| |
A Chronology of Data Breaches
Skip
the introductory text and go directly to the listing
of data breaches below.
What does the Chronology of Data Breaches contain?
The data
breaches noted below have been reported because the
personal information compromised includes data elements useful to identity
thieves, such as Social Security numbers, account numbers, and driver's
license numbers. Some breaches that do NOT expose such sensitive information
have been included in order to underscore the variety and frequency of
data breaches. However, we have not included the number of records
involved in such breaches in the total because we want this compilation
to reflect breaches that expose individuals to identity theft as well
as breaches that qualify for disclosure under state laws. The breaches
posted below include only those reported in the United States. They do
not include incidents in other countries.
What does the Total Number indicate?
The running total
we maintain at the end of the Chronology represents the approximate number
of *records* that have been compromised due to security breaches, not
necessarily the number of *individuals* affected. Breaches for specific
years are noted below -- 2005, 2006,
2007 and 2008. Some individuals may be the victims of more
than one breach, which would affect the totals.
In reality, the number given below should be much larger. For many of the breaches listed, the number of records is unknown. How often is the Chronology updated?
We usually update this list twice each week.
Where do you obtain information about the data breaches that are reported on this Web page?
Most of the breaches summarized below on this page have been obtained from the Attrition-Dataloss list-serve.
Attrition also provides an open source database of its data breach records, called the Data Loss Database - Open Source, or DLDOS. It is a flat comma-separated value file that can be imported into a database or spreadsheet program for your own data analysis. Visit attrition.org/dataloss/dataloss.csv.
What should I do if my personal information has been compromised in a data breach?
For tips on what to do if your personal information has been exposed due to a security breach, read our guide at www.privacyrights.org/fs/fs17b-securitybreach.htm.
Are there resources for businesses and other organizations on how to avoid having sensitive data breached?
Learn about security and privacy protection practices for your workplace.
What should I do if my business or organization experiences a security breach?
The following resources guide businesses who have experienced a security breach through the notification process and in working with law enforcement.
Do states have laws that require those entities that experience a data breach to notify those affected?
Yes. The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches. It is the first of its kind in the nation, implemented July 2003.
More than 3/4 of states have since passed laws requiring that
individuals be notified of security breaches. For a list of states enacting
security breach and freeze laws, visit these Web sites:
Congress is considering several security breach
notice bills in 2007. Consumers Union lists them here:
www.consumersunion.org/finance/DataPrivacy2007.htm
Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have any analyses of security breach laws been published?
STATISTICAL ANALYSES
- 2008 Data Breach Investigations Report (Verizon),
www.verizonbusiness.com/resources/security/databreachreport.pdf
- Adam Dodge has compiled a report, "ESI Year in
Review - 2007," on the information security incidents occurring at colleges
and universities around the world as reported in the news during 2007
(posted February 10, 2008). http://www.adamdodge.com/esi/yir_2007
- For a statistical breakdown of types of breaches
and an analysis by industry sector for 2006, see Beth Rosenberg's report,
www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
- David Shettler has developed a Web site that
provides statistical analysis of security breach data, at www.etiolated.org
.
- Jimmy Atkinson's "Ask the Advisor" blog features
a post, "How Many Times Has Your Personal Information Been Stolen This
Year?" at www.yourcreditadvisor.com/blog/2007/07/how_many_times.html
- To use an online "calculator" to arrive at an
estimated cost of a breach based on the number of records exposed, visit
this Web site: www.tech-404.com/calculator.html
(no product endorsements are implied).
LEGAL ANALYSES
- Read the June 2008 study,"Do Data Breach
Disclosure Laws Reduce Identity Theft?" weis2008.econinfosec.org/papers/Romanosky.pdf
- CSO Online, "Data Breach Notification Laws, State by State (with map),"
(Feb. 12, 2008), at www.csoonline.com/read/020108/ammap/ammap.html.
- Read an analysis by California attorney Alan
Mansfield about the California security breach law, at www.privacyrights.org/notification_laws.htm
- Read law school professors Schwartz and Janger's
law review article on data breach notice laws at www.paulschwartz.net/pdf/datasec_schwartz-janger.pdf.
- Read commentary by Jeffrey Rawitz, Jones Day
law firm, "Security Breach Notification Requirements," www.jonesday.com/pubs/pubs_detail.aspx?pubID=S3225
- Read an analysis
of state security breach notice laws by Alan Wernick, Esq., in the Journal
of AHIMA (Nov.-Dec, 2006)
- Read "Security Breach Notifications: a State
and Federal Law Maze," (July 27, 2005) by Gibson, Dunn & Crutcher
LLP, www.gibsondunn.com.
For a state-by-state analysis, view this
chart.
- Read "The Cyber Risks of Outsourcing "
by Branner and Freeman (Sept. 2007) aT www.findarticles.com/p/articles/mi_m0BJK/is_10_18/ai_n19521336.
Are there other resources with additional information about security breaches?
| DATE MADE PUBLIC |
NAME(Location) |
TYPE
OF BREACH |
NUMBER
OF RECORDS |
| 2005 |
|
|
|
| Jan. 10, 2005 |
George Mason University
(Fairfax, VA) |
Names, photos, and Social
Security numbers of 32,000 students and staff were compromised because
of a hacker attack on the university's main ID server. |
32,000 |
| Jan. 18, 2005 |
Univ. of CA, San Diego
(San Diego, CA) |
A hacker breached the
security of two University computers that stored the Social Security
numbers and names of students and alumni of UCSD Extension. |
3,500 |
| Jan. 22, 2005 |
University of Northern
Colorado
(Greeley, CO) |
A hard drive was apparently
stolen. It contained information on current and former University
employees and their beneficiaries -- name, date of birth, SSN, address,
bank account and routing number.. |
30,000 |
| Feb. 12, 2005 |
Science Applications International
Corp. (SAIC)
(San Diego, CA) |
On Jan. 25 thieves broke
into a SAIC facility and stole computers containing names, SSNs, and
other personal information of past and current employees. Stolen information
included names, NNS, addresses, phone numbers and records of financial
transactions. |
45,000 employees |
| Feb. 15, 2005 |
ChoicePoint
(Alpharetta, GA) |
Bogus accounts established by ID thieves. The initial number
of affected records was estimated at 145,000 but was later revised
to 163,000.
UPDATE (1/26/06):
ChoicePoint settled with the Federal
Trade Commission for $10 million in civil penalties and $5
million for consumer redress.
UPDATE (12/06/06):
The FTC
announced that victims of identity theft as a result of the
data breach who had out-of-pocket expenses can now be reimbursed.
The claims deadline is Feb. 4, 2007.
UPDATE (06/24/07):
Starting Dec. 2006, the FTC began mailing claims forms to victims
of the breach. Its Web
site provides information about the claims process. Deadline
is Aug. 18, 2007. Victims can be reimbursed for out-of-pocket
expenses resulting from identity theft connected to the breach.
Call (888) 884-8772, or email cpredress@ftc.gov.
UPDATE (11/04/07):
Since its 2005 data security incident, ChoicePoint has implemented
enhancements to its privacy and information security framework
including the establishment of an Office of Privacy, Ethics and
Compliance to reinforce the responsible use and protection of
information at ChoicePoint through policies and procedures, audit
and compliance, and outreach and education. Visit www.privacyatchoicepoint.com.
UPDATE (1/27/08):
Has agreed to pay $10 million to settle a class action lawsuit
|
|
| Feb. 18, 2005 |
Univ. of Chicago Hospital
(Chicago, IL) |
Dishonest insider |
85 |
| Feb. 25 , 2005 |
Bank
of America
(Charlotte, NC) |
Lost
backup tape |
1,200,000 |
| Feb. 25, 2005 |
PayMaxx
(Miramar, FL) |
Exposed
online |
25,000 |
| March 8, 2005 |
DSW/Retail
Ventures
(Columbus, OH) |
Hacking |
100,000 |
| March 10, 2005 |
LexisNexis
(Dayton, OH) |
Passwords
compromised
UPDATE
(06/30/06): Last week, five men were arrested in connection with this
breach.
|
32,000
Additional
280,000
|
| March 11, 2005 |
Univ.
of CA, Berkeley
(Berkeley, CA) |
Stolen
laptop |
98,400 |
| March 11, 2005 |
Kaiser Permanente
(Oakland, CA) |
A disgruntled employee
posted informaton on her blog noting that Kaiser Permanente included
private patient information on systems diagrams posted on the Web.
UPDATE (6/21/2005): The California Department of Managed
Health Care fined Kaiser $200,000 for exposing the confidential health
information. |
140 |
| March 11, 2005 |
Boston
College
(Boston, MA) |
Hacking |
120,000 |
| March 12, 2005 |
NV
Dept. of Motor Vehicle |
Stolen
computer. UPDATE:
The computer was later recovered. |
[8,900]
Not included
in total below |
| March 20, 2005 |
Northwestern Univ.
(Evanston, IL) |
Hacking |
21,000 |
| March 20, 2005 |
Univ.
of NV., Las Vegas
(Las Vegas, NV) |
Hacking |
5,000 |
| March 22, 2005 |
Calif.
State Univ.
(Chico, CA) |
Hacking |
59,000 |
| March 23, 2005 |
Univ.
of CA.
(San Francisco, CA) |
Hacking |
7,000 |
| March 25, 2005 |
Purdue University
(West Lafayette, IN) |
Computers in the College
of Liberal Arts' Theater Dept. were hacked, exposing personal information
of employees, students, graduates, and business affiliates. |
1,200
(not included in total because news stories are not clear if SSNs
or financial information were exposed) |
| April ?, 2005 |
Georgia DMV |
Dishonest insider |
465,000 |
| April 5, 2005 |
MCI
(Ashburn, VA) |
Stolen laptop |
16,500 |
| April 5, 2005 |
Univ. of CA, Davis
(Davis, CA) |
The names and Social Security
numbers of students, faculty, visiting speakers and staff may have
been compromised when a hacker accessed a main computer. |
1,100 |
| April 6, 2005 |
University of California,
San Francisco |
A server in the accounting
and personnel departments was hacked. It contained information on
7,000 students, faculty, and staff members. The affected individuals
were notified March 23. |
7,000 |
| April 8, 2005 |
Eastern National |
Hacker |
15,000 |
| April 8, 2005 |
San
Jose Med. Group
(San Jose, CA) |
Stolen
computer
UPDATE (10/10/07):
A former branch manager at the San Jose Medical Group has been sentenced
to almost two years in prison for stealing medical records for about
187,000 patients. The accused pleaded guilty in May to one count
of health care-related theft after he stole computer equipment from
his former employer, including a DVD that contained patients' names,
Social Security numbers, medical diagnoses and other information. |
187,000 |
| April 11, 2005 |
Tufts
University
(Boston, MA) |
Hacking |
106,000 |
| April 14, 2005 |
Polo
Ralph Lauren/HSBC
(New York, NY) |
Hacking
UPDATE (07/10/07): U.S. Secret Service
agents found Ralph Polo Lauren customers' credit card numbers in
the hands of Eastern European cyber thieves who created high-quality
counterfeit credit cards. Victims are from the U.S., Europe, Asia
and Canada, among other places, Several Cuban nationals in Florida
were arrested with more than 200,000 credit card account numbers.
|
180,000 |
| April 14, 2005 |
Calif. Fastrack |
Dishonest Insider |
4,500 |
| April 15, 2005 |
CA Dept. of Health Services
|
Stolen laptop |
21,600 |
| April 18, 2005 |
DSW/
Retail Ventures
(Columbus, OH) |
Hacking |
Additional
1,300,000 |
| April 20, 2005 |
Ameritrade
(Bellevue, NE) |
Lost
backup tape |
200,000 |
| April 21, 2005 |
Carnegie Mellon Univ.
(Pittsburg, PA) |
Hacking |
19,000 |
| April 26, 2005 |
Mich. State Univ's Wharton
Center |
Hacking |
40,000 |
| April 26, 2005 |
Christus St. Joseph's Hospital
(Houston, TX) |
Stolen computer |
19,000 |
| April 28, 2005 |
Georgia Southern Univ. |
Hacking |
"tens of
thousands" |
| April 28, 2005 |
Wachovia,
Bank of America,
PNC Financial Services Group and
Commerce Bancorp |
Dishonest insiders |
676,000 |
| April 29, 2005 |
Oklahoma State Univ. |
Missing laptop |
37,000 |
| May 2, 2005 |
Time Warner
(New York, NY) |
Lost backup tapes |
600,000 |
| May 4, 2005 |
CO. Health Dept. |
Stolen laptop |
1,600
(families) |
| May 5, 2005 |
Purdue Univ.
(West Lafayette, IN) |
Hacking |
11,360 |
| May 7, 2005 |
Dept. of Justice
(Washington, D.C.) |
Stolen laptop |
80,000 |
| May 11, 2005 |
Stanford Univ.
(Stanford, CA) |
Hacking |
9,900 |
| May 12, 2005 |
Hinsdale Central High School
(Hinsdale, IL) |
Hacking |
2,400 |
| May 16, 2005 |
Westborough Bank
(Westborough, MA) |
Dishonest insider |
750 |
| May 18, 2005 |
Jackson Comm. College
(MI) |
Hacking |
8,000 |
| May 18, 2005 |
Univ. of Iowa |
Hacking |
30,000 |
| May 19, 2005 |
Valdosta State Univ.
(GA) |
Hacking |
40,000 |
| May 25, 2005 |
North Carolina Div. of Motor
Vehicles
(Greensboro, NC) |
On Feb. 10, an employee
downloaded addresses of 3.8 million people but was detected and stopped
before being able to retrieve more sensitive information such as driver's
license numbers. |
None |
| May 26, 2005 |
Duke Univ.
(Durham, NC) |
Hacking |
5,500 |
| May 27, 2005 |
Cleveland State Univ.
(Cleveland, OH). |
Stolen laptop
UPDATE
(12/24): CSU
found the stolen laptop |
[44,420]
Not included
in total below |
| May 28, 2005 |
Merlin Data Services
(Kalispell, MT) |
Bogus acct. set up |
9,000 |
| May 30, 2005 |
Motorola |
Computers stolen |
Unknown |
| June 6, 2005 |
CitiFinancial |
Lost backup tapes |
3,900,000 |
| June 10, 2005 |
Fed. Deposit Insurance Corp.
(FDIC) |
Not disclosed |
6,000 |
June 16, 2005
|
CardSystems |
Hacking |
40,000,000 |
| June 17, 2005 |
Kent State Univ. |
Stolen laptop |
1,400 |
| June 18, 2005 |
Univ. of Hawaii |
Dishonest Insider |
150,000 |
| June 22, 2005 |
Eastman Kodak |
Stolen laptop |
5,800 |
| June 22, 2005 |
East Carolina Univ. |
Hacking |
250 |
| June 25, 2005 |
Univ. of CT (UCONN) |
Hacking |
72,000 |
| June 28, 2005 |
Lucas Cty. Children Services
(OH) |
Exposed by email |
900 |
| June 29, 2005 |
Bank of America |
Stolen laptop |
18,000 |
| June 30, 2005 |
Ohio State Univ. Med. Ctr.
|
Stolen laptop |
15,000 |
| July 1, 2005 |
Univ. of CA, San Diego |
Hacking |
3,300 |
| July 6, 2005 |
City National Bank |
Lost backup tapes |
Unknown |
| July 7, 2005 |
Mich. State Univ. |
Hacking |
27,000 |
| July 19, 2005 |
Univ. of Southern Calif.
(USC) |
Hacking |
270,000
possibly accessed; "dozens"exposed |
| July 21, 2005 |
Univ. of Colorado-Boulder |
Hacking
UPDATE
(08/20/2005) The number of students affected was increased from an
estimate of 42,000 to 49,000. |
49,000 |
| July 30, 2005 |
San Diego Co. Employees
Retirement Assoc. |
Hacking |
33,000 |
| July 30, 2005 |
Calif. State Univ., Dominguez
Hills |
Hacking |
9,613 |
| July 31, 2005 |
Cal Poly-Pomona |
Hacking |
31,077 |
| Aug. 2, 2005 |
Univ. of Colorado |
Hacking |
36,000 |
| Aug. 9, 2005 |
Sonoma State Univ. |
Hacking |
61,709 |
| Aug. 9, 2005 |
Univ. of Utah |
Hacking |
100,000 |
| Aug. 10, 2005 |
Univ. of North Texas |
Hacking |
39,000 |
| Aug. 17, 2005 |
Calif. State University,
Stanislaus |
Hacking |
900 |
| Aug. 19, 2005 |
Univ. of Colorado |
Hacking |
49,000 |
| Aug. 22, 2005 |
Air Force |
Hacking |
33,300 |
| Aug. 27, 2005 |
Univ. of Florida, Health
Sciences Center/ChartOne |
Stolen Laptop |
3,851 |
| Aug. 30, 2005 |
J.P. Morgan Chase &
Co.
(Dallas, TX) |
Stolen laptop (Aug. 8) containing
personal and financial account information of customers of its private
bank. |
Unknown |
| Aug. 30, 2005 |
Calif. State University,
Chancellor's Office |
Hacking |
154 |
| Sept. 2, 2006 |
Iowa Student Loan
(W. Des Moines) |
Compact disk containing
personal information, including SSNs, was lost when shipped by private
courier. |
165,000 |
| Sept. 10, 2005 |
Kent State Univ. |
Stolen computers |
100,000 |
| Sept. 15, 2005 |
Miami Univ. |
Exposed online |
21,762 |
| Sept.
16, 2005 |
ChoicePoint
(2nd notice, see 2/15/05)
(Alpharetta, GA) |
ID thieves
accessed; also misuse of IDs & passwords. |
[Total later revised to
163,000 -- see 2/15/05 above]
|
| Sept. 17, 2005 |
North Fork Bank, NY |
Stolen laptop (7/24/05)
with mortgage data |
9,000 |
| Sept. 19, 2005 |
Children's Health Council,
San Jose CA |
Stolen backup tape |
5,000 - 6,000 |
| Sept. 22, 2005 |
City University of New York
|
Exposed online |
350 |
Sept. 23,
2005 |
Bank of America |
Stolen laptop with info
of Visa Buxx users (debit cards) |
Not disclosed |
| Sept. 28, 2005 |
RBC Dain Rauscher |
Illegitimate access to customer
data by former employee |
100+ customers' records
compromised out of 300,000 |
| Sept. 29, 2005 |
Univ. of Georgia |
Hacking |
At least 1,600 |
| Oct. 12, 2005 |
Ohio State Univ. Medical
Center |
Exposed online. Appointment
information including SSN, DOB, address, phone no., medical no., appointment
reason, physician. |
2,800 |
| Oct. 15, 2005 |
Montclair State Univ. |
Exposed online |
9,100 |
| Oct. 21, 2005 |
Wilcox Memorial Hospital,
Hawaii |
Lost backup tape |
130,000 |
| Nov. 1, 2005 |
Univ. of Tenn. Medical Center |
Stolen laptop |
3,800 |
| Nov. 4, 2005 |
Keck School of Medicine,
USC |
Stolen computer |
50,000 |
| Nov. 5, 2005 |
Safeway, Hawaii |
Stolen laptop |
1,400 in Hawaii, perhaps
more elsewhere |
| Nov. 8, 2005 |
ChoicePoint
(Alpharetta, GA) |
Bogus accounts established
by ID thieves. Total affected now reaches 163,000
(See Feb. 15 & Sept. 16)
|
[Total later revised to
163,000 -- see 2/15/05 above] |
| Nov. 9, 2005 |
TransUnion |
Stolen computer |
3,623 |
| Nov. 11, 2005 |
Georgia Tech
Ofc. of Enrollment Services |
Stolen computer,
Theft 10/16/05 |
13,000 |
| Nov. 11, 2005 |
Scottrade Troy Group |
Hacking |
Unknown |
| Nov. 19, 2005 |
Boeing |
Stolen laptop with HR data
incl. SSNs and bank account info.
|
161,000 |
| Dec. 1, 2005 |
Firstrust Bank |
Stolen laptop |
100,000 |
| Dec. 1, 2005 |
Univ. of San Diego
(San Diego, CA) |
Hacking. Faculty, students
and employee tax forms containing SSNs |
7,800 |
| Dec. 2, 2005 |
Cornell Univ. |
Hacking. Names, addresses,
SSNs, bank names and acct. numbers. |
900 |
| Dec. 6, 2005 |
WA Employment Security Dept.
|
Stolen laptop. Names, SSNs
and earnings of former employees. |
530 |
| Dec. 7, 2005 |
Idaho State University,
Office of Institutional Research
(Pocatello, ID)
Contact Information Technology
Services, (208) 282-2872 |
ISU discovered a security
breach in a server containing archival information about students,
faculty, and staff, including names, SSNs, birthdates, and grades.
|
Unknown |
| Dec. 12, 2005 |
Sam's
Club/Wal-Mart |
Exposed credit card data
at gas stations. |
Unknown |
| Dec. 16, 2005 |
La
Salle Bank, ABN AMRO Mortgage Group
|
Backup
tape with residential mortgage customers lost in shipment by DHL,
containing SSNs and account information.
UPDATE
(12/20/05): DHL found the lost tape.
|
[2,000,000]
Not included in total below. |
| Dec. 16, 2005 |
Colorado Tech. Univ. |
Email erroneously sent containing
names, phone numbers, email addresses, Social Security numbers and
class schedules. |
1,200 |
| Dec. 20, 2005 |
Guidance Software, Inc.
|
Hacking. Customer credit
card numbers.
UPDATE
(4/3/07): The FTC came to a settlement agreement and final
consent order against Guidance Software. |
3,800 |
| Dec. 22, 2005 |
Ford Motor Co. |
Stolen computer. Names and
SSNs of current and former employees. |
70,000 |
| Dec. 25, 2005 |
Iowa State Univ. |
Hacking. Credit card information
and Social Security numbers. |
5,500 |
Dec. 25, 2005
|
Ameriprise
Financial Inc.
(Minneapolis, MN)
(877) 267-7408 |
A laptop was stolen from
an employee's car Christmas eve. It contained customers' names and
Social Security numbers and in some cases, Ameriprise account information.
UPDATE (08/06): The
laptop was recovered by local law enforcement in the community where
it was stolen.
UPDATE
(12/11/06): The company settled with the Massachusetts securities
regulator in the office of the Secretary of State. Ameriprise agreed
to hire an independent consultant to review its policies and procedures
for employees' and contractors' use of laptops containing personal
information. Ameriprise will pay the state regulator $25,000 for the
cost of the investigation. |
260,000 |
2005
[Exact date unknown] |
U.S. Dept. of Veteran's
Affairs
(Washington, D.C.) |
A laptop being stored in
the trunk of a car was stolen in Minneapolis, Minnesota. 2 people
later reported identity fraud problems. |
66 |
| 2006 |
NAME
(Location) |
TYPE OF BREACH |
NUMBER OF RECORDS
|
| Jan. 1, 2006 |
University of Pittsburgh
Medical Center, Squirrel Hill Family Medicine |
6 Stolen computers. Names,
Social Security numbers, birthdates |
700 |
| Jan. 2, 2006 |
H&R Block |
SSNs exposed in 40-digit
number string on mailing label |
Unknown |
| Jan. 9, 2006 |
Atlantis Hotel - Kerzner
Int'l |
Dishonest insider or hacking.
Names, addresses, credit card details, Social Security numbers, driver's
licence numbers and/or bank account data. |
55,000 |
| Jan. 12, 2006 |
People's Bank |
Lost computer tape containing
names, addresses, Social Security numbers, and checking account numbers. |
90,000 |
| Jan. 17, 2006 |
City of San Diego, Water
& Sewer Dept.
(San Diego, CA) |
Dishonest employee accessed
customer account files, including SSNs, and committed identity theft
on some individuals. |
Unknown |
| Jan. 20, 2006 |
Univ. Place Conference
Center & Hotel, Indiana Univ. |
Hacking. Reservation information
including credit card account number compromised. |
Unknown |
| Jan. 21, 2006 |
California Army National
Guard |
Stolen briefcase with personal
information of National Guardsmen including a "seniority roster,"
Social Security numbers and dates of birth. |
"hundreds of officers"
|
| Jan. 23, 2006 |
Univ. of Notre Dame |
Hackers accessed Social
Security numbers, credit card information and check images of school
donors. |
Unknown |
| Jan. 24, 2006 |
Univ. of WA Medical Center
|
Stolen laptops containing
names, Social Security numbers, maiden names, birth dates, diagnoses
and other personal data. |
1,600 |
| Jan. 25, 2006 |
Providence Home Services
(Portland, OR) |
Stolen backup tapes and
disks containing Social Security numbers, clinical and demographic
information. In a small number of cases, patient financial data was
stolen.
UPDATE:
(9/26/06)
Providence Health System and the Oregon
Attorney General have filed a settlement agreement. Providence
will provide affected patients with free credit monitoring, offer
credit restoration to patients who are victims of identity fraud,
and reimburse patients for direct losses that result from the data
breach. The company must also enhance its security programs.
|
365,000 |
| Jan. 27, 2006 |
State of RI web site (www.RI.gov) |
Hackers obtained credit
card information in conjunction with names and addresses.
|
4,117 |
| Jan. 31, 2006 |
Boston Globe and The Worcester
Telegram & Gazette |
Inadvertently exposed.
Credit and debit card information along with routing information for
personal checks printed on recycled paper used in wrapping newspaper
bundles for distribution. |
240,000 potentially exposed
|
| Feb. 1, 2006 |
Blue Cross and Blue Shield
of North Carolina |
Inadvertently exposed.
SSNs of members printed on the mailing labels of envelopes with information
about a new insurance plan. |
600 |
| Feb. 4, 2006 |
FedEx |
Inadvertently exposed.
W-2 forms included other workers' tax information such as SSNs and
salaries. |
8,500 |
| Feb. 9, 2006 |
Unknown retail merchants,
apparently OfficeMax and perhaps others. |
Hacking. Debit card accounts
exposed involving bank and credit union accounts nationwide (including
CitiBank, BofA, WaMu, Wells Fargo).
[3/13/06 Crime ring arrested.] |
200,000, although total
number is unknown. |
| Feb. 9, 2006 |
Honeywell International
|
Exposed online. Personal
information of current and former employees including Social Security
numbers and bank account information posted on an Internet Web site. |
19,000 |
| Feb. 13, 2006 |
Ernst & Young
(UK) |
Laptop stolen from employee's
car with customers' personal information including Social Security
numbers. |
38,000 BP employees in
addition to Sun, Cisco and IBM employees. |
| Feb. 15, 2006 |
Dept. of Agriculture |
Inadvertently exposed
Social Security and tax identification numbers in FOIA request. |
350,000 |
| Feb. 15, 2006 |
Old Dominion Univ. |
Exposed online. Instructor
posted a class roster containing names and Social Security numbers
to a web site. |
601 |
| Feb. 16, 2006 |
Blue Cross and Blue Shield
Jacksonville, FL |
Contractor sent names
and Social Security numbers of current and former employees, vendors
and contractors to his home computer in violation of company policies.A
judge today ordered a former computer consultant to reimburse the
Jacksonville-based health insurer $580,000 for expenses related to
his theft . |
27,000 |
| Feb. 17, 2006 |
Calif. Dept. of Corrections,
Pelican Bay
(Sacramento, CA) |
Inmates gained access to
files containing employees' Social Security numbers, birth dates and
pension account information stored in warehouse. |
Unknown |
| Feb. 17, 2006 |
Mount St. Mary's Hospital
(1 of 10 hospitals with patient info. stolen)
(Lewiston, NY)
|
Two laptops containing
date of birth, address and Social Security numbers of patients was
stolen in an armed robbery in the New Jersey. |
17,000 |
| Feb. 18, 2006 |
Univ. of Northern Iowa
|
Hacking. Laptop computer
holding W-2 forms of student employees and faculty was illegally accessed.
|
6,000 |
| Feb. 23, 2006 |
Deloitte & Touche
(McAfee employee information) |
External auditor lost
a CD with names, Social Security numbers and stock holdings in McAfee
of current and former McAfee employees. |
9,290 |
| Mar. 1, 2006 |
Medco Health Solutions
(Columbus, OH) |
Stolen laptop containing
Social Security numbers for State of Ohio employees and their dependents,
as well as their birth dates and, in some cases, prescription drug
histories. |
4,600 |
| Mar. 1, 2006 |
OH Secretary of State's
Office |
SSNs, dates of birth, and
other personal data of citizens routinely posted on a State web site
as part of standard business practice. |
Unknown |
| Mar. 2, 2006 |
Olympic Funding
(Chicago, IL) |
3 hard drives containing
clients names, Social Security numbers, addresses and phone numbers
stolen during break in. |
Unknown |
| Mar. 2, 2006 |
Los Angeles Cty. Dept.
of Social Services
(Los Angeles, CA) |
File boxes containing names,
dependents, Social Security numbers, telephone numbers, medical information,
employer, W-2, and date of birth were left unattended and unshredded.
|
[Potentially 2,000,000,
but number unknown]
Not included in number below. |
| Mar. 2, 2006 |
Hamilton County Clerk of
Courts
(OH) |
SSNs, other personal data
of residents posted on county Web site, were stolen and used to commit
identity theft.
UPDATE
(9/28/06): An identity thief was sentenced
to 13 years in prison for the crimes. She stole 100 identities and
nearly $500,000. The Web site now blocks access to court documents
containing personal information. |
[1,300,000]
Not included in number below. |
| Mar. 3, 2006 |
Metropolitan State College
(Denver, CO) |
Stolen laptop containing
names and Social Security numbers of students who registered for Metropolitan
State courses between the 1996 fall semester and the 2005 summer semester. |
93,000 |
| Mar. 5, 2006 |
Georgetown Univ.
(Washington, D.C.) |
Hacking. Personal information
including names, birthdates and Social Security numbers of District
seniors served by the Office on Aging. |
41,000 |
| Mar. 8, 2006 |
Verizon Communications
(New York, NY) |
2 stolen laptops containing
employees' personal information including Social Security numbers. |
"Significant number" |
| Mar. 8, 2006 |
iBill
(Deerfield Beach, FL) |
Dishonest insider or possibly
malicious software linked to iBill used to post names, phone numbers,
addresses, e-mail addresses, Internet IP addresses, logins and passwords,
credit card types and purchase amount online. Credit card account
numbers, expiration dates, security codes, and SSNs were NOT included,
but in our opinion the affected individuals could be vulnerable to
social engineering to obtain such information. |
[17,781,462]
Not
included in total below. |
| Mar. 11, 2006 |
CA Dept. of Consumer Affairs
(DCA)
(Sacramento, CA) |
Mail theft. Applications
of DCA licensees or prospective licensees for CA state boards and
commissions were stolen. The forms include full or partial Social
Security numbers, driver's license numbers, and potentially payment
checks.
|
"A small number"
|
| Mar. 14, 2006 |
General Motors
(Detroit, MI) |
Dishonest insider keep
Social Security numbers of co-workers to perpetrate identity theft.
|
100 |
Mar. 14
2006 |
Buffalo Bisons and Choice
One Online
(Buffalo, NY) |
Hacker accessed sensitive
financial information including credit card numbers names, passwords
of customers who ordered items online. |
Unknown |
Mar. 15,
2006 |
Ernst & Young
(UK) |
Laptop lost containing
the names, dates of birth, genders, family sizes, Social Security
numbers and tax identifiers for current and previous IBM, Sun Microsystems,
Cisco, Nokia and BP employees exposed. |
Unknown |
Mar. 16,
2006 |
Bananas.com
(San Rafael, CA) |
Hacker accessed names,
addresses, phone numbers and credit card numbers of customers. |
274 |
Mar. 23,
2006 |
Fidelity Investments
(Boston, MA) |
Stolen laptop containing
names, addresses, birth dates, Social Security numbers and other information
of 196,000 Hewlett Packard, Compaq and DEC retirement account customers
was stolen. |
196,000 |
Mar. 24,
2006 |
CA State Employment Development
Division
(Sacramento, CA)
|
Computer glitch sends state
Employment Development Division 1099 tax forms containing Social Security
numbers and income information to the wrong addresses, potentially
exposing those taxpayers to identity theft. |
64,000 |
Mar. 24,
2006 |
Vermont State Colleges
(VT) |
Laptop stolen containing
Social Security numbers and payroll data of students, faculty and
staff associated with the five-college system from as long ago as
2000. |
14,000 |
Mar. 30,
2006 |
Marines
(Monterey, CA) |
Portable drive lost that
contains personal information used for research on re-enlistment bonuses.
|
207,750 |
Mar. 30,
2006 |
Georgia Technology Authority
(Atlanta, GA) |
Hacker exploited security
flaw to gain access to confidential information including Social Security
numbers and bank-account details of state pensioners. |
573,000 |
Mar. 30,
2006 |
Conn. Technical High School
System
(Middletown, CT) |
Social Security numbers
of students and faculty mistakenly distributed via email. |
1,250 |
| April 1, 2006 |
Con Edison
(New York) |
Con Edison shipped 2 cartridge
tapes to JPMorgan Chase in upstate Binghamton so it could input data
on behalf of the NY Dept. of Taxation and Finance. One tape was apparently
lost containing employees' W-2 data, including names, addresses, SSNs,
taxes paid and salaries. |
15,000 Con Edison employees
|
April 6,
2006 |
Progressive Casualty Insurance
(Mayfield Village, OH) |
Dishonest insider accessed
confidential information, including names, Social Security numbers,
birth dates and property addresses on foreclosure properties she was
interested in buying. |
13 |
April 7,
2006 |
DiscountDomain
Registry.com
(Brooklyn, NY) |
Exposed online. Domain
registrants' personal information including usernames, passwords and
credit card numbers were accessible online. |
"thousands of domain
name registrations" |
April 9,
2006 |
University of Medicine
and Dentistry of New Jersey
(Newark, NJ) |
Hackers accessed Social
Security numbers, loan information, and other confidential financial
information of students and alumni. |
1,850 |
April 12,
2006 |
Ross-Simons
(Providence, RI) |
Security breach exposed
account and personal information of those who applied for its private
label credit card. Information exposed includes private label credit
card numbers and other personal information of applicants. |
Unknown |
| April 14, 2006 |
NewTech Imaging
(Honolulu, HI) |
Records containing the
names, Social Security numbers and birth dates of more than 40,000
members of Voluntary Employees Benefit Association of Hawaiiwere illegally
reproduced at a copying business before they were to be put onto a
compact disc for the State. Police later found the data on a computer
that had been confiscated as part of a drug investigation. |
40,000 |
April 14,
2006 |
Univ. of South Carolina
(Columbia, SC) |
Social Security numbers
of students were mistakenly e-mailed to classmates. |
1,400 |
| April 15, 2006 |
Scott County, IA |
The Social Security numbers
of people who obtained mortgages in the early 1990s are visible in
documents posted on the county's website. The county will redact the
information at the individuals' request. |
Unknown |
| April 21, 2006 |
University of Alaska, Fairbanks
(Fairbanks, AK) |
A hacker accessed names,
Social Security numbers, and partial e-mail addresses of current and
former students, faculty, and staff. |
38,941 |
| April 21, 2006 |
Boeing
(Seattle, WA) |
A laptop was taken from
a Boeing human resources employee at Sea-Tac airport. It contained
SSNs and other personal information, including personnel information
from the 2000 acquisition of Hughes Space and Communications |
3,600 current and former
employees |
April 21,
2006 |
Ohio
University
Innovation Center
(Athens, OH) |
a server containing data
including e-mails, patent and intellectual property files, and 35
Social Security numbers associated with parking passes was compromised.
|
Unknown |
April 24,
2006 |
University of Texas' McCombs
School of Business
(Austin, TX)
|
Hackers accessed records
containing names, biographical information and, in some cases, Social
Security numbers and dates of birth of current and prospective students,
alumni, faculty members, corporate recruiters and staff members. |
197,000 |
April 24,
2006 |
Ohio
University
(Athens, OH) |
Hackers accessed a computer
system of the school's alumni relations department that included
biographical information and 137,000 Social Security numbers of
alum.
UPDATE
(8/30/07) :
An Ohio judge has granted a motion to dismiss a case against Ohio
University (OU) regarding security breaches of the school's computer
systems that compromised alumni data. The two alumni who filed the
lawsuit wanted OU to pay for credit monitoring services for everyone
whose data were compromised. The judge said the pair had not proven
that they had suffered damages for which they could be compensated. |
300,000 |
April 26,
2006 |
Purdue University
(West Lafayette, IN) |
Hacker accessed personal
information including Social Security numbers of current and former
graduate students, applicants to graduate school, and a small number
of applicants for undergraduate scholarships. |
1,351 |
April 26,
2006 |
Aetna -- health insurance
records for employees of 2 members, including Omni Hotels and the
Dept. of Defense NAF
(Hartford, CT) |
Laptop containing personal
information including names, addresses and Social Security numbers
of Dept. of Defense (35,253) and Omni Hotel employees (3,000) was
stolen from an Aetna employee's car. |
38,000 |
April 27,
2006 |
MasterCard
(Potentially UK only) |
Though MasterCard refused
to say how the breach occurred, fraudsters stole the credit card details
of holders in a major security breach. |
[2,000]
Not
included in total below. |
April 27,
2006 |
Long Island Rail
Road
(Jamaica, NY) |
Data tapes containing personal
information including names, addresses, Social Security numbers and
salary figures of "virtually everyone" who worked for the
agency was lost by delivery contractor Iron Mountain while enroute.
Data tapes belonging to the U.S. Department of Veteran's Affairs may
also have been affected. |
17,000 |
April 28,
2006 |
Ohio's Secretary of State
(Cleveland, OH)
|
The names, addresses, and
Social Security numbers of potentially millions of registered voters
in Ohio were included on CD-ROMs distributed to 20 political campaign
operations for spring primary election races. The records of about
7.7 million registered voters are listed on the CDs, but it's unknown
how many records contained SSNs, which were not supposed to have been
included on the CDs.
UPDATE (9/15/06):
A news report said that some SSNs still remain on the agency's Web
site. |
"Potentially millions
of registered voters" |
April 28,
2006 |
Dept. of Defense
(Washington, DC) |
Hacker accessed a Tricare
Management Activity (TMA) public server containing personal information
about military employees. |
Unknown |
May 2,
2006 |
Georgia State Government
(Atlanta, GA) |
Government surplus computers
that sold before their hard drives were erased contained credit card
numbers, birth dates, and Social Security numbers of Georgia citizens. |
Unknown |
May 4,
2006 |
Idaho Power Co.
(Boise, ID) |
Four company hard drives
were sold on eBay containing hundreds of thousands of confidential
company documents, employee names and Social Security numbers, and
confidential memos to the company's CEO. |
Unknown |
May 4,
2006 |
Ohio
University
Hudson Health Center
(Athens, OH) |
Names, birth dates, Social
Security numbers and medical information were accessed in records
of students dating back to 2001, plus faculty, workers and regional
campus students. |
60,000 |
| May 2006 |
Ohio
University
(Athens, OH) |
A breach was discovered
on a computer that housed IRS 1099 forms for vendors and independent
contractors for calendar years 2004 and 2005. |
2,480 |
| May 2006 |
Ohio
University
(Athens, OH) |
A breach of a computer
that hosted a variety of Web-based forms, including some that processed
on-line business transactions. Although this computer was not set
up to store personal information, investigators did discover files
that contained fragments of personal information, including Social
Security numbers. The data is fragmentary and it is not certain if
the compromised information can be traced to individuals. Also found
on the computer were 12 credit card numbers that were used for event
registration. |
Unknown |
May 5,
2006 |
U.S. Dept. of Veteran's
Affairs
(Washington, D.C.) |
A data tape disappeared
from a VA facility in Indianapolis, IN that contained information
on legal cases involving U.S. veterans and included veterans' Social
Security numbers, dates of birth and legal documents.
UPDATE
(10/11/06):
The VA's Office of the General Counsel is offering identity theft
protection services to those affected by the missing tape.
|
16,500 |
May 5,
2006 |
Wells Fargo
(San Francisco, CA) |
Computer containing names,
addresses, Social Security numbers and mortgage loan deposit numbers
of existing and prospective customers may have been stolen while being
delivered from one bank facility to another. |
Unknown |
May 12,
2006 |
Mercantile Potomac Bank
(Gaithersburg, MD) |
Laptop containing confidential
information about customers, including Social Security numbers and
account numbers was stolen when a bank employee removed it from the
premises, in violation of the bank's policies. The computer did not
contain customer passwords, personal identification numbers (PIN numbers)
or account expiration dates. |
48,000 |
May 19,
2006 |
American Institute of Certified
Public Accountants (AICPA)
(New York, NY) |
An unencrypted hard drive
containing names, addresses and Social Security numbers of AICPA members
was lost when it was shipped back to the organization by a computer
repair company.
|
330,000
[Updated
6/16/06] |
May 19,
2006 |
Unknown retail merchant |
Visa, MasterCard, and other
debit and credit card numbers from banks across the country were stolen
when a national retailer's database was breached. No names, Social
Security numbers or other personal identification were taken. |
Unknown |
May 22,
2006 |
U.S.
Dept. of Veteran's Affairs
(Washington, DC)
(800) 827-1000 |
On May 3, data of all American
veterans who were discharged since 1975 including names, Social Security
numbers, dates of birth and in many cases phone numbers and addresses,
were stolen from a VA employee's home. Theft of the laptop and computer
storage device included data of 26.5 milliion veterans. The data did
not contain medical or financial information, but may have disability
numerical rankings.
UPDATE: An
additional 2.1 million active and reserve service members were added
to the total number of affected individuals June 1st | |
