, addresses
and dates of birth of seniors who had received flu shots from the town last fall.
Information
Source:
Dataloss DB
February 27,
2008
Health Net Federal Services
Rancho Cordova, California
MED
DISC
103,000
Thousands of doctors in eleven states had their personal information openly posted on a company website. Social Security
numbers were part of the personal information exposed. The states involved include Wisconsin, Michigan, Illinois, Indiana,
Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia.
Information
Source:
171
Dataloss DB
February 25,
2008
Mecklenburg County
GOV
PHYS
400
A County employee's car was stolen, and in that car was a printout of bank draft transactions within the Park and Recreation
Department. Bank account information of an unknown number of people in Mecklenburg County has been stolen.
UPDATE: 400 account numbers were stolen; the county alerted those who were affected via letter.
Information
Source:
Dataloss DB
February 18,
2008
First Magnus Financial
Ft. Lauderdale, Florida
BSF
PHYS
Unknown
Outside a University of Phoenix Building in Ft. Lauderdale, files and paperwork belonging to the defunct First Magnus
Financial were just lying in stacked boxes inside an industrial garbage container. The paperwork contained Social Security
numbers, credit card information, addresses, and properties.
Information
Source:
Dataloss DB
February 16,
2008
College Station, Texas
EDU
DISC
3,000
A computer file containing the names and Social Security numbers of current and former Texas A&M University agricultural
employees was inadvertently posted online and accessible to the public for three weeks.
Information
Source:
Dataloss DB
February 15,
2008
Systematic Automation Inc
Fullerton, California
BSO
STAT
40,000
Police filed possession of stolen property charges against a prison parolee who was arrested for having a computer with
more than 40,000 names, addresses and Social Security numbers of California residents. The computer was stolen from
Systematic Automation Inc., which processes individualized annual statements customized for employees with a summary of
their health and other employee benefits. The hard drive contained employee information from 19 agencies. Some of the
larger agencies include the Modesto City Schools, Clovis Unified School District, Los Angeles Department of Water and
Power, and the Torrance Unified School District.
Information
Source:
Dataloss DB
February 15,
2008
Lexmark International
Lexington, Kentucky
BSO
DISC
Unknown
The employee personal data was inadvertently exposed, it included Social Security numbers, dates of birth, along with
names and addresses. The data was accessed by two unknown parties when the data was loaded to a company file sharing
site.
Information
Source:
Dataloss DB
February 15,
Crosslines Ministries of Carthage
NGO
PHYS
2,000
172
2008
Carthage, Missouri
NGO
PHYS
2,000
One of the largest aid agencies in Carthage was burglarized and files, containing the personal information of about 2,000
families, were stolen. Among the items stolen were paper files containing names, addresses, Social Security numbers and
other personal information of individuals served by Crosslines.
Information
Source:
Dataloss DB
February 14,
2008
Tenet Healthcare Corporation
Dallas, Texas
MED
INSD
37,000
A ex-employee worked at a Frisco, Texas, billing center for less than two years, and is confirmed to have stolen the names,
Social Security numbers and other personal information of about 90 patients. The employee also had access to 37,000 other
accounts.
Information
Source:
Dataloss DB
February 13,
2008
Los Angeles Department of Water and Power
GOV
PHYS
Unknown
A computer was stolen from a contractor on February 11, 2008. Compromised information included name, Social Security
number, date of birth, employee identification number, salary, work location, deferred compensation balances, insurance
plan coverage and health care benefits selection for all active employees who were members of the DWP Retirement Plan
during 2006 and 2007.
Information
Source:
Security Breach
Letter
February 13,
2008
Milwaukee County
GOV
DISC
Unknown
Milwaukee County officials mistakenly released numerous confidential court records for a citizens group's Web site that detail
payments for tests and other costs linked to to mental competency, paternity and guardianship cases. Entries for psychiatric
examinations and guardianship fees in which the clients' names were still listed.
Information
Source:
Media
February 13,
2008
Lifeblood
Memphis, Tennessee
MED
PORT
321,000
Laptop computers with birth dates and other personal information of roughly 321,000 blood donors are missing and
presumed stolen. Stored inside both computers were names, birth dates and addresses at the time of the individual's last
donation or attempted donation. In most cases, the donors' Social Security numbers were also stored, along with driver's
licenses, telephone numbers, e-mail addresses, ethnicity, marital status, blood type and cholesterol levels. Social Security
numbers had been used to track blood from the donor to the recipients.
Information
Source:
Dataloss DB
February 13,
2008
Middle Tennessee State University
Murfreesboro, Tennessee
EDU
STAT
1,500
A professor left the university computer unattended in the mass communication department about two weeks ago and an
unidentified person is believed to have used the machine to send spam e-mails. The computer contained the names and
173
Social Security numbers of past and current students.
Information
Source:
Dataloss DB
February 12,
2008
Modesto City Schools
Modesto, California
EDU
PORT
3,500
(209) 576-4192
A computer hard drive holding the names, addresses, birth dates and Social Security numbers of Modesto City Schools'
employees was stolen.
Information
Source:
Dataloss DB
February 12,
2008
Long Island University
Brookville, New York
EDU
PHYS
30,000
Students tax forms mailed to them last week in were in defective mailers. The mailers containing each student's annual
1098-T Tuition Statement were supposed to have adhesive on all four sides. But one side of each envelope was missing
adhesive. The statement contains the student's name, address and Social Security number.
Information
Source:
Dataloss DB
February 11,
2008
Jefferson County Public Schools
Arvada, Colorado
EDU
PORT
2,900
A special education technician had a personal laptop and jump drive stolen during a home robbery. Student name and date
of birth, Student ID number, School location If the student has received district transportation additional information such as
parent or guardian name and contact information, may also have been on the jump drive. The stolen information did not
contain any Social Security numbers or financial information.
Information
Source:
Dataloss DB
February 10,
2008
Administrative Systems, Inc
Seattle, Washington
BSO
STAT
Unknown
A desktop computer stolen from an Administrative Systems, Inc. (ASI) office in Seattle contained names and sensitive
information about customers or employees of several of the firm's clients: Continental American Medical, EyeMed
Vision/Kelly Services Vision, and Jefferson Pilot Financial Dental. Personal details may have included name, date of birth,
mailing address, and Social Security number, depending on the service being provided.
Information
Source:
Dataloss DB
February 8, 2008
MLSgear.com
BSR
HACK
Unknown
Injection attacks on web servers hosted by a third-party service provider has compromised the personal data of an
unspecified number of individuals who had shopped on Major League Soccer's MLSgear.com Web site. The compromised
information included names, addresses, credit card data, debit card data, and MLSgear.com passwords.
Information
Source:
174
Dataloss DB
February 7, 2008
Memorial Hospital
South Bend, Indiana
MED
PORT
4,300
A laptop containing the personal information of full and part time employees and retirees is missing. The missing computer
contains their names, addresses, birth dates, ID numbers and Social Security numbers.
Information
Source:
Dataloss DB
February 4, 2008
Bellin Health
Greenbay, Wisconsin
MED
PHYS
650
Patients received notification that their Social Security numbers may have been exposed. Invoices mailed from Bellin
Health's unnamed bill processor had viewable Social Security numbers.
Information
Source:
PHIPrivacy.net
February 2, 2008
Diocese of Providence
NGO
STAT
5,000
Four computers were taken, and one had personal information on current and former Catholic school employees. The theft
possibly exposed names, addresses and Social Security numbers.
Information
Source:
Dataloss DB
February 1, 2008
Marine Corps Bases Japan
GOV
PORT
4,000
Additional location: Okinawa, Japan
A laptop was stolen which contained personally identifiable information for clients of Marine Corps Community Services' New
Parent Support Program. The laptop may contain names, ranks, Social Security numbers, dates of birth, children's names
and mailing addresses of U.S. military service members, U.S. government employees and Status of Forces Agreement
personnel on Okinawa and Marine Corps Air Station Iwakuni. It does not include driver's license numbers or bank and credit
card information.
Information
Source:
Dataloss DB
South Carolina Department of Health and Environmental Control in Spartanburg,
January 31, 2008 Cherokee, Union, Greenville and Pickens counties
GOV
PORT
400
, South Carolina
A laptop containing the names and Social Security numbers of state health department employees is missing. The computer
was inside a worker's vehicle when it was stolen last week from a convenience store. State officials say the passwordprotected computer contains personal information of state health department workers from Spartanburg, Cherokee, Union,
Greenville and Pickens counties.
Information
Source:
Dataloss DB
January 31, 2008
University of Minnesota Reproductive Medicine Center
MED
PORT
3,100
175
January 31, 2008
MED
PORT
3,100
A doctor at the fertility clinic lost a flash drive that was used to back up his computer. The drive held details of infertility
treatments for 3,100 patients going back to 1999. The lost drive included names, birthdates, and in some cases, diagnostic
information, details of treatments, whether or not patients had conceived, baby names, and birth weights -- but apparently no
SSNs or financial information.
Information
Source:
Dataloss DB
January 30, 2008
Davidson Companies
Great Falls, Montana
BSF
HACK
226,000
A computer hacker broke into a database and obtained the names and Social Security numbers of virtually all of the Great
Falls financial services company's clients. The database also included information such as account numbers and balances.
Information
Source:
Dataloss DB
January 29, 2008
Georgetown University
EDU
PORT
38,000
A hard drive containing the Social Security numbers of Georgetown students, alumni, faculty and staff was reported stolen
from the office of Student Affairs.
Information
Source:
Dataloss DB
January 29, 2008
Wake County (NC) Emergency Medical Services
MED
PORT
4733
A Panasonic Toughbook used by county paramedics to store patient information on ambulance runs went missing from the
WakeMed emergency department and now is thought to have been stolen. The laptop contained names, addresses and
UPDATE (2/7/08): The laptop also may have the names and Social Security numbers of emergency personnel. The number
includes county paramedics, firefighters and contracted emergency medical technicians and paramedics from municipal
agencies.
Information
Source:
Dataloss DB
January 29, 2008
Horizon Blue Cross Blue Shield
Newark, New Jersey
MED
PORT
300,000
More than 300,000 members names, Social Security numbers and other personal information were contained on a laptop
computer that was stolen. The laptop was being taken home by an employee who regularly works with member data.
Information
Source:
Dataloss DB
January 29, 2008
TransUnion, Intelenet Global Services,
Fullerton, California
BSF
INSD
400
Additional location: Plano, TX
Credit profiles of as many as 400 Americans have been altered by two employees of Mumbai, India-based Intelenet Global
176
Services, an outsourcing company. The two arrested Intelenet employees had been accessing and altering data of
individuals in the datafiles of the credit bureau TransUnion since August 2005. The bank account statements of the two men
revealed that money was being deposited from an international source for the past few months.
Information
Source:
Dataloss DB
January 28, 2008
T. Rowe Price Retirement Plan Services, CBIZ Benefits and Insurance Services Inc.
BSF
Baltimore, Maryland
STAT
35,000
Names and Social Security numbers of current and former participants in several hundred retirement plans were
compromised when several computers were stolen. The machines were taken from the office of CBIZ Benefits and
Insurance Services Inc.
Information
Source:
Dataloss DB
January 25, 2008
Penn State University
EDU
PORT
677
A university laptop containing archived information and Social Security numbers for 677 students attending Penn State
between 1999 and 2004 was recently stolen from a faculty member.
Information
Source:
Dataloss DB
January 24, 2008
Fallon Community Health Plan
Worcester, Massachusetts
MED
PORT
29800
A vendor computer containing personal information on patients of Fallon Community Health Plan has been stolen. The data
included names, dates of birth, some diagnostic information and medical ID numbers. Some of which may be based on
Information
Source:
Dataloss DB
January 24, 2008
OmniAmerican Bank
Fort Worth, Texas
BSF
HACK
Unknown
An international gang of cyber criminals hacked into the bank's records. They stole account numbers, created new PINs,
fabricated debit cards, then withdrew cash from ATMs in Eastern Europe, Russia, Ukraine, Britain, Canada and New York.
Fewer than 100 accounts, some of them dormant, were compromised.
Information
Source:
Dataloss DB
January 23, 2008
Baylor University
Waco, Texas
EDU
INSD
Unknown
A student employee breached the security of the Baylor Information Network to access the Bear ID and passwords of those
logging on to the BIN. This access didn't include sensitive information like Social Security Numbers, financial information or
academic records. It was just unlawful access to Bear IDs and passwords. The information did, however, give access to
Baylor e-mail and Blackboard accounts.
Information
Source:
177
Media
January 17, 2008
GE Money , Iron Mountain
BSF
PORT
150,000
Personal information on customers of J.C. Penney and up to 100 other retailers could be compromised after a computer
tape went missing. The missing information includes Social Security numbers for about 150,000 people.
Information
Source:
Dataloss DB
January 16, 2008
University of Wisconsin, Madison
Madison, Wisconsin
EDU
DISC
205
The personal information, including e-mail addresses, phone numbers, Social Security numbers and campus ID numbers of
faculty and staff who made purchases from the DoIT computer shop had been accessible on a campus Internet site.
Information
Source:
Dataloss DB
January 15, 2008
Department of Revenue Wisconsin
Madison, Wisconsin
GOV
PHYS
5,000
Breach locations: Lena, Marinette, Little Suamico, Freedom, Kaukauna, Kimberly, Little Chute, Krakow, Keshena and
Lakewood
Taxpayers in northeastern Wisconsin had their Social Security numbers exposed in a state mailing. A folding error,
apparently the result of a faulty machine, allowed the Social Security numbers to be seen through the clear address window
of the envelope.
Information
Source:
Dataloss DB
January 15, 2008
Naval Surface Warfare Center Dahlgren Division
White Oak, Maryland
GOV
PHYS
Unknown
(800) 352-7967
Officials at the Naval Surface Warfare Center are warning past and present employees that their identities and credit ratings
could be at risk. Two pages of a Naval Surface Warfare Center Employment Verification Report was found when four people
were arrested in Bensalem Township, Pa., last week for attempted identity fraud. The report included names, Social Security
numbers, birth dates, position titles, tenure codes, pay grades, salaries and other information about the employees.
Information
Source:
Dataloss DB
January 14, 2008
Tennessee Tech University
Cookeville, Tennessee
EDU
PORT
990
A portable storage drive containing the names and Social Security numbers of 990 students has been lost. A school
employee transferred the information onto a portable flash drive when the printer where he was working did not print. The
employee noticed the drive was missing the next morning.
Information
Source:
Dataloss DB
178
January 12, 2008
California State University Stanislaus, Sodexho
Turlock, California
EDU
UNKN
Unknown
A possible data breach occurred on a food vendor's computer server. Credit card numbers, cardholder names and
expiration dates were exposed, leaving hundreds, possibly thousands, of university students, staff and guests open to
identity theft, with victims reporting fake charges on their cards. Social Security numbers were not accessible.
Information
Source:
Dataloss DB
January 11, 2008
University of Akron
Akron, Ohio
EDU
PORT
800
A portable hard drive containing personal information is missing and may have been discarded or destroyed. The device
contained Social Security numbers, names and addresses of students and graduates.
Information
Source:
Dataloss DB
January 11, 2008
University of Iowa
Iowa City, Iowa
EDU
DISC
216
Iowa College of Engineering has notified some of its former students that some of their personal information, including Social
Security numbers, was inadvertently exposed on the Internet for several months.
Information
Source:
Dataloss DB
January 11, 2008
Virginia Department of Social Services
Richmond, Virginia
GOV
INSD
1,500
The Department of Social Services has mailed about 1,500 letters to warn of a potential security breach involving a
department computer that police suspect was used to commit fraud. A woman is accused of using her work computer while
employed by Social Services last summer to apply for a credit card using her landlord's information. She was charged with
two felony counts, credit card fraud and forgery, and is accused of spending nearly $1,000 on the card.
Information
Source:
Dataloss DB
January 10, 2008
Select Physical Therapy
Levelland, Texas
MED
PHYS
4,000
The company dumped about 4,000 pieces of sensitive customer information in garbage containers behind its facility. The
records included Social Security numbers, credit and debit card account numbers, names, addresses and telephone
numbers.
Information
Source:
Dataloss DB
January 8, 2008
Wisconsin Department of Health and Family Services
Madison, Wisconsin
GOV
DISC
260,000
Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state,
Electronic Data Systems Inc. (EDS), to recipients of SeniorCare, BadgerCare and Medicaid. The company agreed to pay
$250,000 to the state for the mistake, as well as paying for an identity theft monitoring service for the affected individuals, for
a total of about $1 million.
179
Information
Source:
Dataloss DB
January 8, 2008
University of Georgia
EDU
Athens, Georgia
HACK
4,250
Former and prospective residents of a University housing complex were affected by a hacker who was able to access a
server containing personal information, including Social Security numbers. A computer with an overseas IP address was able
to access the personal information - including Social Security numbers, names and addresses - of 540 current graduate
students living in graduate family housing and 3,710 former students and applicants.
Information
Source:
Dataloss DB
January 7, 2008
Sears, ManageMyHome.com
Cook County, Illinois
BSR
DISC
Unknown
Sears' ManageMyHome.com site exposed customer purchase data to any online visitor who asked about it.
Information
Source:
Media
January 7, 2008
Geeks.com
BSR
HACK
Unknown
Personal and financial data may have been compromised by an intrusion into the systems of the online retailer's Web site.
Compromised information included the names, addresses, telephone numbers and Visa credit card numbers.
Information
Source:
Dataloss DB
January 5, 2008
New Mexico State University
EDU
PORT
Unknown
A computer hard drive containing the names and Social Security numbers of current and former NMSU employees is missing
from the Pan American Center.
Information
Source:
Dataloss DB
January 4, 2008
Health Net
MED
PORT
5,000
Additional locations: Connecticut.
Thousands of Health Net employees in Connecticut and other states have been notified that their names and Social Security
numbers were on a laptop computer that was stolen more than a month ago from a company vendor. The laptop had
information on about 5,000 employees companywide and an undisclosed number of health-care providers outside the
Northeast.
Information
Source:
Dataloss DB
January 4, 2008
Florida Department of Children and Families
GOV
PORT
1,200
180
January 4, 2008
Orange, Florida
GOV
PORT
1,200
Additional locations: Seminole and Osceola, FL)
Social Security numbers, birth dates and other information about day-care workers in Orange, Seminole and Osceola
counties were among the data on five laptop computers that were stolen from the DCF office near Orlando.
Information
Source:
Dataloss DB
January 4, 2008
Maryland Department of Assessments and Taxation
Baltimore, Maryland
GOV
DISC
900
The Maryland Department of Assessments and Taxation Web site may have exposed Social Security numbers online
because the application system did not have a necessary security certificate to encrypt the information before it was sent out
over the Internet. Roughly 900 people used the system.
Information
Source:
Dataloss DB
January 3, 2008
Robotics Industries Association
Ann Arbor, Michigan
BSO
HACK
Unknown
A hacker accessed the administration site for Robotics Online gaining access to individual orders that contained credit card
information. Seven residents of NH were affected, but national totals were not indicated.
Information
Source:
Media
January 3, 2008
Dorothy Hains Elementary School
Augusta, Georgia
EDU
STAT
Unknown
The library door was kicked in and the circulation computer was stolen, something the principal desperately wants back
because it has the Social Security numbers of students and teachers on it.
Information
Source:
Dataloss DB
January 2, 2008
Workers Compensation Fund
BSO
PORT
2,800
Officials with one of Utah's largest insurance companies are searching for a stolen laptop containing Social Security numbers
and other personal information for about 2,800 people and 1,400 companies. The computer was taken from a car parked in
the home garage of an auditor for the Workers Compensation Fund.
Information
Source:
Dataloss DB
December 28,
2007
Minnesota Department of Commerce
St. Paul, Minnesota
GOV
PORT
219
A laptop computer containing personal information on Minnesotans licensed by the state Commerce Department was stolen
from one of its Pennsylvania vendors.
Information
Source:
181
Dataloss DB
December 28,
2007
Davidson County Election Commission
GOV
PORT
337,000
Someone broke into several county offices over Christmas and stole laptop computers that county officials now believe may
have contained Social Security numbers and other personal information for every registered voter in Davidson County.
UPDATE (1/19/08): Metro Police confirmed late Thursday they have recovered the hard drive from the laptop computer,
containing names and complete Social Security numbers for 337,000 registered voters, that was stolen from the Election
Commission in December.
Information
Source:
Dataloss DB
December 28,
2007
United States Air Force
GOV
PORT
10,501
A military laptop computer is missing and it contains personal information including Social Security numbers, birth dates,
addresses, and telephone numbers of active and retired Air Force members. The laptop belonged to an Air Force band
member at Bolling Air Force Base, he reported it missing from his home.
Information
Source:
Dataloss DB
December 21,
2007
Franklin County Municipal Court
Columbus, Ohio
GOV
HACK
270
At least six central Ohioans are now under investigation by the U.S. Secret Service for hacking into a government Web site
and stealing Social Security numbers to create false credit accounts. More than 270 people nationwide might have been
victimized by a security lapse in the Franklin County Municipal Court Web site. Someone was randomly feeding Social
Security numbers into a clerk's site, which contained personal information for thousands of people charged with
misdemeanors, some guilty of only a speeding ticket. Once a number was hit on, the name, address, age and other
information could be used to obtain credit cards and open bank accounts.
Information
Source:
Dataloss DB
December 20,
2007
Dormitory Authority of the State of New York
Manhattan, New York
NGO
PORT
800
Data tapes containing Social Security numbers, phone numbers and addresses for up to 800 current and former employees
of the state Dormitory Authority are missing.
Information
Source:
Dataloss DB
December 20,
2007
Greenville County School District
EDU
HACK
Unknown
The district notified employees last week that its computers had been compromised and that employees' personal
information was taken, including their names, home phone numbers and Social Security numbers.
Information
Source:
Dataloss DB
182
December 18,
2007
Brownsville School District
Brownsville, Pennsylvania
EDU
PHYS
Unknown
Forms with employee personal information littered the fence of a Brownsville school district warehouse. Information on litter
contained confidential letters with names, bank account numbers, and Social Security numbers. The forms may be more
than ten years old, but they each contain information that's still valuable.
Information
Source:
Media
December 18,
2007
Pennsylvania Department of Aging
GOV
PORT
21,000
A state Department of Aging-owned laptop computer containing personal information on senior citizens was stolen from a
Johnstown home. The information included names, addresses, Social Security numbers and some medical information.
Information
Source:
Dataloss DB
December 17,
2007
West Penn Allegheny Health System
MED
(866) 559-6309 Monday through Friday from 10 a.m. to 6 p.m. or e-mail the hospital at [email protected]
PORT
42,000
[140] .
The names, Social Security numbers, phone numbers, addresses and patient care information of 42,000 patients were all on
a laptop computer stolen from a nurse's home. Only home care and hospice patients could be impacted, not patients at the
hospitals.
Information
Source:
Dataloss DB
December 14,
2007
Deloitte & Touche
New York, New York
BSO
PORT
Unknown
A laptop containing the personal information of an undisclosed number of Deloitte & Touche partners, principals and
employees was stolen while in possession of a contractor responsible for scanning the accounting firm's pension fund
documents. The computer contained confidential data, including names, Social Security numbers, birth dates, and other
personnel information, such as hire and termination dates.
Information
Source:
Dataloss DB
December 10,
2007
Cameron County
Brownsville, Texas
GOV
UNKN
Unknown
An employee released an e-mail with a list of all county officials and employees. It reportedly contained names, Social
Security numbers, and salaries.
Information
Source:
Dataloss DB
December 10,
2007
Sutter Lakeside Hospital
Lakeport, California
MED
PORT
45,000 Not added to
total. It is not clear if
SSNs or financial
exposed.
183
(866) 785-6443
A laptop computer containing personal and medical information of approximately 45,000 former patients, employees and
physicians has been stolen from the residence of a contractor.
Information
Source:
Dataloss DB
December 10,
2007
Iowa Department of Natural Resources
Des Moines, Iowa
GOV
PORT
7,000
A contractor working for the DNR revealed that a computer jump drive containing the names and Social Security numbers for
7000 people is missing. The contractor believes the jump drive fell off of his desk and into a garbage can.
Information
Source:
Dataloss DB
December 7,
2007
Beacon Medical Services
Aurora, Colorado
MED
DISC
Unknown
Detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible
Internet site for an uncertain period of time. The data included details of patients' visits to emergency rooms -- what ailments
they complained of, diagnoses, treatments, and medical histories, along with the patients' names, occupations, addresses,
phone numbers, insurance providers, and in some cases, Social Security numbers. The company is trying to determine the
exact number of patients affected, but Beck says the number looks to be fewer than 5,000.
Information
Source:
Dataloss DB
December 7,
2007
Colorado Board of Dental Examiners
Lone Tree, Colorado
GOV
PHYS
Unknown
More than a hundred Colorado dentists and their patients could be at risk for identity theft after a car containing a bag of
sensitive information was stolen. Authorities found the car a few days later at an apartment complex where one of the
alleged thieves lived. Inside the unit, police discovered a massive amount of personal information from previous crimes.
Social Security numbers, dates of birth, the credit card numbers, the pin numbers to those credit cards, they even have the
photo IDs of the individuals they stole those credit cards from.
Information
Source:
Dataloss DB
December 6,
2007
Oak Ridge National Laboratory
Oak Ridge, Tennessee
GOV
HACK
12,000
Hackers may have infiltrated a non-classified database containing names, Social Security numbers and birth dates of every
lab visitor between 1990 and 2004. The assault was in the form of phony e-mails containing attachments, which when
opened allowed hackers to penetrate the lab's computer security. The lab has sent letters to about 12,000 potential victims.
Information
Source:
Dataloss DB
December 5,
2007
Memorial Blood Centers
Duluth, Minnesota
Hot Line (888) 333-1491 Contacts: Memorial Blood Centers Laura Kaplan, (651) 332-7220 [email protected]
McCartney, (952) 346-6688
MED
[141]
PORT
268,000
or Jim
184
McCartney, (952) 346-6688
A laptop computer holding donor information was stolen. About 268,000 donor records on this laptop computer contain a
donor name in combination with the donor's Social Security number.
Information
Source:
Dataloss DB
December 5,
2007
Forrester Research
BSO
PORT
unknown
Thieves stole a laptop from the home of a Forrester Research employee, potentially exposing the names, addresses and
Social Security numbers of an undisclosed number of current and former employees and directors.
Information
Source:
Dataloss DB
December 4,
2007
Indianapolis Power and Light
BSO
DISC
3,000
(317) 261-4845
The private information of thousands of customers was inadvertently posted online for up to four years. Data included
names, addresses and Social Security numbers.
Information
Source:
Dataloss DB
December 4,
2007
Duke University
EDU
HACK
1,400
Social Security numbers of about 1,400 prospective law school applicants may have been compromised when a school Web
site was accessed illegally.
Information
Source:
Dataloss DB
December 1,
2007
Battelle & Battelle LLC
Oakwood, Ohio
BSO
PORT
600
Other organizations: Community Blood Bank, Ohio Masonic Home
A laptop was stolen from a Battelle & Battelle LLC employee's vehicle. The laptop contained information on an audit of the
Community Blood Center's 401K plan as well as information on the employees of Springfield-based Ohio Masonic Home.
The stolen laptop needs multiple levels of authentication in order to access the sensitive data, according to a representative
of Battelle. Masonic Home officials report 600 of its employees were affected.
Information
Source:
Dataloss DB
November 30,
2007
Prescription Advantage
, Massachusetts
MED
UNKN
150,000
(866) 523-6846 or (877) 610-0241 for those who are hearing impaired.
The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their
personal information may have been snatched by an identity thief. Local authorities arrested a lone identity thief who had
been using information taken from the program in an attempted identity theft scheme. Although the thief used information
from just a small number of participants in the scheme, state data-breach laws require that the 150,000 people who could
185
have possibly been affected by the breach be contacted.
Information
Source:
Dataloss DB
November 29,
2007
American Red Cross
Dallas, Texas
NGO
PHYS
Unknown
Six boxes were left unattended in a public hallway for more than six hours. The files contained personal information of
current and former employees and were placed there by human resources. Names, addresses and social security numbers
could have easily been stolen. The files also contained embarrassing information, including disciplinary actions, results from
a drug test, a sexual harassment case even someone's criminal record from another state.
Information
Source:
Media
November 21,
2007
EDU
DISC
415
Those who suspect their Social Security numbers were posted can search their names on the Web site www.ssnbreach.org
[142] .
More than 400 former UF students might have been put at risk for identity theft after their Social Security numbers were
posted on UF's Computing & Networking Services Web site. A news release from the Liberty Coalition, a group that works to
preserve the privacy of individuals, said 14 files on the Web site contained sensitive information of 534 former UF students,
including 415 Social Security numbers.
Information
Source:
Dataloss DB
November 21,
2007
United Healthcare (UnitedHealthcare)
New York, New York
MED
DISC
Unknown
UnitedHealthcare is headquartered in Minneapolis, Minnesota.
United Healthcare posted the Social Security numbers of doctors at Columbia University's faculty practice on a public Web
site. United posted the taxpayer identification numbers, some of which were Social Security numbers, alongside the names
of 993 providers at Columbia who participate in the insurer's network. The list was supposed to be accessible to Columbia
employees during the current open enrollment period
Information
Source:
Media
November 16,
2007
A.J. Falciani Realty Company
Vineland, New Jersey
BSO
STAT
Unknown
Computers containing the personal information of between 500 to 1,000 clients of A.J. Falciani Realty Company were taken
in a burglary. Many of the stolen computers stored the names, addresses, Social Security numbers, dates of birth, telephone
numbers and other information on the company's clients.
Information
Source:
Dataloss DB
November 16,
2007
University of Wisconsin, Whitewater
Whitewater, Wisconsin
EDU
DISC
Unknown
Officials were notified by one individual about his ability to access an online search feature for the school's website. The
186
search feature could be used to see student names and Social Security numbers along with some other limited student
information. Access to the feature was promptly disabled upon notification of the problem.
Information
Source:
Media
November 16,
2007
U.S. Department of Veteran Affairs
GOV
INSD
185,000
Investigation from a man's home uncovered a computer that held about 1.8 million Social Security numbers from the U.S.
Department of Veteran Affairs, where he had been employed as an auditor. Veterans Affairs' officials have said only 185,000
numbers are at risk because many were repeated in the file.
Information
Source:
Dataloss DB
November 15,
2007
Roudebush Veteran's Administration Medical Center
MED
STAT
12,000
Two personal computers and a laptop computer were allegedly stolen from an unsecured room. One of the stolen
computers contained the names, Social Security numbers and dates of service of approximately 12,000 veterans.
UPDATE (3/19/08) : A 50 year old Indianapolis man was arrested Monday on one count of Class D felony theft after
investigators identified him from surveillance video. A probable cause affidavit, a sworn police statement filed in support of
the charge, identifies him as a former patient at the facility.The man has been charged in the disappearance of hospital
computer equipment that contained the records of nearly 12,000 patients.
Information
Source:
Dataloss DB
November 13,
2007
Commerce Bancorp
BSF
INSD
Unknown
A Commerce Bancorp Inc. employee gave out personal information on an unspecified number of the Cherry Hill bank's
customers. The Bank discovered the breach through an internal investigation and sent letters to affected customers. The
bank does not know if the information included account numbers and Social Security numbers.
Information
Source:
Dataloss DB
November 7,
2007
University of Connecticut Foundation, Convio
Storrs, Connecticut
NGO
HACK
Unknown
[143]
UConn was notified of a security breach by an outside party on the network of Convio, Inc., a vendor used by The University
of Connecticut Foundation, Inc. for processing online gift transactions and communicating by e-mail. This breach affected 92
of Convio's clients nationwide, including the UConn Foundation. User names and passwords for Convio account preferences
were compromised in this breach.
Information
Source:
Media
November 7,
2007
Carolinas Medical Center, NorthEast
Concord, North Carolina
MED
PORT
28,000
A paramedic left a computer on the back bumper of an ambulance and then drove away. The laptop contains names,
187
addresses, phone numbers and Social Security numbers of approximately 28,000 people who have been cared for by the
Cabarrus County EMS over the last four years.
Information
Source:
Dataloss DB
November 6,
2007
Butte Community Bank
Chico, California
BSF
PORT
Unknown
(866) 488-8588
A laptop with customers' personal information including names, addresses, Social Security numbers and bank account
numbers was stolen from Butte Community Bank.
Information
Source:
Dataloss DB
November 5,
2007
Alabama Department of Public Health
Montgomery, Alabama
GOV
DISC
1,554 (at least 1,554
people)
The personal information, including the names, ages and Social Security numbers of families enrolled in the state's ALL Kids
health care coverage program, were accidentally sent to the wrong families last week. 1,554 affected families were alerted
that some of their confidential information might have been released.
Information
Source:
Dataloss DB
November 2,
2007
Montana State University
Bozeman, Montana
EDU
PORT
216
(406) 994-6550 http://eu.montana.edu/security [144]
MSU learned that an employee's laptop computer had been stolen somewhere off-campus. It contained the Social Security
numbers of 216 students and employees who lived in on-campus housing from 1998 to 2007.
Information
Source:
Dataloss DB
November 2,
2007
Bozeman, Montana
EDU
DISC
42
(406) 994-6550 http://eu.montana.edu/security [144]
An independent security watchdog group informed MSU that an Excel spreadsheet with the names and Social Security
numbers of 42 people, most of them hired in the summer of 2006, was publicly accessible on MSU's Web site.
Information
Source:
Dataloss DB
November 2,
2007
Bozeman, Montana
EDU
DISC
13
(406) 994-6550, http://eu.montana.edu/security [144]
While investigating that breach, MSU data-security staff found another Excel spreadsheet accidentally posted on the MSU
Web site since 2002. It contained the Social Security numbers of 13 people who got travel vouchers from the computer
science department in the College of Engineering.
188
Information
Source:
Dataloss DB
November 1,
2007
City University of New York
New York, New York
EDU
PORT
20,000
A broken laptop containing personal information was taken from the school's financial aid office.
Information
Source:
Dataloss DB
October 30, 2007
University of Nevada, Reno
Reno, Nevada
EDU
PORT
16,000
A University of Nevada, Reno administrative employee has lost a flash drive that contained the names and Social Security
numbers of 16,000 current and former students.
Information
Source:
Dataloss DB
October 30, 2007
Hartford Financial Services Group
BSF
PORT
230,000
Other locations: Ohio
Three backup tapes that contained personal information of 230,000 customers, including 9,200 Ohioans, mainly of the
company's property lines, were misplaced.
Information
Source:
Dataloss DB
October 30, 2007
Pathology Group
Memphis, Tennessee
MED
STAT
75,000
Someone broke into a locked office building, several computers with flat screen monitors were stolen. One of those
computers had patient information on about 75,000 people. This information included names, addresses, Social Security
number, even medical information
Information
Source:
Dataloss DB
October 29, 2007
United States Postal Service
Oahu, Hawaii
GOV
PORT
3,000
Employees' names, Social Security numbers and other information were on a laptop computer that was stolen.
Information
Source:
Dataloss DB
October 29, 2007
ABC Phones, ACC Communications
BSO
PHYS
Unknown
Two men found a box in a dumpster. The cell phone business recently moved and threw away documents that contained
personal information from customers. The information contained driver's license numbers, Social Security number, bank
189
accophonesunt numbers, credit card numbers, work and home addresses.
Information
Source:
Media
October 28, 2007
Art.com
Lockbourne, Ohio
BSR
HACK
Unknown
Cyberspace criminals gained systems entry despite multiple security layers and accessed some credit card transactions. The
retailer of posters, prints and framed art alerted customers that hackers had gotten into the website to access credit card
accounts.
Information
Source:
Dataloss DB
October 25, 2007
University of Akron
Akron, Ohio
EDU
PORT
1,200
A microfilm containing the personal information of alumni were missing. Names, previous addresses, phone numbers, birth
dates and Social Security numbers was on the missing microfilm.
Information
Source:
Dataloss DB
October 24, 2007
Not Your Average Joe's
Dartmouth, Massachusetts
BSO
HACK
Unknown
Massachusetts restaurants were targeted by an individual or individuals seeking to illegally obtain credit card data. The data
that was compromised included credit card numbers, expiration date and name associated with the card.
Information
Source:
Dataloss DB
October 23, 2007
West Virginia Public Employees Insurance Agency
MED
PORT
200,000
(800) 435-4351
West Virginia officials are alerting 200,000 past and current members of three health insurance programs that a computer
tape containing full names, addresses, phone numbers, Social Security numbers and marital status was lost last week while
being shipped via United Parcel Service.
Information
Source:
Dataloss DB
October 23, 2007
Blockbuster
Sarasota, Florida
BSR
PHYS
Unknown
A Sarasota resident was fishing in a trash container for boxes when he found 400 documents. These documents included
membership forms and employment applications with names, addresses, credit card numbers and Social Security numbers.
Information
Source:
Dataloss DB
October 23, 2007
Dixie State College
EDU
DISC
11,000
190
October 23, 2007
EDU
St. George, Utah
DISC
11,000
[145]
An unauthorized person reportedly gained access to a computer system and confidential files, including Social Security
numbers, birth date information and addresses for some 11,000 alumni and current DSC employees who graduated or
worked at DSC from 1986 to 2005.
Information
Source:
Dataloss DB
October 23, 2007
Bates College
Lewiston, Maine
EDU
DISC
500
Two publicly accessible documents that contained the records of nearly 500 recipients of the federal Perkins Loan, along
with each recipient's address, date of birth, Social Security number, legal name and loan amount, were accessible on the
Bates network.
Information
Source:
Dataloss DB
October 18, 2007
University of Cincinnati
Cincinnati, Ohio
EDU
PORT
7,000
The personal information of thousands of University of Cincinnati students and graduates has been stolen. A flash drive was
taken from a UC employee last month. It contained the Social Security numbers and other data for more than 7,000 people.
Information
Source:
Dataloss DB
October 17, 2007
Home Depot
BSR
PORT
10,000
A laptop computer containing about 10,000 employees' personal data was stolen from a regional manager's car. The
computer, which was password protected, didn't contain any customer information. The laptop contained names, home
addresses and Social Security numbers of certain Home Depot employees.
Information
Source:
Dataloss DB
October 17, 2007
Louisiana Office of Student Financial Assistance, Iron Mountain
http://www.osfa.state.la.us/notice.htm
EDU
PORT
Unknown
[146]
Sensitive data for virtually all Louisiana college applicants and their parents over the past nine years were in a case lost last
month during a move. The data included Social Security numbers for applicants and their parents. The bank account
information for START account holders also was involved.
Information
Source:
Dataloss DB
October 16, 2007
Administaff Inc.
Houston, Texas
BSO
PORT
159,000
Current and former workers personal data may be compromised because of a stolen laptop. The data wasn't encrypted
when it was stored on the portable computer, which is password-protected. Data stored on the laptop included names,
191
addresses and Social Security numbers for most employees paid by Administaff in 2006.
Information
Source:
Dataloss DB
October 15, 2007
Transportation Security Administration
Arlington, Virginia
GOV
PORT
3,930
Two laptop computers with detailed personal information about commercial drivers across the country who transport
hazardous materials are missing and considered stolen. The laptops contained the names, addresses, birthdays,
commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people.
Information
Source:
Dataloss DB
October 13, 2007
Bozeman, Montana
EDU
HACK
1,400
(406) 994-6550, http://eu.montana.edu/security/ [147]
An unknown hacker remotely accessed a computer server that housed records containing credit card numbers and Social
Security numbers of students who enrolled online for MSU Extended University courses during the last two years. The data
in question was encrypted, and there is no evidence that personal information was stolen.
Information
Source:
Dataloss DB
October 12, 2007
King County Transportation Department
Seattle, Washington
GOV
PORT
1,400
A laptop computer containing personal information about current and former employees has been stolen. Workers' names,
addresses and Social Security numbers were on the password-protected laptop, which was stolen during a Sept. 28 home
burglary. The information was not encrypted.
Information
Source:
Dataloss DB
October 10, 2007
Wheels Inc., Pfizer
Des Plaines, Illinois
BSO
DISC
1,800 + 23 Not
included in Total
because it is not clear if
SSNs were exposed.
The spouses and domestic partners of about 1,800 Pfizer employees, including 23 from Connecticut, learned late last month
about a data breach at Wheels Inc., which provides cars to the company, mostly for use by its sales force. The breach at
Wheels, first reported by the Pharmalot Web site, released onto the Internet names, addresses, birth dates and driver's
license numbers, but not Social Security numbers, according to the company.
Information
Source:
Dataloss DB
October 10, 2007
Commerce Bank
Wichita, Kansas
BSF
HACK
20
A hacker gained access to a database with about 3,000 customer records and accessed data belonging to 20 of them. The
bank is contacting those who may have been affected. The hacking was quickly detected and stopped, according to
Commerce Bank, which then notified law enforcement.
192
Information
Source:
Dataloss DB
October 9, 2007
Pembroke Schools
Pembroke, Massachusetts
EDU
DISC
Unknown
(781) 829-1178
Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible
via the Internet because of a weakness in the district's computer system. The information included names, birth dates and
Information
Source:
Dataloss DB
October 8, 2007
University of Iowa
Iowa City, Iowa
EDU
PORT
184
http://www.uiowa.edu/~phil/SSN.shtml [148]
A laptop computer was stolen from a former teaching assistant. The theft of the computer, which occurred last month in a
break-in of the instructor's home, contained class records such as attendance, test scores, and grades of students who took
his philosophy courses at the UI between 2002 and 2006. Social Security numbers were also present in 100 of the records.
Information
Source:
Dataloss DB
October 8, 2007
Carnegie Mellon University
EDU
PORT
Unknown
Two laptops were stolen from the office of a computer science professor. Both of the computers were believed to have
contained significant personal identifying data, such as Social Security numbers.
Information
Source:
Dataloss DB
October 8, 2007
Semtech
Camarillo, California
BSO
PORT
Unknown
A laptop computer and other personal belongings were stolen from one of Semtech's vendors. The computer was not stolen
from a Semtech facility, but may have contained computerized data relating to Semtech employees. Semtech declined to
provide further details of the incident, such as what personal employee data may have been put at risk, when the theft
happened or how long it took the company to inform its workers of the potential breach.
Information
Source:
Dataloss DB
October 4, 2007
Massachusetts Division of Professional Licensure
GOV
DISC
450,000
http://www.mass.gov/dpl [149] or call (617) 973-8100
Social Security numbers of about 450,000 licensed professionals were inadvertently released. The information was mailed
last month to agencies that submitted a public records request for the names and addresses of professionals licensed by the
division. The division mailed 28 computer disks to 23 agencies that use the information as a marketing or promotional tool.
The disks would normally contain only the names and addresses of individuals licensed through the Division of Professional
Licensure and the Division of Health Professions Licensure. However, the disks also included Social Security numbers.
193
Information
Source:
Dataloss DB
October 2, 2007
The Nature Conservancy
Arlington, Virginia
NGO
HACK
14,000
Additional locations: Little Rock, Fayetteville, Arkadelphia, Batesville and Ponca, (Arkansas)
A hacker illegally gained access to a computer of The Nature Conservancy containing personal information on current and
former employees and their dependents. The stolen information included the names, home addresses, Social Security
numbers and birth dates. It also included direct deposit bank account numbers for employees who were on the payroll
between 2000 and 2004, as well as the Social Security numbers of those employees' dependents. When employees
accessed a particular Web site, the site planted a program on the employees' computers that copied the contents of the hard
drives and sent the information to the hacker.
Information
Source:
Dataloss DB
October 2, 2007
Athens Regional Health Services
Athens, Georgia
MED
STAT
1,400 only 85 people
were affected by SSN
(706) 475-4369
A computer missing from a Regional First Care clinic in Watkinsville held the personal information of more than 1,400
people, according to Athens Regional Health Services. Workers first noticed on Sept. 24 that the computer was missing. The
computer held Social Security numbers for 85 people, some health information for 545 people and the name, address and/or
telephone numbers of 811 people. No credit card or other financial information was stored on the computer, which was a
backup server for the Watkinsville clinic.
Information
Source:
Dataloss DB
September 28,
2007
Gap Inc.
BSR
PORT
800,000
(866) 237-4007, http://gapinc.com/securityassistance/ [150]
A laptop containing the personal information of certain job applicants was recently stolen from the offices of an experienced
third-party vendor that manages job applicant data for Gap Inc. Personal data for approximately 800,000 people who applied
online or by phone for store positions at one of Gap Inc.'s brands between July 2006 and June 2007 was contained on the
stolen laptop. Social Security numbers were included in the information on the laptop.
Information
Source:
Dataloss DB
September 24,
2007
American Fork, Utah
GOV
PORT
2,000
A laptop computer containing a spreadsheet with the the Social Security numbers and other personal information of about
2,000 people was reported stolen.
Information
Source:
Dataloss DB
September 21,
2007
City of Columbus, Ohio
Columbus, Ohio
GOV
STAT
3,500
194
For Info: The Columbus Dispatch, http://www.dispatch.com
[151]
The city of Columbus is offering identity-theft protection services to more than 3,000 people whose Social Security numbers
were on three computers stolen from a warehouse. The theft affected people who had signed up for the city's Mobile Tool
Library, which lends power tools, lawn mowers and supplies.
Information
Source:
Dataloss DB
September 21,
2007
Citigroup, ABN Amro Mortgage Group
Norridge, Illinois
BSF
DISC
5,208
Three spreadsheets containing 5,200 Social Security numbers and other personal details about customers were
inadvertently leaked over an online file-sharing network by a former employee. Tiversa, a company that monitors P2P
networks, found Excel spreadsheets from the desktop of a financial analyst at ABN Amro Mortgage Group running LimeWire.
Although Tiversa found over 10,000 files, deduplication revealed only 5,208 unique Social Security numbers, along with
names and what type of mortgage each customer had.
Information
Source:
Media
September 20,
2007
State of Connecticut, Accenture Ltd.
GOV
PORT
58
A backup tape was stolen in Ohio in June and contained data removed by Accenture from the state's Core-CT computer
system, which performs all of the state's payroll, personnel, purchasing, accounting and inventory functions. The backup
tape contained state agency bank account numbers, bank names and types of accounts, as well as the names and Social
Security numbers of 58 of Connecticut taxpayers. Connecticut officials today revealed plans to file a civil complaint against IT
consulting giant Accenture Ltd. related to this security breach involving stolen records tied to state agency bank accounts
worth millions of dollars.
Information
Source:
Media
September 19,
2007
Kansas University
Lawrence, Kansas
EDU
PHYS
Unknown
A number of documents containing Kansas University student, faculty and staff personal information were recovered from
the recycling and trash in the Mathematics Department at Kansas University. The information included student exams,
student change of grade forms, class rosters, copies of health insurance cards, copies of immigration forms as well as a
copy of a Social Security card.
Information
Source:
Media
September 19,
2007
University of Michigan School of Nursing
Ann Arbor, Michigan
MED
PORT
8,585
Backup tapes containing patient information like Social Security numbers, patient names and addresses were stolen from the
School of Nursing two weeks ago.
Information
Source:
Dataloss DB
September 14,
2007
TD Ameritrade Holding Corp.
Omaha, Nebraska
BSF
HACK
6.3 million
195
FAQ at http://www.elvey.com/IDTheft/spam_faq.cfm.html [152] For links to key legal documents, see
http://datalossdb.org/incident_highlights/30-legal-sub-project-elvey-v-td-ameritrade [153]
One of TD Ameritrade's databases was hacked and contact information for its more than 6.3 million customers was stolen. A
spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social
Security numbers and account numbers, does not appear to have been taken. "We were able to conclude that while Social
Security numbers are stored in this particular database, your SSN were not retrieved." The company said names, e-mail
addresses, phone numbers, and home addresses were taken in the data breach. Company customers received unwanted
spam because of this breach.
UPDATE (4/28/09):TD Ameritrade sent a mass email on September 14, 2007 to its customers admitting SSNs had been
compromised:" [W]e recently discovered and eliminated unauthorized code from our systems. This code allowed certain
client information stored in one of our databases ... to be retrieved by an external source [and] Social Security Numbers are
stored in this particular database."
UPDATE(10/27/09): TD Ameritrade was nearing a settlement in the case of more than 6 million stolen records when the
judge, who previously seemed to agree with the proposal, rejected it today. The federal judge handling the case has decided
the proposed settlement provides no discernible benefit to the victims and he rejected the proposed settlement.
Information
Source:
Dataloss DB
September 14,
2007
Tennessee Tech University
Cookeville, Tennessee
EDU
DISC
3,100
Some 3,100 current or past students who owe the university money were notified today that some of their personal data may
have been compromised. A technical problem in the way student bills are printed resulted in the chance that some student
social security numbers and personal identification numbers may have been sent to another student's address.
Information
Source:
Dataloss DB
September 13,
2007
Voxant.com
Reston, Virginia
BSO
HACK
4,500
(703) 964-0696
The Voxant online ecommerce store server was hacked using what appeared to be a typical phishing scheme. The server is
seperate from the primary business at www.voxant.com [154] . The affected server was immediately taken offline and removed
the offending phising pages. Encrypted credit card numbers could have been accessed during the incident. Although the
credit card numbers were encrypted, the encryption key was not well protected. The database up through June 19-20 could
have been affected, representing approximately 4,500 US customers.
Information
Source:
Dataloss DB
September 12,
2007
TennCare, Americhoice Inc.
Knoxville,
MED
PORT
67,000
To sign up for the free ID theft protection you must call AmeriChoice at (800) 690-1606.
There are 67,000 TennCare enrollees at risk of identity theft after a courier service lost their personal information. The lost
information includes names, Social Security Numbers, birthdays and addresses.
Information
Source:
Dataloss DB
September 11,
2007
Pennsylvania Public Welfare Department
GOV
STAT
2,000
196
Two computers containing the mental health histories of more than 300,000 medical-assistance recipients were stolen. The
computer work stations were taken during an overnight break-in at an office. The mental health information on the
computers identified people by codes and not by name. The information also was protected by multiple passwords, but full
names and Social Security numbers of nearly 2,000 people were also on the computers.
Information
Source:
Dataloss DB
September 11,
2007
Gander Mountain
BSR
STAT
112,000
Somebody either lost or stole a computer potentially containing the credit card information of anyone who has shopped at
the Greensburg store since it first opened more than five years ago. Gander Mountain said credit card information for
112,000 customers of its Greensburg store might have been compromised. That includes 10,000 records with names, card
numbers and expiration dates.
Information
Source:
Dataloss DB
September 10,
2007
Purdue University
EDU
DISC
111
www.purdue.edu/news/coa0709.html [155] , (866) 275-1181
The university is warning those who were students in the fall of 2004 that information about them was inadvertently posted
on the Internet. The information was in a document that contained the names and Social Security numbers of students in the
Animal Sciences 102 class. The page was no longer in use but was on a computer server connected to the Internet. The
document was found recently through an internal search and reported to the chief information security officer at Purdue.
Information
Source:
Dataloss DB
September 9,
2007
De Anza College
EDU
PORT
4,375
(408) 864-8292
Thousands of former students might be at risk for identity fraud after an instructor's laptop computer, containing students'
personal information, was stolen last month. The computer contained the students' names, addresses, grades and in many
cases Social Security numbers.
Information
Source:
Dataloss DB
September 9,
2007
McKesson
MED
STAT
Unknown (thousands)
(866) 554-6366
McKesson Health-care services company, is alerting thousands of its patients that their personal information is at risk after
two of its computers were stolen from an office.
Information
Source:
Dataloss DB
September 6,
2007
EDU
DISC
1,482
197
A number of files containing Social Security numbers, test scores and course grades were exposed online. It appears the
person responsible for the breach may not have known enough about computers to realize the information could be
accessed outside the university system.
Information
Source:
Dataloss DB
September 4,
2007
Pfizer
New York, New York
BSO
INSD
34,000
(866) 274-3891
A security breach may have caused employees' names, Social Security numbers, addresses, dates of birth, phone numbers,
bank account numbers, credit card information, signatures and other personal information to be publicly exposed. The
breach occurred late last year when a Pfizer employee removed copies of confidential information from a Pfizer computer
system without the company's knowledge or approval. Pfizer didn't become aware of the breach until July 10.
Information
Source:
Dataloss DB
September 4,
2007
Brevard Public Schools
Viera, Florida
EDU
UNKN
61
A missing piece of luggage belonging to a state auditor contains the personal information of 61 Brevard Public Schools
employees and had district personnel scrambling before the holiday weekend began to notify people that their names and
Social Security numbers might be compromised.
UPDATE (9/21/07): Melbourne International Airport police arrested a 44-year-old defense subcontractor from California on
charges of stealing luggage. He is in the Brevard County Jail, facing at least two charges of grand theft.
Information
Source:
Media
September 1,
2007
Johns Hopkins Hospital
Baltimore, Maryland
MED
STAT
5,783
A desktop computer containing the personal information of 5,783 Johns Hopkins Hospital patients was stolen. The computer
included patients' names, Social Security numbers, birth dates and medical histories.
Information
Source:
Dataloss DB
August 30, 2007
Maryland Department of the Environment
Annapolis, Maryland
GOV
PORT
Unknown
A laptop computer containing personal information on people with state licenses has been stolen from a vehicle. It contains
four databases that include personal information related to licenses issued by four state boards.
Information
Source:
Dataloss DB
August 30, 2007
AT&T
San Antonio, Texas
BSO
PORT
Unknown
A laptop containing unencrypted personal data on current and former employees of the former AT&T Corp. was stolen
recently from the car of an employee of a professional services firm doing work for the company. That theft prompted the
company to notify an unspecified number of individuals about the potential compromise of their Social Security numbers,
198
names and other personal details.
Information
Source:
Media
August 28, 2007
Connecticut Department of Revenue Services
GOV
PORT
106,000
A computer laptop with the names and Social Security numbers of more than 100,000 Connecticut taxpayers has been
stolen. The Department of Revenue Services intends to launch a web page soon that residents can search to determine
whether their personal information was stored on the laptop.
UPDATE (9/14/07): More than 2 dozen state laptops have gone missing since July 2006.
UPDATE (10/19/07): A supervisor at the state Department of Revenue Services was suspended without pay. His computer
was stolen from his car in August at a hotel in New York. Police say it was possible the vehicle was not locked because there
were no signs of a break-in.
Information
Source:
Dataloss DB
5,247 Not added to
total. It does not
August 27, 2007
University of Illinois
Champaign-Urbana, Illinois
EDU
DISC
appear that SSNs or
financial account
numbers were
exposed.
An e-mail sent Aug. 24 to about 700 University of Illinois engineering students contained a spreadsheet listing personal
information, including addresses and grade point averages, of thousands of students. The spreadsheet attached to the mass
mail did not contain Social Security numbers or the students' university identification numbers. But, the person who sent the
mass e-mail attached a spreadsheet containing information on all 5,247 students in the College of Engineering. The
spreadsheet included each student's name, e-mail address, major, gender, race and ethnicity, class, date admitted, spring
2007 grade point average, cumulative GPA, plus local address and phone number.
Information
Source:
Media
August 26, 2007
American Ex-Prisoners of War
, Texas
NGO
UNKN
35,000
Personal records including addresses and Social Security numbers of more than 35,000 veterans and their families were
stolen this month from the offices of a POW support organization in Texas. Digital and paper records included information on
the group's entire membership, including addresses, dates of birth, Social Security numbers and VA claims data.
Information
Source:
Dataloss DB
August 23, 2007
New York City Financial nformation Services Agency
New York, New York
280,000 Not added to
total. It is not clear that
GOV
PORT
SSNs or financial
exposed.
A laptop loaded with financial information on as many as 280,000 city retirees was stolen from a consultant who took the
computer to a restaurant.
199
Information
Source:
Dataloss DB
August 23, 2007
Loomis Chaffee School
Windsor, Connecticut
EDU
UNKN
Unknown
Valuable computer equipment, including two large storage devices were stolen during a night time burglary from the locked
IT facility on campus. The stolen storage devices contained information about some recent graduates of the school,
including their names, Social Security numbers, and contact information from their days as students at the school.
Information
Source:
Dataloss DB
August 23, 2007
Monster.com
Maynard, Massachusetts
BSO
HACK
Unknown
http://help.monster.com/besafe/ [116]
Monster announced that the details of some 1.6 million job seekers had been stolen. Fewer than 5,000 of those 1.6 million
users affected are based outside the United States. The information stolen was limited to names, addresses, phone
numbers and email addresses, and no other details including bank account numbers were uploaded.
UPDATE (8/29/07) : Hackers have stolen the names, e-mail addresses and telephone numbers of about 146,000
subscribers to USAJOBS.gov. The hackers accessed the information from the resume database run by Monster.com, which
provides the technology for USAJOBS.gov. Monster Worldwide told OPM that no Social Security numbers were
compromised.
Information
Source:
Media
August 22, 2007
California Public Employees' Retirement System (CalPERS)
GOV
DISC
445,000
Roughly 445,000 retirees in California received brochures announcing an upcoming election to fill a rare vacancy on the
board of the California Public Employees' Retirement System. All or a portion of each person's Social Security number
appeared without hyphens on the address panel.
Information
Source:
Dataloss DB
August 21, 2007
Walter Reed Army Institute of Research
Silver Spring, Maryland
GOV
PHYS
Unknown
Boxes of documents containing personal information were supposed to be shredded but instead turned up last week in an
off-base trash bin. Police do not believe anyone had access to the information other than the person who found the records.
An investigation is under way to determine precisely what information they held and why they appeared off base.
Information
Source:
Dataloss DB
August 21, 2007
West Virginia Board of Barbers and Cosmetologists
BSO
UNKN
Unknown
Every barber and cosmetologist licensed in the state of West Virginia since 1986 could now potentially be a victim of identity
theft. Someone broke into the second floor office of the Board of Barbers and Cosmetologists and stole a safe. The director
of the agency says the safe contains the personal information of thousands of hair dressers.
200
Information
Source:
Dataloss DB
August 20, 2007
Toledo, Ohio
EDU
PORT
Unknown
A laptop computer has been stolen from an office in the Student Recreation Center that contained some student and
employee names and Social Security numbers.
Information
Source:
Dataloss DB
August 16, 2007
Utica Title and Escrow
Bixby, Oklahoma
BSF
PHYS
Unknown
Boxes belonging to Utica Title and Escrow had been stored at a storage unit in Bixby. When Utica quit paying rent the
storage company went through the legal process to be able to sell everything left behind. No one wanted to buy the boxes of
paper so the boxes were thrown out. The boxes contained private information, including Social Security numbers, bank
accounts and pay stubs.
Information
Source:
Media
August 15, 2007
Idaho Army National Guard
Boise, Idaho
GOV
PORT
3,400
http://www.idahoarmyguard.org/ [156] , or call the Idaho National Guard Joint Operations Center
A small computer drive containing Social Security numbers and other personal information about every Army National Guard
soldier in Idaho has been stolen.
Information
Source:
Dataloss DB
August 15, 2007
Greater Detroit Hospital
Detroit, Michigan
MED
PHYS
Unknown
It's a repeat of a problem that emerged late last year at the Greater Detroit Hospital where metal thieves stripped everything
from copper piping to windows, exposing rows of abandoned patient files. Neighbors said there are hundreds of boxes of
patient files and payroll records inside, full of credit card and Social Security numbers.
Information
Source:
Media
August 15, 2007
Sky Lakes Medical Center, Verus Inc.
Klamath Falls, Oregon
MED
DISC
30,000
The company that maintained the hospital's online bill payment system, transferred patient information from one server to
another to perform maintenance but didn't take security measures, leaving information such as names, addresses and
Social Security numbers exposed.
Information
Source:
Dataloss DB
August 13, 2007
Pfizer, Axia Ltd.
BSO
PORT
950
201
August 13, 2007
New York, New York
BSO
PORT
950
(866) 274-3891
Axia Ltd. had notified Pfizer on June 14 of an incident in which two Pfizer laptops were stolen from a locked car. The laptops,
which disappeared May 31 in Boston, included the names and Social Security numbers of health-care professionals who
were providing or considering providing contract services for Pfizer, according to the letter.
Information
Source:
Dataloss DB
August 11, 2007
Providence Alaska Medical Center
Anhorage, Alaska
MED
PORT
250
(888) 387-3392
A laptop computer that contains the personal information of patients is missing. On the laptop there maybe names, medical
record numbers, dates of birth, patient diagnoses, Social Security numbers and addresses.
Information
Source:
Dataloss DB
August 10, 2007
Loyola University
Chicago, Illinois
EDU
STAT
5,800
A computer with the Social Security numbers of 58 hundred students was discarded before its hard drive was erased, forcing
the school to warn students about potential identify theft.
Information
Source:
Dataloss DB
August 10, 2007
Legacy Health System
Portland, Oregon
MED
INSD
747
(503) 445-9533
A primary care physician practice has discovered the theft of $13,000 in cash and personal data for patients. Patient
receipts, credit card transaction slips and checks are also missing, in addition to Social Security numbers and dates of birth
for patients. The investigation indicated it was a dishonest insider.
Information
Source:
Dataloss DB
August 8, 2007
Yale University
EDU
STAT
10,200
Social Security numbers for over 10,000 current and former students, faculty and staff were compromised last month
following the theft of two University computers
Information
Source:
Dataloss DB
August 7, 2007
Electronic Data Systems
Montgomery, Alabama
BSO
INSD
498
A former employee was arrested this week for allegedly trafficking in stolen identities she received through her work with the
company. She obtained the names and identifying information of 498 Alabama Medicaid recipients and subsequently sold 50
202
of those identities.
Information
Source:
Dataloss DB
August 7, 2007
Merrill Lynch
Hopewell, New Jersey
BSF
UNKN
33,000
A computer device apparently was stolen containing sensitive personal information, including Social Security numbers, about
some 33,000 employees.
Information
Source:
Dataloss DB
August 6, 2007
Verisign
BSO
PORT
Unknown
A laptop containing extensive personal information on an undisclosed number of VeriSign employees was stolen from an
employee's car. The information included names, addresses, Social Security numbers, dates of birth, telephone numbers,
and salary records.
Information
Source:
Dataloss DB
August 4, 2007
Kellogg Community Federal Credit Union
BSF
STAT
Unknown
A computer containing personal information on an undisclosed number members was stolen. A file containing some
members' names, addresses, telephone numbers, birth dates, Social Security numbers and account numbers was on the
computer's hard drive.
Information
Source:
Dataloss DB
August 3, 2007
WorkCare Orem
Pleasant Grove, Utah
MED
PHYS
Unknown
A truck driver found medical documents containing personal information in his truck and on the ground while he picked up a
load at a garbage transfer station. The documents contained names, addresses, telephone numbers, Social Security
numbers and birth dates.
Information
Source:
Media
August 3, 2007
Wabash Valley Correctional Facility
GOV
DISC
Unknown
A database containing Social Security numbers, dates of birth and names of people employed at the facility between 1997
and 2002 was unintentionally moved from a secure private drive that was accessible only by the human resources
department to a shared directory that could be accessed by other employees here.
Information
Source:
Dataloss DB
203
August 2, 2007
E.On - U.S.(energy services)
BSO
PORT
Unknown
A laptop with names, Social Security numbers and birth dates of most E.On U.S. employees and some retirees was stolen
last month.
Information
Source:
Dataloss DB
August 2, 2007
Toledo, Ohio
EDU
STAT
Unknown
(419) 530-4836, (419) 530-3661, (419) 530-1472
Two computers were stolen with hard drives containing student and staff Social Security numbers, names, and grade
change information.
Information
Source:
Dataloss DB
August 1, 2007
Lifetime Fitness
Dallas, Texas
GOV
PHYS
Unknown
Staff had discarded customer records in easily accessible trash cans behind Dallas businesses. Information that was
discarded contained names, addresses, Social Security numbers, driver's license numbers and credit card information, as
well as the date of birth of several children. Lifetime Fitness is based in Minnesota.
Information
Source:
Dataloss DB
July 28, 2007
Yuba County Health and Human Services
Yuba County, California
MED
PORT
70,000
A laptop stolen from a building contained personally identifiable information of individuals whose cases were opened before
May 2001. The laptop was being used as a backup system for the county's computer system. The data include Social
Security numbers, birth dates, driver's license numbers and other private information.
Information
Source:
Dataloss DB
July 27, 2007
City of Virginia Beach, Flexible Benefits Administrators
Virginia Beach, Virginia
GOV
INSD
2,000
A former employee allegedly stole Virginia Beach city and school district employees' personal information and used it to
commit prescription fraud. Police discovered a list of names and Social Security numbers at the employee's home.
Information
Source:
Dataloss DB
July 27, 2007
City Harvest
New York, New York
NGO
HACK
12,000
(917) 351-8763
City Harvest is currently investigating a potential improper access of systems that contained credit card information of their
donors.
204
Information
Source:
Dataloss DB
July 27, 2007
American Education Services, Vista Financial Inc
BSF
PORT
5,000
Personal information was on a laptop stolen in a burglary at a subcontractor's headquarters. The information, which was not
encrypted, included names, addresses, phone numbers, e-mail addresses and Social Security numbers.
Information
Source:
Dataloss DB
July 26, 2007
United States Marine Corps, Penn State University
EDU
DISC
10,554
Data belonging to 10,554 Marines was “improperly posted” by Penn State University, according to the Marine Corps. Names
and Social Security numbers of Marines could be found via Google search engine. Penn State University was under a
research contract with the Marine Corps.
Information
Source:
Dataloss DB
July 25, 2007
Hidalgo County Commissioner's Office
Hidalgo County, Texas
GOV
DISC
25
The private medical information, including Social Security numbers and treatment details of people who sought medical
assistance from the county was posted on the Hidalgo County Website.
Information
Source:
Media
July 24, 2007
St. Vincent Hospital, Verus Inc.
MED
DISC
51,000
The hospital used subcontractor Verus Inc. to set up an online bill payment for patients. For a "brief" period of time,
personal information was left unprotected and available online. The security lapse compromised names, addresses and
Information
Source:
Dataloss DB
1.5 million Not added to
total. It does not
July 23, 2007
Fox News
BSO
DISC
appear that SSNs or
financial account
numbers were
exposed.
Sensitive information was exposed on the Fox News web server. The security hole allowed hackers to access login
information, names, phone numbers, and email addresses.
Information
Source:
Media
205
July 21, 2007
University of Michigan
Ann Arbor, Michigan
EDU
HACK
5,500
University databases were hacked. Names, addresses, Social Security numbers, birth dates, and in some cases, the school
districts where former students were teaching were exposed.
Information
Source:
Dataloss DB
July 20, 2007
Science Applications International Corp. (SAIC)
BSO
DISC
580,000
(703) 676-6533, http://www.saic.com/response/ [157]
Pentagon contractor may have compromised personal information. Information such as names, addresses, birth dates,
Social Security numbers and health information about military personnel and their relatives because it did not encrypt data
transmitted online.
Information
Source:
Dataloss DB
July 19, 2007
Cricket Communications
Omaha, Nebraska
BSO
PHYS
300
Documents stolen from store result in loss of 300 credit card numbers.
Information
Source:
Dataloss DB
July 19, 2007
Jackson Local Schools
Massillon, Ohio
EDU
DISC
1,800
The Social Security numbers of present and former Jackson Local Schools' employees were at risk of public access on a
county maintained Web site.
Information
Source:
Dataloss DB
July 18, 2007
Purdue University
EDU
DISC
50
(866) 605-0013
Files which were no longer in use were discovered on a computer server connected to the Internet. The files contained
names and Social Security numbers of students who were enrolled in an industrial engineering course in spring 2002 or fall
2004.
Information
Source:
Dataloss DB
July 18, 2007
Connecticut General Assembly Transportation Committee, L.G. Defelice
GOV
DISC
300
Social Security numbers of former employees of defunct L.G. Defelice Inc. were posted on CT transportation committee
website.
Information
206
Source:
Dataloss DB
July 17, 2007
Western Union
Greenwood Village, Colorado
BSF
HACK
20,000
Credit card information and names were hacked from a database. The thieves got names, addresses, phone numbers and
complete credit-card information.
Information
Source:
Dataloss DB
July 17, 2007
Louisiana Board of Regents
GOV
DISC
80,000
Records of students and staff including Social Security numbers,names, and addresses exposed on web. In all, more than
80,000 names and Social Security numbers were accessible for perhaps as long as two years on an internal Internet site.
Information
Source:
Dataloss DB
July 17, 2007
Kingston Technology Co.
Fountain Valley, California
BSO
HACK
27,000
A security breach may have compromised the names, addresses and credit card details of online customers. Kingston
Technology is a computer memory vendor. The breach may have gone undetected for nearly 2 years.
Information
Source:
Dataloss DB
July 16, 2007
Transportation Security Administration (TSA)
Arlington, Virginia
GOV
PORT
100,000
Authorities realized in May a storage device was missing from TSA headquarters. The drive contained historical payroll data,
Social Security numbers, dates of birth, addresses, time and leave datas, bank account, routing information, and details
about financial allotments and deductions.
Information
Source:
Media
July 15, 2007
Westminster College
EDU
DISC
100
Names of students, former and current were printed in two files along with each student's Social Security number. The files
were on a student Web server used by Westminster students.
Information
Source:
Media
July 13, 2007
City of Encinitas
Encinitas, California
GOV
DISC
1,200
(760) 633-2788
Credit card or checking account information and addresses of people who had enrolled in Encinitas' youth recreation
programs was inadvertently posted on the city's Web site.
207
Information
Source:
Dataloss DB
July 13, 2007
Metropolitan St. Louis Sewer District
St.Louis, Missouri
GOV
INSD
1,600
A employee had downloaded Social Security numbers of current or former district employees to a home computer. The
Social Security numbers were part of a computer file the district uses to make sure workers get the proper pay.
Information
Source:
Dataloss DB
July 11, 2007
South County Hospital
South Kingstown, Rhode Island
MED
PHYS
79
Paperwork containing personal details from customers was left in a briefcase inside a car that was stolen. That batch of
paperwork contained details including names, addresses, Social Security numbers, phone numbers and a summary of
hospital accounts.
Information
Source:
Dataloss DB
July 11, 2007
EDU
PHYS
49
College of Business officials are investigating a faculty member for the misplacement of a business law class roster
containing the names and Social Security numbers of students.
Information
Source:
Media
July 11, 2007
Disney Movie Club, Alta Resources, McNeil-PPC Inc
Neenah, Wisconsin
BSO
INSD
Unknown
A contract employee stole an unknown number of credit card numbers. Credit-card information was sold by an employee of
a Disney contractor to a federal agent as part of an undercover sting operation.
Information
Source:
Dataloss DB
July 9, 2007
Girl Scouts Mile Hi
Denver, Colorado
NGO
PORT
Unknown
Tapes stolen from a car held personal information from a membership database, including names, addresses, phone
numbers. A very limited number of credit card numbers and Social Security numbers were included in the stolen data from
the camp and event registration database.
Information
Source:
Media
July 7, 2007
Cuyahoga County Dept. of Development
Cleveland, Ohio
GOV
PORT
3,000
208
Names and Social Security numbers on memory stick stolen in carjacking.
Information
Source:
Dataloss DB
July 5, 2007
Highland University
Las Vegas, New Mexico
EDU
UNKN
420
A building on the campus had been broken into, and the affected offices might have contained such personal information as
Social Security numbers, credit card and bank account information.
Information
Source:
Dataloss DB
July 3, 2007
Fidelity National Information Services/Certegy Check Services Inc.
BSF
INSD
8,500,000
A worker at one of the company's subsidiaries (Certegy Check Services, Inc.) stole customer records containing credit card,
bank account and other personal information.
UPDATE (8/27/07):
The company first estimated that about 2.3 million records were affected but quickly boosted that number to 8.5 million in
filings with the U.S. Securities and Exchange Commission. A California law firm has filed a class-action suit charging Fidelity
National Information Services (FIS) and one of its subsidiaries with negligence in connection with a data breach.
UPDATE (11/23/07): A former database analyst at Certegy Check Services Inc., has agreed to plead guilty to federal fraud
and conspiracy charges in connection with the theft of data.
UPDATE (7/7/08):A man has been sentenced to four years and nine months in jail and fined US $3.2 million for his part in
the theft of consumer records from Certegy Check Services.
UPDATE (7/7/08): A new settlement provides that all class members whose personal or financial information was stolen can
get compensated up to $20,000 for certain unreimbursed identity theft losses caused by the data theft. The losses covered
could have occurred from Aug. 24, 1998, to Dec. 31, 2010. www.datasettlement.com [158]
UPDATE (4/26/10): As part of a class action settlement in U.S. District Court in Tampa, consumers were given the
opportunity to elect credit monitoring for one year or bank account monitoring for two years and were able to seek
reimbursement of certain out-of-pocket costs incurred or identity theft expenses. Consumers also were able to request credit
monitoring at the company's expense immediately after the thefts were announced. The settlement with the attorney
general's office ensures that Certegy will maintain a comprehensive information-security program. This program will assess
internal and external risks to consumers' personal information, implement safeguards to protect that consumer information,
and will regularly monitor and test the effectiveness of those safeguards. Certegy and its related entities also agree to
adhere to payment card industry data security standards as those standards continue to evolve. As part of the settlement,
Certegy is donating $125,000 to the attorney general's Seniors vs. Crime Program for educational, investigative and crime
prevention programs for the benefit of senior citizens and the community and will pay $850,000 for the state's investigative
costs and attorney's fees related to the case.
Information
Source:
Dataloss DB
June 29, 2007
Harrison County Schools
EDU
STAT
Unknown
Several computers that contained the personal information, including Social Security numbers, of several Harrison County
school employees were stolen. Workers Comp claims between January of 2001 and February of 2007 are at risk.
Information
Source:
Dataloss DB
June 27, 2007
Milwaukee PC
BSR
DISC
65,000
(414) 258-2275
209
Credit card information for 65,000 was possibly compromised. A service center noticed a file in their server and was
concerned that file could contain customers' credit card numbers and personal information.
Information
Source:
Dataloss DB
June 27, 2007
Bowling Green State University
Bowling Green, Ohio
EDU
PORT
199
Lost storage device contained Social Security numbers, and names of 199 former students.
Information
Source:
Dataloss DB
June 27, 2007
University of California, Davis
Davis, California
[email protected]
EDU
HACK
1,120
[159]
Computer-security safeguards were breached. Compromised information included the applicants' names, birth dates and, in
most cases, Social Security numbers.
Information
Source:
Dataloss DB
June 25, 2007
Fresno County
Fresno, California
GOV
PORT
10,000
(559) 453-6450
A disk containing information pertaining to thousands of home health-care workers -- including their names, addresses and
Social Security numbers -- was lost when it was shipped to a software vendor's office in San Jose, CA.
Information
Source:
Dataloss DB
June 23, 2007
Winn-Dixie
Pascagoula, Mississippi
MED
PHYS
Unknown
Pharmacy documents were found behind a closed Winn-Dixie grocery store, containing telephone numbers, Social Security
numbers and addresses of thousands of individuals. Apparently when the grocery store/pharmacy closed, employees put
bundles of documents outside to be picked up. However, they were never retrieved.
Information
Source:
Dataloss DB
June 22, 2007
Texas First Bank
Texas City, Texas
BSF
PORT
4,000
Information such as account numbers, Social Security numbers, names and addresses may have been stored on a stolen
laptop computer during a car theft in Dallas.
Information
Source:
Dataloss DB
210
June 20, 2007
American Airlines
Fort Worth, Texas
BSO
DISC
365
Personal information including Social Security numbers of pilots and other employees at American Airlines, including the
chief executive, was exposed on a company Web site.
Information
Source:
Dataloss DB
June 20, 2007
University Community Hospital
Tampa, Florida
MED
DISC
Unknown
A parent says his son should never have received bills in the mail for a pre-employment drug screening visit. Additionally, he
received information about 17 others who were also tested, including Social Security numbers.
Information
Source:
Media
June 18, 2007
Parisexposed.com
BSO
DISC
750
Investigation by The Smoking Gun Web site said that by changing a few characters on the web page URL it was possible to
see the subscriber's name, email address, password, phone number, mailing address and credit card number.
Information
Source:
Dataloss DB
June 18, 2007
Shamokin Area School District
Coal Township, Pennsylvania
EDU
DISC
Unknown
A local newspaper employee gained unauthorized access to the Shamokin Area School District's computer database. It is
the same system that stores students' personal information, including Social Security numbers. That newspaper employee
brought the security flaw to the attention of school officials.
Information
Source:
Dataloss DB
June 18, 2007
EDU
PORT
8,000
A professor vacationing off the coast of Africa took data with him on a small computer storage device which was lost or
stolen. It is thought to contains SSNs and dates of birth for students enrolled in the spring, summer and fall semesters of
2006
Information
Source:
Dataloss DB
June 15, 2007
Ohio state workers
Columbus, Ohio
GOV
PORT
1,000,000
(888) 644-6648(taped-message), (877) 742-5622 (Ohio Consumers' Counsel) or (800) 267-4474
A backup computer storage device with the names and Social Security numbers of every state worker was stolen out of a
state intern's car. The tape, which was stolen in June, contains personally identifiable information of nearly 84,000 current
and former Ohio state employees and more than 47,000 state taxpayers.
UPDATE (6/20/07) : The storage device also had the names and Social Security numbers of 225,000 taxpayers.
211
UPDATE (6/22/07) : Previous news stories reported smaller amounts, but the most recent news story shows 500,000.
UPDATE (7/12/07) State of Ohio increases data theft estiamte to 1 million.
Information
Source:
Dataloss DB
June 14, 2007
Division of Workforce Services
GOV
UNKN
20,000
(801) 281-1267
Children's Social Security numbers are believed to have been compromised by identity thieves.
Information
Source:
Media
June 14, 2007
Hamburger Hamlet Restaurant
BSO
INSD
40
Former waitress made off with the credit or debit card numbers of at least half a dozen patrons - and possibly as many as
40. Already, about $16,300 in unauthorized charges have been linked to the scam.
Information
Source:
Media
June 14, 2007
Georgia Tech University
Atlanta, Georgia
Total because it's not
EDU
DISC
clear SSNs or account
numbers were
exposed.
An electronic file containing the personal information of current and former Georgia Tech students was exposed briefly.
Information
Source:
Dataloss DB
June 14, 2007
Lynchburg City
Lynchburg, Virginia
total because it's not
GOV
DISC
clear SSNs or account
numbers were
exposed.
Personal information of Lynchburg city employees and retirees was accidentally posted on the city's website among that
information employee's prescription medications.
Information
Source:
Dataloss DB
June 11, 2007
Pfizer
New York, New York
BSO
DISC
17,000
866-274-3891
Installation of certain file sharing software on a Pfizer laptop, exposed files containing names, Social Security numbers,
212
addresses and bonus information of present and former Pfizer colleagues. Investigation revealed that certain files containing
data were accessed and copied.
Information
Source:
Dataloss DB
June 11, 2007
Grand Valley State University
Allendale, Michigan
EDU
PORT
3,000
Jann Joseph (616) 331-2110
A flash drive containing confidential information was stolen. Social Security numbers of current and former students were on
the flash drive, stolen from the English department.
Information
Source:
Dataloss DB
June 9, 2007
Concord Hospital, Verus Inc.
MED
[email protected]
DISC
9,000
[160]
Names, addresses, dates of birth and Social Security numbers exposed on the internet for a period of time, security lapsed
from a subcontractor that handles its online billing.
UPDATE (6/20/07): Washington-based company that was managed its online billing system was fired. Hospital officials now
are asking for an audit to verify that Verus Incorporated has removed all of its patient information from its servers.
Information
Source:
Dataloss DB
June 8, 2007
http://www.virginia.edu/uvatoday/newsRelease.php?id=2217
EDU
[161] ,
[email protected]
[162] ,
HACK
5,735
(866) 621-5948
A breach in one of the computer applications resulted in exposure of sensitive information belonging to current and former
U.Va. faculty members. The information included names, Social Security numbers and dates of birth. The investigation has
revealed that on 54 separate days between May 20, 2005, and April 19, 2007, hackers tapped into the records of 5,735
faculty members.
Information
Source:
Dataloss DB
June 8, 2007
University of Iowa
Iowa City, Iowa
EDU
HACK
1,100
Social Security numbers of faculty, students and prospective students were stored on the Web database program that was
compromised.
Information
Source:
Dataloss DB
June 6, 2007
Cedarburg High School
Cedarburg, Wisconsin
EDU
DISC
Unknown
Students obtained names, addresses and Social Security numbers and might have accessed personal bank account
information of current and former district employees.
213
Information
Source:
Dataloss DB
June 6, 2007
Dearfield Medical Building
Greenwich, Connecticut
MED
PHYS
Unknown
A box was discovered at inside a trash bin in May and contains information about lab tests and insurance approvals as well
as other medical issues, documents are not medical charts, but do contain patient names and contact information.
Information
Source:
Dataloss DB
June 4, 2007
Stevens Hospital
Edmonds, Washington
MED
DISC
550
(425) 673-3745
Personal information including names, addresses, and Social Security numbers were exposed online due to a lapse in the
data security procedures by a subcontractor. An Internet search engine was able to access the information while the
subcontractor's laptop was unsecured.
Information
Source:
Dataloss DB
June 3, 2007
Gadsden State Community College
College Gadsden, Alabama
EDU
PHYS
400
Students who took an Art Appreciation class at the Ayers Campus between 2005 and 2006 had their names, grades and
Social Security numbers scattered across a local business' driveway.
Information
Source:
Dataloss DB
June 1, 2007
Fresno County, Refined Technologies Inc., DHL
Fresno, California
GOV
HACK
10,000
A missing computer disk contains names, addresses and Social Security numbers. The County sent it by courier to a
software vendor's office in San Jose to determine workers' eligibility for health care benefits. The software company, Refined
Technologies Inc., said they never received the disk. The courier service, DHL, told County officials that the file was
delivered May 10, though the County didn't require anyone to sign for the delivery.
Information
Source:
Dataloss DB
June 1, 2007
Jax Federal Credit Union
BSF
DISC
7,766
Social Security numbers and account numbers of clients were accidentally posted on the Internet, then indexed by Google.
JFCU was transmitting information to a printer for a preapproved auto loan mailing when the information was picked up by
Google from the printer's Web site. JFCU normally transmits information on an encrypted disk delivered by courier, but when
the printer couldn't open the disk, the information was sent again, but wasn't encrypted and included Social Security
numbers and account numbers.
Information
Source:
Dataloss DB
214
June 1, 2007
Northwestern University
Evanston, Illinois
[email protected]
BSO
DISC
4,000
[163]
Files containing personal information of students and applicants were available online.
Information
Source:
Dataloss DB
May 31, 2007
Priority One Credit Union
South Pasadena, California
BSF
DISC
Unknown
Priority One Credit Union sent out election ballots to members with Social Security numbers and account numbers printed on
the outside of the envelopes
Information
Source:
Dataloss DB
May 26, 2007
Cover Tennessee
MED
DISC
279
A computer error at the Cover Tennessee health insurance program caused small business owners who chose not to print
out their forms from the Web site to have their personal information including Social Security numbers added to the next
user's printout request.
Information
Source:
Dataloss DB
May 25, 2007
North Carolina Deptartment of Transportation
https://apps.dot.state.nc.us/pio/releases/details.aspx?r=1179
GOV
UNKN
25,000
[164]
A computer server used to back up employee identification badge records that included the names and Social Security
numbers of NCDOT employees, contractors and other state employees was compromised.
Information
Source:
Dataloss DB
May 25, 2007
Booker T. Washington Community Center
Auburn, New York
NGO
PORT
Unknown
A laptop computer with personal information of individuals who applied for Family Health Plus or Child Health Plus state
health insurance program benefits was recovered when a woman tried to sell it at a pawn shop.
Information
Source:
Media
May 24, 2007
Beacon Medical Services
Aurora, Colorado
MED
DISC
5,000
Private medical and financial information including patient records from at least 10 Colorado clinics and hospitals, and one
hospital in Peoria, Illinois that should have been only accessible through VPN access were inadvertently available on the
Internet.
215
Information
Source:
Dataloss DB
May 23, 2007
Waco Independent School District
Waco, Texas
EDU
HACK
17,400
Two high school seniors recently hacked into the district's computer network potentially compromising the personal
information including Social Security numbers of students and employees.
Information
Source:
Dataloss DB
May 23, 2007
Check into Cash
Champaign, Illinois
BSF
PHYS
Unknown
Consumer loan documents and related reports were found in a trash bin behind the shopping center where Check into Cash
is located. Documents contained Social Security numbers, addresses, copies of driver's licenses and other personal
information of the company's customers.
Information
Source:
Dataloss DB
May 22, 2007
University of Pittsburgh Medical Center
MED
DISC
6,000 former patients
UPMC mailed a fundraising letter to 6,000 former patients on May 7. The donor response cards inadvertently included each
individual's SSN in the tracking code, visible through the envelope window.
Information
Source:
Dataloss DB
May 22, 2007
Boulder, Colorado
EDU
HACK
45,000
Hotline: (303) 492-1655
A hacker launched a worm that attacked a University computer server used by the College of Arts and Sciences. Information
for 45,000 students enrolled at UC-B from 2002 to the present was exposed, including SSNs. The breach was discovered
May 12. Apparently anti-virus software had not been properly configured.
Information
Source:
Dataloss DB
May 21, 2007
Columbia Bank
Fair Lawn, New Jersey
BSF
HACK
Unknown
Columbia Bank notified its online banking customers of a hacking incident. Names and SSNs were accessed, but account
numbers and passwords were not.
Information
Source:
Dataloss DB
May 20, 2007
Chicago, Illinois
EDU
PORT
Unknown
216
A laptop belonging to the financial aid office was stolen. It contained SSNs and other information of some alumni.
Information
Source:
Dataloss DB
May 19, 2007
Texas Commission on Law Enforcement Standards and Education
Austin, Texas
GOV
PORT
230,000
A laptop computer was stolen from the state agency that licenses police officers. It contained information on every licensed
peace officer in Texas, including SSNs, driver's license numbers, and birth dates.
Information
Source:
Dataloss DB
May 19, 2007
Illinois Dept. of Financial and Professional Regulation
Chicago, Illinois
For information about breach www.idfpr.com
GOV
HACK
300,000
[165]
A computer server in the office of the Illinois Dept. of Financial and Professional Regulation was breached earlier this year.
SSNs, tax numbers, and addresses of banking and real estate licensees and applicants were exposed. The hacking incident
was discovered May 3.
Information
Source:
Dataloss DB
May 19, 2007
Stony Brook University
Stony Brook, New York
EDU
DISC
90,000
http://www.stonybrook.edu/sb/disclosure/ [166] , Call Center, (866) 645-5830 (available until July 15, 2007)
SSNs and university ID numbers of faculty, staff, students, alumni, and other community members were visible via the
Google search engine after they were posted to a Health Sciences Library Web server April 11. It was discovered and
removed 2 weeks later.
Information
Source:
Dataloss DB
May 18, 2007
Alcatel-Lucent
Murray Hill, New Jersey
BSO
PORT
Unknown
The telecom and networking equipment maker notified employees that a computer disk containing personal information was
lost in transit to Aon Corp., another vendor. It contained names, addresses, SSNs, birth dates, and salary information of
current and former employees.
Information
Source:
Dataloss DB
May 18, 2007
Yuma Elementary School District No. 1
Yuma, Arizona
EDU
PHYS
91
SSNs of 91 substitute teachers were stolen May 7 when a district employee's car was broken into and a brief case was taken
containing payroll reports. The reports did not include bank account information..
Information
Source:
217
Dataloss DB
May 18, 2007
Indianapolis Public Schools
EDU
DISC
7,500 students not
included in total
SSNs were exposed.
A local newspaper reporter discovered that sensitive personal information was accessible online, including employee
performance reviews, student gradebooks, student special education needs, and essays.
Information
Source:
Dataloss DB
May 17, 2007
Georgia Division of Public Health
Atlanta, Georgia
GOV
HACK
140,000
The GA Dept. of Human Resources notified parents of infants born between 4/1/06 and 3/16/07 that paper records
containing parents' SSNs and medical histories -- but not names or addresses -- were discarded without shredding.
Information
Source:
Dataloss DB
May 15, 2007
IBM
Armonk, New York
BSO
PORT
Unknown
An unnamed IBM vendor lost computer tapes containing information on IBM employees -- mostly ex-workers -- including
SSNs, dates of birth, and addresses. They went missing in transit frm a contractor's vehicle.
Information
Source:
Dataloss DB
May 14, 2007
Community College of Southern Nevada
North Las Vegas, Nevada
EDU
HACK
197,000
A virus attacked a computer server and could have allowed a hacker to access students' personal information including
names, Social Security numbers and dates of birth, but the school is not certain whether anything was actually stolen from
the school's computer system.
Information
Source:
Dataloss DB
May 12, 2007
Goshen College
EDU
Goshen, Indiana
http://www.goshen.edu/news/pressarchive/05-11-07-security.html [167] , [email protected]
[168] ,
HACK
7,300
(866) 877-3055
A hacker accessed a college computer that contained the names, addresses, birth dates, Social Security numbers and
phone numbers of students and information on some parents with the suspected motivation of using the system to send
spam e-mails.
Information
Source:
Dataloss DB
May 11, 2007
University of California, Irvine Medical Center
Irvine, California
MED
PHYS
287
218
About 1,600 file boxes stored in an off-site university warehouse were discovered missing. Some of the files included
patients' names, addresses, Social Security numbers and medical record numbers.
Information
Source:
Media
May 11, 2007
Highland Hospital (Rochester, NY)
Rochester, New York
[email protected]
MED
PORT
13,000
[169]
Two laptop computers, one containing patient information including Social Security numbers, were stolen from a business
office. The computers were sold on eBay, and the one containing personal information was recovered.
Information
Source:
Dataloss DB
May 8, 2007
University of Missouri
Columbia, Missouri
EDU
HACK
22,396
(866) 241-5619
A hacker accessed a computer database containing the names and Social Security numbers of employees of any campus
within the University system in 2004 who were also current or former students of the Columbia campus.
Information
Source:
Dataloss DB
May 7, 2007
Indiana Deptartment of Administration
GOV
DISC
"No more than a couple
hundred"
An employee uploaded a list of certified women and minority business enterprises to the department's Web site and
inadvertently included their tax identification numbers, which for some businesses and sole proprietorships is the owner's
Social Security number.
Information
Source:
Dataloss DB
May 5, 2007
Crystal City, Virginia
GOV
PORT
100,000
A computer hard drive containing payroll data from January 2002 to August 2005 including employee names, Social Security
numbers, birth dates, bank account and routing information of current and former workers including airport security officers
and federal air marshals was stolen.
UPDATE (5/14/07) The American Federation of Government Employees is suing the TSA for the loss of the hard drive. It
calls the breach a violation of the Privacy Act.
Information
Source:
Dataloss DB
May 3, 2007
Maryland Department of Natural Resources
Annapolis, Maryland
GOV
PORT
1,433
Personal information of current and retired employees including names and Social Security numbers was downloaded to a
219
thumb drive by an employee who wanted to work at home but was lost en route.
Information
Source:
Dataloss DB
May 3, 2007
Louisiana State University, E..J. Ourso College of Business
Baton Rogue, Louisiana
EDU
PORT
750
A laptop stolen from a faculty member's home contained personally identifiable information including may have included
students' Social Security numbers, full names and grades of University students.
Information
Source:
Dataloss DB
May 3, 2007
Montgomery College
Conroe, Texas
EDU
DISC
Unknown
A new employee posted the personal information of all graduating seniors including names, addresses and Social Security
numbers on a computer drive that is publicly accessible on all campus computers.
Information
Source:
Dataloss DB
May 1, 2007
Healing Hands Chiropractic
Sterling, Colorado
MED
PHYS
Hundreds
Medical records containing the personal information of chiropractic patients including Social Security numbers, birth dates,
addresses and, in some cases, credit card information were thrown into a dumpster “due to lack of office space.”
Information
Source:
Media
May 1, 2007
J. P. Morgan
New York, New York
BSF
PHYS
Unknown
Documents containing personal financial data of customers including names, addresses and Social Security numbers were
found in garbage bags outside five branch offices in New York.
Information
Source:
Dataloss DB
May 1, 2007
Maine State Lottery Commission
Hallowell, Maine
GOV
PHYS
Unknown
Documents containing personal information such as names, Social Security numbers, references to workers compensation
claim records, psychiatric and other medical records, and police background checks were found in a dumpster.
Information
Source:
Media
May 1, 2007
Champaign Police Officers
Champaign, Illinois
GOV
STAT
139
The names and Social Security numbers of Champaign police officers were left on a computer donated to charity.
220
Information
Source:
Dataloss DB
May 1, 2007
J. P. Morgan
Chicago, Illinois
BSF
PORT
47,000
A computer tape containing personal information of wealthy bank clients and some employees was delivered to a secure offsite facility for storage but was later reported missing.
Information
Source:
Dataloss DB
April 29, 2007
University of New Mexico
Alburquerque, New Mexico
EDU
PORT
3,000 not included in
total below because
SSNs were apparently
not compromised)
Employees' personal information including names, e-mail and home addresses, UNM ID numbers and net pay for a pay
period for staff, faculty and a few graduate students may have been stored on a laptop computer stolen from the San
Francisco office of an outside consultant working on UNM's human resource and payroll systems.
Information
Source:
Dataloss DB
April 28, 2007
Couriers on Demand
Dallas, Texas
BSO
DISC
Hundreds
Personal information of job applicants was accidentally published to the Internet.
Information
Source:
Dataloss DB
April 27, 2007
Google Ads
BSO
HACK
Unknown
Top sponsored Google ads linked to 20 popular search terms were found to install a malware program on users' computers
to capture personal information and access online accounts for 100 different banks.
Information
Source:
Media
April 27, 2007
Caterpillar, Inc.
Peoria, Illinois
BSO
PORT
Unknown
A laptop computer containing personal data of employees including Social Security numbers, banking information and
addresses was stolen from a benefits consultant that works with the company.
Information
Source:
Dataloss DB
April 26, 2007
Ceridian Corp.
BSO
DISC
150
221
A former employee had data containing the personal information of employees including ID and bank-account data and then,
accidentally posted it on a personal Web site.
Information
Source:
Dataloss DB
April 25, 2007
Neiman Marcus Group
Dallas, Texas
http://phx.corporate-ir.net/phoenix.zhtml?c=118113&p=irol-recentdata
BSR
[170] ,
STAT
160,000
(800) 456-7019
Computer equipment was stolen containing files with sensitive information including name, address, Social Security number,
date of birth, period of employment and salary information of retailer Neiman Marcus Group's current and former employees
and their spouses.
Information
Source:
Dataloss DB
April 24, 2007
Purdue University
EDU
DISC
175
(866) 307-8513
Personal information including names and Social Security numbers of students who were enrolled in a freshman engineering
honors course was on a computer server connected to the Internet that had been indexed by Internet search engines and
consequently was available to individuals searching the Web.
Information
Source:
Dataloss DB
April 24, 2007
Baltimore County Deptartment of Health
Baltimore, Maryland
GOV
PORT
6,000
A laptop containing personal information including names, date of birth, Social Security numbers, telephone numbers and
emergency contact information of patients who were seen at the clinic between Jan. 1, 2004 and April 12 was stolen.
Information
Source:
Dataloss DB
April 23, 2007
Federal Emergency Management Agency (FEMA)
GOV
DISC
2,300
Social Security numbers of Disaster Assistance Employees were printed on the outside address labels of reappointment
letters
Information
Source:
Dataloss DB
April 21, 2007
Albertsons (Save Mart Supermarkets)
Alameda, California
BSR
CARD
Over 100
(510) 337-8340
Credit and debit card numbers were stolen using bogus checkout-line card readers resulting in card numbers processed at
those terminals being captured and some to be misused.
Information
222
Source:
Dataloss DB
April 20, 2007
Los Alamos National Laboratory
Alburquerque, New Mexico
GOV
DISC
550
The names and Social Security numbers of lab workers were posted on a Web site run by a subcontractor working on a
security system.
Information
Source:
Dataloss DB
April 20, 2007
U.S. Agriculture Department
GOV
DISC
38,700
http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB?contentidonly=true&contentid=2007/04/0110.xml [171]
The Social Security numbers of people who received loans or other financial assistance from two Agriculture Department
programs were disclosed since 1996 in a publicly available database posted on the Internet. Originally, the US Department
of Agriculture estimated that the personal information of as many as 150,000 people may be affected, then reduced the
number 38,700.
Information
Source:
Dataloss DB
April 19, 2007
New Mexico State University
EDU
DISC
5,600
The names and Social Security numbers of students who registered online to attend their commencement ceremonies from
2003 to 2005 were accidentally posted on the school's Web site when an automated program moved what was supposed to
be a private file into a public section of the Web site.
Information
Source:
Dataloss DB
April 18, 2007
Columbus, Ohio
http://www.osu.edu/news/newsitem1673
EDU
HACK
14,000
[172]
A hacker accessed the names, Social Security numbers, employee ID numbers and birth dates of 14,000 current and former
staff members.
Information
Source:
Dataloss DB
April 18, 2007
University of California, San Francisco (UCSF)
EDU
STAT
3,000
(866) 485-8777, http://news.ucsf.edu/releases/ucsf-computer-server-with-research-subject-information-is-stolen/ [173] ,
http://security.ucsf.edu/alert/information.html [174]
A computer file server containing names, contact information, and Social Security numbers for study subjects and potential
study subjects related to research on causes and cures for different types of cancer was stolen from a locked UCSF office.
For some individuals, the files also included personal health information.
Information
Source:
223
Dataloss DB
April 18, 2007
Columbus, Ohio
http://www.osu.edu/news/newsitem1673
EDU
PORT
3,500
[172]
The names, Social Security numbers and grades of 3,500 former chemistry students were on class rosters housed on two
laptop computers stolen from a professor's home in late February.
Information
Source:
Dataloss DB
April 15, 2007
CVS Pharmacy
MED
Liberty, Texas
PHYS
Over 1,000
The Attorney General of Texas filed a complaint against CVS Pharmacy for illegally disposing of personal information
including active debit and credit card numbers, complete with expiration dates and medical prescription forms with
customer's name, address, date of birth, issuing physician and the types of medication prescribed. The information was
found in a dumpster behind a store that apparently was being vacated.
Information
Source:
Dataloss DB
April 12, 2007
Bank of America
BSF
PORT
"limited" number of
people
A laptop containing personal information of current, former and retired employees including names, addresses, dates of birth
and Social Security numbers was stolen when an employee was a victim of a recent break-in.
Information
Source:
Dataloss DB
April 12, 2007
University of Pittsburgh Medical Center
MED
DISC
88
Personal information including names, Social Security numbers, and radiology images of patients were previously included in
two medical symposium presentations that were posted on UPMC's Web site. Though the presentation was later removed in
2005, the presentations were apparently inadvertently re-posted on the site and only recently removed again.
Information
Source:
Dataloss DB
April 12, 2007
Georgia Secretary of State
Atlanta, Georgia
http://sos.georgia.gov/pressrel/20070411a.htm
GOV
PHYS
75,000
[175]
30 boxes of Fulton County voter registration cards that contain names, addresses and Social Security numbers were found
in a trash bin.
Information
Source:
Dataloss DB
April 11, 2007
New Horizons Community Credit Union, Protiviti
BSF
PORT
9,000
224
April 11, 2007
BSF
Denver, Colorado
http://www.ncua.gov/news/press_releases/2007/MR07-0411.htm
PORT
9,000
[176]
A laptop computer that contained personal information of members who had loans with the credit union was stolen from
Protiviti, a consultant employed by Bellco Credit Union conducting due diligence to prepare a possible acquisition bid.
Information
Source:
Dataloss DB
April 11, 2007
ChildNet
Ft. Lauderdale, Florida
NGO
PORT
12,000
An organization responsible for managing Broward County's child welfare system believe a dishonest former employee stole
a laptop from the agency's office. It contains personal information of adoptive and foster-care parents including financial and
credit data, Social Security numbers, driver's license data and passport numbers.
Information
Source:
Dataloss DB
April 11, 2007
Black Hills State University
Spearfish, South Dakota
EDU
STAT
56
http://www.bhsu.edu/AboutBHSU/NewsEvents/tabid/3454/articleType/ArticleView/articleId/339/Default.aspx [177] , (605) 6426215
Names and Social Security numbers of scholarship winners were inadvertently posted and publicly available on the
university's web site.
Information
Source:
Dataloss DB
April 10, 2007
Georgia Department of Community Health, Affiliated Computer Services (ACS)
Atlanta, Georgia
GOV
PORT
2,900,000
http://dch.georgia.gov/vgn/images/portal/cit_1210/19/38/80010015Public_Notice-Missing_Personal_Data.pdf [178] , (866) 2133969
A computer disk containing personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or
children's health care recipient identification numbers, and Social Security numbers went missing from a private vendor,
Affiliated Computer Services (ACS), contracted to handle health care claims for the state.
Information
Source:
Dataloss DB
April 9, 2007
Turbo Tax
,
BSO
DISC
Unknown
Using Turbo Tax online to access previous returns, a Nebraska woman was able to access tax returns for other Turbo Tax
customers in different parts of the country. The returns contained personal information needed to e-file including bank
account numbers with routing digits and Social Security numbers.
Information
Source:
Dataloss DB
April 6, 2007
Hortica (Florists’ Mutual Insurance Company), UPS
Edwardsville, Illinois
BSF
PORT
Unknown
225
http://www.hortica-insurance.com/hotTopics/26.PDF
[179] ,
[180]
A locked shipping case of backup tapes containing personal information including names, Social Security numbers, drivers'
license numbers, and bank account numbers went missing while in transit with UPS.
Information
Source:
Dataloss DB
April 6, 2007
Chicago Public Schools
Chicago, Illinois
EDU
PORT
40,000
(773) 553-1142
Two laptop computers contain the names and Social Security numbers of current and former employees was stolen from
Chicago Public Schools headquarters.
Information
Source:
Dataloss DB
April 5, 2007
DCH Health Systems
Tuscaloosa, Alabama
MED
PORT
6,000
An encrypted disc and hardcopy documents containing retirement benefit information including Social Security numbers and
other personal information were lost. Tracking data indicates the package was delivered to the addressee's building, but the
intended recipient never received the package.
Information
Source:
Dataloss DB
April 5, 2007
Security Title Agency
Phoenix, Arizona
BSF
HACK
Unknown
Hackers "defaced" the company's Web site and may have accessed customer information which is stored on the same
server as the site.
Information
Source:
Media
April 4, 2007
EDU
HACK
46,000
[181]
An unauthorized party may have accessed the personal information including names, Social Security numbers, and bank
account numbers of students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years by
compromising the security of a campus server.
Information
Source:
Dataloss DB
March 30, 2007
Los Angeles County Child Support Services
GOV
PORT
243,000
Three laptops containing personal information including about 130,500 Social Security numbers — most without names,
12,000 individuals' names and addresses, and more than 101,000 child support case numbers were apparently stolen from
the department's office.
226
Information
Source:
Dataloss DB
March 30, 2007
Naval Station San Diego's Navy College Office
GOV
PORT
Unknown
(866) U-ASK-NPC, [email protected] [182]
Three laptops were reported missing that may contain Sailors' names, rates and ratings, Social Security numbers, and
college course information. The compromise could impact Sailors and former Sailors homeported on San Diego ships from
January 2003 to October 2005 and who were enrolled in the Navy College Program for Afloat College Education.
Information
Source:
Dataloss DB
March 30, 2007
University of Montana Western
Dillon, Montana
EDU
PORT
over 400
A computer disk containing students' Social Security numbers, names, birth dates, addresses and other personal information
was stolen from a professor's office. The stolen information belonged to students enrolled in the TRIO Student Support
Services program, which offers financial and personal counseling and other assistance.
Information
Source:
Dataloss DB
March 29, 2007
RadioShack
BSR
Portland, Texas
PHYS
Unknown
20 boxes of discarded records including sales receipts with names, addresses, Social Security numbers, credit card
information. and personal information of store employees spanning from 2001 to 2005 were found in a dumpster.
UPDATE (04/03/07): The Texas Attorney General's Office filed an action
[183]
against the Radio Shack store for violating the
state's violating the 2005 Identity Theft Enforcement and Protection Act.
Information
Source:
Dataloss DB
March 27, 2007
St. Mary Parish Schools
Centerville, Louisiana
EDU
DISC
380
Personal information including Social Security numbers of St. Mary Parish public school employees was available on the
Internet when a Yahoo!Web crawler infiltrated the server of the school's technology department.
Information
Source:
Dataloss DB
March 26, 2007
Fort Monroe
Fort Monroe, Virginia
GOV
PORT
16,000
A laptop computer containing the names, Social Security numbers and payroll information for as many as 16,000 civilian
employees was stolen from an employee's personal vehicle. Bank account and bank routing information were not included.
Information
Source:
Dataloss DB
227
March 23, 2007
Group Health Cooperative Health Care System
Seattle, Washington
MED
PORT
31,000
http://www.ghc.org/news/news.jhtml?reposid=/common/news/news/20070323-missing_laptops.html [184]
Two laptops containing names, addresses, Social Security numbers and Group Health ID numbers of local patients and
employees have been reported missing.
Information
Source:
Dataloss DB
March 23, 2007
Swedish Urology Group
Seattle, Washington
MED
PORT
hundreds
Three computer hard drives with personal files on hundreds of local patients including were stolen.
Information
Source:
Dataloss DB
March 20, 2007
Tax Service Plus
Santa Rosa, California
BSF
STAT
4,000
Thieves stole the company's backup computer, which contained financial data on thousands of tax returns dating back three
years.
Information
Source:
Dataloss DB
March 19, 2007
Boise, Idaho
BSO
PHYS
Unknown
Barrels filled with thousands of sensitive documents including printed copies of e-mail and performance evaluations along
with documents marked “internal use only – not for public release” and “for official use only” were found on the curb outside
of SAIC's local office.
Information
Source:
Media
March 16, 2007
Springfield City Schools, Ohio State Auditor
Springfield, Ohio
EDU
PORT
1,950
http://www.spr.k12.oh.us/ [185] , http://www.spr.k12.oh.us./ourboard/treasdocs/notificationofDataTheft.pdf [186]
A laptop containing personal information of current and former employees of Springfield City Schools including their names
and Social Security numbers was stolen from a state auditor employee's vehicle while parked at home in a garage.
Information
Source:
Dataloss DB
March 14, 2007
Wellpoint's Empire Blue Cross and Blue Shield unit in NY
MED
PORT
75,000
800-293-3443
An unencrypted disc containing patient's names, Social Security numbers, health plan identification numbers and description
of medical services back to 2003 was lost en route to a subcontractor.
228
UPDATE (3/14/07): The subcontrator reported that the CD that was reported missing on Feb. 9 has been found.
Information
Source:
Dataloss DB
March 13, 2007
U.S. Department of Agriculture (USDA)
GOV
UNKN
Unknown
http://www.usda.gov/oig/webdocs/50501-8-FM.pdf [187]
A total of 95 USDA computers were lost or stolen between Oct. 1, 2005, and May 31, 2006. Some may have contained
personal information such as names, addresses, Social Security numbers and payment information. Two-thirds of the
computers contained unencrypted data.
Information
Source:
Media
March 12, 2007
Dai Nippon
,
BSO
INSD
Unknown
A former contract worker of a Japanese commercial printing company stole nearly 9 million pieces of private data on
customers from 43 clients, including U.S. companies. The stolen data includes confidential information such as names,
addresses and credit card numbers intended for use in direct mailing and other printing services. Customers of U.S.-based
American Home Assurance Co. and Toyota Motor were affected.
Information
Source:
Dataloss DB
March 10, 2007
University of Idaho
Moscow, Idaho
EDU
DISC
2,700
888-900-3783
A data file posted to the school's Web site contained personal information including names, birthdates and Social Security
numbers of University employees.
Information
Source:
Dataloss DB
March 9, 2007
California National Guard
GOV
PORT
1,300
A computer hard drive containing Social Security numbers, home addresses, birth dates and other identifying information of
California National Guard troops deployed to the U.S.-Mexico border was stolen.
Information
Source:
Dataloss DB
March 7, 2007
Los Rios Community College
EDU
DISC
2,000
Student information including Social Security numbers were accessible on the Internet after the school used actual data to
test a new online application process in October.
Information
Source:
Dataloss DB
229
March 7, 2007
U.S. Census Bureau
GOV
DISC
302 households
http://www.census.gov/Press-Release/www/releases/archives/miscellaneous/009732.html [188]
Personal information of 302 households including names, addresses, phone numbers, birth dates and family income ranges
were posted on a public Internet site multiple times over a five-month period from October 2006 to Feb. 15, 2007 when
Census employees working from home tested new software records.
Information
Source:
Dataloss DB
March 3, 2007
Metropolitan State College of Denver
Denver, Colorado
EDU
PORT
988
http://www.mscd.edu/securityalert/ [189] , 866-737-6622
A faculty member's laptop computer that contained the names and Social Security numbers of former students was stolen
from its docking station on campus.
Information
Source:
Dataloss DB
March 3, 2007
Johnny's Selected Seeds
Winslow, Maine
BSR
HACK
11,500
Hacker accessed credit card account information of online customers. About 20 credit cards have been used fraudulently.
Information
Source:
Dataloss DB
March 2, 2007
California Department of Health Services
GOV
DISC
54
http://www.cchealth.org/press_releases/dhs_breach_03_2007.php [190] ,
http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/07-... [191]
Benefit notification letters containing names addresses, Medicare Part D plan names and premium payment amounts of
some individuals enrolled in the California AIDS Drug Assistance Program (ADAP) were erroneously mailed to another
enrollee.
Information
Source:
Media
March 1, 2007
Westerly Hospital
Westerly, Rhode Island
MED
DISC
2,200
Patient names, Social Security numbers, contact information as well as insurance information were posted on a publiclyaccessible Web site.
Information
Source:
Dataloss DB
February 28,
2007
Gulf Coast Medical Center
MED
PORT
8,000
230
Patient information including names and Social Security numbers were compromised when a computer went missing in
February in Tallahassee, FL.
Information
Source:
Dataloss DB
February 28,
2007
Gulf Coast Medical Center
MED
PORT
1,900
Patient information including names and Social Security numbers were compromised when a computer went missing in
November 2006 from Nashville, TN. This breach drew media attention when an additional 8,000 patients' information was
compromised during a February 2007 breach in Tallahassee, FL.
Information
Source:
Dataloss DB
February 23,
2007
Rabun Apparel Inc., former subsidiary of Fruit of the Loom
Rabun Gap, Georgia
BSR
DISC
1,006
Names and Social Security numbers of former employees were accessible on the Internet from Jan. 15 until Feb. 20.
Information
Source:
Dataloss DB
February 22,
2007
Speedmark
Woodlands, Texas
BSO
STAT
35,000
Thieves stole several computers, one of which contained a database with personally identifying information including names,
addresses, e-mail accounts, and Social Security numbers of Speedmark's mystery shopper employees and contractors.
Information
Source:
Dataloss DB
February 21,
2007
Georgia Institute of Technology
Atlanta, Georgia
404-894-2499, [email protected]
EDU
HACK
3,000
[192]
Personal information of former employees mostly in the School of Electrical and Computer Engineering including name,
address, Social Security number, other sensitive information, and about 400 state purchasing card numbers, were
compromised by unauthorized access to a Georgia Tech computer account.
Information
Source:
Dataloss DB
February 20,
2007
Back and Joint Institute of Texas
San Antonio, Texas
MED
PHYS
hundreds
20 boxes containing Social Security numbers, photocopies of driver's license numbers, addresses, phone numbers and
private medical history of chiropractic patients were found in a dumpster.
Information
Source:
Dataloss DB
February 19,
Seton Healthcare Network
MED
PORT
7,800
231
2007
North Austin, Texas
MED
PORT
7,800
A laptop with uninsured patients' names, birth dates and Social Security numbers was stolen last week from the Seton
hospital system. The uninsured patients had gone to Seton emergency rooms and city health clinics since July 1, 2005.
Information
Source:
Dataloss DB
February 19,
2007
Clarksville-Montgomery County middle and high schools
Clarksville, Tennessee
EDU
DISC
633
Staff and faculty Social Security numbers, used as employee identification numbers, were embedded in file photos by the
company that took yearbook pictures and inadvertently placed in a search engine on school system's Web site.
Information
Source:
Dataloss DB
February 19,
2007
Stop & Shop Supermarkets
Quincy, Massachusetts
BSR
CARD
Unknown
Additional locations: Southern Massachusetts and Rhode Island. (877) 366-2668
Credit and debit card account information including PIN numbers was stolen by high-tech thieves who apparently broke into
checkout-line card readers and PIN pads and tampered with them.
Information
Source:
Dataloss DB
February 19,
2007
Social Security Administation (SSA)
GOV
PHYS
13
Files of disability applicants containing Social Security numbers, addresses, phone numbers of family members, dates of
birth and work history, and detailed medical information were lost/stolen when a telecommuting employee abandoned them
in a locked filing cabinet at home after a threat of domestic violence. Several of the files were mailed back to the local SSA
office months later others were found in a dumpster recently, and four were never recovered.
Information
Source:
Media
February 15,
2007
City College of San Francisco
EDU
DISC
11,000 students
(800) 436-0108, www.ccsf.edu/securityalert [193]
Names, grades, and SSNs were posted on an unprotected Web site after summer session in 1999. CCSF stopped using
SSNs as studens IDs in 2002.
Information
Source:
Dataloss DB
February 14,
2007
Kaiser Medical Center
Oakland, California
MED
PORT
22,000 patients, but
apparently only 500
records contained
SSNs
(866) 529-0779
232
A doctor's laptop was stolen from the Medical Center containing medical information of 22,000 patients. But only 500 records
contained SSNs.
Information
Source:
Dataloss DB
February 14,
2007
Iowa Department of Education
Des Moines, Iowa
GOV
HACK
600
Up to 600 files of G.E.D. recipients were viewed when the online database was hacked. Files included names, addresses,
birthdates, and SSNs of G.E.D. graduates from 1965 to 2002.
Information
Source:
Dataloss DB
February 14,
2007
Conneticut Office of the State Comptroller
GOV
DISC
1,753
Personal information of state employees including names and Social Security numbers was inadvertently posted on the
Internet in a spreadsheet of vendors used by the state.
Information
Source:
Dataloss DB
February 10,
2007
State of Indiana Official Website www.IN.gov
GOV
HACK
76,600
(888) 438-8397, Email: securityconcerns @www.IN.gov
A hacker gained access to the State Web site and obtained credit card numbers of individuals who had used the site's online
services and gained access to Social Security numbers for 71,000 healthcare workers and 5,600 individuals and businesses.
UPDATE (3/22/07): Investigators have identified a teen they believe hacked into the IN.gov as a prank.
Information
Source:
Dataloss DB
February 9, 2007
East Carolina University
EDU
DISC
65,000 students,
alumni, and staff
members
http://www.ecu.edu/incident/ [194] , 877-328-6660
A programming error resulted in personal information of 65,000 individuals being exposed on the University's Web site. The
data has since been removed. Included were names, addresses, SSNs, and in some cases credit card numbers.
Information
Source:
Dataloss DB
February 9, 2007
Radford University, Waldron School of Health and Human Services
Radford, Virginia
EDU
HACK
2,400 children
A computer security breach exposed the personal information, including SSNs, of children enrolled in the FAMIS program,
Family Access to Medical Insurance Security.
Information
233
Source:
Dataloss DB
February 8, 2007
Piper Jaffrey
BSF
DISC
More than 1,000
employees
W-2s sent to current and former employees in January included employees' Social Security numbers on the outside of the
envelope. Though the numbers were not identified as Social Security numbers, they followed the standard XXX-XX-XXXX
format. Executives indicated the mishap was an error by a third-party vendor.
Information
Source:
Dataloss DB
February 8, 2007
St. Mary's Hospital
Leonardtown, Maryland
MED
PORT
130,000
A laptop was stolen in December that contained names, SSNs, and birthdates for many of the Hospital's patients.
Information
Source:
Dataloss DB
February 7, 2007
University of Nebraska
Lincoln, Nebraska
EDU
DISC
72
An employee accidentally posted SSNs of 72 students, professors, and staff on UNL's public Web site where they remained
for 2 years. They have since been removed.
Information
Source:
Dataloss DB
February 7, 2007
Johns Hopkins University and Johns Hopkins Hospital
Baltimore, Maryland
MED
PORT
52,000 past and
present employees
plus 83,000 patients
Johns Hopkins reported the disappearance of 9 backup computer tapes containing personal information of employees and
patients. Eight of the tapes contained payroll information on 52,000 past and present employees, including SSNs and in
some cases bank account numbers. The 9th tape contained less sensitive information about 83,000 hospital patients.
Information
Source:
Dataloss DB
February 7, 2007
Central Connecticut State University
New Britain, Connecticut
EDU
DISC
750 students
Social Security numbers of about 750 CCSU students were exposed in the name and address window on envelopes mailed
to them. The envelopes were not folded correctly. They contained IRS 1098T forms.
Information
Source:
Dataloss DB
February 6, 2007
New York Department of Labor
Glenn Falls, New York
GOV
PHYS
537
234
A laptop computer annd documents were stolen from a state tax auditor's apartment. While the laptop had security features
and had little personal information on it, the documents contained personal information for people who were employed by 13
Capital Region businesses.
Information
Source:
Dataloss DB
February 6, 2007
Metro Credit Services
Hurst, Texas
BSF
PHYS
thousands
Files of the defunct bill collection company containing medical records, phone bills and Social Security numbers were found
in a trash bin.
Information
Source:
Dataloss DB
February 3, 2007
CTS Tax Service
Cassopolis, Michigan
BSO
STAT
800
The computer and hard drive of a tax preparation company were stolen. Data included names, bank account numbers,
routing numbers, birthdates, SSNs, and addresses.
Information
Source:
Dataloss DB
February 2, 2007
Massachusetts Department of Industrial Accidents
800) 323-3249 ext. 560, www.mass.gov/dia
GOV
INSD
1,200 people who
submitted claims
[195]
A former state contractor allegedly accessed a workers' compensation data file and stole personal information, including
SSNs. The thief used the data to commit identity theft on at least 3 individuals.
Information
Source:
Dataloss DB
February 2, 2007
Indian Consulate via Haight Ashbury Neighborhood Council recycling center
GOV
PHYS
Unknown
Visa applications and other sensitive documents were accessible for more than a month in an open yard of a recycling
center. Information included applicants' names, addresses, phone numbers, birthdates, professions, employers, passport
numbers, and photos. A sampling of documents indicated that the paperwork included everyone who applied in the Western
states from 2002-2005. Applicants were current and former executives of major Bay Area companies that have operations in
India.
Information
Source:
Dataloss DB
February 2, 2007
Wisconsin Assembly
Madison, Wisconsin
GOV
PHYS
150 Assembly
members and aides
A document containing personal information of Wisconsin Assembly members was stolen from a legislative employee's car
while she was exercising at a local gym. It contained names, addresses, and SSNs.
Information
235
Source:
Dataloss DB
February 2, 2007
University of Missouri, Research Board Grant Application System
Columbia, Missouri
EDU
HACK
1,220
A hacker broke into a UM computer server mid-January and might have accessed personal information, including SSNs, of
1,220 researchers on 4 campuses. The passwords of 2,579 individuals might also have been exposed.
Information
Source:
Dataloss DB
February 2, 2007
New York Deptartment of State
Albany, New York
GOV
DISC
Unknown
The agency's Web site posted commercial loan documents that mistakenly contained SSNs. The forms are posted to let
lenders know the current financial status of loan recipients.
Information
Source:
Dataloss DB
February 2, 2007
U.S. Dept. of Veterans Affairs, VA Medical Center
Birmingham, Alabama
(877) 894-2600, http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1294
MED
PORT
48,000 veterans plus
535,000
[196]
An employee reported a portable hard drive stolen or missing that might contain personal information about veterans
including Social Security numbers.
UPDATE (2/10/07
[196] ):
VA increases number of affected veterans to 535,000, included in the total below.
UPDATE (2/12/07): VA reported that billing information for 1.3 million doctors was also exposed, including names and
Medicare billing codes, not included in the total below.
UPDATE (3/19/07): The VA's Security Operations Center has referred 250 incidents since July 2006 to its inspector general,
which has led to 46 separate investigations.
UPDATE (6/18/07):More than $20 million to respond to its latest data breach, the breach potentially puts the identities of
nearly a million physicians and VA patients.
Information
Source:
Dataloss DB
January 29, 2007
Mendoza College of Business, Notre Dame University
Notre Dame, Indiana
EDU
DISC
Unknown
Additional location: South Bend, Indiana
A file of individuals who took the GMAT test (Graduate Management Admissions Test) was mistakenly left on a computer
that was decommissioned. The computer was later reactivated and plugged into the Internet. Its files were available through
a file-sharing program. Data included names, scores, SSNs and demographic information from 2001.
Information
Source:
Media
January 26, 2007
Indiana Deptartment of Transportation (INDOT)
GOV
DISC
4,000 employees
The names and SSNs of INDOT employees were inadvertently posted on an internal network computer drive sometime
236
The names and SSNs of INDOT employees were inadvertently posted on an internal network computer drive sometime
between Sept. 6 and Dec. 4, 2006.
Information
Source:
Dataloss DB
January 26, 2007
Vanguard University
Costa Mesa, California
EDU
STAT
5,105 financial aid
applicants
(800) 920-7312
On Jan. 16, 2 computers were discovered stolen from the financial aid office. Data included names, SSNs, dates of birth,
phone numbers, driver's license numbers, and lists of assets. Affected financial aid applicants from 2005-2006 and 20062007 school years.
Information
Source:
Dataloss DB
January 26, 2007
WellPoint's Anthem Blue Cross Blue Shield
Richmond, Virginia
MED
PORT
50,000
(800) 284-9779
Cassette tapes containing customer information were stolen from a lock box held by one of its vendors. Data included names
and SSNs.
Information
Source:
Dataloss DB
January 26, 2007
Chase Bank and the former Bank One, now merged
Shreveport, Louisiana
BSF
4,100 current and
PHYS former employees from
all over Louisiana
A Bossier woman bought a used desk from a furniture store. She discovered a 165-page spread sheet in a drawer that
included names and SSNs of bank employees. The document was returned to the bank.
Information
Source:
Media
January 26, 2007
EDU
STAT
1,400 currently enrolled
students
A desktop computer was stolen from the Student Life office containing membership rosters -- including SSNs, birthdates, and
addresses -- of the University's 23 fraternities and sororities. A hard drive and memory from 2 other computers were also
stolen.
Information
Source:
Dataloss DB
January 25, 2007
Clay High School
Oregon, Ohio
EDU
HACK
Unknown
A former high school student obtained sensitive staff and student information through an apparent security breach. The data
was copied onto an iPod and included names, birth dates, SSNs, addresses, and phone numbers.
237
Information
Source:
Dataloss DB
January 25, 2007
Ohio Board of Nursing
GOV
Columbus, Ohio
DISC
3,031 newly licensed
nurses
The agency's Web site posted names and SSNs of newly licensed nurses twice in the past 2 months. SSNs were supposed
to have been removed before posting.
Information
Source:
Dataloss DB
January 25, 2007
Wahiawa Women, Infants and Children program (WIC)
Honolulu, Hawaii
(808) 586-8080, http://www.hawaii.gov/dcca/quicklinks/id_theft_info
GOV
INSD
11,500 current and
former clients
[197]
A WIC employee apparently stole the personal information of agency clients, including SSNs, and committed identity theft on
at least 3 families and perhaps 2 more. The Health Director said the agency will no longer use SSNs in its data base.
Information
Source:
Dataloss DB
January 23, 2007
Rutgers-Newark University, Political Science Department
Newark, New Jersey
EDU
PORT
200 students
An associate professor's laptop was stolen, containing names and SSNs of 200 students. Rutgers no longers uses SSNs as
student IDs, but student IDs from past years are still SSNs.
Information
Source:
Dataloss DB
January 22, 2007
U.S. Deptartment of Veterans Affairs
Seattle, Washington
GOV
PHYS
Unknown
Folders of veterans' personal information were stolen from a locked car in Bremerton, WA. News stories are not clear on the
type of information contained in the folders.
Information
Source:
Media
January 22, 2007
Chicago Board of Election
Chicago, Illinois
GOV
PORT
1.3 million voters
About 100 computer discs (CDs) with 1.3 million Chicago voters' SSNs were mistakenly distributed to aldermen and ward
committeemen. CDs also contain birth dates and addresses.
Information
Source:
Dataloss DB
January 19, 2007
U.S. Internal Revenue Service via City of Kansas City
GOV
PORT
Unknown
238
26 IRS computer tapes containing taxpayer information were reported missing after they were delivered to City Hall. They
potentially contain taxpayers' names, SSNs, bank account numbers, or employer information. The 26 tapes were the entire
shipment received by the City last August. The disappearance was noticed late December 2006.
Information
Source:
Dataloss DB
January 18, 2007
KB Home
BSO
Charleston, South Carolina
STAT
2,700
A computer was stolen from one of the home builder's offices. It likely contained names, addresses, and SSNs of people who
had visited the sales office for Foxbank Plantation in Berkeley County near Charleston.
Information
Source:
Dataloss DB
January 17, 2007
TJ stores (TJX), including TJMaxx, Marshalls, Winners, HomeSense, AJWright,
KMaxx, and possibly Bob's Stores in U.S. & Puerto Rico -- Winners and
HomeGoods stores in Canada -- and possibly TKMaxx stores in UK and Ireland
Framingham, Massachusetts
U.S.: Call (866) 484-6978, Canada: (866) 903-1408, U.K. & Ireland: 0800 77 90 15, www.tjx.com
BSR
HACK
100,000,000
[198]
The TJX Companies Inc. experienced an unauthorized intrusion into its computer systems that process and store customer
transactions including credit card, debit card, check, and merchandise return transactions. It discovered the intrusion midDecember 2006. Transaction data from 2003 as well as mid-May through December 2006 may have been accessed.
According to its Web site, TJX is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide.
Note on our total: included in this breach are 45,700,000 credit and debit card account numbers; 455,000 merchandise
return records containing customer names and driver's license numbers; recovery of about 200,000 stolen credit card
account numbers; records then 1indicated an additional 48 million people have been affected. Totals were estimated at 94
million but now seem to have affected over 100 million accounts.
UPDATE (2/22/07):TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks
its computer system was also hacked in July 2005 and on various subsequent dates that year.u
UPDATE (3/21/07): Information stolen from TJX's systems was being used fraudulently in November 2006 in an $8 million
gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement
officials.
UPDATE (3/29/07): The company reported in its SEC filing that 45.7 million credit and debit card numbers were hacked,
along with 455,000 merchandise return records containing customers' driver's license numbers, Military ID numbers or
UPDATE (4/22/07): Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, the
company noted the perpetrators had access to data for 17 months, and apparently began in July 2005.
UPDATE (04/26/07): Three states' banking associations (MA, CT, and ME) filed a class action lawsuit [199] against TJX to
recover the costs of damages totaling tens of millions of dollars incurred for replacing customers' debit and credit cards.
UPDATE (05/04/07): An article in the WSJ [200] notes that because TJX had an outdated wireless security encryption system,
had failed to install firewalls and data encryption on computers using the wireless network, and had not properly install
another layer of security software it had bought, thieves were able to access data streaming between hand-held pricechecking devices, cash registers and the store's computers. 21 U.S. and Canadian lawsuits seek damages from the retailer
for reissuing compromised cards.
UPDATE (07/10/07): U.S. Secret Service agents found TJX customers' credit card numbers in the hands of Eastern
European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and
Canada, among other places, Several Cuban nationals in Florida were arrested with more than 200,000 credit card account
numbers.
UPDATE (08/31/07): The U.S. Secret Service Agency earlier this week said it has arrested and indicted four members of an
organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking,
and conspiracy.
UPDATE (09/21/07): A ring leader in the TJX Cos.-linked credit card fraud, was sentenced to five years in prison and has
been ordered to pay nearly $600,000 in restitution for damages resulting from stolen financial information.
UPDATE (09/25/07): TJX announced the terms of a settlement for customers affected by the data breach -- with strings
attached. Credit monitoring will be offered to about 455,000 of the 46 million affected. TJX will reimburse customers who had
to replace driver's licenses as a result of the breach if they submit documentation for the time and money spent on replacing
licenses. The company will give a $30 store voucher to those customers who submit documentation about their lost time and
money. And TJX will hold a special 3-day sale with a 15% discount sometime in 2008. The settlement still needs to be
approved by the court.
239
UPDATE (10/23/07): Court filings in a case brought by banks against TJX say the number of accounts affected by the thefts
topped 94 million.
UPDATE (10/23/07): The total number of records increased from 167 million to 215 million. Recent court filings in a case
brought by banks against TJX say the number of accounts affected by the thefts topped 94 million, up considerably from
45,7 million credit and debit card account numbers initially thought to be compromised. Breach costs have been estimated at
$216 million.
UPDATE (11/30/07): Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data
security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data
from BJ's Wholesale Club Inc.
UPDATE (12/05/07): An InternetNews.com article estimates TJX expenses at $500 million to $1 billion. In a settlement with
VISA USA, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers
affected by the breach. At least 19 lawsuits have been filed, and there are investigations underway by the Federal Trade
Commission and 37 state Attorneys General.
UPDATE (12/18/07): TJX has settled the lawsuit for an undisclosed amount.Although both sides said the settlement total
would remain confidential, TJX said the costs were covered by a $107 million reserve that it set aside against its secondquarter earnings.TJX also has said that $107 million would cover the costs of another breach agreement: a Nov. 30 deal with
Visa Inc. to help pay a maximum $40.9 million to help the network's card-issuing banks recover expenses to replace
customers' Visa cards.
UPDATE (2/10/08): Notices are going out to millions of customers who may have had credit card information compromised in
a data breach. The notices contain information about eligibility for compensation such as vouchers and credit monitoring to
be provided under a proposed settlement.
UPDATE (4/2/08): TJX Cos. reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and
other institutions to cover fraud losses stemming from a massive data breach disclosed last year. They also struck a similar
deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its
MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs
associated with the breach.
UPDATE (5/14/08): The TJX Companies, Inc. today announced that it completed its previously announced settlement with
MasterCard International Incorporated and its issuers. Financial institutions representing 99.5% of eligible MasterCard
accounts worldwide claimed to have been affected by the unauthorized computer intrusion(s) at TJX accepted the alternative
recovery offer under TJX's previously announced Settlement Agreement with MasterCard.
UPDATE (8/5/08): Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers have been charged with
numerous crimes, including conspiracy, computer intrusion, fraud and identity theft. This is the largest hacking and identity
theft case ever prosecuted by the U.S. Department of Justice. An indictment was returned on Aug. 5, 2008. Conspirators
obtained the credit and debit card numbers by wardriving and hacking into the wireless computer networks of major retailers
-- including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21
and DSW. The indictments are the result of a three-year undercover investigation conducted out of the San Diego Field
Office of the U.S. Secret Service.
UPDATE (8/30/08): TrustCo BankCorp NY sued TJX in August 2008 to recoup costs it incurred from reissuing an estimated
4,000 customer MasterCard debit cards after hackers accessed the TJX computer network. The bank stated its cost for the
breach was up to $20 per affected account, explaining that it suffered losses from administrative expenses and lost interest
and transaction fees. Later in the month, TJX in turn claimed that Trustco failed to implement policies or procedures that
would have enabled the bank to avoid canceling and replacing customer debit cards.
UPDATE (9/22/08):One of the 11 people arrested last month in connection with the massive data theft at T JX Companies
Inc., BJ Wholesale Clubs Inc. and several other retailers pleaded guilty yesterday to four felony counts, including wire and
credit card fraud and aggravated identity theft. Many of the Internet attacks that he facilitated were SQL injection attacks,
according to court documents. The stolen data was sold to cyber criminals in Eastern Europe and the U.S. or used to make
fraudulent credit and debit cards.
UPDATE (6/26/09): TJX has agreed to pay $9.75 million to 41 states and to implement and maintain a comprehensive
information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place
at the time of the breach. Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data
protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the
investigation. Further, $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the state Attorneys
General to advance enforcement efforts and policy development in the field of data security and protecting consumers’
personal information.
UPDATE (7/28/09): Pennsylvania and 40 other states reached a $9.75 million settlement.
UPDATE (9/4/09): TJX settles for $525K with four banks. As part of the settlement with AmeriFirst Bank, Trustco Bank,
HarborOne Credit Union and SELCO Community Credit Union, the Framingham, Mass.-based retailer paid $525,000. The
money primarily will be used to cover the banks' expenses in pursuing the legal action.
UPDATE (12/15/09):A Miami hacker who had already pleaded guilty to computer fraud and identity theft for breaches at
retailers T.J. Maxx, OfficeMax, and many other merchants, pleaded guilty on Tuesday to similar charges related to breaches
at Heartland Payment Systems, 7-11, Hannaford Brothers supermarkets, and two other companies. Albert Gonzalez, 28,
reiterated terms of a plea agreement in U.S. District Court in Boston. A week earlier, co-conspirator Stephen Watt of New
York, appeared in that same court and was ordered to serve two years in prison and pay $171.5 million in restitution for
developing a sniffing program used to grab payment card data in the breach at the TJX companies between 2003 and 2008.
UPDATE (3/17/10): Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced in Boston to 46
months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.
Zaman was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting
sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other
240
companies to steal data on more than 100 million credit and debit card accounts. Zaman pleaded guilty in April to one count
of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his
conviction to any future employer. Upon release, Zaman will not be barred from using computers. Zaman is the second
conspirator in the TJX case to be charged. Former Morgan Stanley coder, Stephen Watt, was sentenced in December to two
years in prison for his role in the TJX case, which involved supplying Gonzalez with a sniffer program used to siphon card
data from the TJX network.
UPDATE (3/29/10): A 28-year-old college dropout who became the world’s biggest credit card hacker on Thursday was
sentenced to 20 years in prison for stealing millions of credit union and bank account records from TJX Cos., BJ’s Wholesale
Club, Office Max, Dave & Busters, Barnes & Noble and a string of other companies – even as he was working as a $75,000a-year undercover informant for the U.S. government in identity theft cases. But that’s not the end of it, as Albert Gonzalez is
scheduled to be sentenced again to additional years behind bars for additional data thefts at Heartland Payment Systems,
Hannaford Bros. supermarkets and 7-Eleven convenience stores. The theft of credit card data cost financial institutions,
insurers and cardholders an estimated $200 million, according to law enforcement. JC Penney and Wet Seal were both
officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P.
Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had
reported last August that $17 billion JC Penney chain was one of Gonzalez.s victims, even though JC Penney's media
representatives were denying it. But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C.
and Puerto Rico, had kept their identity secret. No more and that.s the way Woodlock wanted it.
UPDATE (4/16/10): Damon Patrick Toey, the 'trusted subordinate' of TJX hacker Albert Gonzalez, was sentenced in Boston
to 5 more years in prison. He also received a $100,000 fine and three years. supervised release, according to the Justice
Department.
UPDATE (7/8/10): TJX has settled another lawsuit. The Louisiana Municipal Police Employees' Retirement System, a
shareholder of TJX stock, settled with TJX for $595,000 in legal fees and enhanced oversight of customer files.
Information
Source:
Dataloss DB
January 17, 2007
Rincon del Diablo Municipal Water District
GOV
Escondido, California
STAT
500 customers
Additional locations:unincorporated neighborhoods outside the city, and parts of San Marcos and San Diego, CA. (760) 7455522
2 computers were stolen from the district office. One included names and credit card numbers of customers.
Information
Source:
Dataloss DB
January 16, 2007
University of New Mexico
EDU
STAT
Unknown
At least 3 computers and 4 monitors were stolen from the associate provost's office overnight between Jan. 2 and 3. They
may have included faculty members' names and SSNs.
Information
Source:
Dataloss DB
January 13, 2007
North Carolina Department of Revenue
GOV
PORT
30,000 taxpayers
A laptop computer containing taxpayer data was stolen from the car of a NC Dept. of Revenue employee in mid-December.
The files included names, SSNs or federal employer ID numbers , and tax debt owed to the state.
Information
Source:
Dataloss DB
January 12, 2007
MoneyGram International
BSF
HACK
79,000
241
January 12, 2007
BSF
HACK
79,000
MoneyGram, a payment service provider, reported that a company server was unlawfully accessed over the Internet last
month. It contained information on about 79,000 bill payment customers, including names, addresses, phone numbers, and
in some cases, bank account numbers.
Information
Source:
Media
January 11, 2007
University of Idaho
Moscow, Idaho
EDU
STAT
70,000
(866) 351-1860
Over Thanksgiving weekend, 3 desktop computers were stolen from the Advancement Services office containing personal
information of alumni, donors, employees, and students. 331,000 individuals may have been exposed, with as many as
70,000 records containing SSNs, names and addresses.
Information
Source:
Dataloss DB
January 10, 2007
University of Arizona
Tucson, Arizona
EDU
UNKN
Unknown
Breaches occurred in November and December 2006 that affected services with UA Student Unions, University Library, and
UA Procurement and Contracting Services. Some services were shut down for several days.
Information
Source:
Dataloss DB
18,000 past and
present employees,
January 9, 2007
Towers Perrin
New York, New York
BSF
INSD
presumably of Altria
(total number of
affected invididuals is
unknown); 6,300
employees of Philip
Morris.
5 laptops were stolen from Towers Perrin, allegedly by a former employee. The theft occurred Nov. 27, 2006. The
computers contain names, SSNs, and other pension-related information, presumably of several companies, although news
reports are not clear. Companies named include Altria (18.000 employees) and Philip Morris (6,300 employees).
UPDATE (1/11/07): NY police arrested a junior-level administrative employee of the company in the theft of the laptops.
Information
Source:
Dataloss DB
January 5, 2007
Dr. Baceski's office, internal medicine
Somerset, Pennsylvania
MED
PORT
hundreds of patients
A hard drive was stolen containing personal information on hundreds of patients.
Information
Source:
Media
242
January 4, 2007
Selma, North Carolina, Water Treatment Plant
Johnston County, North Carolina
GOV
PORT
Unknown
A laptop stolen from the water treatment facility holds the names and SSNs of Selma volunteer firefighters.
Information
Source:
Dataloss DB
January 2, 2007
Notre Dame University
Notre Dame, Indiana
EDU
PORT
Unknown
Additional location: South Bend, IN
A University Director's laptop was stolen before Christmas. It contained personal information of employees, including names,
SSNs, and salary information.
Information
Source:
Dataloss DB
January 2, 2007
News accounts are not clear as to source, but thought to be a realty office
Las Vegas, Nevada
BSO
PHYS
Unknown
About 40 boxes of financial paperwork, thought to be from loan applications, was found in a dumpster. One of the boxes
visible to news reporters was said to contain paperwork with bank account details, photocopies of driver's licenses, SSNs
and other private information.
Information
Source:
Media
January 1, 2007
Wisconsin Department of Revenue via Ripon Printers
Madison, Wisconsin
(608) 224-5163, http://privacy.wi.gov/alerts/jan0107.jsp
GOV
DISC
171,000 taxpayers
[201]
Tax forms were mailed to taxpayers in which SSNs were inadvertently printed on the front of some Form 1 booklets. Some
were retrieved before they were mailed.
Information
Source:
Dataloss DB
December 30,
2006
KeyCorp
Cleveland, Ohio
BSF
PORT
9,300
A laptop computer stolen from a KeyCorp vendor contains personally identifiable information, including SSNs, of 9,300
customers in six states.
Information
Source:
Dataloss DB
December 28,
2006
U.S. State Department
GOV
PHYS
700
A bag containing approximately 700 completed passport applications, which included Social Security numbers, was reported
missing on December 1. The bag, which was supposed to be shipped to Charlotte, NC, was found later in the month at Los
Angeles International Airport.
Information
243
Source:
Dataloss DB
December 27,
2006
Bozeman, Montana
EDU
DISC
259 students
A student working in the loan office mistakenly sent packets containing lists of student names, Social Security numbers, and
loan information to other students
Information
Source:
Dataloss DB
December 27,
2006
Deaconess Hospital
Evansville, Indiana
MED
PHYS
128 patients
A computer missing from the hospital holds personal information, including SSNs, of 128 respiratory therapy patients.
Information
Source:
Dataloss DB
December 22,
2006
Texas Woman's University
Dallas, Texas
EDU
DISC
15,000 students
Additional locations: Denton and Houston, TX
A document containing names, addresses and SSNs of 15,000 TWU students was transmitted over a non-secure
connection.
Information
Source:
Media
December 21,
2006
Santa Clara County employment agency
Santa Clara County, California
GOV
STAT
2,500
A computer stolen from the agency holds the SSNs of approximately 2,500 individuals.
Information
Source:
Dataloss DB
December 20,
2006
Lakeland Library Cooperative - serving 80 libraries in 8 counties
Grand Rapids, Michigan
GOV
DISC
15,000 library users,
not included in total
because Social
Security numbers not
involved
Personal information of 15,000 library users in West Michigan was displayed on the Cooperative's Web site due to a
technical problem. Information exposed included names, phone numbers, e-mail addresses, street addresses, and library
card numbers. Children's names were also listed along with their parents' names on a spreadsheet document. The
information has since been removed.
Information
Source:
Dataloss DB
December 20,
Big Foot High School
EDU
DISC
87 current and former
244
2006
Walworth, Wisconsin
EDU
DISC
employees
Personal information was accidentally exposed on the High School's Web site for a short time, perhaps for about 36 minutes,
according to a report. Information included last names, SSNs, and birthdates.
Information
Source:
Dataloss DB
27 residents of Lake
County plus about 90
December 20,
2006
Lake County residents, plus Major League Baseball players
Northbrook, Illinois
BSO
PHYS
current and retired
Major League Baseball
players for a total of
117 individuals
A Chicago man apparently removed documents from a trash bin outside SFX Baseball Inc., a sports agency that deals with
Major League Baseball. He used information found on those documents to commit identity theft on at least 27 Lake County
residents. Information found during a search of the thief's home included SSNs, birthdates, canceled paychecks, obituaries,
and infant death records.
Information
Source:
Dataloss DB
December 20,
2006
Deb Shops, Inc.
BSR
HACK
Unknown
(800) 460-9704
A hacker illegally accessed company Web pages and a related data base used for Internet-based purchases. The intruder
may have accessed customers' credit card information including names on cards and credit card numbers.
Information
Source:
Dataloss DB
December 19,
2006
Mississippi State University
Jackson, Mississippi
EDU
DISC
2,400 students and
emplolyees
SSNs and other personal information were inadvertently posted on a publicly accessible MSU Web site. The breach was
discovered last week and the information has since been removed.
Information
Source:
Dataloss DB
December 15,
2006
University of Colorado, Boulder, Academic Advising Center
Boulder, Colorado
EDU
HACK
17,500
http://www.colorado.edu/its/security/awareness/privacy/identitytheft.pdf [202]
A server in the Academic Advising Center was the subject of a hacking attack. Personal information exposed included names
and SSNs for individuals who attended orientation sessions from 2002-2004. CU-Boulder has since ceased using SSNs as
identifiers for students, faculty, staff, and administrators.
Information
Source:
Dataloss DB
245
December 15,
2006
City of Wickliffe
Wickliffe, Ohio
GOV
HACK
125 employees
Hackers breached security in one of the city's three computer servers containing personal information on some city
employees, including names and SSNs.
Information
Source:
Dataloss DB
December 14,
2006
Electronic Registry Systems
Atlanta, Georgia
MED
PORT
More than 63,000
patients
Additional locations: Danville, Pennsylvania, Nashville, TN
On Nov. 23, 2006, two computers (one desktop, one laptop) were stolen from Electronic Registry Systems, a business
contractor in suburban Springdale, OH, that provides cancer patient registry data processing services. It contained the
personal information (name, date of birth, Social Security number, address, medical record number, medical data and
treatment information) of cancer patients from hospitals in Pennsylvania, Tennessee, Ohio and Georgia, dating back to 1977
at some hospitals. Hospitals include Emory Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, as well as
Geisinger Health System (PA) and Williamson Medical Center (TN).
UPDATE(1/14/07): The number of affected patients was increased from 25,000 to 63,000.
Information
Source:
Dataloss DB
December 14,
2006
Riverside High School
EDU
DISC
Thousands of school
employees (at least
2,000)
Two students discovered a breach in the security of a Durham Public Schools computer as part of a class assignment. They
reported to school officials that they were able to access a database containing SSNs and other personal information of
thousands of school employees. The home of one student was searched by Sheriff's deputies and the family computer was
seized.
Information
Source:
Dataloss DB
December 14,
2006
St. Vrain Valley School District
Longmont, Colorado
EDU
PHYS
600 students
Paper records containing student information were stolen, along with a laptop, from a nurse's car Nov. 20. Personal
information included students' names, dates of birth, names of their schools, what grade they are in, their Medicaid numbers
(presumably SSNs), and their parents' names. The laptop contained no personal data.
Information
Source:
Dataloss DB
December 14,
2006
Bank of America
BSF
INSD
Unknown
A former contractor for Bank of America unauthorizedly accessed the personal information (name, address, phone number,
Social Security number) of an undisclosed number of customers, for the purpose of committing fraud.
Information
Source:
Dataloss DB
246
December 13,
2006
Boeing
Seattle, Washington
BSO
PORT
382,000 current and
former employees
In early December, a laptop was stolen from an employee's car. Files contained names, salary information, SSNs, home
addresses, phone numbers and dates of birth of current and former employees.
UPDATE (12/14/06): Boeing fired the employee whose laptop was stolen.
UPDATE(1/26/07): The laptop was recovered.
Information
Source:
Dataloss DB
December 12,
2006
University of California at Los Angeles (UCLA)
Affected individuals can call UCLA at (877) 533-8082, http://www.identityalert.ucla.edu
EDU
HACK
800,000
[203]
Hacker(s) gained access to a UCLA database containing personal information on current and former students, current and
former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend.
Exposed records contained names, SSNs, birth dates, home addresses, and contact information. About 3,200 of those
notified are current or former staff and faculty of UC Merced and current and former staff of UC's Oakland headquarters.
Information
Source:
Media
December 12,
2006
University of Texas, Dallas
Dallas, Texas
EDU
HACK
35,000
Affected individuals can call (972) 883-4325, http://www.utdallas.edu/datacompromise/form.html [204]
The University discovered that personal information of current and former students, faculty members, and staff may have
been exposed by a computer network intrusion -- including names, SSNs, home addresses, phone numbers and e-mail
addresses.
UPDATE (12/14/06): The number of people affected was first thought to be 5,000, but was increased to 6,000.
UPDATE (01/19/07): Officials now say 35,000 individuals may have been exposed.
Information
Source:
Dataloss DB
December 12,
2006
Aetna, Nationwide, Wellpoint Group Health Plans, Humana Medicare, Mutual of
Omaha Insurance Company,Anthem Blue Cross Blue Shield via Concentra
Preferred Systems
MED
PORT
396,279
Dayton, Ohio
A lockbox holding personal information of health insurance customers was stolen Oct. 26. Thieves broke into an office
building occupied by insurance company vendor, Concentra Preferred Systems. The lockbox contained computer backup
tapes of medical claim data for Aetna and other Concentra health plan clients. Exposed data includes member names,
hospital codes, and either SSNs or Aetna member ID numbers. SSNs of 750 medical professionals were also exposed.
Officials downplay the risk by stating that the tapes cannot be used on a standard PC.
UPDATE (12/23/06): The lockbox also contained tapes with personal information of 42,000 NY employees insured by Group
Health Insurance Inc.)
UPDATE(1/24/07): Personal data of 28,279 Nationwide's Ohio customers were also compromised. 2/11/10 Total changes to
396,279 to reflect final total of records breached in all of the affected companies.
Information
Source:
247
Dataloss DB
December 9,
2006
Home Finance & Mortgage, Inc.
Cornelius, North Carolina
BSF
PHYS
146
Company dumped files containing names, addresses, Social Security numbers, credit card numbers, and bank account
numbers of people who had applied for mortgage loans. Home Finance and its owners have agreed to pay the State of NC
$3,000 for their violations.
Information
Source:
Dataloss DB
December 9,
2006
Virginia Commonwealth University (VCU)
Richmond, Virginia
EDU
DISC
561 students
Personal information of 561 students was inadvertently sent as attachments on Nov. 20 in an e-mail, including names, SSNs,
local and permanent addresses and grade-point averages. The e-mail was sent to 195 students to inform them of their
eligibility for scholarships.
Information
Source:
Dataloss DB
December 8,
2006
Segal Group of New York, via web site of Vermont state agency used to call for
bids on state contracts
Montpelier, Vermont
BSO
DISC
1,100
Names and SSNs of several hundred physicians, psychologists and other health care providers were mistakenly posted
online by Segal Group, a contractor hired by the state to put its health management contract out for bid. The information was
posted from May 12 to June 19. It was discovered when a doctor found her own SSN online.
UPDATE (1/14/07): SSNS of more than 1,100 doctors, psychothereapists and other health professionals were exposed.
Information
Source:
Dataloss DB
December 6,
2006
Premier Bank
Columbia, Missouri
BSF
PHYS
1,800 customers
Headquarters in Jefferson City, MO
A report was stolen the evening of Nov. 16 from the car of the bank's VP and CFO while employees were celebrating an
award received by the bank. The document contained names and account numbers of customers, but reportedly no SSNs.
Information
Source:
Dataloss DB
December 5,
2006
Army National Guard 130th Airlift Wing
GOV
PORT
Unknown
A laptop was stolen from a member of the unit while he was attending a training course. It contained names, SSNs, and birth
dates of everyone in the 130th Airlift Wing.
Information
Source:
Media
December 5,
2006
Nassau Community College
Garden City, New York
EDU
PHYS
21,000 students
248
Garden City, New York
A printout is missing that contains information about each of NCC's 21,000 students, including names, SSNs, addresses, and
phone numbers. It disappeared from a desk in the Student Activities Office.
Information
Source:
Dataloss DB
December 3,
2006
City of Grand Prairie
Grand Prairie, Texas
GOV
DISC
hundreds of employees
(at least 200)
Employees of the city of Grand Prairie were notified that personal records were exposed on the city's website for at least a
year. Included were the names and SSNs of hundreds of employees. The information has since been removed. The city had
been working with a contractor on a proposal for workers' compensation insurance. Along with the proposal, names and
SSNs were mistakenly listed.
Information
Source:
Dataloss DB
December 1,
2006
TD Ameritrade
Omaha, Nebraska
BSF
PORT
about 300 current and
former employees
(201) 369-8373
According to a letter sent to employees, a laptop was removed (presumably stolen) from the office Oct. 18, 2006, that
contained unencrypted information including names, addresses, birthdates, and SSNs.
Information
Source:
Dataloss DB
November 30,
2006
Pennsylvania Deptartment of Transportation (PennDOT)
Dunmore, Pennsylvania
GOV
STAT
11,384
Affected individuals can call (800) PENNDOT if you have questions.
Thieves stole equipment from a driver's license facility late evening Nov. 28, including computers containing personal
information on more than 11,000 people. Information included names, addresses, dates of birth, driver's license numbers
and both partial and complete SSNs (complete SSNs for 5,348 people). Also stolen were supplies used to create drivers
licenses and photo IDs. The state maintains 97 driver's license facilities.
Information
Source:
Dataloss DB
November 30,
2006
TransUnion Credit Bureau via Kingman, AZ, court office
,
BSF
HACK
more than 1,700
people
Four different scam companies downloaded the credit information of more than 1,700 individuals, including their credit
histories and SSNs. They were able to illegitimately obtain the password to the TransUnion account held by the Kingman,
AZ, court office, which apparently has a subscription to the bureau's services.
Information
Source:
Dataloss DB
November 29,
2006
Gundersen Lutheran Medical Center
LaCrosse, Wisconsin
MED
INSD
unknown
249
A Medical Center employee used patient information, including SSNs and dates of birth, to apply for credit cards in their
names. As patient liaison, her duties included insurance coverage, registration, and scheduling appointments. She was
arrested for 37 counts of identity theft, and was convicted of identity theft and uttering forged writing, according to the
criminal complaint.
Information
Source:
Media
November 28,
2006
Kaiser Permanente Colorado-- Skyline and Southwest offices
Denver, Colorado
MED
PORT
38,000 (not included in
total, because SSNs
were apparently not
exposed)
For members who have questions: (866) 529-0813
A laptop was stolen from the personal car of a Kaiser employee in California on Oct. 4. It contained names, Kaiser ID
number, date of birth, gender, and physician information. The data did not include SSNs.
Information
Source:
Dataloss DB
November 28,
2006
California State University, Los Angeles (Cal State LA), Charter College of
Education
EDU
PORT
2,534
(800) 883-4029
An employee's USB drive was inside a purse stolen from a car trunk. It contained personal information on 48 faculty
members and more than 2,500 students and applicants of a teacher credentialing program. Information included names,
SSNs, campus ID numbers, phone numbers, and e-mail addresses.
Information
Source:
Dataloss DB
November 27,
2006
Johnston County, NC
Johnston County, North Carolina
GOV
DISC
About 39,000 North
Carolina residents
Personal data, including SSNs, of thousands of taxpayers, were inadvertently posted on the county web site. The information
was removed from the site within an hour after officials became aware of the situation.
Information
Source:
Dataloss DB
November 27,
2006
Greenville County School District
EDU
STAT
At least 101,000
students and
employees
School district computers sold to the WH Group at auctions between 1999 and early 2006 contained the birth dates, SSNs,
driver's license numbers and Department of Juvenile Justice records of approximately 100,000 students. The computers
also held sensitive data for more than 1,000 school district employees.
UPDATE(12/10/06): A judge ordered the WH Group to return the computers and the confidential data on them to the school
district.
Information
Source:
250
Dataloss DB
November 27,
2006
Chicago Public Schools via All Printing & Graphics, Inc.
Chicago, Illinois
1,740 former Chicago
EDU
DISC
Public School
employees
A company hired to print and mail health insurance information to former Chicago Public School employees mistakenly
included a list of the names, addresses and SSNs of the nearly 1,740 people receiving the mailing. Each received the 125page list of the 1,740 former employees.
Information
Source:
Dataloss DB
November 25,
2006
Family Health Center of Clark County
Jeffersonville, Indiana
MED
STAT
7,700
Two computers stolen from an Indiana state health department contractor, the Family Health Center of Clark Count,
contained the names, addresses, birth dates, SSNs and medical and billing information for more than 7,500 women. The
data were collected as part of the state's Breast and Cervical Cancer Program.
Information
Source:
Dataloss DB
November 20,
2006
Administration for Children's Services
New York, New York
GOV
200 case files (not
included in Total
PHYS
SSNs were exposed)
More than 200 case files from the Emergency Children's Services Unit of ACS were found on the street in a plastic garbage
bag. The files contain sensitive information of families, social workers and police officers.
Information
Source:
Dataloss DB
November 17,
2006
Jefferson College of Health Sciences
Roanoke, Virginia
EDU
DISC
143
An email containing the names and SSNs of 143 students intended for one employee was inadvertently sent to the entire
student body of 900.
Information
Source:
Dataloss DB
November 16,
2006
American Cancer Society (ACS)
NGO
PORT
Unknown
Headquarters in Atlanta, GA. If you have tips, call (502) 574-5673
An unspecified number of laptop computers were stolen from the Louisville offices of the American Cancer Society. It is not
clear what personal information was exposed, if any.
Information
Source:
Media
251
November 15,
2006
Internal Revenue Service (IRS)
GOV
PORT
2,359
According to document s obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS
between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs.
UPDATE (04/05/07): A report [205] by the Treasury Inspector General for Tax Administration noted that at least 490 IRS
computers have been stolen or lost since 2003 in 387 security breach incidents that potentially jeopardized tax payers'
UPDATE (04/17/07): The Inspector General's assessment of 20 buildings in 10 cities discovered four separate locations at
which hackers could have easily gained access to IRS computers and taxpayer data using wireless technology.
Information
Source:
Media
November 13,
2006
Connors State College
EDU
Warner, Oklahoma
PORT
Considerably more
than 22,500
[206]
On Oct. 15, a laptop computer was discovered stolen from the college. (It has since been recovered by law enforcement).
The computer contains Social Security numbers and other data for Connors students plus 22,500 high school graduates who
qualify for the Oklahoma Higher Learning Access Program scholarships.
Information
Source:
Dataloss DB
November 11,
2006
Hertz Global Holdings, Inc.
BSO
INSD
Unknown
1-888-222-8086
The names and Social Security numbers of Hertz employees dating back to 2002 were discovered on the home computer of
a former employee.
Information
Source:
Dataloss DB
November 10,
2006
KSL Services, Inc.
Los Alamos, New Mexico
BSO
PORT
Approximately 1,000
A disk containing the personal information of approximately 1,000 KSL employees is missing. KSL is a contractor for Los
Alamos National Laboratory.
Information
Source:
Dataloss DB
November 9,
2006
Four ARCO gas stations
Costa Mesa, California
BSR
CARD
At least 440
Additional locations: Westminster and Torrance, CA
From Sept. 29 to Oct. 9, thieves used card skimmers to steal bank account numbers and PIN codes from gas station
customers and used the information to fabricate debit cards and make ATM withdrawals.
Information
Source:
Dataloss DB
252
November 7,
2006
City of Lubbock
Lubbock, Texas
GOV
HACK
5,800
Hackers broke into the city's web site and compromised the online job application database, which included Social Security
numbers.
Information
Source:
Dataloss DB
November 6,
2006
Bowling Green Police Department
Bowling Green, Ohio
GOV
DISC
Approx. 200 victims or
suspects
The police dept. accidentally published a report on their website containing personal information on nearly 200 people the
police had contact with on Oct. 21. Data included names, Social Security numbers, driver's license numbers, etc.
Information
Source:
Dataloss DB
November 3,
2006
University of Virginia (UVA)
EDU
DISC
632 students
Due to a computer programming error, Student Financial Services sent e-mail messages to students containing 632 other
students' Social Security numbers.
Information
Source:
Dataloss DB
November 3,
2006
West Shore Bank
Ludington, Michigan
BSF
CARD
About 1,000
Customers' debit cards and possibly credit cards were compromised from a security break last summer at a common
MasterCard point-of-purchase provider.
Information
Source:
Dataloss DB
November 3,
2006
Wesco
Muskegon, Michigan
BSR
CARD
Unknown
Wesco gas stations experienced a breach in credit card transactions from July 25-Sept. 7 resulting in inaccurate charges to
customer accounts.
Information
Source:
Dataloss DB
November 3,
2006
Starbucks Corp.
Seattle, Washington
60,000 current and
former U.S. employees
BSR
PORT and about 80 Canadian
workers and
contractors
1-800-453-1048
253
Starbucks lost track of four laptop computers. Two held employee names, addresses, and Social Security numbers.
Information
Source:
Dataloss DB
November 3,
2006
Several Joliet area motels
Joliet, Illinois
BSO
INSD
Unknown
Motel owners and employees allegedly stole and sold customers' credit card numbers.
Information
Source:
Media
November 2,
2006
Hilb, Rogal & Hobbs, Villanova University
Plymouth Meeting, Pennsylvania
BSF
1,243 Villanova
PORT University students and
staff
In September 2006, a laptop computer was stolen from the insurance brokerage firm. It contained client information
including the names, birthdates, and drivers license numbers of Villanova University students and staff who drive university
vehicles.
Information
Source:
Dataloss DB
November 2,
2006
Colorado Deptartment of Human Services via Affiliated Computer Services (ACS)
Dallas, Texas
GOV
STAT
Up to 1.4 million
For questions, call ACS at (800) 350-0399
On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the
Dept. of Human Services. Computer also contained the state's Directory of New Hires.
UPDATE (12/07/2006) When initially posted to this list, the number 1.4 million was not added to the total because we could
not confirm if SSNs were exposed. The PRC was contacted by an affected individual today who confirmed that names,
addresses, SSNs and dates of birth were exposed.
Information
Source:
Dataloss DB
November 2,
2006
Greater Media, Inc.
BSO
PORT
Unknown
A laptop computer containing the Social Security numbers of the radio broadcasting company's current and former
employees was stolen from their Philadelphia offices.
Information
Source:
Dataloss DB
November 2,
2006
McAlester Clinic and Veterans Affairs Medical Center
Muskogee, Oklahoma
MED
PORT
1,400 veterans
Three disks containing billing information, patient names and Social Security numbers, were lost in the mail.
Information
Source:
Dataloss DB
254
November 2,
2006
Intermountain Health Care
MED
PORT
6,244
A computer was purchased at a second-hand store, Deseret Industries, that contained the names, Social Security numbers,
employment records, and other personal information about Intermountain Health Care employees employed there in 19992000.
Information
Source:
Dataloss DB
November 2,
2006
Compulinx
White Plains, New York
BSO
INSD
Up to 50 Compulinx
employees
The CEO of Compulinx was arrested for fraudulently using employees' names, addresses, Social Security numbers and
other personal information for credit purposes. (It is unclear whether customers' data was also used).
Information
Source:
Media
November 1,
2006
U.S. Army Cadet Command
Fort Monroe, Virginia
GOV
PORT
4,600 high school
seniors
1-866-423-4474, Email: [email protected]
A laptop computer was stolen that contained the names, addresses, telephone numbers, birthdates, Social Security
numbers, parent names, and mother's maiden names of applicants for the Army's four-year ROTC college scholarship.
Information
Source:
Dataloss DB
October 31, 2006
Avaya
Maitland, Florida
BSO
PORT
Unknown
Additional location: Basking Ridge, NJ A laptop stolen from an Avaya employee on October 16 in Florida contained
personally identifiable information, including names, addresses, W-2 tax form information and SSNs.
Information
Source:
Dataloss DB
October 27, 2006
Gymboree
BSR
PORT
up to 20,000
employees
A thief stole 3 laptop computers from Gymboree's corporate headquarters. They contained unencrypted human resources
data (names and Social Security numbers) of thousands of workers.
Information
Source:
Dataloss DB
October 27, 2006
Hancock Askew & Co.
Savannah, Georgia
BSO
PORT
Unknown
On October 5, 2006, a laptop computer containing 401(k) information for employees of at least one company (Atlantic
Plastics, Inc.) was stolen from accounting firm Hancock Askew.
255
Information
Source:
Dataloss DB
October 26, 2006
Akron Children's Hospital
MED
Akron, Ohio
HACK
235,903
Overseas hackers broke into two computers at Children's Hospital. One contains private patient data (including Social
Security numbers) and the other holds billing and banking information.
Information
Source:
Dataloss DB
October 26, 2006
Empire Equity Group
BSF
PHYS
Unknown
Mortgage files that included personal financial details about loan applicants were found in a dumpster. Empire Equity will pay
$12,500 to the State of NC.
Information
Source:
Dataloss DB
October 26, 2006
LimeWire
Denver, Colorado
BSO
HACK
75
http://www.denverda.org/News_Release/Releases/2006%20Release/Computer%20security%20alert.pdf [207]
The Denver Police Dept. reports that LimeWire's file-sharing program was exploited to access personal and financial
information from approximately 75 different individual and business account names from all over the country. The
information, which included tax records, bank account information, online bill paying records and other material, appears to
have been stolen directly from computers that were using LimeWire's filesharing software program.
Information
Source:
Dataloss DB
October 25, 2006
Portland, Oregon
GOV
PORT
Oregon TSA
employees
A thumb drive is missing from the TSA command center at Portland International Airport and believed to contain the names,
addresses, phone numbers and Social Security numbers of approximately 900 current and former employees.
Information
Source:
Media
October 25, 2006
Swedish Medical Center, Ballard Campus
Seattle, Washington
MED
INSD
Up to 1,100 patients
(800) 840-6452
An employee stole the names, birthdates, and Social Security numbers from patients who were hospitalized or had daysurgeries from June 22 to Sept 21. She used 3 patients' information to open multiple credit accounts.
Information
Source:
Dataloss DB
256
October 25, 2006
Tuscarawas County and Warren County
Tuscarawas County, Ohio
GOV
DISC
Unknown
Additional location: Warren County, OH
The Social Security numbers of some Tuscarawas and Warren County voters were available on the LexisNexis Internet
database service. Local boards of elections may be the source of the information.
UPDATE (11/1/06): LexisNexis says it has now removed the SSNs.
Information
Source:
Dataloss DB
October 24, 2006
Jacobs Neurological Institute
MED
Buffalo, New York
PORT
Unknown
The laptop of a research doctor was stolen from her locked office at the Institute. It included records of patients and her
research data.
Information
Source:
Media
260,000 patients and
Sisters of St. Francis Health Services via Advanced Receivables Strategy (ARS), a
October 23, 2006 Perot Systems Company
MED
PORT
about 6,200
employees, board
members and
physicians for a total of
266,200
(866) 714-7606
On July 28, 2006, a contractor working for Advanced Receivables Strategy, a medical billing records company, misplaced
CDs containing the names and SSNs of 266,200 patients, employees, physicians, and boad members of St. Francis
hospitals in Indiana and Illinois. Also affected were records of Greater Lafayette Health Services. The disks were
inadvertently left in a laptop case that was returned to a store. The purchaser returned the disks. The records were not
encrypted even though St. Francis and ARS policies require encryption.
Information
Source:
Dataloss DB
October 23, 2006
Chicago Voter Database
Chicago, Illinois
GOV
DISC
1.35 million Chicago
residents
An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database,
compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking
into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion.
Information
Source:
Dataloss DB
October 20, 2006
Manhattan Veterans Affairs Medical Center, New York Harbor Health Care System
New York, New York
MED
1,600 veterans who
PORT receive pulmonary care
at the facility
On Sept. 6, an unencrypted laptop computer containing veterans' names, Social Security numbers, and medical diagnosis,
was stolen from the hopsital.
257
Information
Source:
Dataloss DB
October 19, 2006
Allina Hospitals and Clinics
Minneapolis-St.Paul, Minnesota
MED
PORT
Individuals in 17,000
households
A laptop stolen from a nurse's car on October 8 contains the names and SSNs of individuals in approximately 17,000
households participating in the Allina Hospitals and Clinics obstetric home-care program since June 2005.
Information
Source:
Dataloss DB
October 19, 2006
University of Minnesota
Minneapolis-St.Paul, Minnesota
EDU
PORT
200 students (not
included in total)
In June, a University of Minnesota art department laptop computer stolen from a faculty member while traveling in Spain
holds personally identifiable information of 200 students.
Information
Source:
Media
October 17, 2006
City of Visalia, Recreation Division
Visalia, California
GOV
PHYS
employees
Personally identifiable information of approximately 200 current and former Visalia Recreation Department employees was
exposed when copies of city documents were found scattered on a city street.
Information
Source:
Dataloss DB
October 16, 2006
Germanton Elementary School
Germanton, North Carolina
EDU
STAT
Unknown
A computer stolen from Germanton Elementary school holds students' SSNs. The data on the computer are encrypted.
Information
Source:
Dataloss DB
October 16, 2006
VISA, FirstBank (1st Bank)
Lakewood, Colorado
BSF
UNKN
Unknown
FirstBank sent a letter to an unknown number of customers informing them their FirstTeller Visa Check Card numbers were
compromised when someone accessed “a merchant card processor's transaction database.” The FirstBank letter said
customers would receive new cards by October 27.
Information
Source:
Dataloss DB
October 16, 2006
Dr, Charles Kay of Orchard Family Practice
Englewood, Colorado
MED
PHYS
"Hundreds"
258
Sheriff's deputies evicting Dr. Charles Kay put files from his office in a nearby parking lot. In a news report, Dr. Kay said he
had removed the patient files but not the business files.
Information
Source:
Media
October 15, 2006
Poulsbo Department of Licensing
Poulsbo, Washington
GOV
PORT
2,200
An unspecified “storage device” containing personally identifiable data of approximately 2,200 North Kitsap (WA) residents
has been lost from the Poulsbo Department of Licensing. The data include names, addresses, photographs and driver's
license numbers of individuals who conducted transactions at the Poulsbo branch in late September.
Information
Source:
Media
October 14, 2006
T-Mobile USA Inc.
Bellvue, Washington
BSO
PORT
43,000 current and
former employees
A laptop computer holding personally identifiable information of approximately 43,000 current and former T-Mobile
employees disappeared from a T-Mobile employee's checked luggage. T-Mobile has reportedly sent letters to all those
affected. The data are believed to include names, addresses, SSNs, dates of birth and compensation information.
Information
Source:
Dataloss DB
October 13, 2006
Ohio Ethics Commission
Columbus, Ohio
GOV
PHYS
Unknown number of
Ohio state employees
Papers belonging to the Ohio Ethics Commission were found floating on the wind in an alley. The documents are related to
state employees' finances and contained SSNs and financial statements. They were supposed to be in the possession of the
state archives.
Information
Source:
Dataloss DB
October 12, 2006
U.S. Census Bureau
GOV
PORT
Unknown number of
Travis Co., TX,
residents
Additional location: Travis Co., TX
This spring, residents of Travis County, TX helped the Census Bureau test new equipment. When the test period ended, 15
devices were unaccounted for. The Census Bureau and the Commerce Department issued a press release saying the
devices held names, addresses and birthdates, but not income or SSNs.
Information
Source:
Media
October 12, 2006
Congressional Budget Office
GOV
HACK
Unknown
Hackers broke into the Congressional Budget Office's mailing list and sent a phishing e-mail that appeared to come from the
CBO.
259
Information
Source:
Media
October 12, 2006
University of Texas, Arlington
Arlington, Texas
http://www.uta.edu/oit/iso/Datatheft.php
EDU
STAT
2,500 students
[208]
Two computers stolen from a University of Texas faculty member's home hold the names, SSNs, grades, e-mail addresses
and other information belonging to approximately 2,500 students enrolled in computer science and engineering classes
between fall 2000 and fall 2006. The theft occurred on September 29 and was reported on October 2.
Information
Source:
Dataloss DB
October 11, 2006
Republican National Committee (RNC)
NGO
DISC
76 RNC donors
http://www.nysun.com/national/gop-donors-personal-data-disclosed-in-rnc-privacy/41341/ [209]
The Republican National Committee (RNC) inadvertently emailed a list of donors' names, SSNs and races to a New York
Sun reporter.
Information
Source:
Dataloss DB
October 10, 2006
Florida Labor Department
GOV
DISC
4,624 individuals who
had registered with
Florida 's Agency for
Workforce Innovation
The names and SSNs of 4,624 Floridians were accessible on the Internet for approximately 18 days in September. The data
were not accessible through Web sites, but an individual came across the information when Googling his own name. The
agency has asked Google to remove the pages from its cache, and has notified all affected individuals by mail.
Information
Source:
Dataloss DB
October 9, 2006
Troy Athens High School
Troy, Michigan
EDU
PORT
4,400
For questions or comments, call (248) 823-4035
A hard drive stolen from Troy Athens High School in August contained transcripts, test scores, addresses and SSNs of
students from the graduating classes of 1994 to 2004. The school district and the superintendent have notified all affected
alumni by regular mail.
Information
Source:
Dataloss DB
October 6, 2006
Cleveland Air Route Traffic Control Center
Oberlin, Ohio
GOV
STAT
At least 400
A computer hard drive missing from the Cleveland Air Route Traffic Control Center in Oberlin (OH) contains the names and
SSNs of at least 400 air traffic controllers.
260
Information
Source:
Dataloss DB
October 6, 2006
Camp Pendleton Marine Corps base via Lincoln B.P. Management
Camp Pendleton, California
GOV
PORT
2,400
A laptop missing from Lincoln B.P. Management Inc. holds personally identifiable data about 2,400 Camp Pendleton
residents.
Information
Source:
Dataloss DB
October 5, 2006
San Juan Capistrano Unified School District (CA)
San Juan Capistrano, California
EDU
STAT
Unknown
Five computers stolen from the HQ of San Juan Capistrano Unified School District likely contain the names, SSNs and dates
of birth of district employees enrolled in an insurance program.
Information
Source:
Dataloss DB
October 4, 2006
Orange County Controller
Orlando, Florida
GOV
DISC
Unknown
A Florida woman discovered her marriage license was visible on the Orange County (FL) controller's Web site with no
information blacked out, not even SSNs. She discovered the breach because someone had applied for a loan in her name.
The Orange County Comptroller is reportedly paying a vendor $500,000 to black out all SSNs by January 2008.
Information
Source:
Media
October 3, 2006
Cumberland County
Carlisle, Pennsylvania
GOV
DISC
1,200 employees of the
county
Cumberland County (PA) officials removed salary board meeting minutes from their Web site because they contained the
SSNs of 1,200 county employees. The information was included in minutes from meetings prior to 2000. The county no
longer uses SSNs as unique identifiers for employees. Employees will be informed of the data breach in a note included with
their paychecks.
Information
Source:
Dataloss DB
4,500 Oregon high
school students [not
October 3, 2006
Willamette Educational Service District (ESD)
Salem, Oregon
EDU
STAT
included in total
because not thought to
contain sensitive info.
such as SSNs]
Seven computers stolen from a Willamette Educational Service District office were believed to contain personal information
of 4,500 Oregon high school students. Backup tapes indicate the computers hold information about the students' school
clubs but do not contain sensitive information.
Information
261
Source:
Media
October 3, 2006
Picatinny Arsenal
Rockaway, New Jersey
GOV
UNKN
Unknown
If you have tips, call (973) 989-0652
28 computers are missing from the Picatinny Arsenal, a Department of Defense Weapons Research Center. The computers
were reported lost or stolen over the last two years. None of the computers was encrypted. Officials state the computers did
not contain classified information.
Information
Source:
Media
6,939 current and
October 2, 2006
Port of Seattle, Seattle-Tacoma Airport (Sea-Tac)
Seattle, Washington
http://www.portseattle.org
[210] ,
GOV
former Seattle-Tacoma
PORT
International Airport
employees
(888) 902-PORT
Six CDs missing from the ID Badging office at Seattle-Tacoma International Airport hold the personal information of 6,939
airport workers. The data include names, addresses, birth dates, SSNs and driver's license numbers, telephone numbers,
employer information, and height/weight. The data on the disks were scanned from paper applications for airport badges.
The port learned of the missing disks on September 18 and sent letters to the affected employees on Oct. 2.
Information
Source:
Dataloss DB
September 29,
2006
University of Iowa Department of Psychology
Iowa City, Iowa
EDU
HACK
14,500
A computer containing SSNs of 14,500 psychology department research study subjects was the object of an automated
attack designed to store pirated video files for subsequent distribution.
Information
Source:
Dataloss DB
September 29,
2006
Kentucky Personnel Cabinet via Bluegrass Mailing
Frankfort, Kentucky
GOV
DISC
146,000
State employees received letters from the Kentucky Personnel Cabinet with their SSNs visible through the envelope
windows.
Information
Source:
Dataloss DB
September 28,
2006
North Carolina Department of Motor Vehicles
Louisville, North Carolina
GOV
STAT
16,000
(888) 495-5568
A computer was stolen from a NC Dept. of Motor Vehicles office, reported Sept. 10. It contains names, addresses, driver's
license numbers, SSNs, and in some cases immigration visa information of 16,000 people who have been issued licenses in
the past 18 months. Most are residents of Franklin County.
262
Information
Source:
Dataloss DB
September 28,
2006
Illinois Department of Transportation (IDOT)
GOV
PHYS
40
Documents found by state auditors in recycling bins in a hallway contained IDOT employee names and SSNs.
Information
Source:
Media
September 28,
2006
Stevens Hospital Emergency Room via dishonest employee of billing company
Med Data
Edmonds, Washington
MED
INSD
about 30 patients
A manager for the hospital's billing company, Med Data, stole patients' credit card numbers. She gave them to her brother
who bought $30,000 worth of clothes and gift cards over the Internet. The woman is scheduled for sentencing in Nov. and
her brother's trial is expected Jan. 2007.
Information
Source:
Dataloss DB
September 25,
2006
Movie Gallery
Gastonia, North Carolina
BSR
PHYS
Unknown
A large number of Movie Gallery's files and videos were found in a dumpster. The files contained personal information of
people employed by Movie Gallery and people applying for jobs at the video store as well as people applying for movie rental
membership. Movie Gallery has agreed to pay $50,000 to the State of NC.
Information
Source:
Dataloss DB
September 25,
2006
General Electric (GE)
Fairfield, Connecticut
BSO
PORT
50,000 employees
An employee's laptop computer holding the names and Social Security numbers of approximately 50,000 current and former
GE employees was stolen from a locked hotel room while he was traveling for business.
Information
Source:
Dataloss DB
September 23,
2006
Erlanger Health System
MED
PORT
4,150 current and
former employees
Records of hospital employees disappeared from a locked office on Sept. 15. They were stored on a USB jump drive.
Information was limited to names and SSNs. Those affected included anyone who went through job status changes from
Nov. 2003 to Sept. 2006.
Information
Source:
Dataloss DB
September 22,
2006
Purdue University College of Science
EDU
STAT
2,482 students from
the year 2000
263
(866) 307-8520
A file in a desktop computer in the Chemistry Department may have been accessed illegitimately. The file contained names,
SSNs, school, major, and e-mail addresses of people who were students in 2000.
Information
Source:
Dataloss DB
September 22,
2006
University of Colorado, Boulder, Leeds School of Business
Boulder, Colorado
EDU
STAT
1,372 students and
former students
(303) 492-8741
Two computers had been placed in storage during the school's move to temporary quarters in May. When they were to be
retrieved Aug. 28, they were found missing. They had been used by 2 faculty members and included students' names,
SSNs, and grades.
UPDATE (9/25/06): One of the computers was found.
Information
Source:
Dataloss DB
September 22,
2006
Several Indianapolis pharmacies
MED
PHYS
Unknown
Earlier this year a local TV reporter from WTHR found that dozens of pharmacies disposed of customer records in
unsecured garbage bins. Now the Indiana Board of Pharmacy has launched an investigation of 30 pharmacies. Both the
Board and the Attorney General say that the pharmacies violated state law.
Information
Source:
Media
September 21,
2006
Pima County Health Department
Tucson, Arizona
GOV
PHYS
2,500 (no SSNs or
reported)
Vaccination records on 2,500 clients had been left in the trunk of a car that was stolen Sept. 12. The car and records have
since been recovered. Records included names, dates of birth and ZIP codes, but no SSNs or addresses.
Information
Source:
Dataloss DB
September 21,
2006
U.S. Department of Commerce and Census Bureau
GOV
PORT
Unknown
https://www.census.gov/Press-Release/www/releases/archives/miscellaneous/007497.html [211]
The agency reported that 1,137 laptops have been lost or stolen since 2001. Of those, 672 were used by the Census
Bureau, with 246 of those containing personal data. Secretary Gutierrez said the computers had protections to prevent a
breach of personal information.
Information
Source:
Media
8,800 individuals
264
September 20,
2006
City of Savannah, Georgia
Savannah, Georgia
GOV
DISC
whose identities were
captured by red-light
cameras
(912) 651-6565, http://www.savannahga.gov/security [212]
Because of a hole in the firewall, a City server exposed personal information online for 7 months. Individuals identified by the
Red Light Camera Enforcement Program are affected -- name, address, driver's license number, vehicle identification
number, and SSNs of those individuals whose driver's license number is still the SSN.
Information
Source:
Dataloss DB
September 20,
2006
Berry College via consultant Financial Aid Services Inc.
Mount Berry, Georgia
EDU
PHYS
2,093 students and
potential students (of
those, 1,322 are
currently enrolled)
(800) 961-4692, http://www.berry.edu/stulife/idprotect/ [213]
Student applications for need-based financial aid were misplaced by a consultant -- in both paper and digital form. Data
included name, SSN, and reported family income for students and potential students for the 2005-06 academic year.
Information
Source:
Dataloss DB
September 19,
2006
Life Is Good
Hudson, New Hampshire
BSR
HACK
9,250
Hackers accessed the retailer's database which contained customer's credit card numbers. The company said no other
personal information was in the database.
Information
Source:
Dataloss DB
September 18,
2006
Howard, Rice, Nemerovski, Canady, Falk & Rabkin law firm via its auditor Morris,
Davis & Chan
BSO
PORT
employees
Additional locations: Oakland, CA
A laptop was stolen from the trunk of the car of the law firm's auditor, containing confidential employee pension plan
information -- names, SSNs, remaining balances, 401(k) and profit-sharing information.
Information
Source:
Dataloss DB
September 18,
2006
DePaul Medical Center, Radiation Therapy Department
Norfolk, Virginia
MED
STAT
More than 100 patients
(757) 889-5945
Two computers were stolen, one on August 28 and the other Sept. 11. Personal data included names, date of birth,
treatment information, and some SSNs.
Information
Source:
Dataloss DB
265
September 17,
2006
U.S. Dept. of Energy, Direct Loan Servicing
,
GOV
DISC
21,000 accounts
A security breach exposed private information of student loan borrowers from Aug. 20-22 during a computer software
upgrade. Users of the DOE's Direct Loan Web site were able to view information other than their own if they used certain
options when accessing the program's web pages. SSNs were among the data elements exposed online. Software
company Affiliated Computer Services (ACS) created the technology for the Direct Loan Servicing feature on the DoE's site.
Information
Source:
Dataloss DB
September 16,
2006
Michigan Department of Community Health
Detroit, Michigan
GOV
PORT
4,000 Michigan
residents
Residents who participated in a scientific study were notified that a flash drive was discovered missing as of Aug. 4, and likely
stolen, from an MDCH office.The portable memory device contained names, addresses, phone numbers, dates of birth, and
SSNs of participants. The study tracked the long-term exposure to flame retardents ingested by residents in beef and milk.
Information
Source:
Dataloss DB
September 16,
2006
Beaumont Hospital
Royal Oak, Michigan
MED
DISC
3 patients
The hospital mistakenly mailed medical reports on 3 patients to a retired dentist in Texas. Reports included name, test
results, date of birth and patient ID numbers. The hospital admitted to both human and computer error. A new computer
system mixed similar names, and staff did not catch it.
Information
Source:
Media
September 15,
2006
Mercy Medical Center
Merced, California
MED
PORT
295 patients
A memory stick containing patient information was found July 18 by a local citizen on the ground at the County Fairgrounds
near the hospital's information booth. It was returned to the hospital 4 weeks later. Data included names, SSNs, birthdates,
and medical records.
Information
Source:
Dataloss DB
September 15,
2006
Whistle Junction restaurant
Orlando, Florida
BSO
PHYS
Unknown
Personnel files of employees of the now-closed restaurant were found in a nearby Dumpster. Papers included names and
SSNs of former employees,
Information
Source:
Dataloss DB
September 14,
2006
Nikon Inc. and Nikon World Magazine
Melville, New York
BSR
DISC
3,235 magazine
subscribers
266
Workers at a Montgomery, AL, camera store discovered that subscription information for the magazine Nikon World was
exposed on the Web for at least 9 hours. Data included subscribers' names, addresses and credit card numbers.
Information
Source:
Dataloss DB
September 14,
2006
Illinois Department of Corrections (IDOC)
GOV
PHYS
Unknown
A document containing employees' personal information was found outside the agency's premises where it should not have
been. It has since been retrieved. Information included employees' names, SSNs, and salaries.
Information
Source:
Dataloss DB
September 13,
2006
American Family Insurance Group
Madison, Wisconsin
BSF
PORT
2,089 customers
The office of an insurance agent was broken into and robbed last July. Among the items stolen was a laptop with customers'
names, SSNs, and driver's license numbers.
Information
Source:
Dataloss DB
September 11,
2006
Telesource via Veksta
BSO
PHYS
Unknown
Employees discovered their personnel files in a Dumpster after the company had been bought out by another company
Vekstar. The files were discarded when the office was being cleaned out and shut down. Files contained SSNs, dates of birth
and photocopies of SSN cards and driver's licenses.
Information
Source:
Dataloss DB
September 9,
2006
Cleveland Clinic
Naples, Florida
MED
INSD
1,100 patients
(866) 907-0675
A clinic employee stole personal information from electronic files and sold it to her cousin, owner of Advanced Medical
Claims, who used it to file fraudulent Medicare claims totaling more than $2.8 million. Information included names, SSNs,
birthdates, addresses and other details. Both individuals were indicted.
Information
Source:
Dataloss DB
September 8,
2006
Linden Lab, Second Life
BSO
HACK
Unknown
http://blog.secondlife.com/2006/09/08/urgent-security-announcement/ [214]
On Sept. 6, Linden Lab discovered that a hacker accessed its Second Life database through web servers. The affected data
included unencrypted account names, real life names, and contact information, plus encrypted account passwords and
payment information. Second Life is a 3-D virtual world.
Information
Source:
267
Dataloss DB
September 8,
2006
University of Minnesota
EDU
STAT
13,084 students
including SSNs of 603
students
On August 14-15 eve, two computers were stolen from the desk of an Institute of Technology employee, containing
information on students who were freshmen from 1992-2006 -- including names, birthdates, addresses, phone numbers,
high schools attended, student ID numbers, grades, test scores, and, academic probation. SSNs of 603 students were also
exposed.
Information
Source:
Dataloss DB
25,000 gun permit
September 8,
2006
Berks County Sheriff's Office via contractor Canon Technology Solutions
Reading, Pennsylvania
GOV
DISC
holders exposed,
although initially the
number was unknown
A confidential list of some of the County's 25,000 gun permit holders was exposed on the Web by the contractor that is
developing a Web-based computer records program for the Sheriff's Office. Personal information included names,
addresses and SSNs.
UPDATE (10/6/06): The Berks County solicitor's office says the entire list of more than 25,000 gun permit holders was
exposed.
Information
Source:
Dataloss DB
September 7,
2006
Florida National Guard
Bradenton, Florida
GOV
PORT
100
A laptop computer was stolen from a soldier's vehicle contained training and administrative records, including Social Security
numbers of up to 100 Florida National Guard soldiers.
Information
Source:
Dataloss DB
September 7,
2006
Circuit City and Chase Card Services, a division of JP Morgan Chase & Co.
Wilmington, Delaware
BSF
PORT
2.6 million past and
current Circuit City
credit cardholders
Chase Card Services mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders' personal
information.
Information
Source:
Security Breach
Letter
September 5,
2006
Transportation Security Administration (TSA) via Accenture
GOV
DISC
1,195 former TSA
employees
In late August 2006, Accenture, a contractor for TSA mailed documents containing former employees' SSN,, date of birth,
and salary information to the wrong addresses due to an administrative error.
268
Information
Source:
Dataloss DB
September 2,
2006
Iowa Student Loan
BSF
West Des Moines, Iowa
PORT
165,000
A compact disk containing personal information, including SSNs, was lost when shipped by private courier.
Information
Source:
Dataloss DB
September 1,
2006
Wells Fargo via unnamed auditor
BSF
PORT
Unknown
In a letter dated Aug. 28, the company notified its employees that a laptop and data disk were stolen from the locked trunk of
an unnamed auditor, hired to audit the employees' health plan. Data included names, SSNs, and information about drug
claim cost and dates from 2005, but no prescription information said the company.
Information
Source:
Security Breach
Letter
September 1,
2006
Virginia Commonwealth University (VCU)
Richmond, Virginia
EDU
DISC
2,100 current and
former students
http://old.ts.vcu.edu/security/id_exposure.html [215]
Personal information of freshmen and graduate engineering students from 1998 through 2005 was exposed on the Internet
for 8 months (Jan. - Aug.) due to human error. It was discovered by a student who used a search engine to find her name.
The data included SSNs and e-mail addresses.
Information
Source:
Dataloss DB
September 1,
2006
City of Chicago via contractor Nationwide Retirement Solutions, Inc.
Chicago, Illinois
GOV
PORT
Up to 38,443 city
employees and retirees
(800) 638-1485, http://www.chicagofop.org/Updates/links/nrs.pdf [216]
A laptop was stolen from the home of contractor's employee last April 2005. It was reported to the city July 2006 more than a
year later. Data included names, addresses, phone numbers, birthdates and SSNs for those in the city's deferred
compensation plan.
Information
Source:
Dataloss DB
August 31, 2006
CoreLogic for ComUnity Lending
[217] .
BSO
STAT
Unknown
Exact date in August 2006 unknown.
In early August, CoreLogic notified customers of ComUnity Lending that a computer with customers' data was stolen from its
office. Data included names, SSNs, and property addresses related to an existing or anticipated mortgage loan.
Information
269
Source:
Security Breach
Letter
August 31, 2006
Labcorp
Monroe, New Jersey
MED
STAT
Unknown
(800) 788-9091 x3925
During a break-in June 4 or 5, a computer was stolen that contained names and SSNs, but according to the company did not
have birth dates or lab test results.
Information
Source:
Dataloss DB
August 31, 2006
Diebold, Inc., GE Capital
Canton, Ohio
BSO
PORT
Unknown
An employee's laptop was stolen containing employee information, including name, SSN, and if applicable, corporate credit
card number.
Information
Source:
Security Breach
Letter
August 29, 2006
Valley Baptist Medical Center
Harlingen, Texas
MED
DISC
Unknown
(877) 840-5999
A programming error on the hospital's web site exposed names, birth dates, and SSNs of healthcare workers in late August.
The error was fixed but it is not known how long the personal information was compromised. The affected individuals are
workers from outside the hospital who provide services and bill the hospital via an online form.
Information
Source:
Dataloss DB
August 29, 2006
AT&T via vendor that operates an order processing computer
BSO
HACK
19,000
Computer hackers accessed credit card account data and other personal information of customers who purchased DSL
equipment from AT&T's online store. The company is notifying fewer than 19,000 customers.
UPDATE (9/1/06). The breach was followed by a bogus phishing e-mail to those customers that attempted to trick them into
revealing more info such as SSN and birthdate -- essential for crime of identity theft.
Information
Source:
Dataloss DB
August 29, 2006
Compass Health
Everett, Washington
MED
PORT
A limited number of
people
(800) 508-0059
Compass Health notified some of its clients that a laptop containing personal information, including SSNs, was stolen June
28. The agency serves people who suffer from mental illness.
Information
270
Source:
Dataloss DB
August 27, 2006
New Mexico Administrative Office of the Courts
Santa Fe, New Mexico
GOV
DISC
1,500 employees
For 8 days in late May, an unsecured document was exposed on the agency's FTP site on the state's computer server. It
contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees. The FTP
site was shut down June 2 and has since be redesigned.
Information
Source:
Dataloss DB
August 26, 2006
EDU
HACK
6,000
TheState.com reported that the University of South Carolina warned 6,000 current and former students that their
information, including Social Security numbers and birth dates, may have been breached when a server was accessed from
outside the system.
Information
Source:
Media
August 26, 2006
PortTix
Portland, Maine
BSO
HACK
2,000
Credit card information for about 2,000 people who ordered tickets online through PortTix was accessed by someone who
hacked into the Web site. PortTix is Merrill Auditorium's ticketing agency. The Web site was secured as of Aug. 24.
Information
Source:
Dataloss DB
August 25, 2006
Dominion Resources
Richmond, Virginia
BSO
PORT
Unknown
Two laptops containing employee information were stolen earlier in August. It was not clear what type of data were included.
No customer records were on the computers. Dominion operates a gas and electric energy distribution company.
Information
Source:
Dataloss DB
August 25, 2006
U.S. Department of Transportation, Federal Motor Carrier Safety Administration
Baltimore, Maryland
GOV
PORT 193 (not added to total)
(800) 832-5660
A laptop that might contain personal information of people with commercial driver's licenses was stolen Aug. 22. FMCSA said
the data might include names, dates of birth, and commercial driver's license numbers of 193 individuals from 40 trucking
companies.
Information
Source:
Dataloss DB
August 25, 2006
Sovereign Bank
New Bedford, Massachusetts
BSF
PORT
thousands of
customers
271
Personal data may have been compromised when 3 managers' laptops were stolen from 2 separate locations in early
August. Customers were notified Aug. 21. Sovereign serves New England and the Mid-Atlantic. The bank said the data
included unspecified customer information, but not account data.
Information
Source:
Dataloss DB
August 23, 2006
U.S. Department of Education, Direct Loan Servicing Online
Atlanta, Georgia
http://www.dlssonline.com
GOV
DISC
21,000
[218]
A faulty Web site software upgrade resulted in personal information of 21,000 student loan holders being exposed on the
U.S. Department of Education's loan Web site. Information included names, birthdates, SSNs, addresses, phone numbers,
and in some cases, account information. Affiliated Computer Services Inc. is the contractor responsible for the breach. The
breach did not include those whose loans are managed through private companies.
Information
Source:
Dataloss DB
August 22, 2006
AFLAC American Family Life Assurance Co.
BSF
PORT
612 policyholders
(888) 794-2352
A laptop containing customers' personal information was stolen from an agent's car. It contained names, addresses, SSNs,
and birth dates of 612 policyholders. They were notified Aug. 11.
Information
Source:
Dataloss DB
August 22, 2006
Beaverton School District
Beaverton, Oregon
EDU
PHYS
1,600 employees
Time slips revealing personal information were missing and presumed stolen following a July 24 break-in at a storage shed
on the administration office's property. The time slips included names and SSNs but not addresses.
Information
Source:
Dataloss DB
August 22, 2006
Beaumont Hospital
Troy, Michigan
MED
PORT
28,400 home care
patients
A vehicle of a home health care nurse was stolen from outside a senior center Aug. 5. Although it was recovered nearby, a
laptop left in the rear of the car was not recovered. It contained names, addresses, SSNs, and insurance information of
home health care patients.
UPDATE (8/23/06). The laptop was returned Aug. 23 by a woman who said she found it in her yard.
Information
Source:
Dataloss DB
August 21, 2006
U.S. Dept. of Education via contractor, DTI Associates
GOV
PORT
43
272
Two laptops were stolen from DTI's office in downtown DC containing personal information on 43 grant reviewers for the
Teacher Incentive Fund. DTI could not rule out that the data included SSNs.
Information
Source:
Dataloss DB
August 18, 2006
California Department of Mental Health
,
GOV
PORT
9,468 employees
(916) 654-2309
Computer tape with employees' names, addresses, and SSNs has been reported missing. Employees were notified Aug. 17
by e-mail.
Information
Source:
Dataloss DB
August 17, 2006
Williams-Sonoma, Deloitte & Touche
BSR
PORT
1,200 current and
former employees
On July 10, a laptop was stolen from the Los Angeles home of a Deloitte & Touche employee who was conducting an audit
for W-S. Computer contained employees' payroll information and SSNs.
Information
Source:
Dataloss DB
August 17, 2006
HCA, Inc. Hospital Corporation of America
(800) 354-1036, http://www.hcahealthcare.com
MED
STAT
thousands of files
[219]
10 computers containing Medicare and Medicaid billing information and records of employees and physicians from 19962006 were stolen from one of the company's regional offices. Some patient names and SSNs were exposed, but details are
vague. Records for patients in hospitals in the following states were affected: CO, KS, LA, MS, OK, OR, TS, WA.
Information
Source:
Dataloss DB
Total employees
affected is unclear.
August 16, 2006
Chevron
San Ramon, California
BSO
Nearly half of its 59,000
workers are from North
PORT
America, but it is not
known if that number
includes employees
from Canada.
Chevron informed its U.S. workers Aug. 14 that a laptop was stolen from an employee of an independent public accounting
firm who was auditing its benefits plans. The theft apparently occurred Aug. 5. Files contained SSNs and sensitive
information related to health and disability plans.
Information
Source:
Dataloss DB
August 15, 2006
University of Kentucky
EDU
DISC
630
273
August 15, 2006
Lexington, Kentucky
EDU
DISC
630
The names and SSNs of 630 students were posted on the University's financial aid web site between Friday and Monday,
Aug. 11-14.
Information
Source:
Dataloss DB
August 15, 2006
University of Kentucky Department of Georgraphy
Lexington, Kentucky
EDU
DISC
80
About 80 geography students were notified Aug. 14 that their SSNs were inadvertently listed on an e-mail communication
they all received telling them who their academic advisor would be for the coming year.
Information
Source:
Dataloss DB
August 15, 2006
U.S. Department of Transportation
Orlando, Florida
GOV
PORT
Unknown
On April 24, a DOT employee's laptop computer was stolen from an Orlando hotel conference room. It contained several
unencrypted case files. Investigators are determining if it contained sensitive personal information.
Information
Source:
Media
August 11, 2006
Madrona Medical Group
Bellingham, Washington
MED
INSD
At least 6,000 patients
On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name,
address, SSN, and date of birth. The former employee has since been arrested.
Information
Source:
Dataloss DB
August 9, 2006
U.S. Department of Transportation
,
GOV
PORT
132,470
(800) 424-9071, [email protected] [220]
The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27 from a governmentowned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for
80,670 persons issued commercial drivers licenses in Miami-Dade County 42,800 persons in FL with FAA pilot certificates
and 9,000 persons with FL driver's licenses.
UPDATE (11/21/06):A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been
recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot.
Information
Source:
Dataloss DB
August 8, 2006
Virginia Bureau of Insurance
Richmond, Virginia
GOV
DISC
Unknown
(804) 726-2630
The Bureau has advised insurance agents in the state that their SSN may have been exposed on its web site from June 13
274
through July 31, 2006, due to a programming error. The SSNs were not shown on any web page, but could have been found
by savvy computer users using the source code tool of a web browser.
Information
Source:
Dataloss DB
August 8, 2006
Linens 'n Things
Sterling, Virginia
BSR
PHYS
90
A folder holding about 90 receipts was missing from the store. Receipts included full credit or debit account number and
name of the card holder.
Information
Source:
Dataloss DB
5,000 Philadelphia
patients, 11,000
August 7, 2006
U.S. Department of Veterans Affairs via contractor Unisys Corporation
Reston, Virginia
GOV
INSD
Pittsburgh patients,
2,000 deceased
patients, plus possibly
20,000 more (18,000 is
included in total below)
Computer at contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and
dates of birth of veterans at 2 Pennsylvania locations.
UPDATE (9/15/06): Law enforcement recovered the computer and arrested an individual who had worked for a company
that provides temporary labor to Unisys.
Information
Source:
Dataloss DB
August 6, 2006
American Online (AOL)
New York, New York
BSO
DISC
Unknown how many
records contain highrisk personal
information
Other locations: nationwide
In late July AOL posted on a public web site data on 20 million web queries from 650,000 users. Some search records
exposed SSNs, credit card numbers, or other pieces of sensitive information.
UPDATE (9/26/06): Three individuals whose data were exposed have filed a lawsuit against AOL.
Information
Source:
Dataloss DB
August 4, 2006
Toyota
San Antonio, Texas
BSO
PORT
1,500
Laptop belonging to contractor and containing personal information of job applicants and employees of a Toyota plant was
stolen. Data included names and SSNs.
Information
Source:
Dataloss DB
275
August 4, 2006
PSA HealthCare
Norcross, Georgia
MED
PHYS
51,000 current and
former patients
(866) 752-5259
A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses,
SSNs, and medical diagnostic and treatment information used in reimbursement claims.
Information
Source:
Dataloss DB
August 1, 2006
US Bank
Covington, Kentucky
BSF
PHYS
very small number
A bank employee's briefcase was stolen from the employee's car with documents containing names, phone numbers, and
SSNs of customers.
Information
Source:
Dataloss DB
August 1, 2006
Wichita State University
Wichita, Kansas
EDU
HACK
2,000
WSU learned on June 29 that someone gained unauthorized access into 3 computers in its College of Fine Arts box office,
containing credit card information for about 2,000 patrons.
Information
Source:
Dataloss DB
August 1, 2006
Wichita State University
Wichita, Kansas
40 (not included in total
below because it is not
EDU
HACK
known if SSNs were
included in breached
data)
An intrusion into a WSU Psychology Department's server was discovered July 16. It contained information on about 40
applicants to the doctoral program.
Information
Source:
Dataloss DB
August 1, 2006
Dollar Tree
Carmichael, California
BSR
HACK
Unknown
Additional locations: Modesto, CA and Ashland, OR. Other locations may also be involved.
Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM
withdrawals. Data may have been intercepted by a thief's use of a wireless laptop computer with the thief then creating
counterfeit ATM cards and using them to withdraw money.
UPDATE (10/5/06): Parkev Krmoian was indicted by a federal grand jury for allegedly using phony ATM cards made from gift
cards. The case is tied to the Dollar Tree customer bank account thefts.
Information
Source:
Dataloss DB
276
August 1, 2006
Ron Tonkin Nissan
Portland, Oregon
BSR
UNKN
Up to 16,000 affected
Questions? Call: (503) 251-3349
Several months ago the car dealership experienced a security breach affecting the personal information of those who bought
cars or applied for credit between 2001 and March 2006.
Information
Source:
Dataloss DB
Information on 72
claimants was sold on
the Internet. Data on
July 29, 2006
Sentry Insurance
Stevens Point, Wisconsin
BSF
INSD
an additional 112,198
claimants was also
stolen with no evidence
of being sold online.
Total affected is
112,270
Personal information including SSNs on worker's compensation claimants was stolen, some of which was later sold on the
Internet. No medical records were included. The thief was a lead programmer-consultant who had access to claimants' data.
The consultant was arrested and faces felony charges.
Information
Source:
Dataloss DB
July 28, 2006
Matrix Bancorp Inc.
Denver, Colorado
BSF
PORT
Unknown
(877) 250-7742
Two laptop computers were stolen during daytime while staffers were away from their desks. One computer contained
customers' account information. The bank says data is encrypted and password protected.
Information
Source:
Dataloss DB
July 28, 2006
City of Riverside, California
Riverside, California
GOV
DISC
nearly 2,000
employees
The SSNs and financial information regarding 401(k) accounts was accidentally e-mailed to 2,300 city employees due to a
computer operator's error. The data was intended for the city payroll dept.
Information
Source:
Dataloss DB
July 27, 2006
Kaiser Permanente Northern California Office
Oakland, California
MED
PORT
160,000 records.
Because the data file
did not include SSNs,
this number is not
added to the total
below.
(866) 453-3934
277
A laptop was stolen containing names, phone numbers, and the Kaiser number for each HMO member. The data file did not
include SSNs. The data was being used to market Hearing Aid Services to Health Plan members.
Information
Source:
Dataloss DB
July 27, 2006
Los Angeles County
GOV
PORT
Unknown
In May, a laptop was stolen from the home of a community and senior services employee. It contained information on LA
County employees.
Information
Source:
Dataloss DB
4,800 records (not
July 27, 2006
Los Angeles County, Community Development Commission (CDC)
Monterey Park, California
GOV
included in total below
HACK because it is not known
if SSNs were included
in breached data)
Earlier in July, a computer hacker located in Germany gained access to the CDC's computer system, containing personal
information on 4,800 public housing residents.
Information
Source:
Dataloss DB
July 27, 2006
Los Angeles County, Adult Protective Services
Burbank, California
GOV
PORT
Unknown
Last weekend 11 laptops were stolen from the Burbank office. It is not clear what type of personal information was included.
Information
Source:
Dataloss DB
31,000 records were
July 26, 2006
U.S. Navy recruitment offices
Trenton, New Jersey
GOV
stolen, with about
4,000 containing SSNs.
PORT
The latter number is
included in the total
below.
Additional location: Jersey City, NJ
Two laptop computers with information on Navy recruiters and applicants were stolen in June and July. Also included was
information from selective service and school lists. About 4,000 records contained SSNs. Files were password protected.
Information
Source:
Dataloss DB
July 26, 2006
West Virginia Division of Rehabilitation Services
Beckley, West Virginia
GOV
PORT
Unknown
A laptop was stolen July 24 containing clients' names, addresses, SSNs, and phone numbers. Data was password protected.
278
Information
Source:
Dataloss DB
July 25, 2006
Armstrong World Industries, Deloitte & Touche
Lancaster County, Pennsylvania
BSO
PORT
12,000
A laptop containing personal information of current and former employers was stolen. The computer was in the possession
of the company's auditor, Deloitte & Touche. Data included names, home addresses, phone numbers, SSNs, employee ID
numbers, salary data, and bank account numbers of employees who have their checks directly deposited.
Information
Source:
Dataloss DB
July 25, 2006
Belhaven College
Jackson, Michigan
EDU
PORT
300 employees
An employee carrying laptop was robbed at gunpoint on July 19 while walking to his car. Computer contained names and
SSNs of college employees.
Information
Source:
Dataloss DB
July 25, 2006
Georgetown University Hospital
MED
DISC
between 5,600 and
23,000 patients were
affected (23,000 added
to total below)
Patient data was exposed online via the computers of an e-prescription provider, InstantDx. Data included names,
addresses, SSNs, and dates of birth, but not medical or prescription data. GUH suspended the trial program with InstantDX.
Information
Source:
Dataloss DB
July 25, 2006
Old Mutual Capital Inc., subsidiary of United Kingdom-based financial services
firm Old Mutual PLC
BSF
PORT
6,500 fund
shareholders
Laptop was stolen sometime in May containing personal information of U.S. clients, including names, addresses, account
numbers and some SSNs.
Information
Source:
Dataloss DB
July 25, 2006
Cablevision Systems Corp., ACS, FedEx
Bethpage, New York
BSO
PORT
13,700 current and
former employees
Additional locations: Dallas, TX, Connecticut, New Jersey and New York
A tape en route to the company's 401(k) plan record-keeper ACS was lost when shipped by FedEx to Dallas, TX. No
customer data was on the tape.
Information
Source:
Dataloss DB
279
July 24, 2006
New York City Department of Homeless Services
New York, New York
GOV
DISC
8,400
The personal information of 8,400 homeless persons, including SSNs, was leaked in an e-mail attachment July 21, when
accidentally sent to homeless advocates and city officials.
Information
Source:
Dataloss DB
July 18, 2006
Nelnet Inc., UPS
BSO
Lincoln, Nebraska
PORT
188,000
(800) 552-7925
A computer tape containing personal information of student loan customers and parents, mostly from Colorado, was lost
when shipped via UPS. The loans were previously serviced by College Access Network between November 1, 2002 and May
31, 2006.
Information
Source:
Dataloss DB
July 18, 2006
CS Stars, subsidiary of insurance company Marsh Inc.
Chicago, Illinois
BSF
STAT
722,000
On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made
claims to a special workers' comp fund. The lost data includes SSNs and date of birth but apparently no medical information.
UPDATE (7/26/06): Computer was recovered.
UPDATE (04/26/07): The New York Attorney General's office
[221]
found that CS Stars violated the state's security breach law.
CS Stars must pay the Attorney General's office $60,000 for investigation costs. It was determined that the computer had
been stolen by an employee of a cleaning contractor, the missing computer was located and recovered, and that the data on
the missing computer had not been improperly accessed.
Information
Source:
Security Breach
Letter
July 18, 2006
U.S. Department of Agricultur
Wellington, Kansas
GOV
PORT
350
Laptop computer and printout containing names, addresses and SSNs of 350 employees was stolen from an employee's car
and later recovered.
Information
Source:
Dataloss DB
[257,800 patients were
initially notified, but an
analysis by Kroll later
July 17, 2006
Vassar Brothers Medical Center
Poughkeepsie, New York
MED
PORT
determined that the
laptop contained no
This number is not
included in the total
below.]
(845) 483-6990
280
(845) 483-6990
Laptop was stolen from the emergency department between June 23-26. It contained information on patients dating back to
2000, including SSNs and dates of birth.
UPDATE (10/5/06) Private investigators determined the laptop did not contain personally identifiable patient information.
Information
Source:
Dataloss DB
July 16, 2006
Mississippi Secretary of State
Jackson, Mississippi
GOV
DISC
Among the 2 million
postings are
"thousands"
containings SSNs
The state agency's web site listed 2 million+ Uniform Commercial Code (UCC) filings in which thousands of individuals' SSNs
were exposed.
Information
Source:
Dataloss DB
July 14, 2006
Evanston, Illinois
EDU
HACK
17,000
(888) 209-0097. http://www.northwestern.edu/newscenter/stories/2006/07/data.html [222]
Files containing names and some personal information including SSNs were on 9 desktop computers that had been
accessed by unauthorized persons outside the University. The computers were in the Office of Admissions and Financial Aid.
Information
Source:
Dataloss DB
July 14, 2006
University of Iowa
Davenport, Iowa
EDU
PORT
280
Laptop computer containing personal information of current and former MBA students was stolen. Data files included SSNs
and some contact info.
Information
Source:
Dataloss DB
July 14, 2006
California Polytechnic State University (Cal Poly)
San Luis Obispo, California
EDU
PORT
3,020 students
Call (805) 756-2226 or (805) 756-2171
Laptop computer was stolen from the home of a physics department professor July 3. It included names and SSNs of
physics and astronomy students from 1994-2004.
Information
Source:
Security Breach
Letter
Over 100,000 records
July 14, 2006
Hampton Circuit Court Clerk - Treasurer's computer
Hampton, Virginia
GOV
DISC
(The number
containing SSNs is not
known yet and not
included in total below.)
281
included in total below.)
Public computer in city government building containing taxpayer information was found to display SSNs of many residents -those who paid personal property and real estate taxes. It was shut down and confiscated by the police on July 12th.
UPDATE (7/27/2006) Investigation concluded that the data was exposed due to software problem.
Information
Source:
Dataloss DB
July 13, 2006
Moraine Park Technical College
Beaver Dam, Wisconsin
EDU
PORT
1,500
Additional locations: Fond du Lac and West Bend, WI
Computer disk (CD) with personal information of 1,500 students was reported missing. Information includes names,
addresses, phone numbers & SSNs of apprenticeship students back to 1993.
Information
Source:
Dataloss DB
July 7, 2006
University of Tennessee
EDU
(866) 748-1680, http://security.tennessee.edu
[223] .
HACK
36,000
Additional locations: Chattanooga, Martin, Tullahoma and Memphis, TN
Hacker broke into UT computer containing names, addresses and SSNs of about 36,000 past and current employees.
Intruder apparently used computer from Aug. '05 to May '06 to store and transmit movies.
Information
Source:
Dataloss DB
July 7, 2006
National Association of Securities Dealers (NASD)
Boca Raton, Florida
BSF
PORT
73
Ten laptops were stolen on Feb. 25 '06 from NASD investigators. They included SSNs of securities dealers who were the
subject of investigations involving possible misconduct. Inactive account numbers of about 1,000 consumers were also
contained on laptops.
Information
Source:
Dataloss DB
July 7, 2006
Naval Safety Center
Norfolk, Virginia
GOV
DISC
more than 100,000
SSNs and other personal information of naval and Marine Corps aviators and air crew, both active and reserve, were
exposed on Center web site and on 1,100 computer discs mailed to naval commands.
Information
Source:
Dataloss DB
July 7, 2006
Montana Public Health and Human Services Department
Helena, Montana
MED
STAT
Unknown
A state government computer was stolen from the office of a drug dependency program during a 4th of July break-in. It was
not known if sensitive information such as SSNs was compromised.
282
Information
Source:
Dataloss DB
July 7, 2006
City of Hattiesburg
Hattiesburg, Mississippi
GOV
STAT
thousands of city
workers and
contractors (at least
2,000)
Video surveillance cameras caught 2 intruders stealing hard drives from 18 computers June 23. Data files contained names,
addresses, and SSNs of current and former city employees and registered voters as well as bank account information for
employees paid through direct deposit and water system customers who paid bills electronically.
Information
Source:
Dataloss DB
July 6, 2006
Automated Data Processing (ADP)
Roseland, New Jersey
BSO
UNKN
Hundreds of thousands
[not included in total]
Payroll service company ADP gave scam-artist names, addresses, and number of shares held of investors, although
apparently not SSNs or account numbers. The leak occurred from Nov. '05 to Feb. '06 and involved individual investors with
60 companies including Fidelity, UBS, Morgan Stanley, Bear Stearns, Citigroup, Merrill Lynch.
Information
Source:
Dataloss DB
July 5, 2006
Bisys Group Inc.
BSF
PORT
61,000
Personal details about 61,000 hedge fund investors were lost when an employee's truck carrying backup tapes was stolen.
The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8
when the theft occurred.
Information
Source:
Dataloss DB
July 1, 2006
American Red Cross, Farmers Branch
Dallas, Texas
NGO
PORT
Unknown
Sometime in May, 3 laptops were stolen, one of them containing encrypted personal information including names, SSNs,
dates of birth, and medical information of all regional donors. They also report losing a laptop with encrypted donor
information in June 2005.
Information
Source:
Dataloss DB
June 30, 2006
U.S. Department of Veteran Affairs
GOV
PORT
16,500
A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S.
veterans and included veterans' Social Security numbers, dates of birth and legal documents.
UPDATE (10/11/06): The VA's Office of the General Counsel is offering identity theft protection services to those affected by
the missing tape.
Information
283
Source:
Dataloss DB
June 30, 2006
National Institutes of Health Federal Credit Union
Rockville, Maryland
BSF
UNKN
Very few of 41,000
members affected [not
included in total]
NIHFCU and law enforcement are investigating the identity theft of some of its 41,000 members. No details were given on
the type of information stolen, or how it was stolen.
Information
Source:
Media
June 29, 2006
AllState Insurance Huntsville branch
Huntsville, Alabama
BSF
STAT
27,000
Over Memorial Day weekend, a computer containing personal data including images of insurance policies, correspondence
and Social Security numbers was stolen.
Information
Source:
Dataloss DB
June 29, 2006
Nebraska Treasurer's Office
Lincoln, Nebraska
GOV
HACK
309,000
A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other
information such as tax identification numbers for 9,000 businesses.
Information
Source:
Dataloss DB
June 29, 2006
Minnesota Department of Revenue
St. Paul, Minnesota
GOV
PORT
50,400
http://www.taxes.state.mn.us/taxes/publications/press_releases/content/taxpayer_information.shtml [224]
On May 16, a package containing a data tape used to back up the regional office's computers went missing during delivery.
The tape contained personal information including individuals' names, addresses, and Social Security numbers.
UPDATE (7/20/06): The package was reported delivered 2 months later, but apparently had been temporarily lost by the
U.S. Postal Service.
Information
Source:
Dataloss DB
June 27, 2006
Government Accountability Office (GAO)
GOV
DISC
Fewer than 1,000
[1,000 used in total]
Data from audit reports on Defense Department travel vouchers from the 1970s were inadvertently posted online and
included some service members' names, Social Security numbers and addresses. The agency has subsequently removed
the information.
Information
Source:
Dataloss DB
284
June 26, 2006
AAAAA Rent-A-Space
Colma, California
BSO
DISC
13,000
Customer's account information including name, address, credit card, and Social Security number was easily accessible due
to a security gap in AAAAA's online payment system.
Information
Source:
Dataloss DB
June 24, 2006
Catawba County Schools
Newton, North Carolina
EDU
UNKN
619
On June 22, it was discovered that a web site posted names, Social Security numbers, and test scores of students who had
taken a keyboarding and computer applications placement test during the 2001-02 school year.
UPDATE:The web site containing the data has been removed.
Information
Source:
Dataloss DB
June 23, 2006
San Francisco State University
EDU
PORT
3,000
www.sfsu.edu/%7Eadmisrec/reg/idtheft.html [225]
A faculty member's laptop was stolen from a car on June 1 that contained personal information of former and current
students including Social Security numbers, and names and ins some instance, phone numbers and grade point averages.
Information
Source:
Dataloss DB
June 23, 2006
U.S. Navy
GOV
UNKN
30,000
Navy personnel were notified on June 22 that a civilian web site contained files with personal information of Navy members
and dependents including names, birth dates and Social Security numbers.
Information
Source:
Dataloss DB
June 22, 2006
Ohio University
Athens, Ohio
EDU
HACK
2,480
http://www.ohio.edu/datasecurity [226]
A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar
years 2004 and 2005.
Information
Source:
Media
June 22, 2006
Ohio University
Athens, Ohio
EDU
HACK
Unknown
http://www.ohio.edu/datasecurity/ [227]
A computer was compromised that hosted a variety of Web-based forms, including some that processed online business
285
transactions. Although this computer was not set up to store personal information, investigators did discover files that
contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain
if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that
were used for event registration.
Information
Source:
Media
June 22, 2006
Lexington, Kentucky
EDU
PORT
6,500
The personal data of current and former students including classroom rosters names, grades and Social Security numbers
was reported stolen on May 26 following the theft of a professor's flash drive.
Information
Source:
Dataloss DB
June 22, 2006
GOV
HACK
26,000
http://www.firstgov.gov/usdainfo.shtml [228]
During the first week in June, a hacker broke into the Department's computer system and may have obtained names, Social
Security numbers and photos of current and former employees and contractors.
Information
Source:
Dataloss DB
June 22, 2006
Federal Trade Commission (FTC)
GOV
PORT
110
Two laptop computers containing personal and financial data were stolen from an employee's vehicle. The data included
names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers gathered in
law enforcement investigations.
Information
Source:
Dataloss DB
June 21, 2006
Cumberland County Emergency Medical Service
Fayetteville, North Carolina
MED
PORT
24,350
Portable computer containing personal information of more than 24,000 people was stolen from ambulance of Cumberland
Co. Emergency Medical Services on June 8th. It contained information on people treated by the EMS, including names,
addresses, and birthdates, plus SSNs of 84% of those listed.
Information
Source:
Dataloss DB
June 21, 2006
Lancaster General Hospital
Lancaster, Pennsylvania
Hundreds of local
EDU
STAT
physicians (at least
200)
Date of letter sent to doctors: June 21, 2006 Date of news story: July 28, 2006
A desktop computer with personal information of hundreds of doctors was stolen from a locked office June 10. The
unencrypted data included names, practice addresses, and SSNS of physicians on medical and dental staff.
286
Information
Source:
Security Breach
Letter
June 20, 2006
Equifax
Atlanta, Georgia
BSF
PORT
2,500
On May 29, a company laptop containing employee names and partial and full Social Security numbers was stolen from an
employee.
Information
Source:
Dataloss DB
June 20, 2006
University of Alabama
Birmingham, Alabama
EDU
STAT
9,800
In February a computer was stolen from a locked office of the kidney transplant program at the University of Alabama at
Birmingham that contained confidential information of donors, organ recipients and potential recipients including names,
Social Security numbers and medical information.
Information
Source:
Dataloss DB
June 18, 2006
ING U.S. Financial Services
Miami, Florida
BSF
PORT
13,000
Two ING laptops that carried sensitive data affecting of Jackson Health System hospital workers were stolen in December
2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life
insurance enrollment drive in December and included names, birth dates and Social Security numbers.
Information
Source:
Dataloss DB
June 18, 2006
ING U.S. Financial Services
BSF
PORT
13,000
A laptop was stolen from an employee's home. It contained retirement plan information including Social Security numbers of
D.C. city employees.
Information
Source:
Dataloss DB
June 17, 2006
Western Illinios University
Macomb, Illinois
EDU
HACK
180,000
http://www.wiu.edu/securityalert/ [229]
On June 5th, a hacker compromised a University server that contained names, addresses, credit card numbers and Social
Security numbers of people connected to the University.
UPDATE (7/5/06): Number affected reduced from 240,000.
Information
Source:
Dataloss DB
287
June 17, 2006
Automatic Data Processing (ADP)
BSO
DISC
80
Personal and payroll information of workers were intended to be faxed between ADP offices and were mistakenly sent to a
third party.
Information
Source:
Dataloss DB
June 17, 2006
California Department of Health Services (CDHS)
GOV
PHYS
1,550
http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/06-41.html [230]
On June 12, a box of Medi-Cal forms from December 2005 were found in the cubicle of a California Dept. of Health Services
employee. The claim forms contained the names, addresses, Social Security numbers and prescriptions for beneficiaries or
their family members.
Information
Source:
Dataloss DB
June 16, 2006
Union Pacific
Omaha, Nebraska
BSO
PORT
30,000
On April 29th, an employee's laptop was stolen that contained data for current and former Union Pacific employees,
including names, birth dates and Social Security numbers.
Information
Source:
Dataloss DB
June 16, 2006
New York State Controller's Office
Albany, New York
GOV
PORT
1,300
A state controller data cartridge containing payroll data of employees who work for a variety of state agencies was lost during
shipment. The data contained names, salaries, Social Security numbers and home addresses.
Information
Source:
Dataloss DB
June 16, 2006
California Department of Health Services (CDHS)
GOV
PHYS
1,550
http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/06-41.html [230]
CDHS documents were inappropriately emptied from an employee's cubicle on June 5 and 9 rather than shredded. The
documents contained state employees and other individuals applying for employment with the state including names,
addresses, Social Security numbers and home and work telephone numbers. They were mostly expired state employment
certification lists, but also included requests for personnel action, copies of e-mail messages and handwritten notes.
Information
Source:
Dataloss DB
June 14, 2006
American International Group (AIG), Indiana Office of Medical Excess, LLC
New York, New York
BSF
STAT
930,000
The computer server was stolen on March 31 containing personal information including names, Social Security numbers,
birth dates, and some medical and disability information.
288
UPDATE (1/12/2010) A 28-year-old Indianapolis man was sentenced today to two years in state prison for trying to extort
$208,00 from an insurance company after stealing a computer server. In March 2006, the man burglarized the Indianapolis
office of AIG Medical Excess, threatening to release clients' personal data on the Internet. The server contained the names
of more than 900,000 insured persons, as well as their personal identifying information, and confidential medical information
and e-mail communications. At the time of the burglary, the man was an employee of a private security firm that provided
security services to the insurance company. On July 23, 2008, Stewart delivered a package to the insurance company. The
package included a letter stating that he possessed the stolen server and its confidential data. He asked for $1,000 a week
for four years, but the FBI and others intervened. The Indiana State Police, the Indiana Department of Natural Resources,
Indianapolis Metropolitan Police Department, and Attorney General also were part of the investigation.
Information
Source:
Dataloss DB
June 13, 2006
Minnesota State Auditor
St. Paul, Minnesota
GOV
PORT
493
Three laptops possibly containing Social Security numbers of employees and recipients of housing and welfare benefits
along with other personal information of local governments the auditor oversees have gone missing.
Information
Source:
Dataloss DB
June 13, 2006
Oregon Department of Revenue
Salem, Oregon
GOV
HACK
2,200
Electronic files containing personal data of Oregon taxpayers may have been compromised by an ex-employee who
downloaded a contaminated file from a porn site. The trojan attached to the file may have sent taxpayer information back to
the source when the computer was turned on.
Information
Source:
Dataloss DB
June 13, 2006
U.S. Dept of Energy, Hanford Nucear Reservation
Richland, Washington
GOV
UNKN
4,000
Current and former workers at the Hanford Nuclear Reservation were notified that their personal information may have been
compromised, after police found a 1996 list with workers' names, Social Security numbers, birth dates, work titles,
assignments, and telephone numbers in a home during an unrelated investigation.
Information
Source:
Dataloss DB
June 11, 2006
Denver Election Commission
Denver, Colorado
GOV
PHYS
150,000
Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed
voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new
offices in February. The files contain voters' Social Security numbers, addresses and other personal information.
Information
Source:
Dataloss DB
June 11, 2006
Adams State College
Alamosa, Colorado
EDU
PORT
184 Upward Bound
students
289
A laptop computer stolen from a locked closet at Adams State College contained personally identifiable data belonging to
184 high school students who participated in the college's Upward Bound program over the last four years. The theft
occurred on August 14, but it was not until late September that staff realized the computer held students' data.
Information
Source:
Dataloss DB
June 8, 2006
University of Michigan Credit Union
Ann Arbor, Michigan
BSF
PHYS
5,000
Paper documents containing personal information of credit union members were stolen from a storage room. The
documents were supposed to have been digitally imaged and then shredded. Instead, they were stolen and used to
perpetrate identity theft.
Information
Source:
Dataloss DB
June 6, 2006
University of Texas at El Paso
El Paso, Texas
EDU
HACK
4,719
Students demonstrated that student body and faculty elections could be rigged by hacking into student information including
Information
Source:
Dataloss DB
June 6, 2006
U.S. Department of Energy
GOV
HACK
1,502
Names, Social Security numbers, security clearance levels and place of employment for mostly contract employees who
worked for National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer
system at a service center in Albuquerque, NM eight months prior to press releases.
Information
Source:
Dataloss DB
June 5, 2006
U.S. Internal Revenue Service (IRS)
GOV
PORT
291
A laptop computer containing personal information of employees and job applicants, including fingerprints, names, Social
Security numbers, and dates of birth, was lost during transit on an airline flight
Information
Source:
Security Breach
Letter
June 3, 2006
Buckeye Community Health Plan
Columbus, Ohio
MED
PORT
72,000
Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid
insurance provider.
Information
Source:
Dataloss DB
290
June 3, 2006
Humana
MED
DISC
17,000 current and
former Medicare
enrollees
Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been
compromised when an insurance company employee called up the data through a hotel computer and then failed to delete
the file.
Information
Source:
Dataloss DB
June 2, 2006
Ahold USA, parent company of Stop & Shop, Giant stores and Tops stores via
subcontractor Electronic Data Systems (EDS)
Landover, Maryland
BSR
PORT
Unknown
Additional location: Plano, TX
An EDS employee lost a laptop computer during a commercial flight that contained pension data of former employees of
Ahold's supermarket chains including Social Security numbers, birth dates and benefit amounts.
Information
Source:
Dataloss DB
June 1, 2006
Miami University
Oxford, Ohio
EDU
PORT
851
An employee lost a hand-held personal computer containing personal information of students who were enrolled between
July 2001 and May 2006.
Information
Source:
Dataloss DB
June 1, 2006
Ernst & Young
New York, New York
BSO
PORT
243,000
Additional locations: Throughout the US and UK. Breach occurred in Texas.
A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an
employee's car in Texas.
Information
Source:
Media
June 1, 2006
Lexington, Kentucky
EDU
DISC
1,300
Personal information of current and former University of Kentucky employees including Social Security numbers was
inadvertently accessible online for 19 days in May.
Information
Source:
Dataloss DB
June 1, 2006
YMCA of Greater Providence
NGO
PORT
65,000
A laptop computer containing personal information of members was stolen. The information included credit card and debit
291
card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare
programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen
information about each person varies. Those affected were notified.
Information
Source:
Dataloss DB
May 31, 2006
Texas Guaranteed Student Loan Corp. via subcontractor Hummingbird
Round Rock, Texas
BSF
UNKN
1,300,000 plus 400,000
for total of 1,700,000
Additional location: Toronto, Canada
Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of
equipment containing names and Social Security numbers of TG borrowers.
UPDATE (6/16/06):TG now says a total of 1.7 million people's information was compromised, 400,000 more than original
estimate of 1.3 million.
Information
Source:
Dataloss DB
May 30, 2006
Florida International University
Miami, Florida
EDU
HACK
Unknown
Hacker accessed a database that contained personal information on thousands of individuals, such as student and applicant
names and Social Security numbers.
Information
Source:
Dataloss DB
May 25, 2006
VyStar Credit Union
BSF
HACK
34,400
Hacker gained access to member accounts a and stole personal information including names, addresses, birth dates,
mother's maiden names, Social Security numbers and/or email addresses. Less than 10% of VyStar's 344,000 members
were affected.
Information
Source:
Dataloss DB
May 24, 2006
Sacred Heart University
Fairfield, Connecticut
EDU
HACK
Unknown
It was discovered on May 8th that a computer containing personal information including names, addresses and Social
Security numbers was breached. The University did not immediately release information on who the breach affected.
Information
Source:
Dataloss DB
May 23, 2006
University of Delaware
Newark, Delaware
EDU
HACK
1,076
A security breach of a Department of Public Safety computer server potentially exposed names, Social Security numbers and
driver's license numbers. Individuals whose personal information was compromised were contacted.
Information
292
Source:
Dataloss DB
May 23, 2006
Butler County Department of Mental Retardation & Developmental Disabilities
Cincinnati, Ohio
NGO
PORT
100 clients
In April, three laptop computers were stolen from the agency's office. They contained personal information on mental health
clients, including Social Security numbers. Those affected were contacted in May.
Information
Source:
Dataloss DB
May 23, 2006
Mortgage Lenders Network USA
BSF
INSD
231,000
A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened
to expose company files containing sensitive customer information - including customers' names, addressess, Social
Security numbers, loan numbers, and loan types - if the company didn't pay him. He stole the files over the 16 months he
worked there.
Information
Source:
Dataloss DB
May 22, 2006
U.S. Department of Veterans Affairs
GOV
PORT
26,500,000
(800) 827-1000
On May 3, data of all American veterans who were discharged since 1975 including names, Social Security numbers, dates
of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and
computer storage device included data of 26.5 milliion veterans. The data did not contain medical or financial information,
but may have disability numerical rankings.
UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered.
UPDATE (7/14/06): FBI claims no data had been taken from stolen computer.
UPDATE(8/5/06): Two teens were arrested in the theft of the laptop.
UPDATE (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring
services. Rather the VA has contracted with a company to conduct breach analysis to monitor for patterns of misuse.
UPDATE (11/23/07): A federal judge questioned the Veterans Affairs Department's computer security and ruled Friday that
lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. The lawsuits have
been filed as potential class-action cases representing every veteran whose data was released.
UPDATE (1/23/09): The Department of Veterans Affairs has agreed to pay $20 million to current and former military
personnel to settle a class action lawsuit.
UPDATE (6/16/09): No less than $75 will be paid for any valid claim, up to a cap of $1,500. If your expenses were higher
than that, you might want to opt out of the class-action portion so you can file for your actual damages. In that case, you
need to file a letter so it is received by June 29, 2009. You have until Nov. 27, 2009, to mail your claim form to VA Settlement
Claims, P.O. Box 6727, Portland, OR 97228-9767. Be sure to keep a copy of the claim form, along with your proof of mailing.
To download the claim form and to get more information, go to www.veteransclass.com [231] . Read the FAQ and note the
particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625.
Information
Source:
Dataloss DB
May 18, 2006
American Red Cross, St. Louis Chapter
St. Louis, Missouri
NGO
INSD
1,000,000
A dishonest employee had access to Social Security numbers of donors. The database was used to call previous donors
293
and urge them to give blood again. The employee misused the personal information of at least three people to perpetrate
identity theft and had access to the personal information of one million donors.
Information
Source:
Dataloss DB
May 17, 2006
M &T Bank via contractor PFPC
Buffalo, New York
BSF
PORT
Unknown
A laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio
Architect accounts was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last
name and the first two letters of their first name.
Information
Source:
Security Breach
Letter
May 16, 2006
American Institute of Certified Public Accountants (AICPA)
New York, New York
NGO
PORT
330,000 [Updated
6/16/06]
An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it
was shipped back to the organization by a computer repair company. AICPA offered one year of free credit monitoring
services to affected members.
Information
Source:
Dataloss DB
May 12, 2006
Mercantile Potomac Bank
Gaithersburg, Maryland
BSF
PORT
48,000
A laptop containing confidential information about customers, including Social Security numbers and account numbers was
stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain
customer passwords, personal identification numbers (PIN numbers) or account expiration dates. The bank contacted
affected customers and offered them one year of free credit monitoring services.
Information
Source:
Dataloss DB
May 11, 2006
Ohio University Hudson Health Center
Athens, Ohio
MED
HACK
60,000
Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to
2001, plus faculty, workers and regional campus students.
Information
Source:
Dataloss DB
May 5, 2006
Wells Fargo
BSF
STAT
Unknown
A computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and
prospective customers may have been stolen while being delivered from one bank facility to another.
Information
294
Source:
Dataloss DB
May 4, 2006
Idaho Power Company
Boise, Idaho
BSO
PORT
Unknown
Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents,
employee names and Social Security numbers, and confidential memos to the company's CEO.
Information
Source:
Dataloss DB
May 2, 2006
Ohio University Innovation Center
Athens, Ohio
EDU
HACK
35
A server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated
with parking passes was compromised.
Information
Source:
Dataloss DB
May 2, 2006
Ohio University
Athens, Ohio
EDU
HACK
300,000
http://www.ohio.edu/datasecurity/ [227]
Hackers accessed a computer system of the school's alumni relations department that included biographical information and
137,000 Social Security numbers of alum.
UPDATE (8/30/07) : An Ohio judge has granted a motion to dismiss a case against Ohio University (OU) regarding security
breaches of the school's computer systems that compromised alumni data. The two alumni who filed the lawsuit wanted OU
to pay for credit monitoring services for everyone whose data were compromised. The judge said the pair had not proven
that they had suffered damages for which they could be compensated.
Information
Source:
Dataloss DB
May 2, 2006
Georgia State Government
Atlanta, Georgia
GOV
STAT
Unknown
Government surplus computers that sold before their hard drives were erased contained credit card numbers, birth dates,
and Social Security numbers of Georgia citizens. The State stopped selling the computers after being notified by a buyer.
Thousands of patient records from a psychiatric hospital in Rome, Georgia were found on one computer's hard drive.
Information
Source:
Dataloss DB
April 28, 2006
Ohio Secretary of State
Cleveland, Ohio
GOV
DISC
Potentially millions of
registered voters
The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CDROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million
registered voters are listed on the CDs, but it's unknown how many records contained Social Security numbers, which were
not supposed to have been included on the CDs.
UPDATE (9/15/06): A news report said that some Social Security numbers still remain on the agency's Web site.
295
Information
Source:
Dataloss DB
April 28, 2006
U.S. Department of Defense
GOV
HACK
Unknown
Hacker accessed a Tricare Management Activity (TMA) public server containing personal information about military
employees.
Information
Source:
Dataloss DB
April 27, 2006
Long Island Railrad via contractor Iron Mountain
Jamaica, New York
GOV
PORT
17,000
Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of
virtually everyone who worked for or currently works for the agency were lost. The lost occurred during delivery by
contractor Iron Mountain. Data tapes belonging to the U.S. Department of Veteran's Affairs may also have been affected.
Information
Source:
Dataloss DB
April 26, 2006
Purdue University
EDU
HACK
1,351
A hacker accessed personal information including Social Security numbers of current and former graduate students,
applicants to graduate school, and a small number of applicants for undergraduate scholarships. The information
compromised goes back three years prior to the incident. Those who were affected were contacted.
Information
Source:
Dataloss DB
April 26, 2006
Aetna, Omni Hotels and the Department of Defense NAF
MED
PORT
38,253
A laptop containing personal information including names, addresses and Social Security numbers of Department of Defense
(35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car. Members were notified and Aetna
offered to pay for the credit monitoring services of those who were affected.
Information
Source:
Dataloss DB
April 23, 2006
University of Texas McCombs School of Business
Austin, Texas
EDU
HACK
197,000
Foreign hackers accessed records containing names, biographical information and, in some cases, Social Security numbers
and dates of birth of current and prospective students, alumni, faculty members, corporate recruiters and staff members.
Information
Source:
Dataloss DB
April 21, 2006
University of Alaska, Fairbanks
Fairbanks, Alaska
EDU
HACK
38,941
296
A hacker had access to names, Social Security numbers, and partial e-mail addresses of current and former students,
faculty, and staff. The University reported that it would not contact those affected after a first and second notification.
Anyone claiming to be from the University after these notifications should be viewed with suspicion.
Information
Source:
Dataloss DB
April 21, 2006
Boeing
Seattle, Washington
BSO
PORT
3,600 current and
former employees
A laptop was taken from a Boeing human resources employee at Sea-Tac airport. It contained Social Security numbers and
other personal information, including personnel information from the 2000 acquisition of Hughes Space and
Communications.
Information
Source:
Dataloss DB
April 14, 2006
NewTech Imaging
BSO
Honolulu, Hawaii
INSD
40,000
Records containing the names, Social Security numbers and birth dates of more than 40,000 members of Voluntary
Employees Benefit Association of Hawaii were illegally reproduced at a copying business before they were to be put onto a
compact disc for the State. Police later found the data on a computer that had been confiscated as part of a drug
investigation. Those who were on the list and Hawaii Government Employees Association and United Public Workers
members who were enrolled in union-sponsored health and group life insurance plans between July and December 1999
were warned. Investigators were only able to speculate that the theft may have occurred in February of 2005.
Information
Source:
Dataloss DB
April 14, 2006
Unviersity of South Carolina
EDU
DISC
1,400
A department chair distributing information about summer courses sent an email containing sensitive information. A
database containing Social Security numbers of students was mistakenly added as an attachment and e-mailed to
classmates.
Information
Source:
Dataloss DB
April 12, 2006
Ross-Simons
BSR
HACK
Unknown
A security breach exposed account and personal information of those who applied for Ross-Simons' private label credit card.
Information exposed includes private label credit card numbers and other personal information of applicants.
Information
Source:
Dataloss DB
April 9, 2006
University of Medicine and Dentistry of New Jersey
Newark, New Jersey
EDU
HACK
1,850
Hackers accessed Social Security numbers, loan information, and other confidential financial information of students and
alumni.
297
Information
Source:
Dataloss DB
April 7, 2006
DiscountDomainRegistry.com
Brooklyn, New York
BSO
DISC
thousands of domain
name registrations
Domain name registrants' personal information including user names, passwords and credit card numbers was accessible
online. The information may have been exposed online for four months.
Information
Source:
Dataloss DB
April 6, 2006
Progressive Casualty Insurance
Mayfield Village, Ohio
BSF
INSD
13
A dishonest insider accessed confidential information, including names, Social Security numbers, birth dates and property
addresses on foreclosure properties she was interested in buying.
Information
Source:
Dataloss DB
April 1, 2006
Con Edison
New York, New York
BSO
PORT
15,000 Con Edison
employees
Con Edison shipped two cartridge tapes to JPMorgan Chase in upstate Binghamton so it could input data on behalf of the NY
Dept. of Taxation and Finance. One tape was apparently lost and contained employees' W-2 data, including names,
addresses, Social Security numbers, taxes paid and salaries.
Information
Source:
Dataloss DB
March 30, 2006
U.S. Marine Corp
Monterey, California
GOV
PORT
207,750
A portable drive containing the personal information of Marines was lost in a campus computer lab. The lost drive was being
used for research on Marine re-enlistment bonuses and contained names, Social Security numbers, marital status, and
enlistment contract details. Enlisted marines on active duty between January 2001 and December of 2005 were affected.
The University notified those whose information may have been compromised.
Information
Source:
Dataloss DB
March 30, 2006
Georgia Technology Authority (GTA)
Atlanta, Georgia
GOV
HACK
573,000
Hackers exploited a security flaw to gain access to confidential information including Social Security numbers and bankaccount details of state pensioners. The State only had contact information for 180,000 of those affected and relied on
media coverage to get the word out to others.
Information
Source:
Dataloss DB
Connecticut Technical High School System
298
March 30, 2006
Connecticut Technical High School System
EDU
DISC
1,250
Social Security numbers of faculty and administrators were mistakenly distributed via email to staff. The email went to 17
principals; at least one forwarded the email to her staff of 77. Those affected were contacted.
Information
Source:
Dataloss DB
March 24, 2006
California State Employment Development Division
GOV
DISC
64,000
A computer glitch sent state Employment Development Division 1099 tax forms containing Social Security numbers and
income information to the wrong addresses, potentially exposing those taxpayers to identity theft.
Information
Source:
Dataloss DB
March 24, 2006
Vermont State Colleges
Waterbury, Vermont
EDU
PORT
14,000
Note: there are several locations in Vermont. We list the Office of the Chancellor as the primary location.
A laptop containing Social Security numbers and payroll data of students, faculty and staff associated with the five-college
system was stolen. It contained information from as long ago as 2000.
Information
Source:
Dataloss DB
March 23, 2006
Fidelity Investments
BSF
PORT
196,000
A laptop containing names, addresses, birth dates, Social Security numbers and other information of 196,000 Hewlett
Packard, Compaq and DEC retirement account customers was stolen. Fidelity contacted the customers and paid for one
year of credit monitoring services. Fidelity also pledged to pay for unauthorized transactions in pensions or retirement
accounts that occurred due to the theft.
Information
Source:
Security Breach
Letter
March 16, 2006
Bananas.com
San Rafael, California
BSR
HACK
274
A hacker accessed names, addresses, phone numbers and credit card numbers of customers. The breach occurred in
February and someone on the Internet began selling personal information shortly after. Affected customers were notified in
March.
Information
Source:
Dataloss DB
March 14, 2006
General Motors (GM)
Detroit, Michigan
BSO
INSD
100
A former security guard kept Social Security numbers of co-workers to perpetrate identity theft. The disgruntled former
employee sent harassing emails to employees after gaining access to personal information including the types of cars they
drove.
299
Information
Source:
Dataloss DB
March 14, 2006
Buffalo Bisons and Choice One Online
Buffalo, New York
BSO
HACK
Unknown
A hacker accessed sensitive financial information including the credit card numbers names, and passwords of customers
who ordered items online. The Bisons mailed letters to affected customers and notified American Express, MasterCard,
Discover, and Visa.
Information
Source:
Dataloss DB
March 11, 2006
California Department of Consumer Affairs (DCA)
GOV
PHYS
A small number
Mailed applications of DCA licensees or prospective licensees for CA state boards and commissions were stolen. The forms
include full or partial Social Security numbers, driver's license numbers, and potentially payment checks.
Information
Source:
Dataloss DB
March 8, 2006
Verizon Communications
New York, New York
BSO
PORT
Significant number
Two laptops containing employees' personal information including Social Security numbers were stolen. Verizon is offering
affected employees free use of a credit monitoring service.
Information
Source:
Dataloss DB
March 8, 2006
iBill [disputed]
Deerfield Beach, Florida
BSF
UNKN
17,781,462 (SSNs and
not involved)
A dishonest insider or possibly malicious software linked to iBill was used to post names, phone numbers, addresses, e-mail
addresses, Internet IP addresses, login names and passwords, credit card types and purchase amount online. Credit card
account numbers, expiration dates, security codes, and Social Security numbers were NOT included, but in our opinion the
affected individuals could be vulnerable to social engineering to obtain such information. Whether iBill is the source of the
breach has been disputed [232] .
Information
Source:
Dataloss DB
March 5, 2006
Georgetown University
EDU
HACK
41,000
A server was attacked that housed personal information including names, birthdates and Social Security numbers of District
seniors served by the Office on Aging. Georgetown managed the server as part of a grant to manage information services
provided by the D. C. Office of Aging.
Information
Source:
Dataloss DB
300
March 3, 2006
Metropolitan State College of Denver (MSCD)
Denver, Colorado
EDU
PORT
93,000
http://www.mscd.edu/securityalert/ [189]
A laptop containing student information was stolen. The information included names and Social Security numbers of
students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester.
Information
Source:
Security Breach
Letter
March 2, 2006
Olympic Funding
Chicago, Illinois
BSF
UNKN
Unknown
Three hard drives containing clients' names, Social Security numbers, addresses and phone numbers stolen during a break
in. Information on the drives was protected via password and security software. The business owner sent letters to his
clients alerting them of the theft.
Information
Source:
Dataloss DB
March 2, 2006
Los Angeles County Department of Social Services
GOV
PHYS
Potentially 2,000,000
File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W2, and date of birth were left unattended for at least one month. This affects employees and clients.
Information
Source:
Dataloss DB
March 2, 2006
Hamilton County Clerk of Courts
Cincinnati, Ohio
GOV
DISC
[1,300,000] Not
included in number
below.
Social Security numbers, and other personal data of residents was posted on the County's website. Some information was
stolen and used to commit identity theft.
UPDATE (9/28/06):An identity thief was sentenced to 13 years in prison for the crimes. She stole 100 identities and nearly
$500,000. The Web site now blocks access to court documents containing personal information.
Information
Source:
Dataloss DB
March 1, 2006
Medco Health Solutions
Columbus, Ohio
MED
PORT
4,600
A laptop containing Social Security numbers for State of Ohio employees and their dependents, as well as their birth dates
and, in some cases, prescription drug histories was stolen from an employee. The theft occurred in December and Medco
contacted Ohio officials in February. The company agreed to provide free credit monitoring and fraud alert services for the
affected families for one year.
Information
Source:
Dataloss DB
301
February 23,
2006
Deloitte & Touche, McAfee
,
BSO
PORT
9,290
Deloitte & Touche is an international organization with multiple locations throughout the United States.
An external auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former
McAfee employees. Three thousand current employees and 6,000 former employees were affected. Current and former
employees received two years of free credit monitoring services from Equifax.
Information
Source:
Dataloss DB
February 18,
2006
University of Northern Iowa
Cedar Falls, Iowa
EDU
HACK
6,000
A laptop computer holding W-2 forms of student employees and faculty was illegally accessed. The University warned
students and faculty to monitor their bank accounts.
Information
Source:
Dataloss DB
February 17,
2006
California Department of Corrections, Pelican Bay State Prison
GOV
INSD
Unknown
Inmates gained access to files stored in a warehouse. The files contained employees' Social Security numbers, birth dates
and pension account information.
Information
Source:
Dataloss DB
February 17,
2006
Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen)
Lewiston, New York
MED
PORT
17,000
Two laptops containing dates of birth, addresses and Social Security numbers of patients were stolen in an armed robbery in
New Jersey. The laptops and sensitive files were password protected. The Hospital contacted those whose information may
have been compromised.
Information
Source:
Dataloss DB
February 16,
2006
Blue Cross and Blue Shield
MED
INSD
27,000
A contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his
home computer in violation of company policies. A judge ordered the former computer consultant to reimburse the
Jacksonville-based health insurer $580,000 for expenses related to his theft.
Information
Source:
Dataloss DB
February 15,
2006
GOV
DISC
350,000
The Social Security numbers of tobacco farmers were accidentally released when the U.S. Department of Agriculture
attempted to comply with the Freedom of Information Act. Those who received the information agreed to destroy any copies
and return the original discs, which also contained tax identification numbers.
302
Information
Source:
Dataloss DB
February 15,
2006
Old Dominion University
Norfolk, Virginia
EDU
DISC
601
An instructor posted a class roster containing names and Social Security numbers to a publicly accessible website. The
information was posted during the spring semester of 2004. Letters were sent to affected students which contained websites
where the students could check to see if they had been victims of identity theft.
Information
Source:
Dataloss DB
38,000 BP employees
February 13,
2006
Ernst & Young
New York, New York
BSO
PORT
in U.S. in addition to
Sun, Cisco and IBM
employees.
Additional locations: Throughout the US and UK
A laptop was stolen from an employee's car. It contained customers' personal information including Social Security
numbers.
Information
Source:
Security Breach
Letter
February 13,
2006
Ernst & Young
New York, New York
BSO
PORT
Unknown
Additional locations: Throughout the US and UK
A laptop was stolen from a locked car containing the names, dates of birth, genders, family sizes, Social Security numbers
and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees. While Ernst and Young
waited until pressured to inform a majority of those affected about the breach, at least one CEO from the affected companies
was contacted immediatel.
Information
Source:
Dataloss DB
February 9, 2006
OfficeMax and perhaps other businesses including Sam's Club
,
BSR
HACK
200,000, although total
number is unknown.
Debit card accounts and pin numbers from bank and credit union accounts nationwide (including CitiBank, BofA, WaMu,
Wells Fargo) were exposed. The crooks created counterfeit cards to make fraudulent purchases and withdrawals from cardholder accounts.
UPDATE (3/14/06) New Jersey law enforcement arrested 14 people connected to the crime spree.
Information
Source:
Dataloss DB
February 6, 2006
Prudential Financial Inc.
Newark, New Jersey
BSF
DISC
1,000
303
A health insurer claims data were erroneously faxed to a company in Canada by doctors and clinics across the U.S.. Data
included the patients' Social Security numbers, bank account details and health care information.
Information
Source:
Media
February 4, 2006
FedEx
,
BSO
DISC
8,500
W-2 forms including other workers' tax information such as Social Security numbers and salaries were sent out to
employees.
Information
Source:
Dataloss DB
February 1, 2006
Blue Cross and Blue Shield of North Carolina
BSO
DISC
629
Social Security numbers of members were printed on the mailing labels of envelopes with information about a new insurance
plan. Those who were affected were contacted immediately.
Information
Source:
Dataloss DB
Boston Globe (The New York Times Company) and The Worcester Telegram &
January 31, 2006 Gazette
BSO
DISC
240,000 potentially
exposed
Recycled paper used in wrapping newspaper bundles for distribution turned out to contain credit and debit card information
along with routing information for personal checks of subscribers.
Information
Source:
Dataloss DB
January 31, 2006
Honeywell International
Morristown, New Jersey
BSO
UNKN
19,000
Personal information of current and former employees including Social Security numbers and bank account information was
posted on an Internet Web site. It was not known whether this was the result of a malicious insider or an administrative
error. Current and former employees whose information was compromised were informed immediately and offered free
credit monitoring and identity theft insurance.
Information
Source:
Dataloss DB
January 27, 2006
State of Rhode Island website (www.RI.gov)
GOV
HACK
4,118
Hackers obtained credit card information in conjunction with names and addresses. The credit card companies were notified
of the breach, but not the customers.
Information
Source:
Dataloss DB
304
January 25, 2006
Providence Home Services
Portland, Oregon
MED
PORT
365,000
Backup tapes, laptops and disks containing Social Security numbers, clinical and demographic information were stolen from
the car of an employee. In a small number of cases, patient financial data was stolen.
UPDATE (9/26/06) Providence Health System and the Oregon Attorney General [233] have filed a settlement agreement.
Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of
identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its
security programs.
UPDATE (7/15/08) Providence Health will pay $100,000 and adhere to a compliance plan under the first ever Resolution
Agreement negotiated by CMS (Centers for Medicare and Medicaid Services of the U.S. Dept. of Health and Human
Services) under the HIPAA Privacy and Security Standards. The Corrective Action Plan requires Providence to revamp its
security policies to include physical protections for portable devices and off-site transport and storage of backup media.
Further, it must implement technical safeguards, such as encryption and password protection. And it must conduct random
compliance audits and submit compliance reports to HHS for the next three years
Information
Source:
Dataloss DB
January 24, 2006
University of Washington Medical Center
Seattle, Washington
MED
PORT
1,600
Laptops containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data were
stolen from a UW office. The information was password protected and the affected patients were notified.
Information
Source:
Dataloss DB
January 23, 2006
University of Notre Dame
Notre Dame, Indiana
EDU
HACK
Unknown
Hackers may have accessed Social Security numbers, credit card information and check images of people who donated to
the University between November 22 of 2005 and January 12 of 2006.
Information
Source:
Dataloss DB
January 21, 2006
California Army National Guard
GOV
PHYS
hundreds of officers (at
least 200)
A briefcase with personal information of National Guardsmen including a seniority roster, Social Security numbers and dates
of birth was stolen from the car of an employee. A memo was sent to National Guard soldiers.
Information
Source:
Dataloss DB
January 20, 2006
Indiana University, University Place Conference Center & Hotel
BSO
HACK
Unknown
The computer housing the reservations data base was compromised. Data included credit card account numbers and
names.
Information
Source:
Security Breach
305
Letter
January 17, 2006
City of San Diego, Water & Sewer Department
GOV
INSD
Unknown
A dishonest employee accessed customer account files, including Social Security numbers, and stole the identities of two
individuals.
Information
Source:
Media
January 12, 2006
People's Bank
BSF
PORT
90,000
A computer tape containing names, addresses, Social Security numbers, and checking account numbers was lost while
being transported by UPS. The bank alerted the affected customers and provided them with a credit monitoring service for
one year.
Information
Source:
Dataloss DB
January 2, 2006
H&R Block
BSO
DISC
Unknown
H&R Block included Social Security numbers in a 40-digit number string on mailing labels. Affected individuals were
contacted.
Information
Source:
Dataloss DB
January 1, 2006
University of Pittsburgh Medical Center, Squirrel Hill Family Medicine
MED
STAT
700
Six computers containing names, Social Security numbers, and birth dates of patients were stolen from doctors' offices. A
letter was sent notifying the affected patients.
Information
Source:
Dataloss DB
December 25,
2005
Ameriprise Financial Inc.
BSF
PORT
260,000
(877) 267-7408
A laptop was stolen from an employee's car Christmas eve. It contained customers' names and Social Security numbers and
in some cases, Ameriprise account information.
UPDATE (08/06): The laptop was recovered by local law enforcement in the community where it was stolen.
UPDATE (12/11/06): The company settled with the Massachusetts securities regulator in the office of the Secretary of State.
Ameriprise agreed to hire an independent consultant to review its policies and procedures for employees' and contractors'
use of laptops containing personal information. Ameriprise will pay the state regulator $25,000 for the cost of the
investigation.
Information
Source:
Dataloss DB
306
December 22,
2005
Ford Motor Co.
Dearborn, Michigan
BSO
STAT
70,000
A computer containing names and Social Security numbers of current and former employees was stolen. Ford alerted those
who were affected and offered to pay for their credit monitoring services.
Information
Source:
Dataloss DB
December 22,
2005
H&R Block
BSO
DISC
Unknown
Many past and present customers received unsolicited copies of the program TaxCut that displayed their Social Security
numbers on the outside, embedded in a lengthy string of code.
Information
Source:
Security Breach
Letter
December 20,
2005
Guidance Software, Inc.
BSO
Pasadena, California
HACK
3,800
A hacked database exposed credit card numbers of law enforcement officials and network security professionals. The
company is a leading provider of software used to diagnose hacked attacks.
UPDATE (4/3/07): The FTC came to a settlement agreement and final consent order
[234]
against Guidance Software.
Information
Source:
Dataloss DB
December 16,
2005
La Salle Bank, ABN AMRO Mortgage Group, DHL
Ann Arbor, Michigan
BSF
PORT
[2,000,000] Not
included in total below.
A backup tape with residential mortgage customers' information was lost in shipment by DHL. It contained Social Security
numbers and account information.
UPDATE (12/20/05): DHL found the lost tape.
Information
Source:
Security Breach
Letter
December 16,
2005
Colorado Technical University (CTU)
EDU
DISC
300
An email was erroneously sent which contained names, phone numbers, email addresses, Social Security numbers and
class schedules.
Information
Source:
Security Breach
Letter
December 12,
2005
Sam's Club, a division of Wal-Mart Stores, Inc
Bentonville, Arkansas
BSR
UNKN
Unknown
Note: location is corporate headquarters, not necessarily the location of the breach.
307
Customers who used credit cards at the wholesaler's gas stations discovered fraudulent activity on their credit accounts.
Sam's Club is unaware of how the information was stolen. Visa alerted the affected financial institutions and asked them to
provide fraud monitoring services for the affected customers.
Information
Source:
Dataloss DB
December 12,
2005
Iowa State University
Ames, Iowa
EDU
HACK
5,500
Two ISU computers were hacked. One held 2,500 encrypted credit card numbers. The second contained employee
information of more than 3,000 employees.
Information
Source:
Dataloss DB
December 7,
2005
Idaho State University, Office of Institutional Research
Pocatello, Idaho
EDU
HACK
Unknown
Contact: Information Technology Services (208) 282-2872, http://www.isu.edu/announcement/ [235]
ISU discovered a security breach in a server containing archival information about students, faculty, and staff, including
names, Social Security numbers, birth dates, and grades. Anyone who was a student or employee between 1995 and 2005
could be affected.
Information
Source:
Dataloss DB
December 6,
2005
Washington State Employment Security Department
Olympia, Washington
GOV
PORT
530
A laptop was stolen from the trunk of an auditor's car. Names, Social Security numbers and earnings of former employees
from 2002 to 2005 were exposed. The Employment Security Department does not have all of the contact information for
those affected and used the media to help notify those whose information was compromised. The laptop contained
unemployment insurance reports for 49 Seattle businesses that were undergoing routine audits by Employment Security
between November 2004 and October 2005..
Information
Source:
Dataloss DB
December 2,
2005
Cornell University
Ithaca, New York
EDU
HACK
900
The University discovered a security breach last summer that exposed names, addresses, Social Security numbers, bank
names and account numbers.
Information
Source:
Dataloss DB
December 1,
2005
First Trust Bank
Memphis, Tennessee
BSF
PORT
100,000
A man claiming to be a janitor bypassed security and stole a laptop from the bank. The laptop contained Social Security
numbers and other personal information of current and former customers. Affected customers were contacted and the theft
was caught on tape.
308
Information
Source:
Dataloss DB
December 1,
2005
University of San Diego
EDU
HACK
7,800
Hackers gained access to computers containing personal income tax data, including Social Security numbers, names, and
addresses. Faculty members, students and vendors had their information compromised and were notified by the University.
Information
Source:
Dataloss DB
November 19,
2005
Boeing
Chicago, Illinois
BSO
PORT
161,000
A laptop containing names, Social Security numbers, bank account information and other human resources data was stolen.
Affected current and former employees were notified.
Information
Source:
Dataloss DB
November 11,
2005
Georgia Tech University Office of Enrollment Services
Atlanta, Georgia
EDU
STAT
13,000
On October 16 of 2005 computers were stolen from campus which contained the names, Social Security numbers,
addresses and birth dates of current and prospective students. Notifications were sent to those who were affected.
Information
Source:
Dataloss DB
November 11,
2005
Scottrade Troy Group
Santa Ana, California
BSF
HACK
Unknown
A hacker compromised a server containing names, Social Security numbers, driver's licenses, state ID numbers, dates of
birth, phone numbers, bank names, bank codes, bank account numbers and Scottrade account numbers. Scottrade alerted
all affected customers.
Information
Source:
Dataloss DB
November 10,
2005
State of California - Department of Corrections and Rehabilitations (CDCR) Parole
Outpatient Clinic
MED
PORT
Unknown
On or around June 18, 2005 a laptop computer was stolen with information on parolees. It was unclear from the letter we
recieved whether Social Security numbers were involved.
Information
Source:
Security Breach
Letter
November 9,
2005
TransUnion Credit Bureau
Chester, Pennsylvania
BSF
STAT
3,623
A desktop containing Social Security numbers and other information was stolen from a regional sales office in California.
309
A desktop containing Social Security numbers and other information was stolen from a regional sales office in California.
Affected consumers were notified and offered one year of free credit monitoring services.
Information
Source:
Dataloss DB
November 5,
2005
Safeway, Hawaii
Pleasanton, California
1,400 in Hawaii,
BSR
PORT
perhaps more
elsewhere
Additional locations: Hawaii (where affected employees work). Laptop was stolen from a private home in California.
A division director's laptop was stolen. Names and Social Security numbers of some Hawaii workers were compromised by
the theft. The theft occurred in August and letters were sent to affected employees in October.
Information
Source:
Dataloss DB
November 4,
2005
Keck School of Medicine, University of Southern California (USC)
EDU
STAT
50,000
A computer server containing names and Social Security numbers of patients, donors and employees was stolen from a
campus computer room.
Information
Source:
Security Breach
Letter
November 1,
2005
University of Tennessee Medical Center
MED
PORT
3,800
A laptop was stolen from the University's medical billing office. Personal information lost included names, Social Security
numbers and birth dates. Affected patients were not informed of the theft for nearly two months.
Information
Source:
Dataloss DB
October 21, 2005
Wilcox Memorial Hospital
Lihue, Hawaii
MED
PORT
130,000
A backup computer data drive containing medical record numbers, addresses, names and Social Security numbers of
current and former patients was lost. Letters have been sent to affected patients.
Information
Source:
Dataloss DB
October 15, 2005
Montclair State University
Montclair, New Jersey
EDU
DISC
9,100
Names and Social Security numbers of undergraduates were posted online for nearly four months. An undergraduate
alerted the University after running a Google.com search of his name. The University warned all students of the problem.
Information
Source:
Dataloss DB
310
October 12, 2005
Ohio State University Medical Center
Columbus, Ohio
MED
DISC
2,800
Appointment information including Social Security numbers, birth dates, addresses, phone numbers, medical record
numbers, reasons for appointments, and physicians was exposed online.
Information
Source:
Security Breach
Letter
September 29,
2005
University of Georgia
Athens, Georgia
EDU
HACK
At least 1,600
A hacker may have accessed names and Social Security numbers of people working for the College of Agricultural and
Environmental Sciences. The University is attempting to contact individuals who may have been affected.
Information
Source:
Dataloss DB
September 28,
2005
RBC Dain Rauscher
BSF
INSD
100+ customers'
records compromised
out of 300,000
Someone claiming to be a former employee obtained customer names, addresses, tax ID number, birth date and Dain
Rauscher account number. Letters were sent to customers claiming that their personal information had been sold in
retaliation against the company.
Information
Source:
Dataloss DB
September 23,
2005
Bank of America
BSF
PORT
Not disclosed
A laptop was stolen from a Bank of America service provider. Information such as names, account numbers, routing transit
numbers, and credit card numbers were compromised by the theft. An unspecified number of Visa Buxx users were
contacted by Bank of America.
Information
Source:
Dataloss DB
September 22,
2005
City University of New York
New York, New York
EDU
DISC
771
An unprotected payroll link exposed personal information for Hunter College Campus Schools. Those affected included 335
Queens College law school students, 265 current workers and 171 former workers at local elementary and high schools. All
affected people were contacted.
Information
Source:
Dataloss DB
September 19,
2005
Children's Health Council
San Jose, California
NGO
PORT
5,000 - 6,700
A tape containing sensitive information was stolen from a Children's Health Council office. The tape contained names, Social
Security numbers, and detailed medical information for around 6,000 current and former clients. Payroll information for 700
311
current and former employees was also on the tape. The agency alerted those who may be at risk of identity theft.
Information
Source:
Dataloss DB
September 17,
2005
North Fork Bank (now Capital One Bank)
New York, New York
BSF
PORT
9,000
A laptop containing mortgage data was stolen from a North Fork Bank office on the weekend of July 24 of 2005. Personal
information included names, addresses, and mortgage account numbers. Affected customers were contacted and offered
one year of free credit monitoring services from Equifax.
Information
Source:
Dataloss DB
September 15,
2005
Miami University
Hamilton, Ohio
EDU
DISC
21,762
A report containing Social Security numbers and grades of students was accessible online for three years. The University is
attempting to contact those affected via letters and emails. A graduate alerted the University to the exposure after running a
Google.com search of her name.
Information
Source:
Dataloss DB
September 10,
2005
Kent State University
Kent, Ohio
EDU
STAT
100,000
Five desktop computers were stolen from the locked offices of two deans. Names, Social Security numbers, and grades
were on the computers. The information goes back to 2000 for students and 2002 for instructors. Affected students and
professors were alerted by the University.
Information
Source:
Dataloss DB
August 30, 2005
J.P. Morgan Chase & Co. (Dallas, TX)
Dallas, Texas
BSF
PORT
Unknown
A laptop was stolen on August 8th. It contained personal and financial account information of customers. Those affected
were contacted.
Information
Source:
Dataloss DB
August 30, 2005
California State University, Chancellor's Office
Long Beach, California
EDU
HACK
154
A computer virus attack exposed names and Social Security numbers. Those affected included two financial aid
administrators and 152 students enrolled at various Cal State Universities. Those affected were contacted.
Information
Source:
Dataloss DB
August 29, 2005
Iowa Student Loan
BSF
PORT
Unknown
312
August 29, 2005
Des Moines, Iowa
BSF
PORT
Unknown
A CD-Rom including Social Security numbers, last name and state of residence was lost while in transit from an outside
business partner.
Information
Source:
Security Breach
Letter
August 27, 2005
University of Florida, Health Sciences Center, ChartOne
EDU
PORT
3,851
A contractor's laptop containing patient names, Social Security numbers, dates of birth, and medical record numbers was
stolen. A letter was sent to the affected patients.
Information
Source:
Dataloss DB
August 22, 2005
U.S. Air Force
GOV
HACK
33,300
A hacker used a legitimate user ID and password to access career information, birth dates, and Social Security numbers.
Those affected were notified several months after the breach was discovered.
Information
Source:
Dataloss DB
August 19, 2005
University of Colorado
Denver, Colorado
EDU
HACK
49,000
A hacker may have gained access to personal information from June of 1999 to May of 2001, and fall of 2003 to summer of
2005. The information included current and former student names, Social Security numbers, addresses and phone
numbers. The University contacted individuals who were affected.
Information
Source:
Dataloss DB
August 17, 2005
California State University, Stanislaus
Turlock, California
EDU
HACK
900
The names and Social Security numbers of student workers were exposed during a hacker attack. The student workers
were contacted by the University.
Information
Source:
Dataloss DB
August 10, 2005
University of North Texas
Denton, Texas
EDU
HACK
39,000
A server containing housing records, financial aid inquiries, and in some cases credit card numbers was hacked. UNT sent
letters to current, former, and prospective students whose information may have been accessed.
Information
Source:
Dataloss DB
313
August 9, 2005
Sonoma State University
Rohnert Park, California
EDU
HACK
61,709
Hackers broke into a computer system and may have accessed the names and Social Security numbers of people who
applied, attended, or worked at the University between 1995 and 2002. University officials attempted to notify those who
were affected.
Information
Source:
Dataloss DB
August 9, 2005
University of Utah
EDU
HACK
100,000
A server containing library archival databases was hacked. The server included names and Social Security numbers of
former University employees. The University issued a warning that people may try to get personal information by posing as
University officials involved in the investigation.
Information
Source:
Dataloss DB
August 2, 2005
University of Colorado
Denver, Colorado
EDU
HACK
36,000
Hackers accessed files containing names, photographs, Social Security numbers, and University meal card information.
Around 7,000 staff members, 29,000 current students, and some former students were affected.
Information
Source:
Dataloss DB
July 31, 2005
California State Polytechnic University (Cal PolyPomona)
Pomona, California
EDU
HACK
31,077
Hackers gained access to two computers containing names, Social Security numbers and transfer records. Applicants,
current students, current and former faculty, and staff were affected.
Information
Source:
Dataloss DB
July 30, 2005
San Diego County Employees Retirement Association
GOV
HACK
33,000
Two computers that contained personal information for current and retired San Diego County employees were hacked. The
information included names, addresses, Social Security numbers, and dates of birth. The San Diego Retirement Association
mailed warnings to members.
Information
Source:
Dataloss DB
July 30, 2005
California State University, Dominguez Hills
Carson, California
EDU
HACK
9,613
Hackers accessed several computers containing personal information such as names and Social Security numbers. The
students who were affected were emailed.
Information
314
Source:
Dataloss DB
July 21, 2005
Boulder, Colorado
EDU
HACK
49,000
Prospective students, current students, staff, faculty and University health care service recipients may have had their data
exposed in a campus server breach. The information included names, Social Security numbers, addresses, student ID
numbers, birth dates, and lab test information. The University mailed letters and sent emails to the individuals affected.
UPDATE (08/20/2005) The number of students affected was increased from an estimate of 42,000 to 49,000.
Information
Source:
Dataloss DB
July 12, 2005
University of Southern California (USC)
270,000 possibly
EDU
DISC
accessed, dozens
exposed
A reporter contacted USC based on an individual's claim to be able to access personal information on college applicants
online. USC removed the site pending investigation and sent letters to affected individuals.
Information
Source:
Security Breach
Letter
July 7, 2005
Michigan State University
East Lansing, Michigan
EDU
HACK
27,000
Student information was compromised during an attack on the College of Education server. The information included Social
Security numbers, names, addresses, student courses, and personal identification numbers. The breach occurred in April
and students were emailed in July.
Information
Source:
Dataloss DB
July 6, 2005
City National Bank, Iron Mountain
BSF
PORT
Unknown
Two tapes containing Social Security numbers, account numbers, and other customer information were lost or stolen during
transportation. The tapes have been missing since April. City National Bank notified its customers.
Information
Source:
Dataloss DB
July 1, 2005
University of California San Diego
La Jolla, California
EDU
HACK
3,300
A University server was hacked in April. The server contained Social Security numbers, driver's license numbers, and credit
card numbers from people who attended or worked at UCSD Extension between the time of the incident and 2000. UCSD
contacted those who were affected two months after the incident.
Information
Source:
Dataloss DB
315
June 30, 2005
Ohio State University Medical Center, MTE Consulting
Columbus, Ohio
MED
PORT
15,000
A laptop containing patient information was stolen from a financial consultant. MTE Consulting notified OSU medical center
a month after the laptop was stolen and OSU sent a brief letter to the affected clients.
Information
Source:
Dataloss DB
June 29, 2005
Bank of America
BSF
PORT
18,000
A laptop containing the names, Social Security numbers, and addresses of customers was stolen from a consultant's car.
Information
Source:
Dataloss DB
June 28, 2005
Lucas County Children Services
Toledo, Ohio
GOV
DISC
900
Data from around 500 former and 400 current employees from as far back as 1991 were sent outside the organization via email. The data included names, Social Security numbers, and telephone numbers. Current employees were contacted
immediately and letters were sent to former employees.
Information
Source:
Media
June 27, 2005
U.S. Department of Veterans Affairs
GOV
PORT
66
Note: exact month and date are unknown
A laptop being stored in the trunk of a car was stolen in Minneapolis, Minnesota. Two people later reported identity fraud
problems.
Information
Source:
Dataloss DB
June 25, 2005
University of Connecticut (UCONN)
Storrs, Connecticut
EDU
HACK
72,000
University officials became aware of an October 26, 2003 hacking incident. The personal information included Social
Security numbers and addresses for students, faculty, and staff. The University began contacting those affected in June of
2005.
Information
Source:
Dataloss DB
June 22, 2005
Eastman Kodak
Rochester, New York
BSO
PORT
5,800
A password-protected laptop containing former employee names, Social Security numbers, birth dates, and benefits
information was stolen from a consultant's car trunk. Kodak sent letters and offered one-year of credit monitoring services
and identity theft insurance covering up to $50,000 in fraud.
Information
316
Source:
Dataloss DB
June 18, 2005
University of Hawaii
Manoa, Hawaii
EDU
INSD
150,000
A former librarian with access to the personal information of students, faculty, staff and patrons was convicted of Social
Security fraud. The former librarian used Social Security information to obtain fraudulent loans. The University used Social
Security numbers to track who checked out library materials. At the time of the press release it was unclear whether any
information had been stolen from the University.
Information
Source:
Dataloss DB
June 17, 2005
Kent State University
Kent, Ohio
EDU
PORT
1,400
A laptop containing the names, Social Security numbers, and in some cases birthdays of current and former University
employees was stolen from a human resources administrator's car.
Information
Source:
Dataloss DB
June 16, 2005
CardSystems
Tucson, Arizona
BSF
HACK
40,000,000
The motion to dismiss by Savvis: http://www.box.net/shared/static/180zctq8dz.pdf [236]
Over 40 million card accounts were exposed to potential fraud due to a security breach that occurred at a third-party
processor of payment card transactions. Of the more than 40 million accounts exposed, information on 68,000 Mastercard
accounts, 100,000 Visa accounts and 30,000 accounts from other card brands are known to have been exported by the
hackers. The data exported included names, card numbers and card security codes.
UPDATE (2/23/2006) CardSystems agreed to settle Federal Trade Commission charges that it failed to take appropriate
security measures to protect sensitive personal information. The company must implement a comprehensive security
program and obtain audits every 2 years for 20 years.
UPDATE (5/12/2006) CardSystems filed for bankruptcy.
UPDATE (5/28/2009) Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of
erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year
before the payment processor's systems were hacked, compromising up to 40 million credit card accounts. Less than a year
later the security breach occurred. Hackers were able to get hold of the data because CardSystems kept unencrypted card
information on its servers - in contravention of the regulations for which Savvis certified it.
Information
Source:
Dataloss DB
June 10, 2005
Federal Deposit Insurance Corp. (FDIC)
GOV
UNKN
6,000
Personal information including the names, birthdays, salaries, and Social Security numbers of former Federal Deposit
Insurance Corporation employees was stolen. Some of the information was used for fraudulent purposes. Affected
employees from as far back as July 2002 were notified.
Information
Source:
Dataloss DB
June 6, 2005
Citigroup, UPS
BSF
PORT
3,900,000
317
June 6, 2005
New York, New York
BSF
PORT
3,900,000
Customers are being notified that backup tapes containing their account information were lost or stolen while being shipped
by UPS.
Information
Source:
Dataloss DB
June 4, 2005
Duke University Medical Center
EDU
HACK
total because full Social
Security numbers not
involved
A hacker broke into the computer system, stealing thousands of passwords and fragments of Social Security numbers.
14,000 affected people were notified, including 10,000 employees of Duke University Medical Center.
Information
Source:
Dataloss DB
May 30, 2005
Motorola
Schaumburg, Illinois
BSO
STAT
Unknown
Two computers were stolen from third party vendor Affiliated Computer Services (ACS). They had security safeguards and
contained names and Social Security numbers of Motorola employees. Motorola notified affected staff by email and offered
fraud insurance coverage.
Information
Source:
Dataloss DB
May 28, 2005
Merlin Information Services
Kalispell, Montana
BSO
INSD
5,875
An individual fraudulently obtained personal information about thousands of victims from Merlin Information Services and
used that information to commit identity theft by opening up credit card accounts. He posed as a private investigator, thus
giving Merlin the impression that he was a legitimate user of their services. He conducted at least 1,873 queries through the
Merlin system to obtain information on approximately 5,875 people.
Information
Source:
Media
May 27, 2005
Cleveland State University
Cleveland, Ohio
EDU
PORT
44,420
A laptop containing personal information from applicants, current students, and former students was stolen from the
University's admissions office. The information included Social Security numbers and addresses from as far back as 2001.
Letters were sent to those affected.
UPDATE (12/24):CSU found the stolen laptop
Information
Source:
Dataloss DB
May 19, 2005
Valdosta State University
Valdosta, Georgia
EDU
HACK
40,000
318
A computer server containing campus ID card information and Social Security numbers was hacked. The cards were
designed to be used as debit cards by students and employees.
Information
Source:
Dataloss DB
May 18, 2005
Jackson Community College
Jackson, Michigan
EDU
HACK
8,000
A hacker may have downloaded the passwords and Social Security numbers of employees and students. The College sent
new, high security passwords to students and employees.
Information
Source:
Dataloss DB
May 18, 2005
University of Iowa
Iowa City, Iowa
EDU
HACK
30,000
A computer containing credit card numbers and campus ID numbers for University Book Store customers was breached by a
hacker.
Information
Source:
Dataloss DB
May 16, 2005
Westborough Bank
Westborough, Massachusetts
BSF
INSD
750
A former employee who ran an investment program from 1998 to 2001 may have given Social Security numbers and
account information to a convicted felon known for defrauding senior citizens. The bank mailed warning letters.
Information
Source:
Dataloss DB
May 14, 2005
Georgia Technology Authority (GTA)
Atlanta, Georgia
GOV
INSD
465,000
A former computer programmer for Georgia Technology Authority downloaded state driver's license information which
contained names, addresses, driver's license numbers, and in some cases Social Security numbers.
Information
Source:
Dataloss DB
May 12, 2005
Hinsdale Central High School
Hinsdale, Illinois
EDU
HACK
2,400
Two students were accused of hacking into the School's computer system and stealing student and staff Social Security
numbers. The students had the information for months before being caught. Letters were sent to affected families. The
Social Security Administration and the Federal Trade Commission were also notified.
Information
Source:
Dataloss DB
May 11, 2005
Stanford University
Stanford, California
EDU
HACK
9,900
319
The University's Career Development Center was hacked. This exposed the names, Social Security numbers, and other
personal information of users. Names and credit card information for some employers that registered with the site were also
in the database.
Information
Source:
Dataloss DB
May 7, 2005
Department of Justice
GOV
PORT
80,000
A laptop containing password protected names and travel account credit card information was stolen.
Information
Source:
Dataloss DB
May 5, 2005
Purdue University
EDU
HACK
11,360
Hackers accessed a program which contained University credit card information and the Social Security numbers of current
and former employees. Letters were sent to employees and former employees.
Information
Source:
Dataloss DB
May 4, 2005
Colorado Health Department
Denver, Colorado
GOV
PORT
1,600 (families)
A laptop containing Social Security numbers, medical records, family medical history, and addresses was stolen from an
employee's car. The State Health Department is not monitoring the affected group and has only contacted some of the
families involved.
Information
Source:
Dataloss DB
May 2, 2005
Time Warner
New York, New York
BSO
PORT
600,000
Backup tapes containing the personal information of current and former employees from as far back as 1986 was lost or
stolen during shipping. An 800 number was set up to answer questions and provide free credit monitoring for one year.
Information
Source:
Dataloss DB
April 29, 2005
Oklahoma State University
Stillwater, Oklahoma
EDU
PORT
37,000
A laptop used for student job placement seminars was lost or stolen. It contained the Social Security numbers of current and
former students.
Information
Source:
Dataloss DB
April 28, 2005
Georgia Southern University
Stateboro, Georgia
EDU
HACK
tens of thousands
320
Hackers accessed a University server which contained thousands of credit card and Social Security numbers collected over
three years. Students who received bookstore credit through scholarship or financial aid between the fall 2003 and spring of
2005 semesters, and anyone who made credit purchases at campus stores, stadium, or website are at risk. Email alerts
were sent to students and alumni.
Information
Source:
Dataloss DB
April 28, 2005
Wachovia, Bank of America, PNC Financial Services Group and Commerce
Bancorp
Hackensack, New Jersey
BSF
INSD
676,000
Note: location listed is the corporate headquarters of Bank of America, not necessarily where the breach occurred.
Bank employees illegally sold account information to someone posing as a collection agency. Customers affected were
notified and received one year of free credit monitoring services.
Information
Source:
Dataloss DB
April 26, 2005
Michigan State University's Wharton Center
East Lansing, Michigan
EDU
HACK
40,000
A hacker may have stolen the credit card information of visitors attending a performing arts venue. Warnings were sent to
Wharton visitors who used their credit cards anytime between September of 2003 and the incident.
Information
Source:
Dataloss DB
April 26, 2005
Christus St. Joseph's Hospital
Houston, Texas
MED
STAT
16,000
Two computers used for converting paper medical records into digital files were stolen. One of the computers contained
Social Security numbers and medical records for hundreds of patients. Letters were sent to about 16,000 patients.
Information
Source:
Dataloss DB
April 21, 2005
Carnegie Mellon University
EDU
HACK
19,000
The compromised information included Social Security numbers and grades from master's alumni classes 1997 through
2004, job offer information from master's alumni classes 1985 through 2004, contact information for all alumni, and Social
Security numbers and grades from doctoral students enrolled between 1998 and 2004. Between 5,000 and 6,000 of those
affected had their credit card information and Social Security numbers compromised. Emails and letters were sent to those
who were affected.
Information
Source:
Dataloss DB
April 20, 2005
TD Ameritrade
Omaha, Nebraska
BSF
PORT
200,000
A backup tape was lost, stolen, or accidentally destroyed while being shipped. The tape contained account information from
clients or former clients between the years of 2001 and 2003. Ameritrade notified the affected clients and offered one free
year of credit protection services.
321
Information
Source:
Dataloss DB
April 15, 2005
Polo Ralph Lauren, HSBC
New York, New York
BSR
HACK
180,000
Credit card data was stolen. Individuals holding the HSBC-issued General Motors Mastercard were told their cards should be
replaced.
UPDATE(07/10/07): U.S. Secret Service agents found Ralph Polo Lauren customers' credit card numbers in the hands of
Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia
and Canada, among other places, Several Cuban nationals in Florida were arrested with more than 200,000 credit card
account numbers.
Information
Source:
Dataloss DB
April 15, 2005
California Department of Health Services
GOV
PORT
21,600
A laptop containing the names, Social Security numbers, and medical information of Medi-Cal beneficiaries was stolen from
the car trunk of an employee. The Department of Health Services began notifying beneficiaries in late May.
Information
Source:
Dataloss DB
April 11, 2005
Tufts University
EDU
HACK
106,000
The University's donor database was breached. Letters were sent to the alumni who may have had their personal
information stolen.
Information
Source:
Dataloss DB
April 8, 2005
Eastern National
Ft. Washington, Pennsylvania
NGO
HACK
15,000
A hacker gained access to a server containing the names, credit card information, and billing addresses of 15,000
customers. Letters were mailed to all customers who bought products through the educational website for national parks.
Information
Source:
Dataloss DB
April 8, 2005
San Jose Medical Group
San Jose, California
MED
STAT
187,000
UPDATE(10/10/07): A former branch manager at the San Jose Medical Group has been sentenced to almost two years in
prison for stealing medical records for about 187,000 patients. The accused pleaded guilty in May to one count of health
care-related theft after he stole computer equipment from his former employer, including a DVD that contained patients'
names, Social Security numbers, medical diagnoses and other information.
Information
Source:
Dataloss DB
322
April 6, 2005
EDU
HACK
7,000
A server in the accounting and personnel departments was hacked. It contained information on 7,000 students, faculty, and
staff members. The affected individuals were notified March 23.
Information
Source:
Dataloss DB
April 5, 2005
MCI
BSO
PORT
16,500
A laptop containing names and Social Security numbers of current and former employees was stolen from the car trunk of an
MCI financial analyst. An MCI spokesperson stated that MCI would continue its policy of allowing laptops to be taken home
by employees and will evaluate new security technologies.
Information
Source:
Dataloss DB
April 5, 2005
University of California, Davis
Davis, California
EDU
HACK
1,100
The names and Social Security numbers of students, faculty, visiting speakers and staff may have been compromised when
a hacker accessed a main computer.
Information
Source:
Dataloss DB
1,200 (not included in
total because news
March 25, 2005
Purdue University
EDU
HACK
stories are not clear if
SSNs or financial
information were
exposed)
Computers in the College of Liberal Arts' Theater Dept. were hacked, exposing personal information of employees, students,
graduates, and business affiliates.
Information
Source:
Dataloss DB
March 20, 2005
Evanston, Illinois
EDU
HACK
17,500
Hackers gained access to multiple computers and gathered user ID and password information from the University's network.
The personal information for around 500 faculty members, 2000 staff members, and 14,000 alumni was compromised.
Information
Source:
Media
March 20, 2005
University of Nevada, Las Vegas
Las Vegas, Nevada
EDU
HACK
5,000
A hacker was caught accessing the University's server and may have gotten information from the Student Exchange and
Visitor Information System (SEVIS).
323
Information
Source:
Dataloss DB
March 16, 2005
California State University, Chico
Chico, California
EDU
HACK
59,000
A university housing and food service computer server containing names and Social Security numbers of faculty, staff,
students, former students, and prospective students was hacked.
Information
Source:
Dataloss DB
March 12, 2005
Las Vegas Department of Motor Vehicles (LV DMV)
Las Vegas, Nevada
GOV
STAT
8,900
A computer and holographic laminate materials were stolen from the Donovan office of the DMV in North Las Vegas.
UPDATE. The equipment was recovered on June 1.
Information
Source:
Dataloss DB
March 11, 2005
University of California, Berkeley
EDU
PORT
98,400
A laptop containing the Social Security numbers of doctoral degree recipients from 1976 to 1999, graduate students enrolled
between 1989 and 2003, and graduate school applicants between fall 2001 and spring of 2004 was stolen. Birth dates and
addresses for about one-third of the affected people were also on the laptop.
Information
Source:
Dataloss DB
March 11, 2005
Kaiser Permanente
Oakland, California
MED
DISC
140
A disgruntled employee posted informaton on her blog noting that Kaiser Permanente included private patient information on
systems diagrams posted on the Web.
UPDATE (6/21/2005): The California Department of Managed Health Care fined Kaiser $200,000 for exposing the
confidential health information.
Information
Source:
Dataloss DB
March 11, 2005
Boston College
EDU
HACK
120,000
A hacker gained access to a phone banking database that included alumni addresses and Social Security numbers.
Information
Source:
Dataloss DB
March 10, 2005
LexisNexis
Dayton, Ohio
BSO
INSD
30,000 additional
280,000
324
Unauthorized individuals used IDs and passwords of legitimate customers to obtain consumers' Social Security numbers,
driver's license numbers, and names and addresses. Most of the breaches were at the company's subsidiary Seisint Inc.,
based in Florida.
UPDATE (4/12/05) An internal investigation at LexisNexis has uncovered evidence that an additional 280,000 records may
have been involved in this breach, increasing the total from 30,000 to 310,000.
UPDATE (06/30/06): Last week, five men were arrested in connection with this breach.
Information
Source:
Dataloss DB
March 8, 2005
DSW, Retail Ventures
Columbus, Ohio
BSR
HACK
1,400,000
Credit card information from customers in 25 states was compromised.
UPDATE (4/19/2005) additional 1,300,000 added to 100,000
Information
Source:
Dataloss DB
February 25,
2005
Bank of America Corp.
BSF
PORT
1,200,000
Computer tapes with credit card information, Social Security numbers, addresses and account numbers were lost. Bank of
America began monitoring the customer accounts on the lost tapes and said it would contact cardholders if unusual activity
was detected. Around 900,000 of the account holders affected were Defense Department employees.
Information
Source:
Dataloss DB
February 25,
2005
PayMaxx
Miramar, Florida
BSF
DISC
100,000
A software glitch at PayMaxx Inc., a Franklin, Tenn., payroll processing company, accidentally revealed personal financial
information on as many as 100,000 individuals, including Social Security numbers. The problem arose in a PayMaxx feature
that enabled employees to use the Internet to get their W-2 forms, the standard tax information form issued by companies to
their employees.
Information
Source:
Dataloss DB
February 18,
2005
University of Chicago Hospital
Chicago, Illinois
MED
INSD
85
The FBI launched an investigation into possible fraud by at least one hospital employee. As many as 85 patients may have
been affected. The hospital contacted all affected patients.
Information
Source:
Dataloss DB
February 15,
2005
ChoicePoint
Alpharetta, Georgia
BSO
INSD
163,000
Fraudsters who presented themselves as legitimate ChoicePoint customers purchased data profiles from ChoicePoint on
325
individuals and used that data to commit identity theft. The initial number of affected records was estimated at 145,000 but
was later revised to 163,000.
UPDATE(1/26/06): ChoicePoint settled with the Federal Trade Commission
[237]
for $10 million in civil penalties and $5 million
for consumer redress.
UPDATE (12/06/06): The FTC announced
[238]
that victims of identity theft as a result of the data breach who had out-of-
pocket expenses can now be reimbursed. The claims deadline is Feb. 4, 2007.
UPDATE (06/24/07): Starting Dec. 2006, the FTC began mailing claims forms to victims of the breach. Its Web site [239]
provides information about the claims process. Deadline is Aug. 18, 2007. Victims can be reimbursed for out-of-pocket
expenses resulting from identity theft connected to the breach. Call (888) 884-8772, or email [email protected] [240] .
UPDATE (11/04/07): Since its 2005 data security incident, ChoicePoint has implemented enhancements to its privacy and
information security framework including the establishment of an Office of Privacy, Ethics and Compliance to reinforce the
responsible use and protection of information at ChoicePoint through policies and procedures, audit and compliance, and
outreach and education. Visit www.privacyatchoicepoint.com [241] .
UPDATE (1/27/08): Has agreed to pay $10 million to settle a class action lawsuit
Information
Source:
Security Breach
Letter
February 12,
2005
BSO
STAT
45,000 employees
On Jan. 25 thieves broke into a SAIC facility and stole computers containing names, SSNs, and other personal information of
past and current employees. Stolen information included names, NNS, addresses, phone numbers and records of financial
transactions.
Information
Source:
Dataloss DB
January 22, 2005
University of Northern Colorado
Greeley, Colorado
EDU
PORT
30,000
A hard drive was apparently stolen. It contained information on current and former University employees and their
beneficiaries -- name, date of birth, SSN, address, bank account and routing number.
Information
Source:
Dataloss DB
January 18, 2005
University of California, San Diego
EDU
HACK
3,500
A hacker breached the security of two University computers that stored the Social Security numbers and names of students
and alumni of UCSD Extension.
Information
Source:
Dataloss DB
January 10, 2005
George Mason University
Fairfax, Virginia
EDU
HACK
32,000
Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on
the University's main ID server.
Information
Source:
326
Dataloss DB
Breach Total
494,692,655 RECORDS BREACHED
(Please see explanation [91] about this total.)
from 1,651 DATA BREACHES made public since 2005
Source URL (retrieved on 2010-08-04 04:30 ): http://www.privacyrights.org/data-breach
Copyright © Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and
distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint
guidelines. The text of this document may not be altered without express authorization of the Privacy
Rights Clearinghouse.
Links:
[1] http://www.privacyrights.org/sites/default/files/static/Chronology-of-Data-Breaches_-_Privacy-RightsClearinghouse.pdf
[2] http://www.privacyrights.org/data-breach/print
[3] http://www.privacyrights.org/#CP
[4] http://www.privacyrights.org/#1
[17] http://www.privacyrights.org/#Total
[18] http://www.privacyrights.org/about_us.htm
[19] http://datalossdb.org/primary_sources
[20] http://datalossdb.org/
[21] mailto:[email protected]
[22] http://datalossdb.org/download
[23] http://www.databreaches.net/
[24] http://www.pogowasright.org
[25] http://www.phiprivacy.net/
[26] http://www.naidonline.org
[27] http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm
[28] https://microsite.accenture.com/dataprivacyreport/Pages/default.aspx
[29] https://microsite.accenture.com/dataprivacyreport/Documents/Accenture_Data_Privacy_Report.pdf
[30] http://www.microsoft.com/Presspass/press/2010/apr10/04-05MSRSAPR.mspx?rss_fdn=Press Releases
[31] https://www.otalliance.org/resources/Incident.html
[32] http://www.bbb.org/us/corporate-engagement/security/
[33] http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf
[34] http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
[35] http://www.privacyrights.org/ar/PreventITWorkplace.htm
[36] http://www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf
[37] http://www.privacyprotection.ca.gov/res/docs/pdf/ssnrecommendations.pdf
[38] http://www.privacyprotection.ca.gov/res/docs/pdf/COPP_Breach_Reco_Practices_6-09.pdf
[39] http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
[40] http://www.privacyrights.org/ar/SecurityBreach.htm
[41] http://www.defendyourdollars.org/2005/02/states_with_not.html
[42] http://www.nymity.com/FormDownload.aspx?docid=E5AE006F-1947-4163-BDAC-0BFE129E5C89
[43] http://www.digestiblelaw.com/files/upload/securitybreach.pdf
[44] http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf
[45] http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf
[46] http://www.crowell.com/pdf/SecurityBreachTable.pdf
[47] http://www.consumersunion.org/campaigns//learn_more/003484indiv.html
[48] http://www.pirg.org/consumer/credit/statelaws.htm
[49] http://www.mass.gov/Eoca/docs/idtheft/notificationsrpt20080918.pdf
[50] http://www.krollfraudsolutions.com/about-kroll/HIMSS-Security-Patient-Data-Report.aspx
[51] http://www.healthcareitnews.com/news/study-points-critical-gaps-hospital-data-security
[52] http://blogs.findlaw.com/technologist/2010/02/data-security-breaches-cost-real-money.html
[53] http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009 US Cost of Data Breach
Report Final.pdf
[54] http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf
327
[55] http://www.deloitte.com/view/en_US/us/industries/MediaEntertainment/e510f6b085912210VgnVCM100000ba42f00aRCRD.htm
[56] http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
[57] http://web.interhack.com/news/n2009/taxonomy
[58] http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
[59] http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Dell Executive Summary FINAL
063008.pdf
[60] http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01
[61]
http://mba.tuck.dartmouth.edu/digital/Research/ResearchProjects/JohnsonHemorrhagesFC09Proceedingd.pdf
[62] http://cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.html
[63] http://www.jcampana.com/JCampanaDocuments/EducationSectorDataBreachStudy.pdf
[64] http://www.verizonbusiness.com/resources/security/databreachreport.pdf
[65] http://www.adamdodge.com/esi/yir_2007
[66] http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
[67] http://www.yourcreditadvisor.com/blog/2007/07/how_many_times.html
[68] http://www.tech-404.com/calculator.html
[69] http://www.insidecounsel.com/Issues/2009/May-2009/Pages/Breach-Patrol.aspx
[70] http://law.bepress.com/cgi/viewcontent.cgi?article=1153&context=unswwps
[71] http://ssrn.com/abstract=1268926
[72]
http://www.csoonline.com/article/221322/CSO_Disclosure_Series_Data_Breach_Notification_Laws_State_By_State
[73] http://www.privacyrights.org/notification_laws.htm
[74] http://www.privacyrights.org/ar/notification_laws.htm
[75] http://www.paulschwartz.net/pdf/datasec_schwartz-janger.pdf
[76] http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S3225
[77] http://www.privacyrights.org/sites/default/files/imported/ar/Wernick_Dec06.pdf
[78] http://www.gibsondunn.com/practices/publications/detail/id/766/?pubItemId=7832
[79]
http://www.gibsondunn.com/publications/pages/SecurityBreachNotificationsaStateandFederalLawMaze.aspx
[80] http://media.gibsondunn.com/fstore/documents/pubs/072705-SecurityBreachCHART.pdf
[81] http://findarticles.com/p/articles/mi_m0BJK/is_10_18/ai_n19521336/
[82] http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
[83] http://datalossdb.org/search/primary_sources/7-maine-attorney-general
[84] http://www.idtheftcenter.org/artman2/publish/lib_survey/Press_Release_-_2007_Breach_List.shtml
[85] http://doj.nh.gov/consumer/breaches.html
[86] http://emergentchaos.com/archives/category/breaches
[87] http://www.databreaches.net
[88]
http://www.adamdodge.com/esi/stolen_sungard_higher_education_laptop_contained_csu_system_student_information
[89] http://www.numbrx.net/
[90] http://www.worldprivacyforum.org/testimony/NCVHStestimony_092005.html
[91] http://www.privacyrights.org/data-breach#2
[92] http://www.privacyrights.org/data-breach?order=field_breach_date_value_1&sort=asc
[93] http://www.privacyrights.org/data-breach?order=field_breach_total_value&sort=asc
[94] http://www.rainbowhospice.org/protection/
[95] http://www.childrenshospitaloakland.org/EnhancedPatientPrivacyProtection.asp
[97] http://www.wyndhamworldwide.com/customer_care/data-claim.cfm
[98] http://www.privacyrights.org/sites/default/files/AR-M450_20100223_180300223.pdf
[99] http://www.valdosta.edu/notify/
[101] http://www.army.mil/-news/2009/12/16/31955-laptop-containing-personal-information-about-mwrcustomers-stolen/
[102] http://www.thebeijingcenter.org/securityqns
[104] http://www.chaminade.edu/infosecure
[105] http://www.ftc.gov/opa/2009/10/choicepoint.shtm
[107] https://security.berkeley.edu/jschool-info
[108]
http://www.elance.com/p/trust/account_security.html>http://www.elance.com/p/trust/account_security.html
[110] http://www.justice.gov/usao/alm/press/current_press/2010_05_05_stovall.pdf
[111] http://www.treas.gov/tigta/auditreports/2009reports/200930059fr.pdf
[112] http://datatheft.berkeley.edu
[113] http://googledocs.blogspot.com/2009/03/on-yesterdays-email.html
[114] http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html
[115] http://news.uns.purdue.edu/Payroll0901.html
[116] http://help.monster.com/besafe/
[117] http://help.monster.com/besafe/jobseeker/index.asp
[118] http://www.ftc.gov/opa/2009/01/navone.shtm
[119] http://www.justice.gov/opa/pr/2009/August/09-crm-810.html
[120] http://www.2008breach.com
[121] http://www.bankinfosecurity.com/articles.php?art_id=1200
[122] http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf
328
[123] http://www1.ftc.gov/opa/2009/02/compgeeks.shtm
[124] http://www.studentlife.osu.edu/dataexposure
[125] http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf
[126] http://louisville.bizjournals.com/louisville/othercities/atlanta/stories/2008/12/22/daily24.html
[127] http://www.forever21.com/notice/notice.html
[128] http://www.ivytech.edu/about/security/
[129] http://www.rit.edu/news/?v=46283
[130] http://www.cwdataclaims.com/
[131] http://www.utdallas.edu/infosecurity/
[132] http://www.ohiocore.org/answers
[133] http://www.sec.gov/litigation/admin/2008/34-58515.pdf
[134]
http://www.computerworld.com/s/article/9177702/Insurer_says_it_s_not_liable_for_University_of_Utah_s_3.3M_data_breach
[135] http://www.computerworld.com/s/article/9096721/Thieves_steal_tapes_holding_2.2M_billing_records
[137] http://www.sungardhe.com/custom.aspx?id=1554&LangType=1033
[138] http://www.bnymellon.com/tapequery
[139] http://www.courant.com/business/hc-mellon0531.artmay31,0,4507316,print.story
[142] http://www.ssnbreach.org
[144] http://eu.montana.edu/security
[146] http://www.osfa.state.la.us/notice.htm
[147] http://eu.montana.edu/security/
[148] http://www.uiowa.edu/~phil/SSN.shtml
[149] http://www.mass.gov/dpl
[150] http://gapinc.com/securityassistance/
[151] http://www.dispatch.com
[152] http://www.elvey.com/IDTheft/spam_faq.cfm.html
[153] http://datalossdb.org/incident_highlights/30-legal-sub-project-elvey-v-td-ameritrade
[154] http://www.voxant.com
[155] http://www.purdue.edu/news/coa0709.html
[156] http://www.idahoarmyguard.org/
[157] http://www.saic.com/response/
[158] http://www.datasettlement.com/
[161] http://www.virginia.edu/uvatoday/newsRelease.php?id=2217
[164] https://apps.dot.state.nc.us/pio/releases/details.aspx?r=1179
[165] http://www.idfpr.com
[166] http://www.stonybrook.edu/sb/disclosure/
[167] http://www.goshen.edu/news/pressarchive/05-11-07-security.html
[170] http://phx.corporate-ir.net/phoenix.zhtml?c=118113&p=irol-recentdata
[171] http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB?
contentidonly=true&contentid=2007/04/0110.xml
[172] http://www.osu.edu/news/newsitem1673
[173] http://news.ucsf.edu/releases/ucsf-computer-server-with-research-subject-information-is-stolen/
[174] http://security.ucsf.edu/alert/information.html
[175] http://sos.georgia.gov/pressrel/20070411a.htm
[176] http://www.ncua.gov/news/press_releases/2007/MR07-0411.htm
[177]
http://www.bhsu.edu/AboutBHSU/NewsEvents/tabid/3454/articleType/ArticleView/articleId/339/Default.aspx
[178] http://dch.georgia.gov/vgn/images/portal/cit_1210/19/38/80010015Public_NoticeMissing_Personal_Data.pdf
[179] http://www.hortica-insurance.com/hotTopics/26.PDF
[183] http://www.oag.state.tx.us/oagNews/release.php?id=1961
[184] http://www.ghc.org/news/news.jhtml?reposid=/common/news/news/20070323-missing_laptops.html
[185] http://www.spr.k12.oh.us/
[186] http://www.spr.k12.oh.us./ourboard/treasdocs/notificationofDataTheft.pdf
[187] http://www.usda.gov/oig/webdocs/50501-8-FM.pdf
[188] http://www.census.gov/Press-Release/www/releases/archives/miscellaneous/009732.html
[189] http://www.mscd.edu/securityalert/
[190] http://www.cchealth.org/press_releases/dhs_breach_03_2007.php
[191] http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/07-17 breach of personal
information.html
[193] http://www.ccsf.edu/securityalert
329
[194] http://www.ecu.edu/incident/
[195] http:www.mass.gov/dia
[196] http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1294
[197] http://www.hawaii.gov/dcca/quicklinks/id_theft_info
[198] http://www.tjx.com/
[199] https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf
[200] http://online.wsj.com/article_email/article_print/SB117824446226991797lMyQjAxMDE3NzA4NDIwNDQ0Wj.html
[201] http://privacy.wi.gov/alerts/jan0107.jsp
[202] http://www.colorado.edu/its/security/awareness/privacy/identitytheft.pdf
[203] http://www.identityalert.ucla.edu
[204] http://www.utdallas.edu/datacompromise/form.html
[205] http://www.treas.gov/tigta/auditreports/2007reports/200720048fr.pdf
[207] http://www.denverda.org/News_Release/Releases/2006 Release/Computer security alert.pdf
[208] http://www.uta.edu/oit/iso/Datatheft.php
[209] http://www.nysun.com/national/gop-donors-personal-data-disclosed-in-rnc-privacy/41341/
[210] http://www.portseattle.org
[211] https://www.census.gov/Press-Release/www/releases/archives/miscellaneous/007497.html
[212] http://www.savannahga.gov/security
[213] http://www.berry.edu/stulife/idprotect/
[214] http://blog.secondlife.com/2006/09/08/urgent-security-announcement/
[215] http://old.ts.vcu.edu/security/id_exposure.html
[216] http://www.chicagofop.org/Updates/links/nrs.pdf
[218] http://www.dlssonline.com
[219] http://www.hcahealthcare.com
[221] http://www.oag.state.ny.us/press/2007/apr/apr26a_07.html
[222] http://www.northwestern.edu/newscenter/stories/2006/07/data.html
[223] http://security.tennessee.edu
[224] http://www.taxes.state.mn.us/taxes/publications/press_releases/content/taxpayer_information.shtml
[225] http://www.sfsu.edu/~admisrec/reg/idtheft.html
[226] http://www.ohio.edu/datasecurity
[227] http://www.ohio.edu/datasecurity/
[228] http://www.firstgov.gov/usdainfo.shtml
[229] http://www.wiu.edu/securityalert/
[230] http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/06-41.html
[231] http://www.veteransclass.com
[232] http://www.wired.com/science/discoveries/news/2006/03/70380
[233] http://www.doj.state.or.us/releases/2006/rel092606a.shtml
[234] http://www.ftc.gov/os/caselist/0623057/index.htm
[235] http://www.isu.edu/announcement/
[236] http://www.box.net/shared/static/180zctq8dz.pdf
[237] http://www.ftc.gov/opa/2006/01/choicepoint.htm
[238] http://www.ftc.gov/opa/2006/12/choicepoint.htm
[239] http://www.ftc.gov/bcp/cases/choicepoint/index.shtm
[241] http://www.privacyatchoicepoint.com
330

Chronology of Data Breaches

Transcription

Similar documents

STOKE CITY FC Carlo Nash - National Literacy Trust

a risk based approach to cyber security

Securing Your Agile, Mobile Clinicians — Breach Case Study

View Our April 2014 Newsletter

money matters

all about your tie - Greene King Pub Partners

Cyber-Liability Insurance

Product Manual