Chronology of Data Breaches


Send to PrinterSend to Printer
 

Printing tip: Use the "landscape" setting for best results when printing the breach list.

Skip the introductory text and go directly to the listing of data breaches below.

What does the Chronology of Data Breaches contain?

The data breaches noted below have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. The breaches posted below include only those reported in the United States. They do not include incidents in other countries.

What does the Total Number indicate?

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Breaches for specific years are noted below -- 2005,2006,2007, 2008 and 2009. Some individuals may be the victims of more than one breach, which would affect the totals.

In reality, the number given below should be much larger. For many of the breaches listed, the number of records is unknown. Further, this list is not a comprehensive compilation of all breach data (see below).

Is the Chronology of Data Breaches a complete listing of all breaches?

No, it is not a complete listing of breaches. The list is a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches. But the list is not a comprehensive listing. Most of the information is derived from the Open Security Foundation list-serve (see below) which is in turn derived from verifiable media stories, government web sites/pages, or blog posts with information pertinent to the breach in question. Many breaches (particularly smaller ones) may not be reported. If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere. If you are aware of a breach that is not included in our list, below, feel free to contact us here: http://www.privacyrights.org/about_us.htm .

Are there state-specific breach listings?

Some states have state laws that require breaches to be reported to a centralized data base. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents).  However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests.  These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin.  For details, see the Open Security Foundation Datalossdb website: http://datalossdb.org/primary_sources

How often is the Chronology updated?

We usually update this list twice each week.

Where do you obtain information about the data breaches that are reported on this Web page?

Most of the breaches summarized below on this page have been obtained from the Open Security Foundation list-serve.

  • The Open Security Foundation's DataLossDB.org (www.datalossdb.org) offers a free e-mail list-serve on the latest breaches.
    To subscribe to DataLoss, send a message to: dataloss-subscribe@datalossdb.org
  • The DataLossDB.org page includes a search engine and news articles for the breaches listed below, and also provides an open source database of its data breach records. It is a flat comma-separated value file that can be imported into a database or spreadsheet program for your own data analysis. Visit http://datalossdb.org/download.

What should I do if my personal information has been compromised in a data breach?

For tips on what to do if your personal information has been exposed due to a security breach, read our guide at http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm.

Are there resources for businesses and other organizations on how to avoid having sensitive data breached?

Learn about security and privacy protection practices for your workplace.

What should I do if my business or organization experiences a security breach?

The following resources guide businesses who have experienced a security breach through the notification process and in working with law enforcement.

Do states have laws that require those entities that experience a data breach to notify those affected?

Yes. The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches. It is the first of its kind in the nation, implemented July 2003.

More than 3/4 of states have since passed laws requiring that individuals be notified of security breaches. For a list of states enacting security breach and freeze laws, visit these Web sites:

Which states have laws that require breached organizations to report breaches and submit notice letters to a central clearinghouse?

The state of Massachusetts requires that breached entities report data breaches to the Massachusetts Office of Consumer Affairs and Business Regulation.

The Open Security Foundation and Chris Walsh have compiled breach notice letters from the states that require breached entities to submit such letters to a central repository. These states are: Maryland, New Hampshire, New York, North Carolina, and Vermont. To view these letters, visit http://datalossdb.org/primary_sources.

Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have any analyses of security breach laws been published?

Are there other resources with additional information about security breaches?


Chronology of Data Breaches
Go to Breaches for 2005, 2006, 2007, 2008 or 2009
DATE MADE PUBLIC
NAME(Location)
TYPE OF BREACH
NUMBER
OF RECORDS
2005      
Jan. 10, 2005 George Mason University
(Fairfax, VA)		 Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university's main ID server. 32,000
Jan. 18, 2005 Univ. of CA, San Diego
(San Diego, CA)		 A hacker breached the security of two University computers that stored the Social Security numbers and names of students and alumni of UCSD Extension. 3,500
Jan. 22, 2005 University of Northern Colorado
(Greeley, CO)		 A hard drive was apparently stolen. It contained information on current and former University employees and their beneficiaries -- name, date of birth, SSN, address, bank account and routing number.. 30,000
Feb. 12, 2005 Science Applications International Corp. (SAIC)
(San Diego, CA)		 On Jan. 25 thieves broke into a SAIC facility and stole computers containing names, SSNs, and other personal information of past and current employees. Stolen information included names, NNS, addresses, phone numbers and records of financial transactions. 45,000 employees
Feb. 15, 2005
ChoicePoint
(Alpharetta, GA)

Bogus accounts established by ID thieves. The initial number of affected records was estimated at 145,000 but was later revised to 163,000.
UPDATE (1/26/06): ChoicePoint settled with the Federal Trade Commission for $10 million in civil penalties and $5 million for consumer redress.
UPDATE (12/06/06): The FTC announced that victims of identity theft as a result of the data breach who had out-of-pocket expenses can now be reimbursed. The claims deadline is Feb. 4, 2007.
UPDATE (06/24/07): Starting Dec. 2006, the FTC began mailing claims forms to victims of the breach. Its Web site provides information about the claims process. Deadline is Aug. 18, 2007. Victims can be reimbursed for out-of-pocket expenses resulting from identity theft connected to the breach. Call (888) 884-8772, or email cpredress@ftc.gov.
UPDATE (11/04/07): Since its 2005 data security incident, ChoicePoint has implemented enhancements to its privacy and information security framework including the establishment of an Office of Privacy, Ethics and Compliance to reinforce the responsible use and protection of information at ChoicePoint through policies and procedures, audit and compliance, and outreach and education. Visit www.privacyatchoicepoint.com.
UPDATE (1/27/08): Has agreed to pay $10 million to settle a class action lawsuit

163,000

 

 
Feb. 18, 2005 Univ. of Chicago Hospital
(Chicago, IL)		 Dishonest insider 85
Feb. 25 , 2005
Bank of America
(Charlotte, NC)
Lost backup tape
1,200,000
Feb. 25, 2005
PayMaxx
(Miramar, FL)
Exposed online
25,000
March 8, 2005
DSW/Retail Ventures
(Columbus, OH)
Hacking
100,000
March 10, 2005
LexisNexis
(Dayton, OH)
Passwords compromised
UPDATE (06/30/06): Last week, five men were arrested in connection with this breach.

32,000

Additional
280,000
March 11, 2005
Univ. of CA, Berkeley
(Berkeley, CA)
Stolen laptop
98,400
March 11, 2005 Kaiser Permanente
(Oakland, CA)		 A disgruntled employee posted informaton on her blog noting that Kaiser Permanente included private patient information on systems diagrams posted on the Web.
UPDATE (6/21/2005): The California Department of Managed Health Care fined Kaiser $200,000 for exposing the confidential health information.		 140
March 11, 2005
Boston College
(Boston, MA)
Hacking
120,000
March 12, 2005
NV Dept. of Motor Vehicle
Stolen computer. UPDATE: The computer was later recovered.
[8,900]
Not included
in total below
March 20, 2005 Northwestern Univ.
(Evanston, IL)		 Hacking 21,000
March 20, 2005
Univ. of NV., Las Vegas
(Las Vegas, NV)
Hacking
5,000
March 22, 2005
Calif. State Univ.
(Chico, CA)
Hacking
59,000
March 23, 2005
Univ. of CA.
(San Francisco, CA)
Hacking
7,000
March 25, 2005 Purdue University
(West Lafayette, IN)		 Computers in the College of Liberal Arts' Theater Dept. were hacked, exposing personal information of employees, students, graduates, and business affiliates. 1,200
(not included in total because news stories are not clear if SSNs or financial information were exposed)
April ?, 2005 Georgia DMV Dishonest insider 465,000
April 5, 2005 MCI
(Ashburn, VA)		 Stolen laptop 16,500
April 5, 2005 Univ. of CA, Davis
(Davis, CA)		 The names and Social Security numbers of students, faculty, visiting speakers and staff may have been compromised when a hacker accessed a main computer. 1,100
April 6, 2005 University of California, San Francisco A server in the accounting and personnel departments was hacked. It contained information on 7,000 students, faculty, and staff members. The affected individuals were notified March 23. 7,000
April 8, 2005 Eastern National Hacker 15,000
April 8, 2005
San Jose Med. Group
(San Jose, CA)
Stolen computer
UPDATE (10/10/07): A former branch manager at the San Jose Medical Group has been sentenced to almost two years in prison for stealing medical records for about 187,000 patients. The accused pleaded guilty in May to one count of health care-related theft after he stole computer equipment from his former employer, including a DVD that contained patients' names, Social Security numbers, medical diagnoses and other information.
187,000
April 11, 2005
Tufts University
(Boston, MA)
Hacking
106,000
April 14, 2005
Polo Ralph Lauren/HSBC
(New York, NY)
Hacking
UPDATE (07/10/07): U.S. Secret Service agents found Ralph Polo Lauren customers' credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places, Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers.
180,000
April 14, 2005 Calif. Fastrack Dishonest Insider 4,500
April 15, 2005 CA Dept. of Health Services Stolen laptop 21,600
April 18, 2005
DSW/ Retail Ventures
(Columbus, OH)
Hacking
Additional
1,300,000
April 20, 2005
Ameritrade
(Bellevue, NE)
Lost backup tape
200,000
April 21, 2005 Carnegie Mellon Univ.
(Pittsburg, PA)		 Hacking 19,000
April 26, 2005 Mich. State Univ's Wharton Center Hacking 40,000
April 26, 2005 Christus St. Joseph's Hospital
(Houston, TX)		 Stolen computer 19,000
April 28, 2005 Georgia Southern Univ. Hacking "tens of
thousands"
April 28, 2005 Wachovia,
Bank of America,
PNC Financial Services Group and
Commerce Bancorp		 Dishonest insiders 676,000
April 29, 2005 Oklahoma State Univ. Missing laptop 37,000
May 2, 2005 Time Warner
(New York, NY)		 Lost backup tapes 600,000
May 4, 2005 CO. Health Dept. Stolen laptop 1,600
(families)
May 5, 2005 Purdue Univ.
(West Lafayette, IN)		 Hacking 11,360
May 7, 2005 Dept. of Justice
(Washington, D.C.)		 Stolen laptop 80,000
May 11, 2005 Stanford Univ.
(Stanford, CA)		 Hacking 9,900
May 12, 2005 Hinsdale Central High School
(Hinsdale, IL)		 Hacking 2,400
May 16, 2005 Westborough Bank
(Westborough, MA)		 Dishonest insider 750
May 18, 2005 Jackson Comm. College
(MI)		 Hacking 8,000
May 18, 2005 Univ. of Iowa Hacking 30,000
May 19, 2005 Valdosta State Univ.
(GA)		 Hacking 40,000
May 25, 2005 North Carolina Div. of Motor Vehicles
(Greensboro, NC)		 On Feb. 10, an employee downloaded addresses of 3.8 million people but was detected and stopped before being able to retrieve more sensitive information such as driver's license numbers. None
May 26, 2005 Duke Univ.
(Durham, NC)		 Hacking 5,500
May 27, 2005 Cleveland State Univ.
(Cleveland, OH).		 Stolen laptop
UPDATE (12/24): CSU found the stolen laptop 		[44,420]
Not included
in total below
May 28, 2005 Merlin Data Services
(Kalispell, MT)		 Bogus acct. set up 9,000
May 30, 2005 Motorola Computers stolen Unknown
June 6, 2005 CitiFinancial Lost backup tapes 3,900,000
June 10, 2005 Fed. Deposit Insurance Corp. (FDIC) Not disclosed 6,000
June 16, 2005
 CardSystems
(Tucson, AZ)
The motion to dismiss by Savvis
www.box.net/shared/static/180zctq8dz.pdf
For more information, see article.
http://infoseccompliance.com/2009/06/23/merrick-bank-v-savvis-update-savvis-files-motion-to-dismiss/		 Over 40 million card accounts were exposed to potential fraud due to a security breach that occurred at a third-party processor of payment card transactions. Of the more than 40 million accounts exposed, information on only 68,000 Mastercard accounts, 100,000 Visa accounts and 30,000 accounts from other card brands are known to have been exported by the hackers. The data exported included names, card numbers and card security codes.
UPDATE (5/28/2009)
Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment processor's systems were hacked, compromising up to 40 million credit card accounts. Less than a year later the security breach occurred. Hackers were able to get hold of the data because CardSystems kept unencrypted card information on its servers - in contravention of the regulations for which Savvis certified it.
UPDATE (7/6/2009)
The motion to dismiss by Savvis:
 40,000,000
June 17, 2005 Kent State Univ. Stolen laptop 1,400
June 18, 2005 Univ. of Hawaii Dishonest Insider 150,000
June 22, 2005 Eastman Kodak Stolen laptop 5,800
June 22, 2005 East Carolina Univ. Hacking 250
June 25, 2005 Univ. of CT (UCONN) Hacking 72,000
June 28, 2005 Lucas Cty. Children Services (OH) Exposed by email 900
June 29, 2005 Bank of America Stolen laptop 18,000
June 30, 2005 Ohio State Univ. Med. Ctr. Stolen laptop 15,000
July 1, 2005 Univ. of CA, San Diego Hacking 3,300
July 6, 2005 City National Bank Lost backup tapes Unknown
July 7, 2005 Mich. State Univ. Hacking 27,000
July 19, 2005 Univ. of Southern Calif. (USC) Hacking 270,000
possibly accessed; "dozens"exposed
July 21, 2005 Univ. of Colorado-Boulder Hacking
UPDATE (08/20/2005) The number of students affected was increased from an estimate of 42,000 to 49,000.		 49,000
July 30, 2005 San Diego Co. Employees Retirement Assoc. Hacking 33,000
July 30, 2005 Calif. State Univ., Dominguez Hills Hacking 9,613
July 31, 2005 Cal Poly-Pomona Hacking 31,077
Aug. 2, 2005 Univ. of Colorado Hacking 36,000
Aug. 9, 2005 Sonoma State Univ. Hacking 61,709
Aug. 9, 2005 Univ. of Utah Hacking 100,000
Aug. 10, 2005 Univ. of North Texas Hacking 39,000
Aug. 17, 2005 Calif. State University, Stanislaus Hacking 900
Aug. 19, 2005 Univ. of Colorado Hacking 49,000
Aug. 22, 2005 Air Force Hacking 33,300
Aug. 27, 2005 Univ. of Florida, Health Sciences Center/ChartOne Stolen Laptop 3,851
Aug. 30, 2005 J.P. Morgan Chase & Co.
(Dallas, TX)		 Stolen laptop (Aug. 8) containing personal and financial account information of customers of its private bank. Unknown
Aug. 30, 2005 Calif. State University, Chancellor's Office Hacking 154
Sept. 2, 2006 Iowa Student Loan
(W. Des Moines)		 Compact disk containing personal information, including SSNs, was lost when shipped by private courier. 165,000
Sept. 10, 2005 Kent State Univ. Stolen computers 100,000
Sept. 15, 2005 Miami Univ. Exposed online 21,762
Sept. 16, 2005 ChoicePoint 
(2nd notice, see 2/15/05)
(Alpharetta, GA)

ID thieves accessed; also misuse of IDs & passwords.

 [Total later revised to 163,000 -- see 2/15/05 above]
Sept. 17, 2005 North Fork Bank, NY Stolen laptop (7/24/05) with mortgage data 9,000
Sept. 19, 2005 Children's Health Council, San Jose CA Stolen backup tape 5,000 - 6,000
Sept. 22, 2005 City University of New York Exposed online 350

Sept. 23,
2005

 Bank of America Stolen laptop with info of Visa Buxx users (debit cards) Not disclosed
Sept. 28, 2005 RBC Dain Rauscher Illegitimate access to customer data by former employee 100+ customers' records compromised out of 300,000
Sept. 29, 2005 Univ. of Georgia Hacking At least 1,600
Oct. 12, 2005 Ohio State Univ. Medical Center Exposed online. Appointment information including SSN, DOB, address, phone no., medical no., appointment reason, physician.

2,800
Oct. 15, 2005 Montclair State Univ. Exposed online 9,100
Oct. 21, 2005 Wilcox Memorial Hospital, Hawaii Lost backup tape 130,000
Nov. 1, 2005 Univ. of Tenn. Medical Center Stolen laptop 3,800
Nov. 4, 2005 Keck School of Medicine, USC Stolen computer 50,000
Nov. 5, 2005 Safeway, Hawaii Stolen laptop 1,400 in Hawaii, perhaps more elsewhere
Nov. 8, 2005 ChoicePoint
(Alpharetta, GA)		 Bogus accounts established by ID thieves. Total affected now reaches 163,000
(See Feb. 15 & Sept. 16)
[Total later revised to 163,000 -- see 2/15/05 above]
Nov. 9, 2005 TransUnion Stolen computer 3,623
Nov. 11, 2005 Georgia Tech
Ofc. of Enrollment Services		 Stolen computer,
Theft 10/16/05		 13,000
Nov. 11, 2005 Scottrade Troy Group Hacking Unknown
Nov. 19, 2005 Boeing Stolen laptop with HR data incl. SSNs and bank account info.
161,000
Dec. 1, 2005 Firstrust Bank Stolen laptop 100,000
Dec. 1, 2005 Univ. of San Diego
(San Diego, CA)		 Hacking. Faculty, students and employee tax forms containing SSNs 7,800
Dec. 2, 2005 Cornell Univ. Hacking. Names, addresses, SSNs, bank names and acct. numbers. 900
Dec. 6, 2005 WA Employment Security Dept. Stolen laptop. Names, SSNs and earnings of former employees. 530
Dec. 7, 2005 Idaho State University, Office of Institutional Research
(Pocatello, ID)
Contact Information Technology Services, (208) 282-2872		 ISU discovered a security breach in a server containing archival information about students, faculty, and staff, including names, SSNs, birthdates, and grades. Unknown
Dec. 12, 2005 Sam's Club/Wal-Mart Exposed credit card data at gas stations. Unknown
Dec. 16, 2005 La Salle Bank, ABN AMRO Mortgage Group
Backup tape with residential mortgage customers lost in shipment by DHL, containing SSNs and account information.
UPDATE (12/20/05): DHL found the lost tape.
[2,000,000]
Not included in total below.
Dec. 16, 2005 Colorado Tech. Univ. Email erroneously sent containing names, phone numbers, email addresses, Social Security numbers and
class schedules.		 1,200
Dec. 20, 2005 Guidance Software, Inc. Hacking. Customer credit card numbers.
UPDATE (4/3/07): The FTC came to a settlement agreement and final consent order against Guidance Software.		 3,800
Dec. 22, 2005 Ford Motor Co. Stolen computer. Names and SSNs of current and former employees. 70,000
Dec. 25, 2005 Iowa State Univ. Hacking. Credit card information and Social Security numbers. 5,500
Dec. 25, 2005
 Ameriprise Financial Inc.
(Minneapolis, MN)
(877) 267-7408		 A laptop was stolen from an employee's car Christmas eve. It contained customers' names and Social Security numbers and in some cases, Ameriprise account information.
UPDATE (08/06): The laptop was recovered by local law enforcement in the community where it was stolen.
UPDATE (12/11/06): The company settled with the Massachusetts securities regulator in the office of the Secretary of State. Ameriprise agreed to hire an independent consultant to review its policies and procedures for employees' and contractors' use of laptops containing personal information. Ameriprise will pay the state regulator $25,000 for the cost of the investigation.		 260,000
2005
[Exact date unknown]		 U.S. Dept. of Veteran's Affairs
(Washington, D.C.)		 A laptop being stored in the trunk of a car was stolen in Minneapolis, Minnesota. 2 people later reported identity fraud problems. 66
2006 NAME
(Location)		 TYPE OF BREACH NUMBER OF RECORDS
Jan. 1, 2006 University of Pittsburgh Medical Center, Squirrel Hill Family Medicine 6 Stolen computers. Names, Social Security numbers, birthdates 700
Jan. 2, 2006 H&R Block SSNs exposed in 40-digit number string on mailing label Unknown
Jan. 9, 2006 Atlantis Hotel - Kerzner Int'l Dishonest insider or hacking. Names, addresses, credit card details, Social Security numbers, driver's licence numbers and/or bank account data. 55,000
Jan. 12, 2006 People's Bank Lost computer tape containing names, addresses, Social Security numbers, and checking account numbers. 90,000
Jan. 17, 2006 City of San Diego, Water & Sewer Dept.
(San Diego, CA)		 Dishonest employee accessed customer account files, including SSNs, and committed identity theft on some individuals. Unknown
Jan. 20, 2006 Univ. Place Conference Center & Hotel, Indiana Univ. Hacking. Reservation information including credit card account number compromised. Unknown
Jan. 21, 2006 California Army National Guard Stolen briefcase with personal information of National Guardsmen including a "seniority roster," Social Security numbers and dates of birth. "hundreds of officers"
Jan. 23, 2006 Univ. of Notre Dame Hackers accessed Social Security numbers, credit card information and check images of school donors. Unknown
Jan. 24, 2006 Univ. of WA Medical Center Stolen laptops containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data. 1,600
Jan. 25, 2006

Providence Home Services
(Portland, OR)

 

 Stolen backup tapes, laptops and disks containing Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen.
UPDATE:  (9/26/06)
Providence Health System and the Oregon Attorney General have filed a settlement agreement.  Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach.  The company must also enhance its security programs.
UPDATE:  (7/15/08) : Providence Health will pay $100,000 and adhere to a compliance plan under the first ever "Resolution Agreement" negotiated by CMS (Centers for Medicare and Medicaid Services of the U.S. Dept. of Health and Human Services) under the HIPAA Privacy and Security Standards.
The Corrective Action Plan requires Providence to revamp its security policies to include physical protections for portable devices and off-site transport and storage of backup media. Further, it must implement technical safeguards, such as encryption and password protection. And it must conduct random compliance audits and submit compliance reports to HHS for the next three years		 365,000
Jan. 27, 2006 State of RI web site (www.RI.gov) Hackers obtained credit card information in conjunction with names and addresses.
 4,117
Jan. 31, 2006 Boston Globe and The Worcester Telegram & Gazette Inadvertently exposed. Credit and debit card information along with routing information for personal checks printed on recycled paper used in wrapping newspaper bundles for distribution. 240,000 potentially exposed
Feb. 1, 2006 Blue Cross and Blue Shield of North Carolina Inadvertently exposed. SSNs of members printed on the mailing labels of envelopes with information about a new insurance plan. 600
Feb. 4, 2006 FedEx Inadvertently exposed. W-2 forms included other workers' tax information such as SSNs and salaries. 8,500
Feb. 9, 2006 Unknown retail merchants, apparently OfficeMax and perhaps others. Hacking. Debit card accounts exposed involving bank and credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo).
[3/13/06 Crime ring arrested.]		 200,000, although total number is unknown.
Feb. 9, 2006 Honeywell International Exposed online. Personal information of current and former employees including Social Security numbers and bank account information posted on an Internet Web site. 19,000
Feb. 13, 2006 Ernst & Young
(UK)		 Laptop stolen from employee's car with customers' personal information including Social Security numbers. 38,000 BP employees in addition to Sun, Cisco and IBM employees.
Feb. 15, 2006 Dept. of Agriculture Inadvertently exposed Social Security and tax identification numbers in FOIA request. 350,000
Feb. 15, 2006 Old Dominion Univ. Exposed online. Instructor posted a class roster containing names and Social Security numbers to a web site. 601
Feb. 16, 2006 Blue Cross and Blue Shield
Jacksonville, FL		 Contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies.A judge today ordered a former computer consultant to reimburse the Jacksonville-based health insurer $580,000 for expenses related to his theft . 27,000
Feb. 17, 2006 Calif. Dept. of Corrections, Pelican Bay
(Sacramento, CA)		 Inmates gained access to files containing employees' Social Security numbers, birth dates and pension account information stored in warehouse. Unknown
Feb. 17, 2006 Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen)
(Lewiston, NY)
 Two laptops containing date of birth, address and Social Security numbers of patients was stolen in an armed robbery in the New Jersey. 17,000
Feb. 18, 2006 Univ. of Northern Iowa Hacking. Laptop computer holding W-2 forms of student employees and faculty was illegally accessed. 6,000
Feb. 23, 2006 Deloitte & Touche (McAfee employee information) External auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former McAfee employees. 9,290
Mar. 1, 2006 Medco Health Solutions
(Columbus, OH)		 Stolen laptop containing Social Security numbers for State of Ohio employees and their dependents, as well as their birth dates and, in some cases, prescription drug histories. 4,600
Mar. 1, 2006 OH Secretary of State's Office SSNs, dates of birth, and other personal data of citizens routinely posted on a State web site as part of standard business practice. Unknown
Mar. 2, 2006 Olympic Funding
(Chicago, IL)		 3 hard drives containing clients names, Social Security numbers, addresses and phone numbers stolen during break in. Unknown
Mar. 2, 2006 Los Angeles Cty. Dept. of Social Services
(Los Angeles, CA)		 File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended and unshredded. [Potentially 2,000,000, but number unknown]
Not included in number below.
Mar. 2, 2006 Hamilton County Clerk of Courts
(OH)		 SSNs, other personal data of residents posted on county Web site, were stolen and used to commit identity theft.
UPDATE (9/28/06): An identity thief was sentenced to 13 years in prison for the crimes. She stole 100 identities and nearly $500,000. The Web site now blocks access to court documents containing personal information.		 [1,300,000]
Not included in number below.
Mar. 3, 2006 Metropolitan State College
(Denver, CO)		 Stolen laptop containing names and Social Security numbers of students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester. 93,000
Mar. 5, 2006 Georgetown Univ.
(Washington, D.C.)		 Hacking. Personal information including names, birthdates and Social Security numbers of District seniors served by the Office on Aging. 41,000
Mar. 8, 2006 Verizon Communications
(New York, NY)		 2 stolen laptops containing employees' personal information including Social Security numbers. "Significant number"
Mar. 8, 2006 iBill
(Deerfield Beach, FL)		 Dishonest insider or possibly malicious software linked to iBill used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, logins and passwords, credit card types and purchase amount online. Credit card account numbers, expiration dates, security codes, and SSNs were NOT included, but in our opinion the affected individuals could be vulnerable to social engineering to obtain such information. [17,781,462]
Not included in total below.
Mar. 11, 2006 CA Dept. of Consumer Affairs (DCA)
(Sacramento, CA)		 Mail theft. Applications of DCA licensees or prospective licensees for CA state boards and commissions were stolen. The forms include full or partial Social Security numbers, driver's license numbers, and potentially payment checks.
"A small number"
Mar. 14, 2006 General Motors
(Detroit, MI)		 Dishonest insider keep Social Security numbers of co-workers to perpetrate identity theft. 100
Mar. 14
2006		 Buffalo Bisons and Choice One Online
(Buffalo, NY)		 Hacker accessed sensitive financial information including credit card numbers names, passwords of customers who ordered items online. Unknown
Mar. 15,
2006		 Ernst & Young
(UK)		 Laptop lost containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees exposed. Unknown
Mar. 16,
2006		 Bananas.com
(San Rafael, CA)

Hacker accessed names, addresses, phone numbers and credit card numbers of customers.

 274
Mar. 23,
2006		 Fidelity Investments
(Boston, MA)		 Stolen laptop containing names, addresses, birth dates, Social Security numbers and other information of 196,000 Hewlett Packard, Compaq and DEC retirement account customers was stolen. 196,000
Mar. 24,
2006		 CA State Employment Development Division
(Sacramento, CA)
Computer glitch sends state Employment Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft. 64,000
Mar. 24,
2006		 Vermont State Colleges (VT) Laptop stolen containing Social Security numbers and payroll data of students, faculty and staff associated with the five-college system from as long ago as 2000. 14,000
Mar. 30,
2006		 Marines
(Monterey, CA)		 Portable drive lost that contains personal information used for research on re-enlistment bonuses. 207,750

Mar. 30,
2006

 Georgia Technology Authority
(Atlanta, GA)		 Hacker exploited security flaw to gain access to confidential information including Social Security numbers and bank-account details of state pensioners. 573,000
Mar. 30,
2006		 Conn. Technical High School System
(Middletown, CT)		 Social Security numbers of students and faculty mistakenly distributed via email. 1,250
April 1, 2006 Con Edison
(New York)		 Con Edison shipped 2 cartridge tapes to JPMorgan Chase in upstate Binghamton so it could input data on behalf of the NY Dept. of Taxation and Finance. One tape was apparently lost containing employees' W-2 data, including names, addresses, SSNs, taxes paid and salaries. 15,000 Con Edison employees
April 6,
2006		 Progressive Casualty Insurance
(Mayfield Village, OH)		 Dishonest insider accessed confidential information, including names, Social Security numbers, birth dates and property addresses on foreclosure properties she was interested in buying. 13
April 7,
2006		 DiscountDomain
Registry.com
(Brooklyn, NY)		 Exposed online. Domain registrants' personal information including usernames, passwords and credit card numbers were accessible online. "thousands of domain name registrations"
April 9,
2006		 University of Medicine and Dentistry of New Jersey
(Newark, NJ)		 Hackers accessed Social Security numbers, loan information, and other confidential financial information of students and alumni. 1,850
April 12,
2006		 Ross-Simons
(Providence, RI)		 Security breach exposed account and personal information of those who applied for its private label credit card. Information exposed includes private label credit card numbers and other personal information of applicants. Unknown
April 14, 2006 NewTech Imaging
(Honolulu, HI)		 Records containing the names, Social Security numbers and birth dates of more than 40,000 members of Voluntary Employees Benefit Association of Hawaiiwere illegally reproduced at a copying business before they were to be put onto a compact disc for the State. Police later found the data on a computer that had been confiscated as part of a drug investigation. 40,000
April 14,
2006		 Univ. of South Carolina
(Columbia, SC)		 Social Security numbers of students were mistakenly e-mailed to classmates. 1,400
April 15, 2006 Scott County, IA The Social Security numbers of people who obtained mortgages in the early 1990s are visible in documents posted on the county's website. The county will redact the information at the individuals' request. Unknown
April 21, 2006 University of Alaska, Fairbanks
(Fairbanks, AK)		 A hacker accessed names, Social Security numbers, and partial e-mail addresses of current and former students, faculty, and staff. 38,941
April 21, 2006 Boeing
(Seattle, WA)		 A laptop was taken from a Boeing human resources employee at Sea-Tac airport. It contained SSNs and other personal information, including personnel information from the 2000 acquisition of Hughes Space and Communications 3,600 current and former employees
April 21,
2006		 Ohio University
Innovation Center
(Athens, OH)		 a server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised. Unknown
April 24,
2006		 University of Texas' McCombs School of Business
(Austin, TX)
Hackers accessed records containing names, biographical information and, in some cases, Social Security numbers and dates of birth of current and prospective students, alumni, faculty members, corporate recruiters and staff members. 197,000
April 24,
2006		 Ohio University
(Athens, OH)

Hackers accessed a computer system of the school's alumni relations department that included biographical information and 137,000 Social Security numbers of alum.

UPDATE (8/30/07) :
An Ohio judge has granted a motion to dismiss a case against Ohio University (OU) regarding security breaches of the school's computer systems that compromised alumni data. The two alumni who filed the lawsuit wanted OU to pay for credit monitoring services for everyone whose data were compromised. The judge said the pair had not proven that they had suffered damages for which they could be compensated.

 300,000
April 26,
2006		 Purdue University
(West Lafayette, IN)		 Hacker accessed personal information including Social Security numbers of current and former graduate students, applicants to graduate school, and a small number of applicants for undergraduate scholarships. 1,351
April 26,
2006		 Aetna -- health insurance records for employees of 2 members, including Omni Hotels and the Dept. of Defense NAF
(Hartford, CT)		 Laptop containing personal information including names, addresses and Social Security numbers of Dept. of Defense (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car. 38,000
April 27,
2006		 MasterCard
(Potentially UK only)		 Though MasterCard refused to say how the breach occurred, fraudsters stole the credit card details of holders in a major security breach. [2,000]
Not included in total below.
April 27,
2006		 Long Island Rail
Road
(Jamaica, NY)		 Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of "virtually everyone" who worked for the agency was lost by delivery contractor Iron Mountain while enroute. Data tapes belonging to the U.S. Department of Veteran's Affairs may also have been affected. 17,000
April 28,
2006		 Ohio's Secretary of State
(Cleveland, OH)
The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained SSNs, which were not supposed to have been included on the CDs.
UPDATE (9/15/06): A news report said that some SSNs still remain on the agency's Web site.		 "Potentially millions of registered voters"
April 28,
2006		 Dept. of Defense
(Washington, DC)		 Hacker accessed a Tricare
Management Activity (TMA) public server containing personal information about military employees.		 Unknown
May 2,
2006		 Georgia State Government
(Atlanta, GA)		 Government surplus computers that sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens. Unknown
May 4,
2006		 Idaho Power Co.
(Boise, ID)		 Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO. Unknown
May 4,
2006		 Ohio University
Hudson Health Center
(Athens, OH)		 Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students. 60,000
May 2006 Ohio University
(Athens, OH)		 A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar years 2004 and 2005. 2,480
May 2006 Ohio University
(Athens, OH)		 A breach of a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration. Unknown
May 5,
2006		 U.S. Dept. of Veteran's Affairs
(Washington, D.C.)		 A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S. veterans and included veterans' Social Security numbers, dates of birth and legal documents.
UPDATE (10/11/06):
The VA's Office of the General Counsel is offering identity theft protection services to those affected by the missing tape.
16,500
May 5,
2006		 Wells Fargo
(San Francisco, CA)		 Computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another. Unknown
May 12,
2006		 Mercantile Potomac Bank
(Gaithersburg, MD)		 Laptop containing confidential information about customers, including Social Security numbers and account numbers was stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates. 48,000
May 19,
2006		 American Institute of Certified Public Accountants (AICPA)
(New York, NY)		 An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company.
330,000
[Updated 6/16/06]
May 19,
2006		 Unknown retail merchant Visa, MasterCard, and other debit and credit card numbers from banks across the country were stolen when a national retailer's database was breached. No names, Social Security numbers or other personal identification were taken. Unknown
May 22,
2006		 U.S. Dept. of Veteran's Affairs
(Washington, DC)
(800) 827-1000
To download the claim form and to get more information, go to www.veteransclass.com. Read the FAQ and note the particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625.		 On May 3, data of all American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 milliion veterans. The data did not contain medical or financial information, but may have disability numerical rankings.
UPDATE: An additional 2.1 million active and reserve service members were added to the total number of affected individuals June 1st.
UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered.
UPDATE (7/14/06): FBI claims no data had been taken from stolen computer.
UPDATE (8/5/06): Two teens were arrested in the theft of the laptop.
UPDATE (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for "patterns of misuse."
UPDATE (11/23/07): A federal judge questioned the Veterans Affairs Department's computer security and ruled Friday that lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. The lawsuits have been filed as potential class-action cases representing every veteran whose data was released.
UPDATE (1/23/09): The Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit.
UPDATE (6/16/09): No less than $75 will be paid for any valid claim, up to a cap of $1,500. If your expenses were higher than that, you might want to opt out of the class-action portion so you can file for your actual damages. In that case, you need to file a letter so it is received by June 29, 2009. You have until Nov. 27, 2009, to mail your claim form to VA Settlement Claims, P.O. Box 6727, Portland, OR 97228-9767. Be sure to keep a copy of the claim form, along with your proof of mailing. To download the claim form and to get more information, go to www.veteransclass.com. Read the FAQ and note the particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625.		 28,600,000
May 23,
2006		 Univ. of Delaware
(Newark, DE)		 Security breach of a Department of Public Safety computer server potentialy exposes names, Social Security numbers and driver's license numbers. 1,076
May 23,
2006		 M&T Bank
(Buffalo, NY)		 Laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio Architect accounts was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name. Unknown
May 23, 2006 Butler Co. Dept. of Mental Retardation & Developmental Disabilities
(Cincinatti, OH)		 Three laptop computers were stolen "last month" from the agency's office. They contained personal information on mental health clients, including SSNs. 100 clients
May 23, 2006 Mortgage Lenders Network USA
(Middletown, CT)		 A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information - including customers' names, addressess, Social Security numbers, loan numbers, and loan types - if the company didn't pay him. He stole the files over the 16 months he worked there. 231,000
May 24,
2006		 Sacred Heart Univ.
(Fairfield, CT)		 It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached. Unknown
May 24,
2006		 American Red Cross, St. Louis Chapter
(St. Louis,		 Dishonest employee had access to Social Security numbers of donors to call urging them to give blood again. The employee misused the persoal information of at least 3 people to perpetrate identity theft and had access to the personal information of 1 million donors. 1,000,000
May 25, 2006 Vystar Credit Union
(Jacksonville, FL)		 Hacker gained access to member accounts "a few weeks ago" and stole personal information including names, addresses, birth dates, mother's maiden names, SSNs and/or email addresses. Approx. 34,400
("less than 10% of its 344,000 members")
May 30,
2006		 Texas Guaranteed Student Loan Corp.
(Round Rock, TX)
via subcontractor, Hummingbird
(Toronto, Canada)		 Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.
UPDATE (6/16/06): TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million.		 1,300,000
plus 400,000
for total of 1,700,000
May 30,
2006		 Florida Int'l Univ.
(Miami, FL)		 Hacker accessed a database that contained personal information, such as student and applicant names and Social Security numbers. "thousands"
May 31, 2006 Humana
(Louisville, KY)		 On May 5, 2006, Medicare drug benefit applications were stolen from an insurance agent's unlocked car in Brooklyn Park, MN. Information included applicants' name, address, date of birth, Social Security number, and bank routing information. 268 Minnesota and North Dakota applicants
June 1,
2006		 Miami University
(Oxford, OH)		 An employee lost a hand-held personal computer containing personal information of students who were enrolled between July 2001 and May 2006. 851
June 1,
2006		 Ernst & Young
(UK)		 A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an employee's car in Texas. 243,000
June 1,
2006		 Univ. of Kentucky
(Lexington, KY)		 Personal information of current and former University of Kentucky employees including Social Security numbers was inadvertently accessible online for 19 days last month. 1,300
June 2,
2006		 Buckeye Community Health Plan
(Columbus, OH)		 Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider. 72,000
June 2,
2006		 Ahold USA
(Landover, MD)
Parent company of Stop & Shop, Giant stores and Tops stores via subcontractor Electronic Data Systems
(Plano, TX)
An EDS employee lost a laptop computer during a commercial flight that contained pension data of former employees of Ahold's supermarket chains including Social Security numbers, birth dates and benefit amounts. Unknown
June 2,
2006		 YMCA
(Providence, RI)		 Laptop computer containing personal information of members was stolen. The information included credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies. 65,000
June 2,
2006
Humana
(Louisville, KY)		 Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file. 17,000 current and former Medicare enrollees
June 5,
2006		 Internal Revenue Service
(Washington, DC)		 A laptop computer containing personal information of employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth, was lost during transit on an airline flight 291
June 6,
2006		 Univ. of Texas
(El Paso, TX)		 Students demonstrated that student body and faculty elections could be rigged by hacking into student information including Social Security numbers. 4,719
June 8,
2006		 Univ. of Michigan Credit Union
(Ann Arbor, MI)
Paper documents containing personal information of credit union members were stolen from a storage rooms. The documents were supposed to have been digitally imaged and then shredded. Instead, they were stolen and used to perpetrate identity theft. 5,000
June 11,
2006		 Denver Election Commission
(Denver, CO)		 Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information. 150,000
June 12,
2006		 U.S. Dept. of Energy
(Washington, D.C.)		 Names, Social Security numbers, security clearance levels and place of employment for mostly contract employees who worked for National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer system at a service center in Albuquerque, N.M. eight months ago.
1,502
June 13,
2006		 Minn. State Auditor
(St. Paul, MN)		 Three laptops possibly containing Social Security numbers of employees and recipients of housing and welfare benefits along with other personal information of local governments the auditor oversees have gone missing. 493
June 13,
2006		 Oregon Dept. of Revenue
(Salem, OR)		 Electronic files containing personal data of Oregon taxpayers may have been compromised by an ex-employee's downloaded a contaminated file from a porn site. The "trojan" attached to the file may have sent taxpayer information back to the source when the computer was turned on. 2,200
June 13,
2006		 U.S. Dept of Energy, Hanford Nucear Reservation
(Richland, WA)		 Current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation. 4,000
June 14,
2006		 American Insurance Group (AIG), Indiana Office of Medical Excess, LLC
(New York, NY)		 The computer server was stolen on March 31 containing personal information including names, Social Security numbers, birth dates, and some medical and disability information. 930,000
June 14,
2006		 Western Illinios Univ.
(Macomb, IL)		 On June 5th, a hacker compromised a University server that contained names, addresses, credit card numbers and Social Security numbers of people connected to the University.
UPDATE (7/5/06): Number affected reduced from 240,000.		 180,000
June 16,
2006		 Union Pacific
(Omaha, NE)		 On April 29th, an employee's laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers.
30,000
June 16,
2006		 NY State Controller's Office
(Albany, NY)		 State controller data cartridge containing payroll data of employees who work for a variety of state agencies was lost during shipment. The data contained names, salaries, Social Security numbers and home addresses. 1,300
June 16,
2006		 ING
(Miami, FL)

Two ING laptops that carried sensitive data affecting of Jackson Health System hospital workers were stolen in December 2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life insurance enrollment drive in December and included names, birth dates and Social Security numbers.

 8,500
June 16,
2006		 Univ. of Kentucky
(Lexington, KY)		 The personal data of current and former students including classroom rosters names, grades and Social Security numbers was reported stolen on May 26 following the theft of a professor's flash drive. 6,500
June 17,
2006		 ING
(Washington, D.C.)		 Laptop stolen from employee's home containing retirement plan information including Social Security numbers of D.C. city employees. 13,000
June 17,
2006		 Automatic Data Processing (ADP)
(Roseland, NJ)		 Personal and payroll information of workers were intended to be faxed between ADP offices and were mistakenly sent to a third party. 80
June 17,
2006		 CA Dept. of Health Services (CDHS)
(Sacramento, CA)

CDHS documents were inappropriately emptied from an employee's cubicle on June 5 and 9 rather than shredded.
The documents contained state employees and other individuals applying for employment with the state including names, addresses, Social Security numbers and home and work telephone numbers. They were mostly expired state employment certification lists, but also included requests for personnel action, copies of e-mail messages and handwritten notes.

 1,550
June 20,
2006		 Equifax
(Atlanta, GA)		 On May 29, a company laptop containing employee names and partial and full Social Security numbers was stolen from an employee. 2,500
June 20,
2006		 Univ. of Alabama
(Birmingham, AL)		 In February a computer was stolen from a locked office of the kidney transplant program at the University of Alabama at Birmingham that contained confidential information of donors, organ recipients and potential recipients including names, Social Security numbers and medical information.
 9,800
June 21,
2006		 U.S. Dept. of Agriculture (USDA)
(Washington, D.C.)		 During the first week in June, a hacker broke into the Department's computer system and may have obtained names, Social Security numbers and photos of current and former employees and contractors. 26,000
June 21, 2006 Cape Fear Valley Health System
(Fayetteville, NC)		 Portable computer containing personal information of more than 24,000 people was stolen from ambulance of Cumberland Co. Emergency Medical Services on June 8th. It contained information on people treated by the EMS, including names, addresses, and birthdates, plus SSNs of 84% of those listed. 24,350
June 21, 2006
(Date of letter sent to doctors. Date of news story is July 28, 2006)		 Lancaster General Hospital
(Lancaster, PA)		 A desktop computer with personal information of hundreds of doctors was stolen from a locked office June 10. The unencrypted data included names, practice addresses, and SSNS of physicians on medical and dental staff. "Hundreds of local physicians" (not included in total below)
June 22,
2006		 Federal Trade Commission (FTC)
(Washington, D.C.)		 Two laptop computers containing personal and financial data were stolen from an employee's vehicle. The data included names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers gathered in law enforcement investigations. 110
June 23,
2006		 San Francisco State Univ.
(San Francisco, CA)		 a faculty member's laptop was stolen from a car on June 1 that contained personal information of former and current students including Social Security numbers, and names and ins some instance, phone numbers and grade point averages. 3,000
June 23,
2006		 U.S. Navy
(Washington, D.C.)		 Navy personnel were notified on June 22 that a civilian web site contained files with personal information of Navy members and dependents including names, birth dates and Social Security numbers. 30,000
June 23,
2006		 CA Dept. of Health Services (CDHS)
(Sacramento, CA)

On June 12, a box of Medi-Cal forms from December 2005 were found in the cubicle of a CDHS employee. The claim forms contained the names, addresses, Social Security numbers and prescriptions for beneficiaries or their family members.

 323
June 23,
2006		 Catawba County Schools
(Newton, NC)

On June 22, it was discovered that a web site posted names, Social Security numbers, and test scores of students who had taken a keyboarding and computer applications placement test during the 2001-02 school year.
UPDATE: The web site containing the data has been removed.

 619
June 23,
2006		 King County Records, Elections, and Licensing Services Division
(Seattle, WA)		 Social Security numbers for potentially thousands of current and former county residents may be exposed on the agency's web site. Residents can request that the image of any document that contains a Social Security number, Mother's Maiden Name or Drivers License be removed. Officials state that they are unable to alter original public documents and cannot choose to not record documents presented for recording. 
Unknown
June 27,
2006		 Gov't Accountability Office (GAO)
(Washington, D.C.)
Data from audit reports on Defense Department travel vouchers from the 1970s were inadvertently posted online and included some service members' names, Social Security numbers and addresses. The agency has subsequently removed the information. "Fewer than 1,000"
[1,000 used in total]
June 28,
2006		 AAAAA Rent-A-Space
(Colma, CA)		 Customer's account information including name, address, credit card, and Social Security number was easily accessible due to a security gap in its online payment system. 13,000
June 29,
2006		 AllState Insurance
Huntsville branch
(Huntsville, AL)		 Over Memorial Day weekend, a computer containing personal data including images of insurance policies, correspondence and Social Security numbers was stolen. 2,700
June 29,
2006		 Nebraska Treasurer's Office
(Lincoln, NE)		 A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information such as tax identification numbers for 9,000 businesses. 309,000
June 29, 2006 Minnesota Dept. of Revenue
(St. Paul, MN)		 On May 16, a package containing a data tape used to back up the regional office's computers went missing during delivery. The tape contained personal information including individuals' names, addresses, and Social Security numbers.
UPDATE (7/20/06): The package was reported delivered 2 months later, but apparently had been temporarily lost by the U.S. Postal Service.		 50,400
June 30, 2006

Nat'l Institutes of Health Federal Credit Union
(Rockville, MD)

 NIHFCU is investigating with law enforcement the identity theft of some of its 41,000 members. No details given on type of information stolen, or how it was stolen. "Very few" of 41,000 members affected
[not included in total]
July 1, 2006 American Red Cross, Farmers Branch
(Dallas, TX)		 Sometime in May, 3 laptops were stolen, one of them containing encrypted personal information including names, SSNs, dates of birth, and medical information of all regional donors. They also report losing a laptop with encrypted donor information in June 2005. Unknown
July 5, 2006 Bisys Group Inc.
(Roseland, NJ)

Personal details about 61,000 hedge fund investors were lost when an employee's truck carrying backup tapes was stolen. The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8 when the theft occurred.

 61,000
July 6, 2006 Automated Data Processing (ADP)
(Roseland, NJ)		 Payroll service company ADP gave scam-artist names, addresses, and number of shares held of investors, although apparently not SSNs or account numbers. The leak occurred from Nov. '05 to Feb. '06 and involved individual investors with 60 companies including Fidelity, UBS, Morgan Stanley , Bear Stearns, Citigroup, Merrill Lynch. "Hundreds of thousands"
[not included in total]
July 7, 2006 University of Tennessee
(866) 748-1680
Hacker broke into UT computer containing names, addresses and SSNs of about 36,000 past and current employees. Intruder apparently used computer from Aug. '05 to May '06 to store and transmit movies. 36,000
July 7, 2006 Nat'l Association of Securities Dealers (NASD)
(Boca Raton, FL)
Ten laptops were stolen on Feb. 25 '06 from NASD investigators. They included SSNs of securities dealers who were the subject of investigations involving possible misconduct. Inactive account numbers of about 1,000 consumers were also contained on laptops. 73
July 7, 2006 Naval Safety Center SSNs and other personal information of naval and Marine Corps aviators and air crew, both active and reserve, were exposed on Center web site and on 1,100 computer discs mailed to naval commands. "more than 100,000"
July 7, 2006 Montana Public Health and Human Services Dept.
(Helena, MT)
 A state government computer was stolen from the office of a drug dependency program. during a 4th of July break-in. It was not known if sensitive information such as SSNs was compromised. Unknown
July 7, 2006 City of Hattiesburg
(Hattiesburg, MS)		 Video surveillance cameras caught 2 intruders stealing hard drives from 18 computers June 23. Data files contained names, addresses, and SSNs of current and former city employees and registered voters as well as bank account information for employees paid through direct deposit and water system customers who paid bills electronically. "thousands of city workers and contractors"
July 13, 2006 Moraine Park Technical College
(Beaver Dam, Fond du Lac, & West Bend, WI)		 Computer disk (CD) with personal information of 1,500 students was reported missing. Information includes names, addresses, phone numbers & SSNs of apprenticeship students back to 1993. 1,500
July 14, 2006 Northwestern Univ.
(Evanston, IL)
(888-209-0097)		 Files containing names and some personal information including SSNs were on 9 desktop computers that had been accessed by unauthorized persons outside the University. The computers were in the Office of Admissions and Financial Aid Office. "As many as 17,000 individuals' records" exposed
July 14, 2006 University of Iowa
(Davenport, IA)		 Laptop computer containing personal information of current and former MBA students was stolen. Data files included SSNs and some contact info. 280
July 14, 2006
(Date of letter sent to students. Date of news story is 8/1/06)

California Polytechnic State University (Cal Poly)
(San Luis Obispo, CA)
(Call (805) 756-2226 or (805) 756-2171)

 Laptop computer was stolen from the home of a physics department professor July 3. It included names and SSNs of physics and astronomy students from 1994-2004. 3,020 students
July 14, 2006 Treasurer's computer in Circuit Court Clerk's office
(Hampton, VA)		 Public computer in city government building containing taxpayer information was found to display SSNs of many residents -- those who paid personal property and real estate taxes. It was shut down and confiscated by the police on July 12th.
UPDATE: (7/27/2006) Investigation concluded that the data was exposed due to software problem.		 "Over 100,000 records"
(The number containing SSNs is not known yet and not included in total below.)
July 16, 2006 Mississippi Secretary of State
(Jackson, MS)

The state agency's web site listed 2 million+ Uniform Commercial Code (UCC) filings in which thousands of individuals' SSNs were exposed.

 Among the 2 million postings are "thousands" containings SSNs
(not included in total)
July 17, 2006 Vassar Brothers Medical Center
(Poughkeepsie, NY)
(845) 483-6990		 Laptop was stolen from the emergency department between June 23-26. It contained information on patients dating back to 2000, including SSNs and dates of birth.
UPDATE (10/5/06) Private investigators determined the laptop did not contain personally identifiable patient information.
[257,800 patients were initially notified, but an analysis by Kroll later determined that the laptop contained no personal information. This number is not included in the total below.]
July 18, 2006 Nelnet Inc.
(Lincoln, NE)
(800) 552-7925		 Computer tape containing personal information of student loan customers and parents, mostly from Colorado, was lost when shipped via UPS. The loans were previously serviced by College Access Network 188,000
July 18, 2006 CS Stars, subsidiary of insurance company Marsh Inc.
(Chicago, IL)		 On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers' comp fund. The lost data includes SSNs and date of birth but apparently no medical information.
UPDATE (7/26/06): Computer was recovered.
UPDATE (04/26/07): The New York Attorney General's office found that CS Stars violated the state's security breach law. CS Stars must pay the Attorney General's office $60,000 for investigation costs. It was determined that the computer had been stolen by an employee of a cleaning contractor, the missing computer was located and recovered, and that the data on the missing computer had not been improperly accessed.		 540,000
July 18, 2006 U.S. Dept. of Agriculture
(Wellington, KS)		 Laptop computer and printout containing names, addresses and SSNs of 350 employees was stolen from an employee's car and later recovered. 350
July 24, 2006 New York City Dept. of Homeless Services The personal information of 8,400 homeless persons, including SSNs, was leaked in an e-mail attachment July 21, when accidentally sent to homeless advocates and city officials. 8,400
July 25, 2006 Armstrong World Industries
(Lancaster Co., PA)		 A laptop containing personal information of current and former employers was stolen. The computer was in the possession of the company's auditor, Deloitte & Touche. Data included names, home addresses, phone numbers, SSNs, employee ID numbers, salary data, and bank account numbers of employees who have their checks directly deposited. 12,000
July 25, 2006 Belhaven College
(Jackson, MS)		 An employee carrying laptop was robbed at gunpoint on July 19 while walking to his car. Computer contained names and SSNs of college employees. 300 employees
July 25, 2006 Georgetown University Hospital
(Washington, DC)		 Patient data was exposed online via the computers of an e-prescription provider, InstantDx. Data included names, addresses, SSNs, and dates of birth, but not medical or prescription data. GUH suspended the trial program with InstantDX. "between 5,600 and 23,000 patients were affected"
(23,000 added to total below)
July 25, 2006 Old Mutual Capital Inc., subsidiary of United Kingdom-based financial services firm Old Mutual PLC Laptop was stolen sometime in May containing personal information of U.S. clients, including names, addresses, account numbers and some SSNs. 6,500 fund shareholders
July 25, 2006 Cablevision Systems Corp.
(lost when shipped to Dallas-based ACS)		 A tape en route to the company's 401(k) plan record-keeper ACS was lost when shipped by FedEx to Dallas, TX. No customer data was on the tape. 13,700 current and former employees
July 26, 2006 U.S. Navy recruitment offices
(Trenton, NJ, and Jersey City, NJ)		 Two laptop computers with information on Navy recruiters and applicants were stolen in June and July. Also included was information from selective service and school lists. About 4,000 records contained SSNs. Files were password protected. 31,000 records were stolen, with about 4,000 containing SSNs. The latter number is included in the total below.
July 26, 2006 West Virginia Div. of Rehabilitation Services
(Beckley, WV)		 A laptop was stolen July 24 containing clients' names, addresses, SSNs, and phone numbers. Data was password protected. Unknown
July 27, 2006

Kaiser Permanente Northern Calif. Office
(Oakland, CA)
(866) 453-3934

 A laptop was stolen containing names, phone numbers, and the Kaiser number for each HMO member. The data file did not include SSNs. The data was being used to market Hearing Aid Services to Health Plan members. 160,000 records. Because the data file did not include SSNs, this number is not added to the total below.
July 27, 2006

Los Angeles County
(Los Angeles, CA)

 In May, a laptop was stolen from the home of a community and senior services employee. It contained information on LA County employees. Unknown
July 27, 2006

Los Angeles Co., Community Development Commission (CDC)
(Monterey Park, CA)

 Earlier in July, a computer hacker located in Germany gained access to the CDC's computer system, containing personal information on 4,800 public housing residents. 4,800 records. Because it is not clear if SSNs were included, this number is not added to the total below.
July 27, 2006 Los Angeles County, Adult Protective Services
(Burbank, CA)		 Last weekend 11 laptops were stolen from the Burbank office. It is not clear what type of personal information was included. Unknown
July 28, 2006 Matrix Bancorp Inc.
(Denver, CO)
(877-250-7742)
Two laptop computers were stolen during daytime while staffers were away from their desks. One computer contained customers' account information. The bank says data is encrypted and password protected. Unknown
July 28, 2006 Riverside, Calif., city employees The SSNs and financial information regarding 401(k) accounts was accidentally e-mailed to 2,300 city employees due to a computer operator's error. The data was intended for the city payroll dept. "nearly 2,000 employees"
July 29, 2006 Sentry Insurance
(Stevens Point, WI)		 Personal information including SSNs on worker's compensation claimants was stolen, some of which was later sold on the Internet. No medical records were included. The thief was a lead programmer-consultant who had access to claimants' data. The consultant was arrested and faces felony charges. Information on 72 claimants was sold on the Internet. Data on an additional 112,198 claimants was also stolen with no evidence of being sold online.
Total affected is 112,270
Aug. ?, 2006 CoreLogic for ComUnity Lending
(Sacramento, CA)
(877) 510-3700
identityprotection@
corelogic.com		 In early August, CoreLogic notified customers of ComUnity Lending that a computer with customers' data was stolen from its office. Data included names, SSNS, and property addresses related to an existing or anticipated mortgage loan. Unknown
Aug. 1, 2006 U.S. Bank
(Covington, KT)		 A bank employee's briefcase was stolen from the employee's car with documents containing names, phone numbers, and SSNs of customers. "very small" number
Aug. 1, 2006 Wichita State University
(Wichita, KS)		 WSU learned on June 29 that someone gained unauthorized access into 3 computers in its College of Fine Arts box office, containing credit card information for about 2,000 patrons. 2,000
Aug. 1, 2006 Wichita State University
(Wichita, KS)		 An intrusion into a WSU psychology department's server was discovered July 16. It contained information on about 40 applicants to the doctoral program. 40
(not included in total below because it is not known if SSNs were included in breached data)
Aug. 1, 2006 Dollar Tree
(Carmichael and Modesto, CA, as well as Ashland, OR, and perhaps other locations)		 Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Data may have been intercepted by a thief's use of a wireless laptop computer with the thief then creating counterfeit ATM cards and using them to withdraw money.
UPDATE (10/5/06):
Parkev Krmoian was indicted by a federal grand jury for allegedly using phony ATM cards made from gift cards. The case is tied to the Dollar Tree customer bank account thefts.
Total number unknown
Aug. 1, 2006

Ron Tonkin Nissan
(Portland, OR)
Questions? Call:
(503) 251-3349

Several months ago the car dealership experienced a security breach affecting the personal information of those who bought cars or applied for credit between 2001 and March 2006.

 Up to 16,000 affected
Aug. 4, 2006 Toyota plant
(San Antonio, TX)		 Laptop belonging to contractor and containing personal information of job applicants and employees was stolen. Data included names and SSNs. 1,500
Aug. 4, 2006 PSA HealthCare
(Norcross, GA)
(866) 752-5259		 A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims. 51,000 current and former patients
Aug. 6, 2006

American Online (AOL)
(nationwide)

 In late July AOL posted on a public web site data on 20 million web queries from 650,000 users. Some search records exposed SSNs, credit card numbers, or other pieces of sensitive information.
UPDATE (9/26/06):
Three individuals whose data were exposed have filed a lawsuit against AOL.		 Unknown how many records contain high-risk personal information
Aug. 7, 2006 U.S. Dept. of Veteran's Affairs through its contractor Unisys Corp.
(Reston, VA)		 Computer at contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations.
UPDATE (9/15/06): Law enforcement recovered the computer and arrested an individual who had worked for a company that provides temporary labor to Unisys.		 5,000 Philadelphia patients,
11,000 Pittsburgh patients,
2,000 deceased patients,
plus possibly 20,000 more
(18,000 is included in total below)
Aug. 8, 2006 Virginia Bureau of Insurance
(804) 726-2630		 The Bureau has advised insurance agents in the state that their SSN may have been exposed on its web site from June 13 through July 31, 2006, due to a programming error. The SSNs were not shown on any web page, but could have been found by savvy computer users using the source code tool of a web browser. Unknown
Aug. 8, 2006 Linens 'n Things
(Sterling, VA)		 A folder holding about 90 receipts was missing from the store. Receipts included full credit or debit account number and name of the card holder. 90
Aug. 9, 2006 U.S. Dept. of Transportation
(800) 424-9071
hotline@
oig.dot.gov		 The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27 from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial drivers licenses in Miami-Dade County; 42,800 persons in FL with FAA pilot certificates; and 9,000 persons with FL driver's licenses.
UPDATE (11/21/06): A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot.		 132,470
Aug. 11, 2006 Madrona Medical Group
(Bellingham, WA)		 On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested. At least 6,000 patients
Aug. 15, 2006 University of Kentucky

The names and SSNs of 630 students were posted on the University's financial aid web site between Friday and Monday, Aug. 11-14.

 630
Aug. 15, 2006 University of Kentucky About 80 geography students were notified Aug. 14 that their SSNs were inadvertently listed on an e-mail communication they all received telling them who their academic advisor would be for the coming year. 80
Aug. 15, 2006 U.S. Dept. of Transportation
(Orlando, FL)		 On April 24, a DOT employee's laptop computer was stolen from an Orlando hotel conference room. It contained several unencrypted case files. Investigators are determining if it contained sensitive personal information. Unknown
Aug. 16, 2006 Chevron
(San Ramon, CA)		 Chevron informed its U.S. workers Aug. 14 that a laptop was stolen from "an employee of an independent public accounting firm" who was auditing its benefits plans. The theft apparently occurred Aug. 5. Files contained SSNs and sensitive information related to health and disability plans. Total employees affected is unclear. Nearly half of its 59,000 workers are from North America.
Aug. 17, 2006 Williams-Sonoma
(San Francisco, CA)		 On July 10, a laptop was stolen from the Los Angeles home of a Deloitte & Touche employee who was conducting an audit for W-S. Computer contained employees' payroll information and SSNs. 1,200 current and former employees
Aug. 17, 2006

HCA, Inc.
Hospital Corp. of America
(Nashville, TN)
(800) 354-1036
hcahealthcare.com

 10 computers containing Medicare and Medicaid billing information and records of employees and physicians from 1996-2006 were stolen from one of the company's regional offices. Some patient names and SSNs were exposed, but details are vague. Records for patients in hospitals in the following states were affected: CO, KS, LA, MS, OK, OR, TS, WA. "thousands of files"
Aug. 18, 2006 Calif. Dept. of Mental Health
(916) 654-2309		 Computer tape with employees' names, addresses, and SSNs has been reported missing. Employees were notified Aug. 17 by e-mail. 9,468 employees
Aug. 21, 2006 U.S. Dept. of Education via contractor, DTI Associates
(Washington, DC)		 Two laptops were stolen from DTI's office in downtown DC containing personal information on 43 grant reviewers for the Teacher Incentive Fund. DTI could not rule out that the data included SSNs. 43
Aug. 22, 2006 AFLAC
American Family Life Assurance Co.
(Greenville, SC)
(888) 794-2352		 A laptop containing customers' personal information was stolen from an agent's car. It contained names, addresses, SSNs, and birth dates of 612 policyholders. They were notified Aug. 11. 612 policyholders
Aug. 22, 2006 Beaverton School District
(Beaverton, OR)		 Time slips revealing personal information were missing and presumed stolen following a July 24 break-in at a storage shed on the administration office's property. The time slips included names and SSNs but not addresses. 1,600 employees
Aug. 22, 2006 Beaumont Hospital
(Troy, MI)		 A vehicle of a home health care nurse was stolen from outside a senior center Aug. 5. Although it was recovered nearby, a laptop left in the rear of the car was not recovered. It contained names, addresses, SSNs, and insurance information of home health care patients.
UPDATE (8/23/06). The laptop was returned Aug. 23 by a woman who said she found it in her yard.		 28,400 home care patients
Aug. 23, 2006 U.S. Dept. of Education, Direct Loan Servicing Online
(Atlanta, GA)
www.dlssonline.com
and
dlservicer.ed.gov		 A faulty Web site software upgrade resulted in personal information of 21,000 student loan holders being exposed on the Department's loan Web site. Information included names, birthdates, SSNs, addresses, phone numbers, and in some cases, account information. Affiliated Computer Services Inc. is the contractor responsible for the breach. The breach did not include those whose loans are managed through private companies. 21,000
Aug. 25, 2006 Dominion Resources
(Richmond, VA)		 Two laptops containing employee information were stolen earlier in August. It was not clear what type of data were included. No customer records were on the computers. Dominion operates a gas and electric energy distribution company. Unknown
Aug. 25, 2006 U.S. Dept. of Transportation, Federal Motor Carrier Safety Administration
(Baltimore, MD)
(800) 832-5660		 A laptop that "might contain" personal information of people with commercial driver's licenses was stolen Aug. 22. FMCSA said the data might include names, dates of birth, and commercial driver's license numbers of 193 individuals from 40 trucking companies. 193
(not added to total)
Aug. 25, 2006 Sovereign Bank
(New Bedford, MA)		 Personal data may have been compromised when 3 managers' laptops were stolen from 2 separate locations in early August. Customers were notified Aug. 21. Sovereign serves New England and the Mid-Atlantic. The bank said the data included unspecified customer information, but not account data. "thousands of customers"
Aug. 26, 2006 PortTix
(Portland, ME)		 Credit card information for about 2,000 people who ordered tickets online through PortTix was accessed by someone who hacked into the Web site. PortTix is Merrill Auditorium's ticketing agency. The Web site was secured as of Aug. 24. 2,000
Aug. 26, 2006 University of South Carolina
(Columbia, SC)		 A security audit this summer found that a computer server was hacked in Sept. 2005. A database could have been accessed with names, SSNs, and birthdates of current and former students. 6,000 current and former students
Aug. 27, 2006 New Mexico Administrative Office of the Courts
(Santa Fe, NM)		 For 8 days in late May, an unsecured document was exposed on the agency's FTP site on the state's computer server. It contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees. The FTP site was shut down June 2 and has since be redesigned. 1,500 employees
Aug. 29, 2006
 Valley Baptist Medical Center
(Harlingen, TX)
(877) 840-5999		 A programming error on the hospital's web site exposed names, birth dates, and SSNs of healthcare workers in late August. The error was fixed but it is not known how long the personal information was compromised. The affected individuals are workers from outside the hospital who provide services and bill the hospital via an online form. Unknown
Aug. 29, 2006 AT&T
via vendor that operates an order processing computer
(San Francisco, CA)

Computer hackers accessed credit card account data and other personal information of customers who purchased DSL equipment from AT&T's online store. The company is notifying "fewer than 19,000" customers."
UPDATE (9/1/06).
The breach was followed by a bogus phishing e-mail to those customers that attempted to trick them into revealing more info such as SSN and birthdate -- essential for crime of identity theft.

 "Fewer than 19,000" customers
Aug. 29, 2006 Compass Health
(Everett, WA)
(800) 508-0059		 Compass Health notified some of its clients that a laptop containing personal information, including SSNs, was stolen June 28. The agency serves people who suffer from mental illness. "A limited number of people"
Aug. 31, 2006 Labcorp
(Monroe, NJ)
(800) 788-9091 x3925		 During a break-in June 4 or 5, a computer was stolen that contained names and SSNs, but according to the company did not have birth dates or lab test results. Unknown
Aug. 31, 2006 Diebold, Inc.
(Canton, OH)		 An employee's laptop was stolen containing employee information, including name, SSN, and if applicable, corporate credit card number. Unknown
Sept. 1, 2006 Wells Fargo via unnamed auditor
(San Francisco, CA)
In a letter dated Aug. 28, the company notified its employees that a laptop and data disk were stolen from the locked trunk of an unnamed auditor, hired to audit the employees' health plan. Data included names, SSNs, and information about drug claim cost and dates from 2005, but no prescription information said the company. Unknown
Sept. 1, 2006 Virginia Commonwealth University
(Richmond, VA)
www.ts.vcu.edu		 Personal information of freshmen and graduate engineering students from 1998 through 2005 was exposed on the Internet for 8 months (Jan. - Aug.) due to human error. It was discovered by a student who used a search engine to find her name. The data included SSNs and e-mail addresses. 2,100 current and former students
Sept. 1, 2006 City of Chicago via contractor Nationwide Retirement Solutions, Inc.
(Chicago, IL)
(800) 638-1485
www.chicagofop.org		 A laptop was stolen from the home of contractor's employee last April 2005. It was reported to the city July 2006 more than a year later. Data included names, addresses, phone numbers, birthdates and SSNs for those in the city's deferred compensation plan. "Up to 38,443 city employees and retirees"
Sept. 2, 2006 Lloyd's of London
(Port St. Lucie, FL)		 A thief reprogrammed more than 150 Lloyd's of London credit card numbers onto phone cards and used them to withdraw money from an ATM in Port St. Lucie, FL (stealing more than $20,000 over 3 days). Key personal and financial information had been skimmed from the magnetic strip on the victims' cards. Unknown
Sept. 5, 2006 Transportation Security Administration (TSA) via Accenture
(Washington, DC)		 In late August 2006, Accenture, a contractor for TSA mailed documents containing former employees' SSN,, date of birth, and salary information to the wrong addresses due to an administrative error. 1,195 former TSA employees
Sept. 7, 2006 Florida National Guard
(Bradenton, FL)		 A laptop computer was stolen from a soldier's vehicle contained training and administrative records, including Social Security numbers of up to 100 Florida National Guard soldiers. 100
Sept. 7, 2006 Circuit City and Chase Card Services, a division of JP Morgan Chase & Co.
(Wilmington, DE)		 Chase Card Services mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders' personal information. 2.6 million past and current Circuit City credit cardholders
Sept. 8, 2006 Linden Lab
(San Francisco, CA)
www.secondlife.com
On Sept. 6, Linden Lab discovered that a hacker accessed its Second Life database through web servers. The affected data included unencrypted account names, real life names, and contact information, plus encrypted account passwords and payment information. Second Life is a 3-D virtual world. Unknown
Sept. 8, 2006 University of Minnesota
(Minneapolis, MN)		 On August 14-15 eve, two computers were stolen from the desk of an Institute of Technology employee, containing information on students who were freshmen from 1992-2006 -- including names, birthdates, addresses, phone numbers, high schools attended, student ID numbers, grades, test scores, and, academic probation. SSNs of 603 students were also exposed. 13,084 students including SSNs of 603 students
Sept. 8, 2006 Berks Co. Sheriff's Office via contractor Canon Technology Solutions
(Reading, PA)		 A confidential list of some of the County's 25,000 gun permit holders was exposed on the Web by the contractor that is developing a Web-based computer records program for the Sheriff's Office. Personal information included names, addresses and SSNs.
UPDATE (10/6/06): The Berks County solicitor's office says the entire list of more than 25,000 gun permit holders was exposed.
25,000 gun permit holders exposed, although initially the number was unknown
Sept. 9, 2006 Cleveland Clinic
(Naples, FL)
(866) 907-0675		 A clinic employee stole personal information from electronic files and sold it to her cousin, owner of Advanced Medical Claims, who used it to file fraudulent Medicare claims totaling more than $2.8 million. Information included names, SSNs, birthdates, addresses and other details. Both individuals were indicted. 1,100 patients
Sept. 11, 2006 Telesource
via Vekstar
(Indianapolis, IN)		 Employees discovered their personnel files in a Dumpster after the company had been bought out by another company Vekstar. The files were discarded when the office was being cleaned out and shut down. Files contained SSNs, dates of birth and photocopies of SSN cards and driver's licenses. Unknown
Sept. 13, 2006 American Family Insurance
(Madison, WI)		 The office of an insurance agent was broken into and robbed last July. Among the items stolen was a laptop with customers' names, SSNs, and driver's license numbers. 2,089 customers
Sept. 14, 2006 Nikon Inc. and Nikon World Magazine
(Melville, NY)		 Workers at a Montgomery, AL, camera store discovered that subscription information for the magazine Nikon World was exposed on the Web for at least 9 hours. Data included subscribers' names, addresses and credit card numbers. 3,235 magazine subscribers
Sept. 14, 2006 Illinois Dept. of Corrections
(Springfield, IL)		 A document containing employees' personal information was found outside the agency's premises "where it should not have been." It has since been retrieved. Information included employees' names, SSNs, and salaries. Unknown
Sept. 15, 2006 Mercy Medical Center
(Merced, CA)		 A memory stick containing patient information was found July 18 by a local citizen on the ground at the County Fairgrounds near the hospital's information booth. It was returned to the hospital 4 weeks later. Data included names, SSNs, birthdates, and medical records. 295 patients
Sept. 15, 2006 Whistle Junction restaurant
(Orlando, FL)		 Personnel files of employees of the now-closed restaurant were found in a nearby Dumpster. Papers included names and SSNs of former employees, Unknown
Sept. 16, 2006 Michigan Dept. of Community Health
(Detroit, MI)		 Residents who participated in a scientific study were notified that a flash drive was discovered missing as of Aug. 4, and likely stolen, from an MDCH office.The portable memory device contained names, addresses, phone numbers, dates of birth, and SSNs of participants. The study tracked the long-term exposure to flame retardents ingested by residents in beef and milk. 4,000 Michigan residents
Sept. 16, 2006 Beaumont Hospital
(Royal Oak, MI)		 The hospital mistakenly mailed medical reports on 3 patients to a retired dentist in Texas. Reports included name, test results, date of birth and patient ID numbers. The hospital admitted to both human and computer error. A new computer system mixed similar names, and staff did not catch it. 3 patients
Sept. 17, 2006 Direct Loans, part of William D. Ford Federal Direct Loan Program within U.S. Dept. of Education and Federal Student Aid via its IT contractor ACS A security breach exposed private information of student loan borrowers from Aug. 20-22 during a computer software upgrade. Users of the Direct Loans Web site were able to view information other than their own if they used certain options. SSNs were among the data elements exposed online. 21,000 accounts
Sept. 18, 2006 Howard, Rice, Nemerovski, Canady, Falk & Rabkin law firm
(San Francisco, CA)
via its auditor Morris, Davis & Chan
(Oakland, CA)		 A laptop was stolen from the trunk of the car of the law firm's auditor, containing confidential employee pension plan information -- names, SSNs, remaining balances, 401(k) and profit-sharing information. 500 current and former employees
Sept. 18, 2006 DePaul Medical Center, Radiation Therapy Dept.
(Norfolk, VA)
(757) 889-5945		 Two computers were stolen, one on August 28 and the other Sept. 11. Personal data included names, date of birth, treatment information, and some SSNs. "More than 100 patients"
Sept. 19, 2006 Life Is Good
(Hudson, NH)		 Hackers accessed the retailer's database containing customer's credit card numbers. The company said no other personal information was in the database. 9,250 customers' credit card numbers
Sept. 20, 2006 City of Savannah, Georgia
(912) 651-6565
savannahga.gov		 Because of a "hole in the firewall,"a City server exposed personal information online for 7 months. Individuals identified by the Red Light Camera Enforcement Program are affected -- name, address, driver's license number, vehicle identification number, and SSNs of those individuals whose driver's license number is still the SSN. 8,800 individuals whose identities were captured by red-light cameras
Sept. 20, 2006 Berry College via consultant Financial Aid Services Inc.
(Mount Berry, GA)
(800) 961-4692
www.berry.edu		 Student applications for need-based financial aid were misplaced by a consultant -- in both paper and digital form. Data included name, SSN, and reported family income for students and potential students for the 2005-06 academic year. 2,093 students and potential students (of those, 1,322 are currently enrolled)
Sept. 21, 2006 Pima Co. Health Dept.
(Tucson, AZ)		 Vaccination records on 2,500 clients had been left in the trunk of a car that was stolen Sept. 12. The car and records have since been recovered. Records included names, dates of birth and ZIP codes, but no SSNs or addresses. 2,500
(not included in Total below)
Sept. 21, 2006 U.S. Dept. of Commerce and Census Bureau
(Washington, DC)		 The agency reported that 1,137 laptops have been lost or stolen since 2001. Of those, 672 were used by the Census Bureau, with 246 of those containing personal data. Secretary Gutierrez said the computers had "protections to prevent a breach of personal information." Unknown
Sept. 22, 2006 Purdue University College of Science
(West Lafayette, IN)
(866) 307-8520
www.purdue.edu		 A file in a desktop computer in the Chemistry Department may have been accessed illegitimately. The file contained names, SSNs, school, major, and e-mail addresses of people who were students in 2000. 2,482 students from the year 2000
Sept. 22, 2006 University of Colorado-Boulder, Leeds School of Business
(Boulder, CO)
(303) 492-8741		 Two computers had been placed in storage during the school's move to temporary quarters in May. When they were to be retrieved Aug. 28, they were found missing. They had been used by 2 faculty members and included students' names, SSNs, and grades.
UPDATE (9/25/06): One of the computers was found.		 1,372 students and former students
Sept. 22, 2006 Several Indianapolis pharmacies
(Indianapolis, IN)		 Earlier this year a local TV reporter from WTHR found that "dozens" of pharmacies disposed of customer records in unsecured garbage bins. Now the Indiana Board of Pharmacy has launched an investigation of 30 pharmacies. Both the Board and the Attorney General say that the pharmacies violated state law. Unknown
Sept. 23, 2006 An illegal dumping site northwest of Quinlan, TX Investigators found boxes of private medical records containing names and personal information of patients of a doctor who lives in Dallas and who has a Greenville, TX, practice. They had apparently been dumped there by a contractor who was hired to remodel his house. The contractor was indicted on a charge of illegal dumping. Unknown
Sept. 23, 2006 Erlanger Health System
(Chattanooga, TN)		 Records of hospital employees disappeared from a locked office on Sept. 15. They were stored on a USB "jump drive." Information was limited to names and SSNs. Those affected included anyone who went through job "status changes" from Nov. 2003 to Sept. 2006. 4,150 current and former employees
Sept. 25, 2006 Movie Gallery
(Gastonia, NC)

A large number of Movie Gallery's files and videos were found in a dumpster. The files contained personal information of people employed by Movie Gallery and people applying for jobs at the video store as well as people applying for movie rental membership. Movie Gallery has agreed to pay $50,000 to the State of NC.

 Unknown
Sept. 25, 2006

General Electric
(US Corporate HQ: Fairfield , CT )

 An employee's laptop computer holding the names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business. 50,000 employees
Sept. 28, 2006

North Carolina Dept. of Motor Vehicles
(Louisville , NC)
(888) 495-5568

A computer was stolen from a NC Dept. of Motor Vehicles office, reported Sept. 10. It contains names, addresses, driver's license numbers, SSNs, and in some cases immigration visa information of 16,000 people who have been issued licenses in the past 18 months. Most are residents of Franklin County.

 16,000
Sept. 28, 2006 Illinois Dept. of Transportation
(Springfield, IL)

Documents found by state auditors in recycling bins in a hallway contained IDOT employee names and SSNs.

 40
Sept. 28, 2006 Stevens Hospital Emergency Room via dishonest employee of billing company Med Data
(Edmonds, WA)		 A manager for the hospital's billing company, Med Data, stole patients' credit card numbers. She gave them to her brother who bought $30,000 worth of clothes and gift cards over the Internet. The woman is scheduled for sentencing in Nov. and her brother's trial is expected Jan. 2007. "about 30 patients"
Sept. 29, 2006

University of Iowa Dept of Psychology
(Iowa City, IA)

 A computer containing SSNs of 14,500 psychology department research study subjects was the object of an automated attack designed to store pirated video files for subsequent distribution. 14,500 individuals who had participated in a research study
Sept. 29, 2006

Kentucky Personnel Cabinet
(Frankfort, KY)

State employees received letters from the Kentucky Personnel Cabinet with their SSNs visible through the envelope windows.

 146,000
Sept. ??, 2006

Adams State College
(Alamosa, CO)

 A laptop computer stolen from a locked closet at Adams State College contained personally identifiable data belonging to 184 high school students who participated in the college's Upward Bound program over the last four years. The theft occurred on August 14, but it was not until late September that staff realized the computer held students' data. 184 Upward Bound students
Oct. 2006 (posted 10/16/09) Wal-Mart
 Wal-Mart declined to respond to questions about the initial date of the attack. Nonetheless, Wal-Mart’s security team was able to identify over 800 machines that the attacker either tried to brute force or actually made a successful connection. The breach apparently began when someone used a Nortel VPN connection from a Canadian Wal-Mart employee to gain access to key systems. To be precise, it was the connection of a former Wal-Mart Canada employee–an account that IT had neglected to shut down after the employee left. After some 17 months of rummaging through the system, the intruder/intruders ran into a bit of bad luck. When trying to install a password-cracking tool, a glitch brought the whole server down. When Wal-Mart went to repair the server, it discovered the tool and realized the chain had been breached. The attackers in this case spent all of their time focusing on information about POS systems, but names and credit card numbers may have been accessed. Unknown
Oct. 2, 2006

Port of Seattle
(Seattle, WA)
(888) 902-PORT

Six CDs missing from the ID Badging office at Seattle-Tacoma International Airport hold the personal information of 6,939 airport workers. The data include names, addresses, birth dates, SSNs and driver's license numbers, telephone numbers, employer information, and height/weight. The data on the disks were scanned from paper applications for airport badges. The port learned of the missing disks on September 18 and sent letters to the affected employees on Oct. 2.

6,939 current and former Seattle-Tacoma International Airport employees
Oct. 3, 2006 Cumberland County, PA

Cumberland County (PA) officials removed salary board meeting minutes from their Web site because they contained the SSNs of 1,200 county employees. The information was included in minutes from meetings prior to 2000. The county no longer uses SSNs as unique identifiers for employees. Employees will be informed of the data breach in a note included with their paychecks.

 1,200 employees of the county
Oct. 3, 2006

Willamette Educational Service District
(Salem, OR)

Seven computers stolen from a Willamette Educational service District office were believed to contain personal information of 4,500 Oregon high school students. Backup tapes indicate the computers hold information about the students' school clubs but do not contain sensitive information.

 4,500 Oregon high school students
[not included in total because not thought to contain sensitive info. such as SSNs]
Oct. 3, 2006

Picatinny Arsenal
(Rockaway Twp., NJ)
(If you have tips, call (973) 989-0652)

 28 computers are missing from the Picatinny Arsenal, a Department of Defense Weapons Research Center. The computers were reported lost or stolen over the last two years. None of the computers was encrypted. Officials state the computers did not contain classified information. Unknown
Oct. 4, 2006 Orange County Controller (FL) A Florida woman discovered her marriage license was visible on the Orange County (FL) controller's Web site with no information blacked out, not even SSNs. She discovered the breach because someone had applied for a loan in her name. The Orange County Comptroller is reportedly paying a vendor $500,000 to black out all SSNs by January 2008. Unknown
Oct. 5, 2006 San Juan Capistrano Unified School District (CA) Five computers stolen from the HQ of San Juan Capistrano Unified School District likely contain the names, SSNs and dates of birth of district employees enrolled in an insurance program. Unknown
Oct. 6, 2006

Cleveland Air Route Traffic Control Center
(Oberlin, OH)

 A computer hard drive missing from the Cleveland Air Route Traffic Control Center in Oberlin (OH) contains the names and SSNs of at least 400 air traffic controllers. At least 400
Oct. 6, 2006

Camp Pendleton Marine Corps base via Lincoln B.P. Management
(Camp Pendleton near Oceanside, CA)

 A laptop missing from Lincoln B.P. Management Inc. holds personally identifiable data about 2,400 Camp Pendleton residents. 2,400
Oct. 9, 2006
(Letter mailed Oct. 5, 2006)

Troy Athens High School
(Troy, MI)
(For questions or comments, call (248) 823-4035)

A hard drive stolen from Troy Athens High School in August contained transcripts, test scores, addresses and SSNs of students from the graduating classes of 1994 to 2004. The school district and the superintendent have notified all affected alumni by regular mail.

 4,400
Oct. 10, 2006 Florida Labor Department The names and SSNs of 4,624 Floridians were accessible on the Internet for approximately 18 days in September. The data were not accessible through Web sites, but an individual came across the information when Googling his own name. The agency has asked Google to remove the pages from its cache, and has notified all affected individuals by mail. 4,624 individuals who had registered with Florida 's Agency for Workforce Innovation
Oct. 11, 2006 Republican National Committee
(Washington, D.C.)

The Republican National Committee (RNC) inadvertently emailed a list of donors' names, SSNs and races to a New York Sun reporter.

 76 RNC donors
Oct. 12, 2006 U.S. Census Bureau

This spring, residents of Travis County, TX helped the Census Bureau test new equipment. When the test period ended, 15 devices were unaccounted for. The Census Bureau and the Commerce Department issued a press release saying the devices held names, addresses and birthdates, but not income or SSNs.

 Unknown number of Travis Co., TX, residents
Oct. 12, 2006 Congressional Budget Office
(Washington, D.C.)

Hackers broke into the Congressional Budget Office's mailing list and sent a phishing e-mail that appeared to come from the CBO.
Unknown number of e-mail addresses
Oct. 12, 2006 University of Texas at Arlington

Two computers stolen from a University of Texas faculty member's home hold the names, SSNs, grades, e-mail addresses and other information belonging to approximately 2,500 students enrolled in computer science and engineering classes between fall 2000 and fall 2006. The theft occurred on September 29 and was reported on October 2.

 2,500 students
Oct. 13, 2006 Ohio Ethics Committee
(Columbus, OH)		 Papers belonging to the Ohio Ethics Commission were found floating on the wind in an alley. The documents are related to state employees' finances and contained SSNs and financial statements. They were supposed to be in the possession of the state archives.

Unknown number of Ohio state employees
Oct. 13, 2006 Orchard Family Practice
(Englewood, CO)		 When a bankrupt Colorado doctor was evicted from his office, the landlord with help from the sheriff's dept.dumped everything from his office in the parking lot, including file cabinets containing personal information of his patients. Scavengers were seen carting off desks and file cabinets, some containing records. The exposed documents were thought to consist of business records containing names, SSNs, dates of birth, and addresses, but not medical information, which the doctor had previously removed. Unknown
Oct. 14, 2006

T-Mobile USA Inc.
(Bellvue, WA)

 A laptop computer holding personally identifiable information of approximately 43,000 current and former T-Mobile employees disappeared from a T-Mobile employee's checked luggage. T-Mobile has reportedly sent letters to all those affected. The data are believed to include names, addresses, SSNs, dates of birth and compensation information. 43,000 current and former employees
Oct. 15, 2006

Poulsbo Department of Licensing
(Poulsbo, WA)

 An unspecified “storage device” containing personally identifiable data of approximately 2,200 North Kitsap (WA) residents has been lost from the Poulsbo Department of Licensing. The data include names, addresses, photographs and driver's license numbers of individuals who conducted transactions at the Poulsbo branch in late September. 2,200
Oct. 16, 2006

Germanton Elementary School
(Germanton, NC)

 A computer stolen from Germanton Elementary school holds students' SSNs. The data on the computer are encrypted. Unknown
Oct. 16, 2006 VISA/FirstBank FirstBank sent a letter to an unknown number of customers informing them their FirstTeller Visa Check Card numbers were compromised when someone accessed “a merchant card processor's transaction database.” The FirstBank letter said customers would receive new cards by October 27. Unknown
Oct. 16, 2006

Dr, Charles Kay of Orchard Family Practice
(Englewood, CO)

 Sheriff's deputies evicting Dr. Charles Kay put files from his office in a nearby parking lot. In a news report, Dr. Kay said he had removed the patient files but not the business files. Unknown
Oct. 17, 2006

City of Visalia, Recreation Division
(Visalia, CA)

 Personally identifiable information of approximately 200 current and former Visalia Recreation Department employees was exposed when copies of city documents were found scattered on a city street. 200 current and former employees
Oct. 19, 2006

Allina Hospitals and Clinics
(Minneapolis-St. Paul, MN)

A laptop stolen from a nurse's car on October 8 contains the names and SSNs of individuals in approximately 17,000 households participating in the Allina Hospitals and Clinics obstetric home-care program since June 2005.

 Individuals in 17,000 households
Oct. 19, 2006 University of Minnesota/Spain In June, a University of Minnesota art department laptop computer stolen from a faculty member while traveling in Spain holds personally identifiable information of 200 students. 200 students (not included in total)
Oct. 20, 2006 Manhattan Veteran's Affairs Medical Center, New York Harbor Health Care System
(New York, NY)		 On Sept. 6, an unencrypted laptop computer containing veterans' names, Social Security numbers, and medical diagnosis, was stolen from the hopsital. 1,600 veterans who receive pulmonary care at the facility
Oct. 21, 2006 Bowling Green Police Dept.
(Bowling Green, OH)		 The police dept. accidentally published a report on their website containing personal information on nearly 200 people the police had contact with on Oct. 21. Data included names, Social Security numbers, driver's license numbers, etc. Approx. 200 victims or suspects
Oct. 23, 2006

Sisters of St. Francis Health Services via Advanced Receivables Strategy (ARS), a Perot Systems Company
(Indianapolis, IN)
(866) 714-7606

 On July 28, 2006, a contractor working for Advanced Receivables Strategy, a medical billing records company, misplaced CDs containing the names and SSNs of 266,200 patients, employees, physicians, and boad members of St. Francis hospitals in Indiana and Illinois. Also affected were records of Greater Lafayette Health Services. The disks were inadvertently left in a laptop case that was returned to a store. The purchaser returned the disks. The records were not encrypted even though St. Francis and ARS policies require encryption. 260,000 patients and about 6,200 employees, board members and physicians for a total of 266,200
Oct. 23, 2006

Chicago Voter Database
(Chicago, IL)

 An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database, compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion. 1.35 million Chicago residents
Oct. 24, 2006 Jacobs Neurological Institute
(Buffalo, NY)		 The laptop of a research doctor was stolen from her locked office at the Institute. It included records of patients and her research data. Unknown
Oct. 25, 2006

Transportation Security Administration (TSA)
(Portland, OR)

 A thumb drive is missing from the TSA command center at Portland International Airport and believed to contain the names, addresses, phone numbers and Social Security numbers of approximately 900 current and former employees. 900 current and former Oregon TSA employees
Oct. 25, 2006 Swedish Medical Center, Ballard Campus
(Seattle, WA)
(800) 840-6452		 An employee stole the names, birthdates, and Social Security numbers from patients who were hospitalized or had day-surgeries from June 22 to Sept 21. She used 3 patients' information to open multiple credit accounts. Up to 1,100 patients
Oct. 25, 2006 Tuscarawas County and Warren County
(OH)		 The Social Security numbers of some Tuscarawas and Warren County voters were available on the LexisNexis Internet database service.
UPDATE (11/1/06): LexisNexis says it has now removed the SSNs.		 Unknown
Oct. 26, 2006 Akron Children's Hospital
(Akron, OH)		 Overseas hackers broke into two computers at Children's Hospital. One contains private patient data (including Social Security numbers) and the other holds billing and banking information. 235,903
Oct. 26, 2006 Empire Equity Group
(Charlotte, NC)		 Mortgage files that included personal financial details about loan applicants were found in a dumpster. Empire Equity will pay $12,500 to the State of NC. Unknown
Oct. 26, 2006 LimeWire
(Denver, CO)		 The Denver Police Dept. reports that LimeWire's file-sharing program was exploited to access personal and financial information from
approximately 75 different individual and business account names from all over the country. The
information, which included tax records, bank account information, online bill paying records and
other material, appears to have been stolen directly from computers that were using LimeWire's filesharing
software program.		 75
Oct. 26, 2006 Hilb, Rogal & Hobbs
(Plymouth Meeting, PA)		 In September 2006, a laptop computer was stolen from the insurance brokerage firm. It contained client information including the names, birthdates, and drivers license numbers of Villanova University students and staff who drive university vehicles. 1,243 Villanova University students and staff
Oct. 27, 2006 Gymboree
(San Francisco, CA)		 A thief stole 3 laptop computers from Gymboree's corporate headquarters. They contained unencrypted human resources data (names and Social Security numbers) of thousands of workers. up to 20,000 employees
Oct. 27, 2006 Hancock Askew & Co.
(Savannah, GA)		 On October 5, 2006, a laptop computer containing 401(k) information for employees of at least one company (Atlantic Plastics, Inc.) was stolen from accounting firm Hancock Askew. Unknown
Oct. 27, 2006 Hertz Global Holdings, Inc.
(Oklahoma City, OK)
1-888-222-8086		 The names and Social Security numbers of Hertz employees dating back to 2002 were discovered on the home computer of a former employee. Unknown
Oct. 30, 2006 Georgia county clerk of courts' web sites A Georgia TV station reported that SSNs could be found on some records posted on county clerk of court web sites, specifically for individuals with federal tax liens filed against them. At least one county clerk -- Cherokee County -- is now removing SSNs from the web site. Unknown
Oct. 30, 2006

Nissan Motor Co., Ltd.
(Tokyo, Japan)

 The Japanese weekly magazine "The Weekly Asahi" reported that Nissan experienced the leak of a database containing customers' personal information sometime between May 2003 and February 2004. The data includes the customer name, gender, birth date, address, telephone number, vehicle model owned (including base and class), and license plate number. 5,379,909 customers
(not included in total because data apparently does not contain financial account information or SSNs)
Oct. 31, 2006

Avaya
(theft occurred in Maitland, FL, office of company, headquartered in Basking Ridge, NJ)

A laptop stolen from an Avaya employee on October 16 in Florida contained personally identifiable information, including names, addresses, W-2 tax form information and SSNs.
Unknown
Nov. 2006 Home Finance Mortgage, Inc.
(Cornelius, NC)		 Company dumped files containing names, addresses, Social Security numbers, credit card numbers, and bank account numbers of people who had applied for mortgage loans. Home Finance and its owners have agreed to pay the State of NC $3,000 for their violations.  Unknown
Nov. 1, 2006 U.S. Army Cadet Command
(Fort Monroe, VA)
1-866-423-4474
Email: mydata@
usaac.army.mil
A laptop computer was stolen that contained the names, addresses, telephone numbers, birthdates, Social Security numbers, parent names, and mother's maiden names of applicants for the Army's four-year ROTC college scholarship. 4,600 high school seniors
Nov. 2, 2006 Colorado Dept. of Human Services via Affiliated Computer Services (ACS)
(Dallas, TX)
For questions, call ACS at (800) 350-0399		 On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. Computer also contained the state's Directory of New Hires.
UPDATE (12/07/2006) When initially posted to this list, the number 1.4 million was not added to the total because we could not confirm if SSNs were exposed. The PRC was contacted by an affected individual today who confirmed that names, addresses, SSNs and dates of birth were exposed.
Up to 1.4 million
Nov. 2, 2006 Greater Media, Inc.
(Philadelphia, PA)		 A laptop computer containing the Social Security numbers of the radio broadcasting company's current and former employees was stolen from their Philadelphia offices.
 Unknown
Nov. 2, 2006

McAlester Clinic and Veteran's Affairs Medical Center
(Muskogee, OK)

 Three disks containing billing information, patient names and Social Security numbers, were lost in the mail. 1,400 veterans
Nov. 2, 2006 Intermountain Health Care
(Salt Lake City, UT)
A computer was purchased at a second-hand store, Deseret Industries, that contained the names, Social Security numbers, employment records, and other personal information about Intermountain Health Care employees employed there in 1999-2000. 6,244
Nov. 2, 2006 Compulinx
(White Plains, NY)		 The CEO of Compulinx was arrested for fraudulently using employees' names, addresses, Social Security numbers and other personal information for credit purposes. (It is unclear whether customers' data was also used). Up to 50 Compulinx employees
Nov. 3, 2006 University of Virginia
(Charlottesville, VA)		 Due to a computer programming error, Student Financial Services sent e-mail messages to students containing 632 other students' Social Security numbers. 632 students
Nov. 3, 2006 West Shore Bank
(Ludington, MI)		 Customers' debit cards and possibly credit cards were compromised from a security break last summer at a common MasterCard point-of-purchase provider. About 1,000
Nov. 3, 2006 Wesco
(Muskegon, MI)		 Wesco gas stations experienced a breach in credit card transactions from July 25-Sept. 7 resulting in inaccurate charges to customer accounts. Unknown
Nov. 3, 2006 Starbucks Corp.
(Seattle, WA)
1-800-453-1048		 Starbucks lost track of four laptop computers. Two held employee names, addresses, and Social Security numbers. 60,000 current and former U.S. employees and about 80 Canadian workers and contractors
Nov. 3, 2006 Several Joliet area motels
(Joliet, IL)		 Motel owners and employees allegedly stole and sold customers' credit card numbers. Unknown
Nov 7, 2006 City of Lubbock
(Lubbock, TX)		 Hackers broke into the city's web site and compromised the online job application database, which included Social Security numbers. 5,800
Nov. 9, 2006 Four ARCO gas stations
(Costa Mesa, CA)
(Westminster, CA)
(Torrance, CA)		 From Sept. 29 to Oct. 9, thieves used card skimmers to steal bank account numbers and PIN codes from gas station customers and used the information to fabricate debit cards and make ATM withdrawals.

At least 440
Nov. 10, 2006 KSL Services, Inc.
(Los Alamos, NM)		 A disk containing the personal information of approximately 1,000 KSL employees is missing. KSL is a contractor for Los Alamos National Laboratory. Approximately 1,000
Nov. 13, 2006 Connors State College
(Warner, OK)
(918) 463-6267
perline@
connorsstate.edu		 On Oct. 15, a laptop computer was discovered stolen from the college. (It has since been recovered by law enforcement). The computer contains Social Security numbers and other data for Connors students plus 22,500 high school graduates who qualify for the Oklahoma Higher Learning Access Program scholarships. Considerably more than 22,500
Nov. 15, 2006 Internal Revenue Service
(Washington, DC)

According to document s obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs.
UPDATE (04/05/07): A report by the Treasury Inspector General for Tax Administration noted that at least 490 IRS computers have been stolen or lost since 2003 in 387 security breach incidents that potentially jeopardized tax payers' personal information.
UPDATE (04/17/07): The Inspector General's assessment of 20 buildings in 10 cities discovered four separate locations at which hackers could have easily gained access to IRS computers and taxpayer data using wireless technology.

 2,359
Nov. 16, 2006

American Cancer Society
(Louisville , KY, offices, HQ in Atlanta , GA)
If you have tips, call (502) 574-5673

An unspecified number of laptop computers were stolen from the Louisville offices of the American Cancer Society. It is not clear what personal information was exposed, if any.

 Unknown
Nov. 16, 2006 Carson City residents
(Carson City, NV)		 The Sheriff's Department reported that at least 50 residents had their credit card information stolen by employees of local businesses. The employees apparently sell the account information to international crime rings that produce counterfeit cards. The crime is called "skimming." 50
Nov. 17, 2006

Jefferson College of Health Sciences
(Roanoke, VA)

An email containing the names and SSNs of 143 students intended for one employee was inadvertently sent to the entire student body of 900.

 143
Nov. 17, 2006

Automatic Data Processing (ADP)
(Roseland , NJ)

 ADP sent paperwork for a small Wisconsin company to a Cordova, TN coffee house. The paperwork contained names, birth dates, SSNs, addresses, salaries, and bank account and routing numbers Unknown
Nov. 20, 2006

Administration for Children's Services
(New York , NY)

More than 200 case files from the Emergency Children's Services Unit of ACS were found on the street in a plastic garbage bag. The files contain sensitive information of families, social workers and police officers.

 200 case files
(not included in Total because it is not clear if SSNs were exposed)
Nov. 25, 2006

Indiana State Department of Health via Family Health Center of Clark County
(Jeffersonville, IN)

Two computers stolen from an Indiana state health department contractor contained the names, addresses, birth dates, SSNs and medical and billing information for more than 7,500 women. The data were collected as part of the state's Breast and Cervical Cancer Program.

 7,700
Nov. 27, 2006

Johnston County, NC

Personal data, including SSNs, of thousands of taxpayers, were inadvertently posted on the county web site. The information was removed from the site within an hour after officials became aware of the situation.

 Unknown
Nov. 27, 2006

Greenville County School District
(Greenville, SC)

School district computers sold to the WH Group at auctions between 1999 and early 2006 contained the birth dates, SSNs, driver's license numbers and Department of Juvenile Justice records of approximately 100,000 students. The computers also held sensitive data for more than 1,000 school district employees.
UPDATE (12/10/06): A judge ordered the WH Group to return the computers and the confidential data on them to the school district.

 At least 101,000 students and employees
Nov. 27, 2006

Chicago Public Schools via All Printing & Graphics, Inc.
(Chicago, IL)

A company hired to print and mail health insurance information to former Chicago Public School employees mistakenly included a list of the names, addresses and SSNs of the nearly 1,740 people receiving the mailing. Each received the 125-page list of the 1,740 former employees.

1,740 former Chicago Public School employees
Nov. 28, 2006 Kaiser Permanente Colorado -- its Skyline and Southwest offices
(Denver, CO)
For members who have questions:
(866) 529-0813.		 A laptop was stolen from the personal car of a Kaiser employee in California on Oct. 4. It contained names, Kaiser ID number, date of birth, gender, and physician information. The data did not include SSNs. 38,000
(not included in total, because SSNs were apparently not exposed)
Nov. 28, 2006 Cal State Los Angeles, Charter College of Education
(Los Angeles, CA)
(800) 883-4029		 An employee's USB drive was inside a purse stolen from a car trunk. It contained personal information on 48 faculty members and more than 2,500 students and applicants of a teacher credentialing program. Information included names, SSNs, campus ID numbers, phone numbers, and e-mail addresses. 2,534
Nov. 30, 2006 Pennsylvania Dept. of Transportation
(Hanover township driver's license facility, Dunmore, PA)
Affected individuals can call (800) PENNDOT if you have questions.
Call PA Crimestoppers if you have tips, (800) 4PATIPS, reward offered.		 Thieves stole equipment from a driver's license facility late evening Nov. 28, including computers containing personal information on more than 11,000 people. Information included names, addresses, dates of birth, driver's license numbers and both partial and complete SSNs (complete SSNs for 5,348 people). Also stolen were supplies used to create drivers licenses and photo IDs. The state maintains 97 driver's license facilities. 11,384
Nov. 30, 2006 TransUnion Credit Bureau via Kingman, AZ, court office Four different scam companies downloaded the credit information of more than 1,700 individuals, including their credit histories and SSNs. They were able to illegitimately obtain the password to the TransUnion account held by the Kingman, AZ, court office, which apparently has a subscription to the bureau's services. "more than 1,700 people"
Dec. 1, 2006 TD Ameritrade
(Bellevue, NE)
(201) 369-8373		 According to a letter sent to employees, a laptop was removed (presumably stolen) from the office Oct. 18, 2006, that contained unencrypted information including names, addresses, birthdates, and SSNs. about 300 current and former employees
Dec. 2, 2006 Gundersen Lutheran Medical Center
(LaCrosse, WI)		 A Medical Center employee used patient information, including SSNs and dates of birth, to apply for credit cards in their names. As patient liaison, her duties included insurance coverage, registration, and scheduling appointments. She was arrested for 37 counts of identity theft, and was convicted of identity theft and uttering forged writing, according to the criminal complaint. unknown
Dec. 3, 2006 City of Grand Prairie
(Grand Prairie, TX)		 Employees of the city of Grand Prairie were notified that personal records were exposed on the city's Web site for at least a year. Included were the names and SSNs of "hundreds of employees." The information has since been removed. The city had been working with a contractor on a proposal for workers' compensation insurance. Along with the proposal, names and SSNs were mistakenly listed. "hundreds of employees"
Dec. 5, 2006 Army National Guard 130th Airlift Wing
(Charleston, WV)		 A laptop was stolen from a member of the unit while he was attending a training course. It contained names, SSNs, and birth dates of everyone in the 130th Airlift Wing. Unknown
Dec. 5, 2006 Nassau Community College
(Garden City, NY)		 A printout is missing that contans information about each of NCC's 21,000 students, including names, SSNs, addresses, and phone numbers. It disappeared from a desk in the Student Activities Office. 21,000 students
Dec. 5, 2006 H&R Block Many past and present customers received unsolicited copies of the program TaxCut that displayed their SSN on the outside. Unknown
Dec. 6, 2006 Premier Bank
(Columbia, MO, with HQ in Jefferson City, MO)		 A report was stolen the evening of Nov. 16 from the car of the bank's VP and CFO while employees were celebrating an award received by the bank. The document contained names and account numbers of customers, but reportedly no SSNs. 1,800 customers
Dec. 8, 2006 Segal Group of New York, via web site of Vermont state agency used to call for bids on state contracts
(Montpelier, VT)		 Names and SSNs of "several hundred" physicians, psychologists and other health care providers were mistakenly posted online by Segal Group, a contractor hired by the state to put its health management contract out for bid. The information was posted from May 12 to June 19. It was discovered when a doctor found her own SSN online. "several hundred, likely more" health care providers
UPDATE (1/14/07):
SSNS of "more than 1,100 doctors, psychothereapists and other health professionals" were exposed.
Dec. 9, 2006 Virginia Commonwealth University
(Richmond, VA)		 Personal information of 561 students was inadvertently sent as attachments on Nov. 20 in an e-mail, including names, SSNs, local and permanent addresses and grade-point averages. The e-mail was sent to 195 students to inform them of their eligibility for scholarships. 561 students
Dec. 12, 2006

University of California - Los Angeles
(Los Angeles, CA)
Affected individuals can call UCLA at (877) 533-8082.
www.identityalert.
ucla.edu

 Hacker(s) gained access to a UCLA database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information. About 3,200 of those notified are current or former staff and faculty of UC Merced and current and former staff of UC's Oakland headquarters. 800,000
Dec. 12, 2006 University of Texas - Dallas
(Dallas, TX)
Affected individuals can call (972) 883-4325
www.utdallas.edu/
datacompromise/
form.html		 The University discovered that personal information of current and former students, faculty members, and staff may have been exposed by a computer network intrusion -- including names, SSNs, home addresses, phone numbers and e-mail addresses.
UPDATE (12/14/06): The number of people affected was first thought to be 5,000, but was increased to 6,000.
UPDATE (01/19/07):
Officials now say 35,000 individuals may have been exposed.		 35,000 current and former students, faculty, staff, and others
Dec. 12, 2006 Aetna / Nationwide / Wellpoint Group Health Plans via Concentra Preferred Systems
(Dayton, OH)		 A lockbox holding personal information of health insurance customers was stolen Oct. 26. Thieves broke into an office building occupied by insurance company vendor, Concentra Preferred Systems. The lockbox contained computer backup tapes of medical claim data for Aetna and other Concentra health plan clients. Exposed data includes member names, hospital codes, and either SSNs or Aetna member ID numbers. SSNs of 750 medical professionals were also exposed. Officials downplay the risk by stating that the tapes cannot be used on a standard PC.
UPDATE (12/23/06): The lockbox also contained tapes with personal information of 42,000 NY employees insured by Group Health Insurance Inc.)
UPDATE (1/24/07): Personal data of 28,279 Nationwide's Ohio customers were also compromised.		 130,000
plus 42,000 reportedlater
plus 28,279 reported later
Dec. 13, 2006 Boeing
(Seattle, WA)		 In early December, a laptop was stolen from an employee's car. Files contained names, salary information, SSNs, home addresses, phone numbers and dates of birth of current and former employees.
UPDATE (12/14/06): Boeing fired the employee whose laptop was stolen.
UPDATE (1/26/07): The laptop was recovered.		 382,000 current and former employees
NOTE: The 100 million mark was reached Dec. 13, 2006.

Click here for a news story in IDG about this dubious milestone. And read Poulsen and Singel in Wired Blogs. Here is an article from VNUnet, and another from Washington Post. Read also the NY Times and GovExec.

The major source for the breaches reported in this list is the list-serve and web site of Attrition.org.

 Please note:
The number refers to *records,* NOT persons. Many individuals have experienced more than one breach. For a commentary by PogoWasRight on this matter, click here.
Dec. 14, 2006

Electronic Registry Systems affecting Emory University (Emory Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital), Geisinger Health System (Pennyslvania), Williamson Medical Center
(Nashville, TN)

On Nov. 23, 2006, two computers (one desktop, one laptop) were stolen from Electronic Registry Systems, a business contractor in suburban Springdale, OH, that provides cancer patient registry data processing services. It contained the personal information (name, date of birth, Social Security number, address, medical record number, medical data and treatment information) of cancer patients from hospitals in Pennsylvania , Tennessee , Ohio and Georgia , dating back to 1977 at some hospitals.
UPDATE (1/14/07): The number of affected patients was increased from 25,000 to 63,000.

 More than 63,000 patients
Dec. 14, 2006 Riverside High School
(Durham, NC)		 Two students discovered a breach in the security of a Durham Public Schools computer as part of a class assignment. They reported to school officials that they were able to access a database containing SSNs and other personal information of thousands of school employees. The home of one student was searched by Sheriff's deputies and the family computer was seized. "thousands of school employees"
Dec. 14, 2006 St. Vrain Valley School District
(Longmont, CO)		 Paper records containing student information were stolen, along with a laptop, from a nurse's car Nov. 20. Personal information included students' names, dates of birth, names of their schools, what grade they are in, their Medicaid numbers (presumably SSNs), and their parents' names. The laptop contained no personal data. 600 students
Dec. 14, 2006 Bank of America
(Charlotte, NC)

A former contractor for Bank of America unauthorizedly accessed the personal information (name, address, phone number, Social Security number) of an undisclosed number of customers, for the purpose of committing fraud.

 Unknown
Dec. 15, 2006 University of Colorado - Boulder, Academic Advising Center
(Boulder, CO)
www.colorado.edu		 A server in the Academic Advising Center was the subject of a hacking attack. Personal information exposed included names and SSNs for individuals who attended orientation sessions from 2002-2004. CU-Boulder has since ceased using SSNs as identifiers for students, faculty, staff, and administrators. 17,500
Dec. 15, 2006 City of Wickliffe
(Wickliffe, OH)		 Hackers breached security in one of the city's three computer servers containing personal information on some city employees, including names and SSNs. 125 employees
Dec. 19, 2006 Mississippi State University
(Jackson, MS)		 SSNs and other personal information were "inadvertently" posted on a publicly accessible MSU Web site. The breach was discovered "last week" and the information has since been removed. 2,400 students and emplolyees
Dec. 20, 2006 Lakeland Library Cooperative - serving 80 libraries in 8 counties
(Grand Rapids, MI)		 Personal information of 15,000 library users in West Michigan was displayed on the Cooperative's Web site due to a technical problem. Information exposed included names, phone numbers, e-mail addresses, street addresses, and library card numbers. Children's names were also listed along with their parents' names on a spreadsheet document. The information has since been removed. 15,000 library users
Dec. 20, 2006 Big Foot High School
(Walworth, WI)		 Personal information was accidentally exposed on the High School's Web site for a short time, perhaps for about 36 minutes, according to a report. Information included last names, SSNs, and birthdates. 87 current and former employees
Dec. 20, 2006 Lake County residents, plus Major League Baseball players
(Northbrook, IL)		 A Chicago man apparently removed documents from a trash bin outside SFX Baseball Inc., a sports agency that deals with Major League Baseball. He used information found on those documents to commit identity theft on at least 27 Lake County residents. Information found during a search of the thief's home included SSNs, birthdates, canceled paychecks, obituaries, and infant death records. 27 residents of Lake County plus about 90 current and retired Major League Baseball players for a total of 117 individuals
Dec. 20, 2006 Deb Shops, Inc.
(Philadelphia, PA)
(800) 460-9704		 A hacker illegally accessed company Web pages and a related data base used for Internet-based purchases. The intruder may have accessed customers' credit card information including names on cards and credit card numbers. Unknown
Dec. 21, 2006 Santa Clara County employment agency
(Santa Clara County, CA)		 A computer stolen from the agency holds the SSNs of approximately 2,500 individuals. 2,500
Dec. 22, 2006

Texas Woman's University
(Dallas, Denton, and Houston, TX)

 A document containing names, addresses and SSNs of 15,000 TWU students was transmitted over a non-secure connection. 15,000 students
Dec. 27, 2006 Montana State University
(Bozeman, MT)		 A student working in the loan office mistakenly sent packets containing lists of student names, Social Security numbers, and loan information to other students 259 students
Dec. 28, 2006 U.S. State Department A bag containing approximately 700 completed passport applications was reported missing on December 1. The bag, which was supposed to be shipped to Charlotte, NC, was found later in the month at Los Angeles International Airport. 700
(not included in total)
Dec. 30, 2006

KeyCorp
(Cleveland, OH)

 A laptop computer stolen from a KeyCorp vendor contains personally identifiable information, including SSNs, of 9,300 customers in six states. 9,300
2007 NAME (Location) TYPE OF BREACH NUMBER OF RECORDS
Jan. 1, 2007 Wisconsin Dept. of Revenue via Ripon Printers
(Madison, WI)
(608) 224-5163
www.privacy.wi.gov		 Tax forms were mailed to taxpayers in which SSNs were inadvertently printed on the front of some Form 1 booklets. Some were retrieved before they were mailed. 171,000 taxpayers
Jan. 2, 2007

Deaconess Hospital
(Evansville, IN)

 A computer missing from the hospital holds personal information, including SSNs, of 128 respiratory therapy patients. 128 patients
Jan. 2, 2007 Notre Dame University
(Notre Dame, IN, South Bend, IN)		 A University Director's laptop was stolen before Christmas. It contained personal information of employees, including names, SSNs, and salary information. Unknown
Jan. 2, 2007 News accounts are not clear as to source, but thought to be a realty office
(Las Vegas, NV)		 About 40 boxes of financial paperwork, thought to be from loan applications, was found in a dumpster. One of the boxes visible to news reporters was said to contain paperwork with bank account details, photocopies of driver's licenses, SSNs and "other private information." Unknown
Jan. 4, 2007 Selma, NC, Water Treatment Plant
(Johnston County, NC)		 A laptop stolen from the water treatment facility holds the names and SSNs of Selma volunteer firefighters. Unknown
Jan. 4, 2007 Unnamed medical center, via Newark Recycling Center
(Stockton, CA)		 An individual found unshredded medical records in 36 boxes at the Newark Recycling Center. Unknown
Jan. 5, 2007 Dr. Baceski's office, internal medicine
(Somerset, PA)		 A hard drive was stolen containing personal information on "hundreds of patients." "hundreds of patients"
Jan. 9, 2007 Altria, the parent company of Philip Morris (Kraft Foods), also United Technologies, via benefits consultant, Towers Perrin.
(New York, NY)		 5 laptops were stolen from Towers Perrin, allegedly by a former employee. The theft occurred Nov. 27, 2006. The computers contain names, SSNs, and other pension-related information, presumably of several companies, although news reports are not clear.
UPDATE (1/11/07): NY police arrested "a junior-level administrative employee" of the company in the theft of the laptops.		 18,000 past and present employees, presumably of Altria
(total number of affected invididuals is unknown)
Jan. 10, 2007 University of Arizona
(Tucson, AZ)		 Breaches occurred in November and December 2006 that affected services with UA Student Unions, University Library, and UA Procurement and Contracting Services. Some services were shut down for several days. Unknown
Jan. 11, 2007 University of Idaho, Advancement Services office
(Moscow, ID)
(866) 351-1860
www.identityalert.
uidaho.edu		 Over Thanksgiving weekend, 3 desktop computers were stolen from the Advancement Services office containing personal information of alumni, donors, employees, and students. 331,000 individuals may have been exposed, with as many as 70,000 records containing SSNs, names and addresses. 70,000
Jan. 12, 2007 MoneyGram International
(Minneapolis, MN)		 MoneyGram, a payment service provider, reported that a company server was unlawfully accessed over the Internet last month. It contained information on about 79,000 bill payment customers, including names, addresses, phone numbers, and in some cases, bank account numbers. 79,000
Jan. 13, 2007 North Carolina Dept. of Revenue
(Raleigh, NC)		 A laptop computer containing taxpayer data was stolen from the car of a NC Dept. of Revenue employee in mid-December. The files included names, SSNs or federal employer ID numbers , and tax debt owed to the state. 30,000 taxpayers
Jan. 16, 2007 University of New Mexico
(Albuquerque, NM)		 At least 3 computers and 4 monitors were stolen from the associate provost's office overnight between Jan. 2 and 3. They may have included faculty members' names and SSNs. Unknown
Jan. 17, 2007 TJ stores (TJX), including TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMaxx, and possibly Bob's Stores in U.S. & Puerto Rico -- Winners and HomeGoods stores in Canada -- and possibly TKMaxx stores in UK and Ireland
(Framingham, Mass.)
U.S.: Call (866) 484-6978
Canada: (866) 903-1408
U.K. & Ireland: 0800 77 90 15
www.tjx.com
The TJX Companies Inc. experienced an "unauthorized intrusion" into its computer systems that process and store customer transactions including credit card, debit card, check, and merchandise return transactions. It discovered the intrusion mid-December 2006. Transaction data from 2003 as well as mid-May through December 2006 may have been accessed. According to its Web site, TJX is "the leading off-price retailer of apparel and home fashions in the U.S. and worldwide."
UPDATE (2/22/07): TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks its computer system was also hacked in July 2005 and on "various subsequent dates" that year.
UPDATE (3/21/07): Information stolen from TJX's systems was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials.
UPDATE (3/29/07): The company reported in its SEC filing that 45.7 million credit and debit card numbers were hacked, along with 455,000 merchandise return records containing customers' driver's license numbers, Military ID numbers or Social Security numbers.
UPDATE (4/22/07): Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, the company noted the perpetrators had access to data for 17 months, and apparently began in July 2005.
UPDATE (04/26/07): Three states' banking associations (MA, CT, and ME) filed a class action lawsuit against TJX to recover the costs of damages totaling "tens of millions of dollars" incurred for replacing customers' debit and credit cards.
UPDATE (05/04/07): An article in the WSJ notes that because TJX had an outdated wireless security encryption system, had failed to install firewalls and data encryption on computers using the wireless network, and had not properly install another layer of security software it had bought, thieves were able to access data streaming between hand-held price-checking devices, cash registers and the store's computers. 21 U.S. and Canadian lawsuits seek damages from the retailer for reissuing compromised cards.
UPDATE (07/10/07): U.S. Secret Service agents found TJX customers' credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places, Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers.
UPDATE (08/31/07): The U.S. Secret Service Agency earlier this week said it has arrested and indicted four members of an organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking, and conspiracy.
UPDATE (09/21/07): A ring leader in the TJX Cos.-linked credit card fraud, was sentenced to five years in prison and has been ordered to pay nearly $600,000 in restitution for damages resulting from stolen financial information.
UPDATE (09/25/07): TJX announced the terms of a settlement for customers affected by the data breach -- with strings attached. Credit monitoring will be offered to about 455,000 of the 46 million affected. TJX will reimburse customers who had to replace driver's licenses as a result of the breach if they submit documentation for the time and money spent on replacing licenses. The company will give a $30 store voucher to those customers who submit documentation about their lost time and money. And TJX will hold a special 3-day sale with a 15% discount sometime in 2008. The settlement still needs to be approved by the court.
UPDATE (10/23/07): Court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million.
UPDATE (10/23/07): The total number of records increased from 167 million to 215 million. Recent court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million, up considerably from 45,7 million credit and debit card account numbers initially thought to be compromised. Breach costs have been estimated at $216 million.
UPDATE (11/30/07): Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc.
UPDATE (12/05/07): An InternetNews.com article estimates TJX expenses at $500 million to $1 billion. In a settlement with VISA USA, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers affected by the breach. At least 19 lawsuits have been filed, and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General.
UPDATE (12/18/07): TJX has settled the lawsuit for an undisclosed amount.Although both sides said the settlement total would remain confidential, TJX said the costs were covered by a $107 million reserve that it set aside against its second-quarter earnings.TJX also has said that $107 million would cover the costs of another breach agreement: a Nov. 30 deal with Visa Inc. to help pay a maximum $40.9 million to help the network's card-issuing banks recover expenses to replace customers' Visa cards.
UPDATE (2/10/08): Notices are going out to millions of customers who may have had credit card information compromised in a data breach. The notices contain information about eligibility for compensation such as vouchers and credit monitoring to be provided under a proposed settlement.
UPDATE (4/2/08): TJX Cos. reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and other institutions to cover fraud losses stemming from a massive data breach disclosed last year. They also struck a similar deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs associated with the breach.
UPDATE (5/14/08): The TJX Companies, Inc. today announced that it completed its previously announced settlement with MasterCard International Incorporated and its issuers. Financial institutions representing 99.5% of eligible MasterCard accounts worldwide claimed to have been affected by the unauthorized computer intrusion(s) at TJX accepted the alternative recovery offer under TJX's previously announced Settlement Agreement with MasterCard.
UPDATE (8/5/08): Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft. This is the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. An indictment was returned on Aug. 5, 2008. Conspirators obtained the credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers -- including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The indictments are the result of a three-year undercover investigation conducted out of the San Diego Field Office of the U.S. Secret Service.
UPDATE (8/30/08): TrustCo BankCorp NY sued TJX in August 2008 to recoup costs it incurred from reissuing an estimated 4,000 customer MasterCard debit cards after hackers accessed the TJX computer network. The bank stated its cost for the breach was up to $20 per affected account, explaining that it suffered losses from administrative expenses and lost interest and transaction fees. Later in the month, TJX in turn claimed that Trustco "failed to implement policies or procedures" that would have enabled the bank to avoid canceling and replacing customer debit cards.
UPDATE (9/22/08):One of the 11 people arrested last month in connection with the massive data theft at T JX Companies Inc., BJ Wholesale Clubs Inc. and several other retailers pleaded guilty yesterday to four felony counts, including wire and credit card fraud and aggravated identity theft. Many of the Internet attacks that he facilitated were SQL injection attacks, according to court documents. The stolen data was sold to cybercriminals in Eastern Europe and the U.S. or used to make fraudulent credit and debit cards.
UPDATE (6/26/09):
TJX has agreed to pay $9.75 million to 41 states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place at the time of the breach. Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. Further, $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the state Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information.
UPDATE (7/28/09):
Pennsylvania and 40 other states reached a $9.75 million settlement.
UPDATE (9/4/09): TJX settles for $525K with four banks. As part of the settlement with AmeriFirst Bank, Trustco Bank, HarborOne Credit Union and SELCO Community Credit Union, the Framingham, Mass.-based retailer paid $525,000. The money primarily will be used to cover the banks' expenses in pursuing the legal action.		 45,700,000 credit and debit card account numbers

455,000 merchandise return records containing customer names and driver's license numbers.

Recovery of about 200,000 stolen credit card account numbers.

Latest records say an additional 48 million people have been affected for a total of more than 94 million.

breaches now seem to have affected over 100 million accounts.
Jan. 17, 2007 Rincon del Diablo Municipal Water District
(Escondido, CA, plus unincorporated neighborhoods outside the city, and parts of San Marcos and San Diego, CA)
(760) 745-5522		 2 computers were stolen from the district office. One included names and credit card numbers of customers. 500 customers
Jan. 18, 2007 KB Home
(Charleston, SC)		 A computer was stolen from one of the home builder's offices. It likely contained names, addresses, and SSNs of people who had visited the sales office for Foxbank Plantation in Berkeley County near Charleston. 2,700
Jan. 19, 2007 U.S. Internal Revenue Service via City of Kansas City
(Kansas City, MO)		 26 IRS computer tapes containing taxpayer information were reported missing after they were delivered to City Hall. They potentially contain taxpayers' names, SSNs, bank account numbers, or employer information. The 26 tapes were the entire shipment received by the City last August. The disappearance was noticed late December 2006. Unknown
Jan. 22, 2007 U.S. Dept. of Veteran's Affairs
(Seattle, WA)		 Folders of veterans' personal information were stolen from a locked car in Bremerton, WA. News stories are not clear on the type of information contained in the folders. Unknown
Jan. 22, 2007 Chicago Board of Elections
(Chicago, IL)		 About 100 computer discs (CDs) with 1.3 million Chicago voters' SSNs were mistakenly distributed to aldermen and ward committeemen. CDs also contain birth dates and addresses. 1.3 million voters
Jan. 23, 2007 Rutgers-Newark University, Political Science Dept.
(Newark, NJ)		 An associate professor's laptop was stolen, containing names and SSNs of 200 students. Rutgers no longers uses SSNs as student IDs, but student IDs from past years are still SSNs. 200 students
Jan. 25, 2007 Clay High School
(Oregon, OH)		 A former high school student obtained sensitive staff and student information through an apparent security breach. The data was copied onto an iPod and included names, birth dates, SSNs, addresses, and phone numbers. Unknown
Jan. 25, 2007 Ohio Board of Nursing
(Columbus, OH)		 The agency's Web site posted names and SSNs of newly licensed nurses twice in the past 2 months. SSNs were supposed to have been removed before posting. 3,031 newly licensed nurses
Jan. 25, 2007 Washiawa Women, Infants and Children program (WIC)
(Honolulu, HI)
(808) 586-8080
www.hawaii.gov
A WIC employee apparently stole the personal information of agency clients, including SSNs, and committed identity theft on at least 3 families and perhaps 2 more. The Health Director said the agency will no longer use SSNs in its data base. 11,500 current and former clients
Jan. 26, 2007 Indiana Dept. of Transportation
(Indianapolis, IN)		 The names and SSNs of INDOT employees were inadvertently posted on an internal network computer drive sometime between Sept. 6 and Dec. 4, 2006. 4,000 employees
Jan. 26, 2007 Vanguard University
(Costa Mesa, CA)
(800) 920-7312
www.identityalert.
vanguard.edu		 On Jan. 16, 2 computers were discovered stolen from the financial aid office. Data included names, SSNs, dates of birth, phone numbers, driver's license numbers, and lists of assets. 5,015 financial aid applicants for 2005-2006 and 2006-2007 school years
Jan. 26, 2007 WellPoint's Anthem Blue Cross Blue Shield
(Virginia)
(800) 284-9779		 Cassette tapes containing customer information were stolen from a lock box held by one of its vendors. Data included names and SSNs. 196,000 customers
Jan. 26, 2007 Chase Bank and the former Bank One, now merged
(Shreveport, LA)		 A Bossier woman bought a used desk from a furniture store. She discovered a 165-page spread sheet in a drawer that included names and SSNs of bank employees. The document was returned to the bank. 4,100 current and former employees "from all over Louisiana"
Jan. 26, 2007 Eastern Illinois University
(Charleston, IL)		 A desktop computer was stolen from the Student Life office containing membership rosters -- including SSNs, birthdates, and addresses -- of the University's 23 fraternities and sororities. A hard drive and memory from 2 other computers were also stolen. 1,400 currently enrolled students
Jan. 29, 2007 Mendoza College of Business, Notre Dame University
(Notre Dame, IN, South Bend, IN)		 A file of individuals who took the GMAT test (Graduate Management Admissions Test) was mistakenly left on a computer that was decommissioned. The computer was later reactivated and plugged into the Internet. Its files were available through a file-sharing program. Data included names, scores, SSNs and demographic information from 2001. Unknown
Feb. 2, 2007 Massachusetts Dept. of Industrial Accidents
(Boston, MA)
(800) 323-3249 ext. 560
www.mass.gov/dia		 A former state contractor allegedly accessed a workers' compensation data file and stole personal information, including SSNs. The thief used the data to commit identity theft on at least 3 individuals. 1,200 people who submitted claims
Feb. 2, 2007 Indian Consulate via Haight Ashbury Neighborhood Council recycling center
(San Francisco, CA)		 Visa applications and other sensitive documents were accessible for more than a month in an open yard of a recycling center. Information included applicants' names, addresses, phone numbers, birthdates, professions, employers, passport numbers, and photos. A sampling of documents indicated that the paperwork included everyone who applied in the Western states from 2002-2005. Applicants were current and former executives of major Bay Area companies that have operations in India. Unknown
Feb. 2, 2007 Wisconsin Assembly
(Madison, WI)		 A document containing personal information of Wisconsin Assembly members was stolen from a legislative employee's car while she was exercising at a local gym. It contained names, addresses, and SSNs. 109 Assembly members and aides
Feb. 2, 2007 University of Missouri, Research Board Grant Application System
(Columbia, MO)		 A hacker broke into a UM computer server mid-January and might have accessed personal information, including SSNs, of 1,220 researchers on 4 campuses. The passwords of 2,579 individuals might also have been exposed. 3,799
Feb. 2, 2007 New York Dept. of State
(Albany, NY)		 The agency's Web site posted commercial loan documents that mistakenly contained SSNs. The forms are posted to let lenders know the current financial status of loan recipients. Unknown
Feb. 2, 2007 U.S. Dept. of Veteran's Affairs, VA Medical Center
(Birmingham, AL)
(877) 894-2600

An employee reported a portable hard drive stolen or missing that might contain personal information about veterans including Social Security numbers.
UPDATE (2/10/07): VA increases number of affected veterans to 535,000, included in the total below.
UPDATE (2/12/07): VA reported that billing information for 1.3 million doctors was also exposed, including names and Medicare billing codes, not included in the total below.
UPDATE (3/19/07): The VA's Security Operations Center has referred 250 incidents since July 2006 to its inspector general, which has led to 46 separate investigations.
 UPDATE (6/18/07):More than $20 million to respond to its latest data breach, the breach potentially puts the identities of nearly a million physicians and VA patients.

48,000 veterans
plus 535,000

 
Feb. 3, 2007 CTS Tax Service
(Cassopolis, MI)		 The computer and hard drive of a tax preparation company were stolen. Data included names, bank account numbers, routing numbers, birthdates, SSNs, and addresses. 800
Feb. 6, 2007 NY Dept. of Labor
(Glenn Falls, NY)		 Laptop computer containing personal information for people who were employed by 13 Capital Region businesses stolen from state tax auditor's apartment. 537
Feb. 6, 2007

Metro Credit Services
(Hurst, TX)

 Files of the defunct bill collection company containing medical records, phone bills and Social Security numbers were found in a trash bin. "thousands"
Feb. 7, 2007 University of Nebraska
(Lincoln, NE)		 An employee accidentally posted SSNs of 72 students, professors, and staff on UNL's public Web site where they remained for 2 years. They have since been removed. 72
Feb. 7, 2007 Johns Hopkins University and Johns Hopkins Hospital
(Baltimore, MD)

Johns Hopkins reported the disappearance of 9 backup computer tapes containing personal information of employees and patients, Eight of the tapes contained payroll information on 52,000 past and present employees, including SSNs and in some cases bank account numbers. The 9th tape contained "less sensitive" information about 83,000 hospital patients.

 

 52,000 past and present employees
plus
83,000 patients
Feb. 7, 2007 Front Range Ski Shop
(Denver, CO)		 The shop's Web site was broken into and customer information including credit card account data may have been accessed. 15,000 customers
Feb. 7, 2007 A Toronto, Ontario, residence
(Canada)		 Credit card data for more than 35,000 individuals from across North America were discovered by police when they executed a search warrant at a Toronto residence. A man has since been arrested on fraud and counterfeiting charges. The number is not included in the total below because it is not known how many of the affected individuals are from the U.S.
Feb. 7, 2007 Central Connecticut State University
(New Britain, CT)		 Social Security numbers of about 750 CCSU students were exposed in the name and address window on envelopes mailed to them. The envelopes were not folded correctly. They contained IRS 1098T forms. 750 students
Feb. 8, 2007 Piper Jaffrey
(Minneapolis, MN)

W-2s sent to current and former employees in January included employees' Social Security numbers on the outside of the envelope. Though the numbers were not identified as Social Security numbers, they followed the standard XXX-XX-XXXX format. Executives indicated the mishap was an error by a third-party vendor.

 "more than 1,000 employees"
Feb. 8, 2007 St. Mary's Hospital
(Leonardtown, MD)		 A laptop was stolen in December that contained names, SSNs, and birthdates for many of the Hospital's patients. 130,000
Feb. 9, 2007 East Carolina University
(Greenville, NC)
www.ecu.edu/incident/
877-328-6660		 A programming error resulted in personal information of 65,000 individuals being exposed on the University's Web site. The data has since been removed. Included were names, addresses, SSNs, and in some cases credit card numbers. 65,000 students, alumni, and staff members
Feb. 9, 2007 Radford University, Waldron School of Health and Human Services
(Radford, VA)		 A computer security breach exposed the personal information, including SSNs, of children enrolled in the FAMIS program, Family Access to Medical Insurance Security. 2,400 children
Feb. 10, 2007 Official Indiana State Web site
www.IN.gov
(888) 438-8397
Email: securityconcerns
@www.IN.gov		 A hacker gained access to the State Web site and obtained credit card numbers of individuals who had used the site's online services and gained access to Social Security numbers for 71,000 health-care workers.
UPDATE (3/22/07): Investigators have identified a teen they believe hacked into the IN.gov as a prank.		 5,600 individuals and businesses and 71,000 health-cae workers
Feb. 14, 2007 Kaiser Medical Center
(Oakland, CA)
(866) 529-0779		 A doctor's laptop was stolen from the Medical Center containing medical information of 22,000 patients. But only 500 records contained SSNs. 22,000 patients, but apparently only 500 records contained SSNs (the latter number is included in total below)
Feb. 14, 2007 Iowa Dept. of Education Up to 600 files of G.E.D. recipients were viewed when the online database was hacked. Files included names, addresses, birthdates, and SSNs of G.E.D. graduates from 1965 to 2002. 600
Feb. 14, 2007 Conn. Office of the State Comptroller
(Hartford, CT)		 Personal information of state employees including names and Social Security numbers was inadvertently posted on the Internet in a spreadsheet of vendors used by the state. 1,753
Feb. 15, 2007 City College of San Francisco
(San Francisco, CA)
(800) 436-0108
www.ccsf.edu		 Names, grades, and SSNs were posted on an unprotected Web site after summer session in 1999. CCSF stopped using SSNs as studens IDs in 2002. 11,000 students
Feb. 19, 2007 Seton Healthcare Network
(North Austin, TX)		 A laptop with uninsured patients' names, birth dates and Social Security numbers was stolen last week from the Seton hospital system. The uninsured patients had gone to Seton emergency rooms and city health clinics since July 1, 2005. 7,800
Feb. 19, 2007 Clarksville-Montgomery County middle and high schools
(Clarksville, TN)		 Staff and faculty Social Security numbers, used as employee identification numbers, were embedded in file photos by the company that took yearbook pictures and inadvertently placed in a search engine on school system's Web site. 633
Feb. 19, 2007 Stop & Shop Supermarkets
(Rhode Island and Southern MA)
877-366-2668		 Credit and debit card account information including PIN numbers was stolen by high-tech thieves who apparently broke into checkout-line card readers and PIN pads and tampered with them. Unknown
Feb. 19, 2007 Social Security Admin.
(Milwaukee, WI)		 Files of disability applicants containing Social Security numbers, addresses, phone numbers of family members, dates of birth and work history, and detailed medical information were lost/stolen when a telecommuting employee abandoned them in a locked filing cabinet at home after a threat of domestic violence. Several of the files were mailed back to the local SSA office months later; others were found in a dumpster recently, and four were never recovered. 13
Feb. 20, 2007 Back and Joint Institute of Texas
(San Antonio, TX)		 20 boxes containing Social Security numbers, photocopies of driver's license numbers, addresses, phone numbers and private medical history of chiropractic patients were found in a dumpster. "hundreds"
Feb. 21, 2007 Georgia Institute of Technology
(Atlanta, GA)
404-894-2499
hr@gatech.edu

Personal information of former employees mostly in the School of Electrical and Computer Engineering including names, addresses, Social Security number, other sensitive information, and about 400 state purchasing card numbers was compromised by unauthorized access to a Georgia Tech computer account.

 3,000
Feb. 22, 2007 Speedmark
(Woodlands, TX)		 Thieves stole several computers, one of which contained a database with personally identifying information including names, addresses, e-mail accounts, and Social Security numbers of Speedmark's mystery shopper employees and contractors. 35,000
Feb. 23, 2007 Rabun Apparel Inc., former subsidiary of Fruit of the Loom
(Rabun Gap, GA)		 Names and Social Security numbers of former employees were accessible on the Internet from Jan. 15 until Feb. 20.
 1,006
Feb. 28, 2007 Gulf Coast Medical Center
(Nashville, TN & Tallahassee, FL)		 Patient information including names and Social Security numbers was compromised when two computers went missing. 1,900 individuals were affected by a theft in Nashville, TN in November and 8,000 when another computer was stolen in Tallahassee in February. 9,900
Mar. 1, 2007 Westerly Hospital
(Westerly, RI)		 Patient names, Social Security numbers, contact information as well as insurance information were posted on a publicly-accessible Web site. 2,242
Mar. 2, 2007 Calif. Dept. of Health Services
(Sacramento, CA)		 Benefit notification letters containing names addresses, Medicare Part D plan names and premium payment amounts of some individuals enrolled in the California AIDS Drug Assistance Program (ADAP) were mailed to another enrollee. 54
Mar. 3, 2007 Metropolitan State College of Denver
(Denver, CO)
866-737-6622		 A faculty member's laptop computer that contained the names and Social Security numbers of former students was stolen from its docking station on campus. 988
Mar. 3, 2007 Johnny's Selected Seeds
(Winslow, ME)		 Hacker accessed credit card account information of online customers. About 20 credit cards have been used fraudulently. 11,500
Mar. 7, 2007 Los Rios Community College
(Northern Calif.)		 Student information including Social Security numbers were accessible on the Internet after the school used actual data to test a new onine application process in October. 2,000
Mar. 7, 2007 U.S. Census Bureau
(Washington, D.C.)

Personal information of 302 households including names, addresses, phone numbers, birth dates and family income ranges were posted on a public Internet site multiple times over a five-month period from October 2006 to Feb. 15, 2007 when Census employees working from home tested new software records.

 302 households
Mar. 9, 2007 California National Guard
(Sacramento, CA)		 A computer hard drive containing Social Security numbers, home addresses, birth dates and other identifying information of California National Guard troops deployed to the U.S.-Mexico border was stolen.
 1,300
Mar. 10, 2007 University of Idaho
(Moscow, ID)
www.vandalidentity.net
888-900-3783		 A data file posted to the school's Web site contained personal information including names, birthdates and Social Security numbers of University employees. 2,700
Mar. 12, 2007 Dai Nippon
(Tokyo, Japan)		 A former contract worker of a Japanese commercial printing company stole nearly 9 million pieces of private data on customers from 43 clients. The stolen data includes confidential information such as names, addresses and credit card numbers intended for use in direct mailing and other printing services. Customers of U.S.-based American Home Assurance Co. and Toyota Motor were affected. Unknown
Mar. 13, 2007 U.S. Dept. of Agriculture
(Washington, D.C.)		 A total of 95 USDA computers were lost or stolen between Oct. 1, 2005, and May 31, 2006. Some may have contained personal information such as names, addresses, Social Security numbers and payment information. Two-thirds of the computers contained unencrypted data. Unknown
Mar. 14, 2007 Wellpoint's Empire Blue Cross and Blue Shield unit in NY
(Indianapolis, IN)
800-293-3443

An unencrypted disc containing patient's names, Social Security numbers, health plan identification numbers and description of medical services back to 2003 was lost en route to a subcontractor.

UPDATE (3/14/07): The subcontrator reported that the CD that was reported missing on Feb. 9 has been found.

 75,000
Mar. 16, 2007

Ohio State Auditor
(Springfield, OH)
www.spr.k12.oh.us
Click on Notification of Data Theft

A laptop containing personal information of current and former employees of Springfield City Schools including their names and Social Security numbers was stolen from a state auditor employee's vehicle while parked at home in a garage.
 1,950
Mar. 19, 2007

Science Applications International Corp. (SAIC)
(Boise, ID)

 Barrels filled with thousands of sensitive documents including printed copies of e-mail and performance evaluations along with documents marked “internal use only – not for public release” and “for official use only” were found on the curb outside of SAIC's local office.
 Unknown
Mar. 20, 2007 Health Resources, Inc.
(Evansville, IN)		 From Jan 24, 2007 to Feb 6, 2007, a Web site glitch allowed employers with access to private health information to obtain the name, address, Social Security number, dependent names and birthdates of other patients. 2,031
Mar. 20, 2007 Tax Service Plus
(Santa Rosa, CA)		 Thieves stole the company's backup computer, which contained financial data on thousands of tax returns dating back three years. 4,000
Mar. 23, 2007 Group Health Cooperative Health Care System
(Seattle, WA)		 Two laptops containing names, addresses, Social Security numbers and Group Health ID numbers of local patients and employees have been reported missing. 31,000
Mar. 23, 2007 Swedish Urology Group
(Seattle, WA)		 Three computer hard drives with personal files on hundreds of local patients including was stolen.
"hundreds"
Mar. 26, 2007 Fort Monroe
(Fort Monroe, VA)		 A laptop computer containing the names, Social Security numbers and payroll information for as many as 16,000 civilian employees was stolen from an employee's personal vehicle. Bank account and bank routing information were not included. 16,000
Mar. 27, 2007 St. Mary Parish
(Centerville, LA)		 Personal information including Social Security numbers of St. Mary Parish public school employees was available on the Internet when a Yahoo!Web crawler infiltrated the server of the school's technology department. 380
Mar. 28, 2007 RadioShack
(Portland, TX)		 20 boxes of discarded records including sales receipts with names, addresses, Social Security numbers, credit card information. and personal information of store employees spanning from 2001 to 2005 were found in a dumpster.
UPDATE (04/03/07): The Texas Attorney General's Office filed an action against the Radio Shack store for violating the state's violating the 2005 Identity Theft Enforcement and Protection Act.		 Unknown
Mar. 28, 2007 TJX Companies -- TJ Maxx and Marshalls See initial Jan. 17, 2007 posting for updated numbers and summary of breach information -- 45.7 million credit and debit card numbers and 455,000 customer return records.

See 1/17/07 posting
Mar. 30 2007 Los Angeles County Child Support Services
(Los Angeles, CA)		 Three laptops containing personal information including about 130,500 Social Security numbers — most without names, 12,000 individuals' names and addresses, and more than 101,000 child support case numbers
were apparently stolen from the department's office.		 243,000
Mar. 30, 2007 Naval Station San Diego's Navy College Office
(San Diego, CA)
(866) U-ASK-NPC
CSCMailbox@navy.mil 		Three laptops were reported missing that may contain Sailors' names, rates and ratings, Social Security numbers, and college course information. The compromise could impact Sailors and former Sailors homeported on San Diego ships from January 2003 to October 2005 and who were enrolled in the Navy College Program for Afloat College Education. Unknown
Mar. 30, 2007 Univ. of Montana - Western
(Dillon, MT)		 A computer disk containing students' Social Security numbers, names, birth dates, addresses and other personal information was stolen from a professor's office. The stolen information belonged to students enrolled in the TRIO Student Support Services program, which offers financial and personal counseling and other assistance. 400
Apr. 4, 2007 UC San Francisco
(San Francisco, CA)
(415) 353-8100)
isecurity@ucsf.edu
http://oaais.ucsf.edu/notice		 An unauthorized party may have accesed the personal information including names, Social Security numbers, and bank account numbers of students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years by compromising the security of a campus server. 46,000
Apr. 5, 2007 DCH Health Systems
(Tuscaloosa, AL)		 An encrypted disc and hardcopy documents containing retirement benefit information including Social Security numbers and other personal information were lost. Tracking data indicates the package was delivered to the addressee's building, but the intended recipient never received the package. 6,000
Apr. 5, 2007 Security Title Agency
(Phoenix, AZ)		 Hackers defamed the company's Web site and may have accessed customer information which is stored on the same server as the site. Unknown
Apr. 6, 2007 Hortica
(Edwardsville, IL)
(800) 851-7740
securedata@hortica-insurance.com 		A locked shipping case of backup tapes containing personal information including names, Social Security numbers, drivers' license numbers, and bank account numbers is missing. Unknown
Apr. 6, 2007 Chicago Public Schools
(Chicago, IL)
(773) 553-1142		 Two laptop computers contain the names and Social Security numbers of current and former employees was stolen from Chicago Public Schools headquarters. 40,000
Apr. 9, 2007 Turbo Tax Using Turbo Tax online to access previous returns, a Nebraska woman was able to access tax returns for other Turbo Tax customers in different parts of the country. The returns contained personal information needed to e-file including bank account numbers with routing digits and Social Security numbers. Unknown
Apr. 10, 2007 Georgia Dept. of Community Health
(Atlanta, GA)
(866) 213-3969
A computer disk containing personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers went missing from a private vendor, Affiliated Computer Services (ACS), contracted to handle health care claims for the state. 2,900,000
Apr. 11, 2007 New Horizons Community Credit Union
(Denver, CO)		 A laptop computer that contained personal information of members who had loans with the credit union was stolen from Protiviti, a consultant employed by Bellco Credit Union conducting due diligence to prepare a possible acquisition bid. 9,000
Apr. 11, 2007 ChildNet
(Ft. Lauderdale, FL)		 An organization responsible for managing Broward County's child welfare system believe a dishonest former employee stole a laptop from the agency's office. It contains personal information of adoptive and foster-care parents including financial and credit data, Social Security numbers, driver's license data and passport numbers. 12,000
Apr. 11, 2007 Black Hills State Univ.
(Spearfish, SD)
(605) 642-6215		 Names and Social Security numbers of scholarship winners were inadvertently posted and publicly available on the university's web site. 56
Apr. 12, 2007 Bank of America
(Charlotte, NC)		 A laptop containing personal information of current, former and retired employees including names, addresses, dates of birth and Social Security numbers was stolen when an employee was a "victim of a recent break-in." "limited" number of people
Apr. 12, 2007 Univ. of Pittsburgh, Med. Center
(Pittsburgh, PA)		 Personal information including names, Social Security numbers, and radiology images of patients were previously included in two medical symposium presentations that were posted on UPMC's Web site. Though the presentation was later removed in 2005, the presentations were apparently inadvertently re-posted on the site and only recently removed again. 88
Apr. 12, 2007 GA Secretary of State
(Atlanta, GA)		 30 boxes of Fulton County voter registration cards that contain names, addresses and Social Security numbers were found in a trash bin. 75,000
Apr. 15, 2007 CVS Pharmacy
(Liberty, TX)		 The Attorney General of Texas filed a complaint against CVS Pharmacy for illegally disposing of personal information including active debit and credit card numbers, complete with expiration dates and medical prescription forms with customer's name, address, date of birth, issuing physician and the types of medication prescribed. The information was found in a dumpster behind a store that apparently was being vacated. "hundreds"
Apr. 18, 2007 Ohio State Univ.
(Columbus, OH)		 A hacker accessed the names, Social Security numbers, employee ID numbers and birth dates of 14,000 current and former staff members. In a separate incident, the names, Social Security numbers and grades of 3,500 former chemistry students were on class rosters housed on two laptop computers stolen from a professor's home in late February. 17,500
Apr. 18, 2007 Univ. of CA, San Francisco
(San Francisco, CA)
(866) 485-8777
www.ucsf.edu/alert

A computer file server containing names, contact information, and Social Security numbers for study subjects and potential study subjects related to studies on causes and cures for different types of cancer was stolen from a locked UCSF office. For some individuals, the files also included personal health information.

 3,000
Apr. 19, 2007 New Mexico State Univ.
(Las Cruces, NM)		 The names and Social Security numbers of students who registered online to attend their commencement ceremonies from 2003 to 2005 were accidentally posted on the school's Web site when an automated program moved what was supposed to be a private file into a public section of the Web site. 5,600
Apr. 20, 2007 Los Alamos National Laboratory
(Alburquerque, NM)		 The names and Social Security numbers of lab workers were posted on a Web site run by a subcontractor working on a security system.
550
Apr. 20, 2007 U.S. Agriculture Dept.
(Washington, DC)		 The Social Security numbers of people who received loans or other financial assistance from two Agriculture Department programs were disclosed since 1996 in a publicly available database posted on the Internet. 37,000
Apr. 21, 2007 Albertsons (Save Mart Supermarkets)
(Alameda, CA)
(510) 337-8340		 Credit and debit card numbers were stolen using bogus checkout-line card readers resulting in card numbers processed at those terminals being captured and some to be misused. 81
Apr. 23, 2007 Fed. Emergency Management Agency (FEMA)
Washington, DC
Social Security numbers of Disaster Assistance Employees were printed on the outside address labels of . reappointment letters 2,300
Apri. 24, 2007 Purdue Univ.
(West Lafayette, IN)
(866) 307-8513		 Personal information including names and Social Security numbers of students who were enrolled in a freshman engineering honors course was on a computer server connected to the Internet that had been indexed by Internet search engines and consequently was available to individuals searching the Web. 175
Apr. 24, 2007 Baltimore County Dept. of Health
(Baltimore, MD)		 A laptop containing personal information including names, date of birth, Social Security numbers, telephone numbers and emergency contact information of patients who were seen at the clinic between Jan. 1, 2004 and April 12 was stolen.
 6,000
Apr. 25, 2007 Neiman Marcus Group
(Dallas, TX)
(800) 456-7019

Computer equipment in the possession of a pension consultant containing files with sensitive information including name, address, Social Security number, date of birth, period of employment and salary information of Neiman Marcus Group's current and former employees and their spouses was stolen.

 160,000
Apr. 26, 2007 Ceridian Corp.
(Minneapolis, MN)		 A former employee had data containing the personal information of employees including "ID" and bank-account data and then, accidentally posted it on a personal Web site. 150
Apr. 27, 2007 Google Ads
(Mountain View, CA)		 Top sponsored Google ads linked to 20 popular search terms were found to install a malware program on users' computers to capture personal information and used to access online accounts for 100 different bank.
 Unknown
Apr. 27, 2007 Caterpillar, Inc.
(Peoria, IL)
A laptop computer containing personal data of employees including Social Security numbers, banking information and addresses was stolen from a benefits consultant that works with the company. Unknown
Apr. 28, 2007 Couriers on Demand
(Dallas, TX)		 Personal information of job applicants was accidentally published to the Internet. "Hundreds"
Apr. 29, 2007 Univ. of New Mexico
(Alburquerque, NM)		 Employees' personal information including names, e-mail and home addresses, UNM ID numbers and net pay for a pay period for staff, faculty and a few graduate students may have been stored on a laptop computer stolen from the San Francisco office of an outside consultant working on UNM's human resource and payroll systems. [3,000]
(Not included in Total below because SSNs were apparently not compromised)
May 1, 2007 Healing Hands Chiropractic
(Sterling, CO)		 Medical records containing the personal information of chiropractic patients including records Social Security numbers, birth dates, addresses and, in some cases, credit card information wee thrown in a dumpster “due to lack of office space.” "Hundreds"
May 1, 2007 J. P. Morgan
(New York, N.Y.)		 Documents containing personal financial data of customers including names, addresses and Social Security numbers were found in garbage bags outside five branch offices in New York. Unknown
May 1, 2007 Maine State Lottery Commission
(Hallowell, ME)		 Documents containing personal information such as names, Social Security numbers, references to workers compensation claim records, psychiatric and other medical records, and police background checks were found in a dumpster. Unknown
May 1, 2007 Champaign Police Officers
(Champaign, IL)		 The names and Social Security numbers of Champaign police officers were left on a computer donated to charity. 139
May 1, 2007 J. P. Morgan
(Chicago, IL)		 A computer tape containing personal information of wealthy bank clients and some employees was delivered to a secure off-site facility for storage but was later reported missing. 47,000
May 3, 2007 Maryland Dept. of Natural Resources
(Annapolis, MD)		 Personal information of current and retired employees including names and Social Security numbers was downloaded to a "thumb drive" by an employee who wanted to work at home but was lost en route. 1,433
May 3, 2007 Louisiana State Univ., E.J. Ourso College of Business
(Baton Rogue, LA)		 A laptop stolen from a faculty member's home contained personally identifiable information including may have included students' Social Security numbers, full names and grades of University students.
750
May 3, 2007 Montgomery College
(Conroe, TX)		 A new employee posted the personal information of all graduating seniors including names, addresses and Social Security numbers on a computer drive that is publicly accessible on all campus computers. Unknown
May 5, 2007 Transportation Security Administration
(Crystal City, VA)		 A computer hard drive containing payroll data from January 2002 to August 2005 including employee names, Social Security numbers, birth dates, bank account and routing information of current and former workers including airport security officers and federal air marshals was stolen.
UPDATE (5/14/07); The American Federation of Government Employees is suing the TSA for the loss of the hard drive. It calls the breach a violation of the Privacy Act.		 100,000
May 7, 2007 Indiana Dept. of Administration
(Indianapolis, IN)		 An employee uploaded a list of certified women and minority business enterprises to the department's Web site and inadvertently included their tax identification numbers, which for some businesses and sole proprietorships is the owner's Social Security number. "dozens" to "no more than a couple hundred"
May 8, 2007 Univ. of Missouri
(Columbia, MO)
(866) 241-5619
A hacker accessed a computer database containing the names and Social Security numbers of employees of any campus within the University system in 2004 who were also current or former students of the Columbia campus. 22,396
May 11, 2007 Univ. Calif. Irvine Medical Center
(Irvine, CA)		 About 1,600 file boxes stored in an off-site university warehouse were discovered missing. Some of the files included patients' names, addresses, Social Security numbers and medical record numbers. 287
May 11, 2007 Highland Hospital
(Rochester, NY)
HighlandHospitalAdmin@
urmc.rochester.edu
www.stronghealth.com/
(866) 917-5034		 Two laptop computers, one containing patient information including Social Security numbers, were stolen from a business office. The computers were sold on eBay, and the one containing personal information was recovered. 13,000
May 12, 2007 Goshen College
(Goshen, IN)
info@goshen.edu
(866) 877-3055		 A hacker accessed a college computer that contained the names, addresses, birth dates, Social Security numbers and phone numbers of students and information on some parents with the suspected motivation of using the system to send spam e-mails. 7,300
May 12, 2007 Doctor and dentist
(Leon Valley, TX)		 A local TV news reporter exposed that a medical office disposed of patient records without shredding them. Included were SSNs and dates of birth, as well as medical information. Unknown
May 14, 2007 Community College of Southern Nevada
(North Las Vegas, NV)		 A virus attacked a computer server and could have allowed a hacker to access students' personal information including names, Social Security numbers and dates of birth, but the school is not certain whether anything was actually stolen from the school's computer system. 197,000
May 15, 2007 IBM
(Armonk, NY)		 An unnamed IBM vendor lost computer tapes containing information on IBM employees -- mostly ex-workers -- including SSNs, dates of birth, and addresses. They went missing in transit frm a contractor's vehicle. Unknown
May 15, 2007 San Diego Unified School District
(San Diego, CA)
H.R. Services Division Identity Theft Hotline: (619) 725-8086, operational through June 1, 2007, 8am to 5pm, M-F		 In a letter to its employees, the School District said it had been notified by law enforcement that a former employee had access to personal identification information of "a select number of district employees." Those employees were notified separately. The letter said it has "no specific knowledge of any attempted fraud..." Unknown
May 17, 2007 Detroit Water and Sewerage Department
(Detroit, MI)		 A laptop containing City employee information was stolen from the vehicle of an insurance company employee . 3,000
Not included in Total below because it is not known if the data included SSNs.
May 17, 2007 Georgia Div. of Public Health
(statewide)		 The GA Dept. of Human Resources notified parents of infants born between 4/1/06 and 3/16/07 that paper records containing parents' SSNs and medical histories -- but not names or addresses -- were discarded without shredding. 140,000
May 18, 2007 Alcatel-Lucent
(Murray Hill, NJ)		 The telecom and networking equipment maker notified employees that a computer disk containing personal information was lost in transit to Aon Corp., another vendor. It contained names, addresses, SSNs, birth dates, and salary information of current and former employees. Unknown
May 18, 2007 Yuma Elementary School District No. 1
(Yuma, AZ)		 SSNs of 91 substitute teachers were stolen May 7 when a district employee's car was broken into and a brief case was taken containing payroll reports. The reports did not include bank account information.. 91
May 18, 2007 Indianapolis Public Schools
(Indianapolis, IN)		 A local newspaper reporter discovered that sensitive personal information was accessible online, including employee performance reviews, student gradebooks, student special education needs, and essays 7,500 students
Not included in Total because it is not clear if SSNs were exposed.
May 19, 2007 Texas Commission on Law Enforcement Standards and Education
(Austin, TX)		 A computer was stolen from the state agency that licenses police officers. It contained information on every licensed peace officer in Texas, including SSNs, driver's license numbers, and birth dates. 230,000
May 19, 2007 Illinois Dept. of Financial and Professional Regulation
(Chicago, IL)
For information about breach,
www.idfpr.com
For information about ID theft, www.illinoisattorneygeneral.gov		 A computer server in the office of the Illinois Dept. of Financial and Professional Regulation was breached earlier this year. SSNs, tax numbers, and addresses of banking and real estate professionals were exposed. The hacking incident was discovered May 3. 300,000 licensees and applicants
May 19, 2007 Stony Brook University
(Stony Brook, NY)
www.stonybrook.edu/disclosure
Call Center, (866) 645-5830 (available until July 15, 2007)		 SSNs and university ID numbers of faculty, staff, students, alumni, and other community members were visible via the Google search engine after they were posted to a Health Sciences Library Web server April 11. It was discovered and removed 2 weeks later. 90,000
May 20, 2007 Northwestern University financial aid office
(Chicago, IL)		 A laptop belonging to the financial aid office was stolen. It contained SSNs and other information of "some alumni." Unknown
May 21, 2007 Columbia Bank
(Fair Lawn, NJ)		 Columbia Bank notified its online banking customers of a hacking incident. Names and SSNs were accessed, but account numbers and passwords were not. Unknown
May 22, 2007 University of Pittsburgh Medical Center
(Pittsburgh, PA)		 UPMC mailed a fundraising letter to 6,000 former patients on May 7. The donor response cards "inadvertently" included each individual's SSN in the tracking code, visible through the envelope window. 6,000 former patients
May 22, 2007 University of Colorado-Boulder
(Boulder, CO)
www.colorado.edu
Hotline: (303) 492-1655		 A hacker launched a worm that attacked a University computer server used by the College of Arts and Sciences. Information for 45,000 students enrolled at UC-B from 2002 to the present was exposed, including SSNs. The breach was discovered May 12. Apparently anti-virus software had not been properly configured. 45,000 students
May 23, 2007 Waco Independent School District
(Waco, TX)		 Two high school seniors recently hacked into the district's computer network potentially compromising the personal information including Social Security numbers of students and employees. 17,400
May 23, 2007 Check into Cash
(Champaign, IL)		 Consumer loan documents and related reports were found in a trash bin behind the shopping center where Check into Cash is located. Documents contained Social Security numbers, addresses, copies of driver's licenses and other personal information of the company's customers. Unknown
May 24, 2007 Beacon Medical Services
(Aurora, CO)		 Private medical and financial information including patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois that should have been only accessible through VPN access were inadvertently available on the Internet. 5,000
May 25, 2007 North Carolina Dept. of Transportation
(Raleigh, NC)		 A computer server used to back up employee identification badge records that included the names and Social Security numbers of NCDOT employees, contractors and other state employees was compromised. 25,000
May 25, 2007 Booker T. Washington Community Center
(Auburn, NY)		 A laptop computer with personal information of individuals who applied for Family Health Plus or Child Health Plus state health insurance program benefits was recovered when a woman tried to sell it at a pawn shop. Unknown
May 26, 2007 Cover Tennessee
(Nashville, TN.)		 A computer error at the Cover Tennessee health insurance program caused small business owners who chose not to print out their forms from the Web site to have their personal information including Social Security numbers added to the next user's printout request. 279
May 31, 2007 Priority One Credit Union
(South Pasadena, CA)		 Priority One Credit Union sent out election ballots to members with Social Security numbers and account numbers printed on the outside of the envelopes Unknown
June 1, 2007

Fresno County/Refined Technologies Inc.
(Fresno, CA)

 Missing computer disk contains names, addresses, Social Security numbers.The county sent it by courier to a software vendor's office in San Jose to determine workers' eligibility for health care benefits.The software company, Refined Technologies Inc., said they never received the disk. 10,000
June 1, 2007 Jax Federal Credit Union
(Jacksonville, FL)		 Social Security numbers and account numbers of clients were accidentally posted on the Internet, then indexed by Google. JFCU was transmitting information to a printer for a preapproved auto loan mailing when the information was picked up by Google from the printer's Web site. JFCU normally transmits information on an encrypted disk delivered by courier, but when the printer couldn't open the disk, the information was sent again, but wasn't encrypted and included Social Security numbers and account numbers.
7,766
June 1, 2007

Northwestern University
(Evanston,Ill)
c-loebbaka@northwestern.edu
(847) 491-4887

 Files containing personal information of students and applicants were available online. 4,000
June 3, 2007 Gadsden State Community College
(College Gadsden, AL)		 Students who took an Art Appreciation class at the Ayers Campus between 2005 and 2006 had their names, grades and Social Security numbers scattered across a local business' driveway. 400
June 4, 2007 Stevens Hospital
(Edmonds, WA)
(425) 673-3745		 Laptop exposed to Internet, information did include names, addresses, and Social Security numbers.The situation occurred when one of the subcontractors had a lapse in its data security procedures. 550
June 6, 2007 Cedarburg High School
(Cedarburg, WI)		 Students obtained names, addresses and Social Security numbers and might have accessed personal bank account information of current and former district employees.. Unknown
June 6, 2007 Dearfield Medical Building
(Greenwich, CT)		 A box was discovered at inside a trash bin in May and contains information about lab tests and insurance approvals as well as other medical issues, documents are not medical charts, but do contain patient names and contact information. Unknown
June 6, 2007 HarborOne Credit Union
(Brockton, MA.)		 Data compromise disclosed by the retailer in January. The breach resulted in HarborOne having to block and reissue about 9,000 debit cards. 9,000
June 7, 2007 Huntsville County
Huntsville, AL		 As many as 400 people and banking institutions may be victims in a credit card or debit card cloning. In Alabama and Georgia card numbers were stolen after the cards were used at Huntsville restaurants and carry-out businesses. 400
June 8, 2007 University of Virginia
(Charlottesville, VA)
identity-assistance@virginia.edu
(866) 621-5948		 A breach in one of the computer applications that resulted in exposure of sensitive information belonging to current and former U.Va. faculty members. The information included names, Social Security numbers and dates of birth. The investigation has revealed that on 54 separate days between May 20, 2005 and April 19, 2007, hackers tapped into the records of 5,735 faculty members. 5,735
June 8, 2007 University of Iowa
www.grad.uiowa.edu/news/incident.htm
(Iowa City, IA)		 Social Security numbers of faculty, students and prospective students were stored on the Web database program that was compromised. 1,100
June 9, 2007 Concord Hospital
(Concord, NH)
mhanna@cmonitor.com		 Names, addresses, dates of birth and Social Security numbers exposed on the internet “for a period of time,”security lapsed from a subcontractor that handles its online billing.
UPDATE (6/20/07):
Washington-based company that was managed its online billing system was fired. Hospital officials now are asking for an audit to verify that Verus Incorporated has removed all of its patient information from its servers.		 9,000
June 11, 2007 Pfizer
(New York, NY)
866-274-3891		 Installation of certain file sharing software on a Pfizer laptop, exposed files containing names, Social Security numbers, addresses and bonus information of present and former Pfizer colleagues. Investigation revealed that certain files containing data were accessed and copied. 17,000
June 11, 2007 Grand Valley State University
(Allendale, MI)
Jann Joseph (616) 331-2110		 A flash drive containing confidential information was stolen. Social Security numbers of current and former students were on the flash drive, stolen from the English department.
 3,000
June 14, 2007

Division of Workforce Services
(Salt Lake City, Utah)
(801) 281-1267

 Children's Social Security numbers are believed to have been compromised by identity thieves. 20,000
June 14, 2007 Hamburger Hamlet Restaurant
(Los Angeles CA)		 Former waitress made off with the credit or debit card numbers of at least half a dozen patrons - and possibly as many as 40. Already, about $16,300 in unauthorized charges have been linked to the scam. 40
June 14, 2007 Georgia Tech Univ.
(Atlanta, GA)		 An electronic file containing the personal information of current and former Georgia Tech students was exposed briefly.

23,000
Not included in Total because it's not clear SSNs or account numbers were exposed.
June 14, 2007 Lynchburg City
(Lynchburg, VA)
(434) 455-3964
IDsupport@lynchburgva.gov
 Personal information of Lynchburg city employees and retirees was accidentally posted on the city's website among that information employee's prescription medications.
 1,200
Not included in Total because it's not clear SSNs or account numbers were exposed.
June 15, 2007

Ohio state workers
(Columbus, OH)
(888) 644-6648
(taped-message)
(877) 742-5622
(Ohio Consumers' Counsel)
or (800) 267-4474

 A backup computer storage device with the names and Social Security numbers of every state worker was stolen out of a state intern's car. The tape, which was stolen in June, contains personally identifiable information of nearly 84,000 current and former Ohio state employees and more than 47,000 state taxpayers.
UPDATE (6/20/07) :
The storage device also had the names and Social Security numbers of 225,000 taxpayers,
UPDATE (6/22/07) :
Previous news stories reported smaller amounts, but the most recent news story shows 500,000 .		 500,000
June 18, 2007 Parisexposed.com
(Bellevue, WA)		 Investigation by The Smoking Gun Web site said that by changing a few characters on the web page URL it was possible to see the subscriber's name, email address, password, phone number, mailing address and credit card number.
 750
June 18, 2007 Shamokin Area School District
(Coal Township, PA)		 A local newspaper employee gained unauthorized access to the Shamokin Area School District's computer database. It is the same system that stores students' personal information, including Social Security numbers. That newspaper employee brought the security flaw to the attention of school officials. Unknown
June 18, 2007 Texas A&M University
(Corpus Christi, TX)		 A professor vacationing off the coast of Africa took data with him on a small computer, which was lost or stolen. It is thought to contains SSNs and dates of birth for students enrolled in the spring, summer and fall semesters of 2006
 8,000
June 20, 2007 American Airlines
(Fort Worth, TX)		 Personal information including Social Security numbers of pilots and other employees at American Airlines, including the chief executive, was exposed on a company Web site.

 

 365
June 20, 2007 University Community Hospital
(Tampa, FL)		 A parent says his son should never have received bills in the mail for a pre-employment drug screening visit. Among the bills there's something else he was surprised to see, information about others who were also tested, "Like 17 of them here with the Social Security numbers." Unknown
June 22, 2007 Texas First Bank
(Texas City, TX)		 Information such as account numbers, Social Security numbers, names and addresses may have been stored on a stolen laptop computer during a car theft in Dallas.
 4,000
June 23, 2007 Winn-Dixie
(Pascagoula,MS)		 Pharmacy documents were found behind closed Winn-Dixie, containing telephone numbers, Social Security numbers and addresses of thousands. Apparently when they closed up, they put these bundles outside to be picked up and they were never picked up. Unknown
June 25, 2007 Fresno County
(Fresno, CA)
(559) 453-6450		 A disk containing information pertaining to home health-care workers -- including their names, addresses and Social Security numbers was lost. Unknown
June 27, 2007 Milwaukee PC
(Milwaukee, WI)
(414) 258-2275		 Credit card information for 65,000 was possibly compromised. A service center noticed a file in their server and was concerned that file could contain customers' credit card numbers and personal information. 65,000
June 27, 2007 Bowling Green State University
(Bowling Green, OH)		 Lost storage device contained Social Security numbers, and names of 199 former students. 199
June 27, 2007 University of California, Davis
(Davis, CA)
www.vetmed.ucdavis.edu/
computer_security
deansoffice@vetmed.ucdavis.edu
(530) 752-8032.		 Computer-security safeguards were breached and accessed information including the applicants' names, birth dates and, in most cases, Social Security numbers. 1,120
June 29, 2007 Harrison County Schools
(Charleston WV)		 Several computers that contained the personal information, including Social Security numbers, of several Harrison County school employees were stolen. Workers Comp claims between January of 2001 and February of 2007 are at risk. Unknown
July 3, 2007 Fidelity National Information Services
Certegy Check Services Inc.
(Jacksonville, FL)

A worker at one of the company's subsidiaries (Certegy Check Services, Inc.) stole customer records containing credit card, bank account and other personal information.
UPDATE (8/27/07) :
The company first estimated that about 2.3 million records were affected but quickly boosted that number to 8.5 million in filings with the U.S. Securities and Exchange Commission. A California law firm has filed a class-action suit charging Fidelity National Information Services (FIS) and one of its subsidiaries with negligence in connection with a data breach.
UPDATE (11/23/07) : A former database analyst at Certegy Check Services Inc., has agreed to plead guilty to federal fraud and conspiracy charges in connection with the theft of data.
UPDATE (7/7/08) :A man has been sentenced to four years and nine months in jail and fined US $3.2 million for his part in the theft of consumer records from Certegy Check Services.
UPDATE (7/7/08) : A new settlement provides that all class members whose personal or financial information was stolen can get compensated up to $20,000 for certain unreimbursed identity theft losses caused by the data theft. The losses covered could have occurred from Aug. 24, 1998, to Dec. 31, 2010. www.datasettlement.com

2,300,000

Additional 6.2 million

Total 8.5 million
July 5, 2007 Highlands University
(Las Vegas, NM)		 A building on the campus had been broken into, and the affected offices might have had such personal information as Social Security numbers, credit card and bank account information exposed. 420
July 7, 2007 Cuyahoga County Dept. of Development
(Cleveland, OH)		 Names and Social Security numbers on memory stick stolen in carjacking. 3,000
July 9, 2007 Girl Scouts Mile Hi
(Denver, CO)
(303) 778-8774		 Tapes stolen from a car held personal information from a membership database, including names, addresses, phone numbers. A very limited number of credit card numbers and Social Security numbers were included in the stolen data from the camp and event registration database. Unknown
July 11, 2007 South County Hospital
(South Kingstown, RI)		 Paperwork containing personal details from customers was left in a briefcase inside a car that was stolen. That batch of paperwork contained details including names, addresses, Social Security numbers, phone numbers and a summary of hospital accounts. 79
July 11, 2007 Texas A&M University
(Corpus Christi, TX)		 College of Business officials are investigating a faculty member for the misplacement of a business law class roster containing the names and Social Security numbers of students. 49
July 11, 2007 Disney Movie Club / Alta Resources
(Neenah, WI)		 A contract employee stole an unknown number of credit card numbers. Credit-card information was sold by an employee of a Disney contractor to a federal agent as part of an undercover sting operation. Unknown
July 13, 2007 City of Encinitas
(Encinitas, CA)
(760) 633-2788		 Credit card or checking account information and addresses of people who had enrolled in Encinitas' youth recreation programs was inadvertently posted on the city's Web site. 1,200
July 13, 2007 Metropolitan St. Louis Sewer District
(St.Louis, MO)		 A employee had downloaded Social Security numbers of current or former district employees to a home computer. The Social Security numbers were part of a computer file the district uses to make sure workers get the proper pay. 1,600
July 15, 2007 Westminster College
(Salt Lake City, UT)		 Names of students, former and current were printed in two files along with each student's Social Security number. The files were on a student Web server used by Westminster students. 100
July 16, 2007 Prudential Financial Inc.
(Newark, NJ)		 Data exposed in the breach was faxed to a company by doctors and clinics across the U.S.. Data included the patients' Social Security numbers, bank details and health care information.

 

 1,000
July 16, 2007 TSA
(Arlington, VA)		 Authorities realized in May a storage device was missing from TSA headquarters. The drive contained historical payroll data, Social Security numbers, dates of birth, addresses, time and leave datas, bank account, routing information, and details about financial allotments and deductions. 100,000
July 17, 2007 Western Union
(Greenwood Village, CO)		 Credit card information and names were hacked from a database.The thieves got names, addresses, phone numbers and complete credit-card information. 20,000
July 17, 2007 Louisiana Board of Regents
(Baton Rouge, LA)		 Records of students and staff including Social Security numbers,names, and addresses exposed on web.In all, more than 80,000 names and Social Security numbers were accessible for perhaps as long as two years on an internal Internet site. 80,000
July 17, 2007 Kingston Technology Co.
(Fountain Valley, CA)		 Security breach that remained undetected until "recently" may have compromised the names, addresses and Credit Card details of online customers. 27,000
July 18, 2007 Purdue University
(West Lafayette, IN)
(866) 605-0013		 Files which were no longer in use were discovered on a computer server connected to the Internet. The files contained names and Social Security numbers of students who were enrolled in an industrial engineering course. 50
July 18, 2007 Connecticut General Assembly Transportation Committee
(Hartford, CT)		 Social Security numbers of former employees of defunct L.G. Defelice Inc. was posted on CT transportation committee website. 300
July 19, 2007 Cricket Communications Documents stolen from store result in loss of 300 credit card numbers. 300
July 19, 2007 Jackson Local Schools
(Massillon, OH)		 The Social Security numbers of present and former Jackson Local Schools’ employees were at risk of public access on a county maintained Web site.
 1,800
July 20, 2007 SAIC
(San Diego, CA)
www.saic.com/response/
(703) 676-6533		 Pentagon contractor may have compromised personal information. Information such as names, addresses, birth dates, Social Security numbers and health information about military personnel and their relatives because it did not encrypt data transmitted online. 580,000
July 21, 2007 University of Michigan
(Ann Arbor, MI)		 University databases were hacked. Names, addresses, Social Security numbers, birth dates, and in some cases, the school districts where former students were teaching were exposed. 5,500
July 23, 2007 Fox News A security hole on the Fox News web server Sunday exposed sensitive content to the public, including login information that allowed hackers to access names, phone numbers, and email addresses of at least 1.5 million people

1.5 million

Not added to total. It does not appear that SSNs or financial account numbers were exposed.
July 24, 2007 St. Vincent Hospital
(Indianapolis, IN)		 A security lapse compromised names, addresses and Social Security numbers. 51,000
July 25, 2007 Hidalgo County Commissioner’s Office
(Hidalgo County, TX)		 The private medical information, including Social Security numbers and treatment details of people who sought medical assistance from the county was posted on the Hidalgo County Website. 25
July 26, 2007 United States Marine Corps / Penn State University
(Harrisburg, PA)		 Names and Social Security numbers of Marines were found through Google Internet search engine. 10,554
July 27, 2007 Flexible Benefits Administrators
(Virgina Beach VA)		 A former employee allegedly stole Virginia Beach city and school district employees' personal information and used it to commit prescription fraud. Police discovered a list of names and Social Security numbers at the employees home. 2,000
July 27, 2007 City Harvest
(New York, NY)
(917) 351-8763		 City Harvest is currently investigating a potential improper access of systems that contained credit card information of their donors. 12,000
July 27, 2007 American Education Services
(Harrisburg, PA)
Personal information was on a laptop stolen in a burglary at a subcontractor's headquarters. The information, which was not encrypted, included names, addresses, phone numbers, e-mail addresses and Social Security numbers. 5,000
July 28, 2007 Yuba County Health and Human Services
(Yuba County, CA)		 A laptop stolen from a building contained personally identifiable information of individuals whose cases were opened before May 2001. The laptop was being used as a backup system for the county's computer system. The data include Social Security numbers, birth dates, driver’s license numbers and other private information. 70,000
Aug. 1, 2007 Lifetime Fitness
(Dallas, TX)		 Staff had discarded customer records in easily accessible trash cans behind Dallas businesses. Information that was discarded contained names, addresses, Social Security numbers, driver's license numbers and credit card information, as well as the date of birth of several children. Lifetime Fitness is based in Minnesota. Unknown
Aug. 2, 2007 E.On - U.S.(energy services)
(Louisville, KY)		 A laptop with names, Social Security numbers and birth dates of most E.On U.S. employees and some retirees was stolen last month. Unknown
Aug. 2, 2007 University of Toledo
(Toledo, OH)
(419) 530-4836
(419) 530-3661
(419) 530-1472		 A computer was stolen with two hard drives containing student and staff Social Security numbers, names, and grade change information.

Unknown
Aug. 3, 2007 WorkCare Orem
(Pleasant Grove, UT)		 A truck driver found medical documents containing personal information in his truck and on the ground while he picked up a load at a garbage transfer station. The documents contained names, addresses, telephone numbers, Social Security numbers and birth dates. Unknown
Aug. 3, 2007 Wabash Valley Correctional Facility
(Indianapolis, IN)		 A database containing Social Security numbers, dates of birth and names of people employed at the facility between 1997 and 2002 was unintentionally moved “from a secure private drive that was accessible only by the human resources department to a shared directory that could be accessed by other employees here.”
 Unknown
Aug. 4, 2007 Kellogg Community Federal Credit Union
(Battle Creek, MI)

A computer containing personal information on an undisclosed number members was stolen. A file containing some members' names, addresses, telephone numbers, birth dates, Social Security numbers and account numbers was on the computer's hard drive.

 

 Unknown
Aug. 6, 2007 Verisign
(Mountain View, CA)		 A laptop containing extensive personal information on an undisclosed number of VeriSign employees was stolen from an employee's car. The information included names, addresses, Social Security numbers, dates of birth, telephone numbers, and salary records. Unknown
Aug. 7, 2007 Electronic Data Systems
(Montgomery, AL)		 A former employee was arrested this week for allegedly trafficking in stolen identities she received through her work with the company. She "obtained the names and identifying information of 498 Alabama Medicaid recipients and subsequently sold 50 of those identities. 498
Aug. 7, 2007 Merrill Lynch
(Hopewell, NJ)		 A computer device apparently was stolen containing sensitive personal information, including Social Security numbers, about some 33,000 employees.

 

 33,000
Aug. 8, 2007 Yale University
(New Haven, CT)		 Social Security numbers for over 10,000 current and former students, faculty and staff were compromised last month following the theft of two University computers 10,000
Aug. 10, 2007 Loyola University
(Chicago, IL)		 A computer with the Social Security numbers of 58 hundred students was discarded before its hard drive was erased, forcing the school to warn students about potential identify theft. 5,800
Aug. 10, 2007 Legacy Health System
(Portland, OR)
(503) 445-9533		 A primary care physician practice has discovered the theft of $13,000 in cash and personal data for patients. Patient receipts, credit card transaction slips and checks are also missing, in addition to Social Security numbers and dates of birth for patients. 747
Aug. 11, 2007 Providence Alaska Medical Center
(Anchorage, AL)
(888) 387-3392.
 A laptop computer that contains the personal information of patients is missing. On the laptop there maybe names, medical record numbers, dates of birth, patient diagnoses, Social Security numbers and addresses. 250
Aug. 13, 2007 Pfizer/Axia Ltd.
(New York, NY)
(866) 274-3891		 Axia Ltd. had notified Pfizer on June 14 of an incident in which two Pfizer laptops were stolen from a locked car. The laptops, which disappeared May 31 in Boston, included the names and Social Security numbers of health-care professionals who “were providing or considering providing contract services for Pfizer,” according to the letter.
950
Aug. 15, 2007 Idaho Army National Guard
(Boise, ID)
http://www.idahoarmyguard.org or call the Idaho National Guard Joint Operations Center		 A small computer drive containing Social Security numbers and other personal information about every Army National Guard soldier in Idaho has been stolen. 3,400
Aug. 15, 2007 Greater Detroit Hospital
(Detroit, MI)		 It's a repeat of a problem that emerged late last year at the Greater Detroit Hospital where metal thieves stripped everything from copper piping to windows, exposing rows of abandoned patient files. Neighbors said there are hundreds of boxes of patient files and payroll records inside, full of credit card and Social Security numbers. Unknown
Aug. 15, 2007 Sky Lakes Medical Center / Verus Inc.
(Klamath Falls, OR.)		 The company that maintained the hospital's online bill payment system, transferred patient information from one server to another to perform maintenance but didn't take security measures, leaving information such as names, addresses and Social Security numbers exposed. 30,000
Aug. 16, 2007 Utica Title and Escrow
(Bixby, OK)		 Boxes belonging to Utica Title and Escrow had been stored at a storage unit in Bixby. When Utica quit paying rent the storage company went through the legal process to be able to sell everything left behind. No one wanted to buy the boxes of paper so the boxes were thrown out. The boxes contained private information, including Social Security numbers, bank accounts and pay stubs.

 

 Unknown
Aug. 20, 2007 University of Toledo
(Toledo OH.)
http://eitnetwork.utoledo.edu/
information_privacy/		 A laptop computer has been stolen from an office in the Student Recreation Center that contained some student and employee names and Social Security numbers. Unknown
Aug. 21, 2007 Walter Reed Army Institute of Research
(Silver Spring, MD)		 Boxes of documents containing personal information were supposed to be shredded but instead turned up last week in an off-base trash bin. Police do not believe anyone had access to the information other than the person who found the records. An investigation is under way to determine precisely what information they held and why they appeared off base. Unknown
Aug. 21, 2007 West Virginia Board of Barbers and Cosmetologists
(Charleston, WV)		 Every barber and cosmetologist licensed in the state of West Virginia since 1986 could now potentially be a victim of identity theft. Someone broke into the second floor office of the Board of Barbers and Cosmetologists and stole a safe. The director of the agency says the safe contains the personal information of thousands of hair dressers.

 

 Unknown
Aug. 22, 2007 California Public Employees' Retirement System (CalPERS)
(Sacramento, CA)
http://www.calpers.ca.gov/index.jsp?bc=/member/security-breach.xml&pst=RETIRED&pca=ST		 Roughly 445,000 retirees across the state received the brochures announcing an upcoming election to fill a rare vacancy on the board of the California Public Employees' Retirement System. All or a portion of each person's Social Security number appeared without hyphens on the address panel. 445,000
Aug. 23, 2007 New York City Financial Information Services Agency
(New York, NY)		 A laptop loaded with financial information on as many as 280,000 city retirees was stolen from a consultant who took the computer to a restaurant.

280,000

Not added to total. It is not clear that SSNs or financial account numbers were exposed.
Aug. 23, 2007 Loomis Chaffee School
(Windsor, CT)		 Valuable computer equipment, including two large storage devices were stolen during a night time burglary from the locked IT facility on campus. The stolen storage devices contained information about some recent graduates of the school, including their names, Social Security numbers, and contact information from their days as students at the school. Unknown
Aug. 23, 2007 Monster.com
(Maynard, MA)
http://help.monster.com/besafe/

Monster announced that the details of some 1.6 million job seekers had been stolen. Fewer than 5,000 of those 1.6 million users affected are based outside the United States. The information stolen was limited to names, addresses, phone numbers and email addresses, and no other details including bank account numbers were uploaded.
UPDATE (8/29/07) :
Hackers have stolen the names, e-mail addresses and telephone numbers of about 146,000 subscribers to USAJOBS.gov. The hackers accessed the information from the resume database run by Monster.com, which provides the technology for USAJOBS.gov. Monster Worldwide told OPM that no Social Security numbers were compromised.

1.6 Million

Not added to total. It does not appear that SSNs or financial account numbers were exposed.
Aug. 26, 2007 American Ex-Prisoners of War
(TX)		 Personal records including addresses and Social Security numbers of more than 35,000 veterans and their families were stolen this month from the offices of a POW support organization in Texas. Digital and paper records included information on the group’s entire membership, including addresses, dates of birth, Social Security numbers and VA claims data. 35,000
Aug. 27, 2007 University of Illinois
(Champaign-Urbana, IL)		 An e-mail sent Aug. 24 to about 700 University of Illinois engineering students contained a spreadsheet listing personal information, including addresses and grade point averages, of thousands of students. The spreadsheet attached to the mass mail did not contain Social Security numbers or the students' university identification numbers. But, the person who sent the mass e-mail attached a spreadsheet containing information on all 5,247 students in the College of Engineering. The spreadsheet included each student's name, e-mail address, major, gender, race and ethnicity, class, date admitted, spring 2007 grade point average, cumulative GPA, plus local address and phone number.

5,247

Not added to total. It does not appear that SSNs or financial account numbers were exposed.
Aug. 28, 2007 Connecticut Department of Revenue Services
(Hartford, CT)

A computer laptop with the names and Social Security numbers of more than 100,000 Connecticut taxpayers has been stolen. The Department of Revenue Services intends to launch a web page soon that residents can search to determine whether their personal information was stored on the laptop.

UPDATE (9/14/07): More than 2 dozen state laptops have gone missing since July 2006.

UPDATE (10/19/07): A supervisor at the state Department of Revenue Services was suspended without pay. His computer was stolen from his car in August at a hotel in New York. Police say it was possible the vehicle was not locked because there were no signs of a break-in.

 106,000
Aug. 30, 2007 Maryland Department of the Environment
(Annapolis, MD)		 A laptop computer containing personal information on people with state licenses has been stolen from a vehicle. It contains four databases that include personal information related to licenses issued by four state boards. Unknown
Aug. 30, 2007 AT&T
(Global Headquarters San Antonio, TX)		 A laptop containing unencrypted personal data on current and former employees of the former AT&T Corp. was stolen recently from the car of an employee of a professional services firm doing work for the company. That theft prompted the company to notify an unspecified number of individuals about the potential compromise of their Social Security numbers, names and other personal details. Unknown
Sept. 1, 2007 Johns Hopkins Hospital
(Baltimore, MD)		 A desktop computer containing the personal information of 5,783 Johns Hopkins Hospital patients was stolen. The computer included patients' names, Social Security numbers, birth dates and medical histories. 5,783
Sept. 4, 2007 Pfizer
(New York, NY)
(866) 274-3891		 A security breach may have caused employees' names, Social Security numbers, addresses, dates of birth, phone numbers, bank account numbers, credit card information, signatures and other personal information to be publicly exposed. The breach occurred late last year when a Pfizer employee removed copies of confidential information from a Pfizer computer system without the company's knowledge or approval. Pfizer didn't become aware of the breach until July 10. 34,000
Sept. 4, 2007 Brevard Public Schools
(Viera, FL)

A missing piece of luggage belonging to a state auditor contains the personal information of 61 Brevard Public Schools employees and had district personnel scrambling before the holiday weekend began to notify people that their names and Social Security numbers might be compromised.

UPDATE (9/21/07): Melbourne International Airport police arrested a 44-year-old defense subcontractor from California on charges of stealing luggage. He is in the Brevard County Jail, facing at least two charges of grand theft.

 

 61
Sept. 6, 2007 University of South Carolina
(Columbia, SC)		 A number of files containing Social Security numbers, test scores and course grades were exposed online. It appears the person responsible for the breach may not have known enough about computers to realize the information could be accessed outside the university system. 1,482
Sept. 9, 2007 De Anza College
(Cupertino, CA)
(408) 864-8292		 Thousands of former students might be at risk for identity fraud after an instructor's laptop computer, containing students' personal information, was stolen last month. The computer contained the students' names, addresses, grades and in many cases Social Security numbers. 4,375
Sept. 9, 2007 McKesson
(San Francisco, CA)
(866) 554-6366		 McKesson Health-care services company, is alerting thousands of its patients that their personal information is at risk after two of its computers were stolen from an office. Unknown (thousands)
Sept. 10, 2007 Purdue University
(West Lafayette, IN)
www.purdue.edu/news/coa0709.html
(866) 275-1181		 The university is warning those who were students in the fall of 2004 that information about them was inadvertently posted on the Internet. The information was in a document that contained the names and Social Security numbers of students in the Animal Sciences 102 class. The page was no longer in use but was on a computer server connected to the Internet. The document was found recently through an internal search and reported to the chief information security officer at Purdue. 111
Sept. 11, 2007 Pennsylvania Public Welfare Department
(Harrisburg, PA)		 Two computers containing the mental health histories of more than 300,000 medical-assistance recipients were stolen. The computer work stations were taken during an overnight break-in at an office. The mental health information on the computers identified people by codes and not by name. The information also was protected by multiple passwords, but full names and Social Security numbers of nearly 2,000 people were also on the computers. 2,000
Sept. 11, 2007 Gander Mountain
(Greensburg, PA)
(866) 986-2988		 Somebody either lost or stole a computer potentially containing the credit card information of anyone who has shopped at the Greensburg store since it first opened more than five years ago. Gander Mountain said credit card information for 112,000 customers of its Greensburg store might have been compromised. That includes 10,000 records with names, card numbers and expiration dates. 10,000
Sept. 12, 2007 TennCare / Americhoice Inc.
(Knoxville, TN)
To sign up for the free ID theft protection you must call AmeriChoice at (800) 690-1606.		 There are 67,000 TennCare enrollees at risk of identity theft after a courier service lost their personal information. The lost information includes names, Social Security Numbers, birthdays and addresses. 67,000
Sept. 13, 2007 Voxant.com
(Reston, VA)
(703) 964-0696		 The Voxant online ecommerce store server was hacked using what appeared to be a typical phishing scheme. The server is seperate from the primary business at www.voxant.com. The affected server was immediately taken offline and removed the offending phising pages. Encrypted credit card numbers could have been accessed during the incident. Although the credit card numbers were encrypted, the encryption key was not well protected. The database up through June 19-20 could have been affected, representing approximately 4,500 US customers. 4,500
Sept. 14, 2007 TD Ameritrade Holding Corp.
(Omaha, NE)
FAQ at http://www.elvey.com/IDTheft/spam_faq.cfm.html
For links to key legal documents, see http://datalossdb.org/incident_highlights/30-legal-sub-project-elvey-v-td-ameritrade
See also Settlement Documents:
http://www.stockspamsettlement.com/notice.html		 One of TD Ameritrade's databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken. "We were able to conclude that while Social Security Numbers are stored in this particular database, your SSN were not retrieved." The company said names, e-mail addresses, phone numbers, and home addresses were taken in the data breach. Company customers received unwanted spam because of this breach.
UPDATE (4/28/09):
It is our practice to include in the "Total" the number of records in which sensitive personal information such as SSNs and financial account numbers have been exposed. After further review, we have added 6 million to this list's "Total." To the best of our knowledge, this represents the number of records in this breach containing SSNs. Source: http://www.citizen.org/ litigation/forms/cases/ CaseDetails.cfm?cID=499 TD Ameritrade sent a mass email on September 14, 2007 to its customers admitting SSNs had been compromised: "[W]e recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases ... to be retrieved by an external source [and] Social Security Numbers are stored in this particular database... " A copy can be found at http://www.bargaineering.com/
articles/td-ameritrade-
discovers-database-breach.html.		 6.3 million
Sept. 14, 2007 Tennessee Tech University
(Cookeville, TN)		 Some 3,100 current or past students who owe the university money were notified today that some of their personal data may have been compromised. A technical problem in the way student bills are printed resulted in the chance that some student social security numbers and personal identification numbers may have been sent to another student's address. 3,100
Sept. 19, 2007 Kansas University
(Lawrence, KS)		 A number of documents containing Kansas University student, faculty and staff personal information were recovered from the recycling and trash in the Mathematics Department at Kansas University. The information included student exams, student change of grade forms, class rosters, copies of health insurance cards, copies of immigration forms as well as a copy of a Social Security card. Unknown
Sept. 19, 2007 University of Michigan School of Nursing
(Ann Arbor, MI)		 Backup tapes containing patient information like Social Security numbers, patient names and addresses were stolen from the School of Nursing two weeks ago.

 

 8,585
Sept. 20, 2007 State of Connecticut/Accenture Ltd.
(Hartford, CT)

A backup tape was stolen in Ohio in June and contained data removed by Accenture from the state's Core-CT computer system, which performs all of the state's payroll, personnel, purchasing, accounting and inventory functions. The backup tape contained state agency bank account numbers, bank names and types of accounts, as well as the names and Social Security numbers of 58 of Connecticut taxpayers. Connecticut officials today revealed plans to file a civil complaint against IT consulting giant Accenture Ltd. related to this security breach involving stolen records tied to state agency bank accounts worth millions of dollars.

 58
Sept. 21, 2007

City of Columbus, Ohio
(Columbus, OH)
For Info: The Columbus Dispatch, http://www.dispatch.com

 

 

 The city of Columbus is offering identity-theft protection services to more than 3,000 people whose Social Security numbers were on three computers stolen from a warehouse. The theft affected people who had signed up for the city's Mobile Tool Library, which lends power tools, lawn mowers and supplies. 3,500
Sept. 21, 2007 Citigroup/ABN Amro Mortgage Group
(Norridge, IL)		 Three spreadsheets containing 5,200 Social Security numbers and other personal details about customers were inadvertently leaked over an online file-sharing network by a former employee. Tiversa, a company that monitors P2P networks, found Excel spreadsheets from the desktop of a financial analyst at ABN Amro Mortgage Group running LimeWire. Although Tiversa found over 10,000 files, deduplication revealed only 5,208 unique Social Security numbers, along with names and what type of mortgage each customer had. 5,208
Sept. 24, 2007 Utah Department of Workforce Services
(American Fork, UT)		 A laptop computer containing a spreadsheet with the the Social Security numbers and other personal information of about 2,000 people was reported stolen. 2,000
Sept. 28, 2007 Gap Inc.
(San Francisco, CA)
(866) 237-4007
www.gapsecurityassistance.com		 A laptop containing the personal information of certain job applicants was recently stolen from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc. Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.'s brands between July 2006 and June 2007 was contained on the stolen laptop. Social Security numbers were included in the information on the laptop. 800,000
Oct. 2, 2007 The Nature Conservancy
(Arlington, VA/ also Arkansas-located in Little Rock, Fayetteville, Arkadelphia, Batesville and Ponca)		 A hacker illegally gained access to a computer of The Nature Conservancy containing personal information on current and former employees and their dependents. The stolen information included the names, home addresses, Social Security numbers and birth dates. It also included direct deposit bank account numbers for employees who were on the payroll between 2000 and 2004, as well as the Social Security numbers of those employees’ dependents. When employees accessed a particular Web site, the site planted a program on the employees’ computers that copied the contents of the hard drives and sent the information to the hacker. 14,000
Oct. 2, 2007 Athens Regional Health Services
(Athens, GA)
(706) 475-4369		 A computer missing from a Regional First Care clinic in Watkinsville held the personal information of more than 1,400 people, according to Athens Regional Health Services. Workers first noticed on Sept. 24 that the computer was missing. The computer held Social Security numbers for 85 people, some health information for 545 people and the name, address and/or telephone numbers of 811 people. No credit card or other financial information was stored on the computer, which was a backup server for the Watkinsville clinic. 1,400 only 85 people were affected by SSn.
Oct. 4, 2007 Massachusetts Division of Professional Licensure
(Boston, MA)
mass.gov/dpl or call (617) 973-8100		 Social Security numbers of about 450,000 licensed professionals were inadvertently released. The information was mailed last month to agencies that submitted a public records request for the names and addresses of professionals licensed by the division. The division mailed 28 computer disks to 23 agencies that use the information as a marketing or promotional tool. The disks would normally contain only the names and addresses of individuals licensed through the Division of Professional Licensure and the Division of Health Professions Licensure. However, the disks also included Social Security numbers. 450,000
Oct. 8, 2007 University of Iowa
(Iowa City, IA)
www.uiowa.edu/~phil/SSN.shtml		 A laptop computer was stolen from a former teaching assistant. The theft of the computer, which occurred last month in a break-in of the instructor's home, contained class records such as attendance, test scores, and grades of students who took his philosophy courses at the UI between 2002 and 2006. Social Security numbers were also present in 100 of the records. 184
Oct. 8, 2007 Carnegie Mellon University
(Pittsburgh, PA)		 Two laptops were stolen from the office of a computer science professor. Both of the computers were believed to have contained significant personal identifying data, such as Social Security numbers. Unknown
Oct. 8, 2007 Semtech
(Camarillo, CA)		 A laptop computer and other personal belongings were stolen from one of Semtech's vendors. The computer was not stolen from a Semtech facility, but may have contained computerized data relating to Semtech employees. Semtech declined to provide further details of the incident, such as what personal employee data may have been put at risk, when the theft happened or how long it took the company to inform its workers of the potential breach. Unknown
Oct. 9, 2007 Pembroke Schools
(Pembroke, MA)
(781) 829-1178
 Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district’s computer system. The information included names, birth dates and Social Security numbers. Unknown
Oct. 10, 2007 Wheels Inc./Pfizer
(Des Plaines, IL)		 The spouses and domestic partners of about 1,800 Pfizer employees, including 23 from Connecticut, learned late last month about a data breach at Wheels Inc., which provides cars to the company, mostly for use by its sales force. The breach at Wheels, first reported by the Pharmalot Web site, released onto the Internet names, addresses, birth dates and driver's license numbers, but not Social Security numbers, according to the company. 1,800 + 23
Not included in Total because it is not clear if SSNs were exposed.
Oct. 10, 2007 Commerce Bank
(Wichita, KS)		 A hacker gained access to a database with about 3,000 customer records and accessed data belonging to 20 of them. The bank is contacting those who may have been affected. The hacking was quickly detected and stopped, according to Commerce Bank, which then notified law enforcement. 20
Oct. 12, 2007 King County Transportation Department
(Seattle, WA)		 A laptop computer containing personal information about current and former employees has been stolen. Workers' names, addresses and Social Security numbers were on the password-protected laptop, which was stolen during a Sept. 28 home burglary. The information was not encrypted. 1,400
Oct. 13, 2007 Montana State University
(Bozeman, MT)
(406) 994-6550
eu.montana.edu/security		 An unknown hacker remotely accessed a computer server that housed records containing credit card numbers and Social Security numbers of students who enrolled online for MSU Extended University courses during the last two years. The data in question were encrypted, and there is no evidence that personal information was stolen. 1,400
Oct. 15, 2007 Transportation Security Administration
(Arlington, VA)		 Two laptop computers with detailed personal information about commercial drivers across the country who transport hazardous materials are missing and considered stolen. The laptops contained the names, addresses, birthdays, commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people. 3,930
Oct. 16, 2007 Administaff Inc.
(Houston, TX)		 Current and former workers personal data may be compromised because of a stolen laptop. The data wasn't encrypted when it was stored on the portable computer, which is password-protected. Data stored on the laptop included names, addresses and Social Security numbers for most employees paid by Administaff in 2006. 159,000
Oct. 17, 2007 Home Depot
(Boston, MA)		 A laptop computer containing about 10,000 employees' personal data was stolen from a regional manager's car. The computer, which was password protected, didn't contain any customer information. The laptop contained names, home addresses and Social Security numbers of certain Home Depot employees. 10,000
Oct. 17, 2007 Louisiana Office of Student Financial Assistance
(Baton Rouge, LA)
http://www.osfa.state.la.us/notice.htm		 Sensitive data for virtually all Louisiana college applicants and their parents over the past nine years were in a case lost last month during a move. The data included Social Security numbers for applicants and their parents. The bank account information for START account holders also was involved. The data included Social Security numbers for applicants and their parents. The bank account information for START account holders also was involved. Unknown
Oct. 18, 2007 University of Cincinnati
(Cincinnati, OH)		 The personal information of thousands of University of Cincinnati students and graduates has been stolen. A flash drive was taken from a UC employee last month. It contained the Social Security numbers and other data for more than 7,000 people. 7,000
Oct. 23, 2007 West Virginia Public Employees Insurance Agency
(Charleston, WV)
(800) 435-4351		 West Virginia officials are alerting 200,000 past and current members of three health insurance programs that a computer tape containing full names, addresses, phone numbers, Social Security numbers and marital status was lost last week while being shipped via United Parcel Service. 200,000
Oct. 23, 2007 Blockbuster
(Sarasota, FL)		 A Sarasota resident was fishing in a trash container for boxes when he found 400 documents. These documents included membership forms and employment applications with names, addresses, credit card numbers and Social Security numbers. Unknown
Oct. 23, 2007 Dixie State College
(St George, UT)
(866) 295-3033
idprotect@dixie.edu		 An unauthorized person reportedly gained access to a computer system and confidential files, including Social Security numbers, birth date information and addresses for some 11,000 alumni and current DSC employees who graduated or worked at DSC from 1986 to 2005. 11,000
Oct. 23, 2007 Bates College
(Lewiston, ME)		 Two publicly accessible documents that contained the records of nearly 500 recipients of the federal Perkins Loan, along with each recipient's address, date of birth, Social Security number, legal name and loan amount, were accessible on the Bates network. 500
Oct. 24, 2007 Not Your Average Joe's
(Dartmouth, MA)		 Massachusetts restaurants were targeted by an individual or individuals seeking to illegally obtain credit card data. The data that was compromised included credit card numbers, expiration date and name associated with the card. Unknown
Oct. 25, 2007 University of Akron
(Akron, OH)		 A microfilm containing the personal information of alumni were missing. Names, previous addresses, phone numbers, birth dates and Social Security numbers was on the missing microfilm. 1,200
Oct. 28, 2007 Art.com
(Lockbourne, OH)		 Cyberspace criminals gained systems entry despite "multiple security layers" and accessed some credit card transactions. The retailer of posters, prints and framed art alerted customers that hackers had gotten into the website to access credit card accounts. Unknown
Oct. 29, 2007 United States Postal Service
(Oahu, HI)		 Employees' names, Social Security numbers and other information were on a laptop computer that was stolen. 3,000
Oct. 29, 2007 ABC Phones/ACC Communications
(Greenville, NC)		 Two men found a box in a dumpster. The cell phone business recently moved and threw away documents that contained personal information from customers. The information contained driver's license numbers, Social Security number, bank account numbers, credit card numbers, work and home addresses. Unknown
Oct. 30, 2007 University of Nevada, Reno
(Reno, NV)		 A University of Nevada, Reno a administrative employee has lost a flash drive that contained the names and Social Security numbers of 16,000 current and former students. 16,000
Oct. 30, 2007 Hartford Financial Services Group
(Hartford, CT/ OH)		 Three backup tapes that contained personal information of 230,000 customers, including 9,200 Ohioans, mainly of the company's property lines, were misplaced.

230,000
Oct. 30, 2007 Pathology Group
(Memphis, TN)		 Someone broke into a locked office building, several computers with flat screen monitors were stolen. One of those computers had patient information on about 75,000 people. This information included names, addresses, Social Security number, even medical information 75,000
Nov. 1, 2007 City University of New York
(New York City, NY)		 A broken laptop containing personal information was taken from the school's financial aid office. 20,000
Nov. 2, 2007 Montana State University
(Bozeman, MT)
(406) 994-6550
eu.montana.edu/security		 MSU learned that an employee's laptop computer had been stolen somewhere off-campus. It contained the Social Security numbers of 216 students and employees who lived in on-campus housing from 1998 to 2007 216
Nov. 2, 2007 Montana State University
(Bozeman, MT)
(406) 994-6550
eu.montana.edu/security		 An independent security watchdog group informed MSU that an Excel spreadsheet with the names and Social Security numbers of 42 people, most of them hired in the summer of 2006, was publicly accessible on MSU's Web site. 42
Nov. 2, 2007 Montana State University
(Bozeman, MT)
(406) 994-6550
eu.montana.edu/security		 While investigating that breach, MSU data-security staff found another Excel spreadsheet accidentally posted on the MSU Web site since 2002. It contained the Social Security numbers of 13 people who got travel vouchers from the computer science department in the College of Engineering.
 13
Nov. 5, 2007 Alabama Department of Public Health
(Montgomery, AL)		 The personal information, including the names, ages and Social Security numbers of families enrolled in the state's ALL Kids health care coverage program, were accidentally sent to the wrong families last week. 1,554 affected families were alerted that some of their confidential information might have been released. 1,554
Not added to total due to unclear total.
Nov. 6, 2007 Butte Community Bank
(Chico, CA)
(866) 488-8588		 A laptop with customers' personal information including names, addresses, Social Security numbers and bank account numbers was stolen from Butte Community Bank. Unknown
Nov. 7, 2007

University of Connecticut Foundation/Convio
(Storrs, CT)
(800) 269-9965
security@foundation.uconn.edu
http://www.friends.uconn.edu/ct/x1qm7ud1qm0J/

 UConn was notified of a security breach by an outside party on the network of Convio, Inc., a vendor used by The University of Connecticut Foundation, Inc. for processing online gift transactions and communicating by e-mail. This breach affected 92 of Convio’s clients nationwide, including the UConn Foundation. User name and password for Convio account preferences was compromised in this breach. Unknown
Nov. 7, 2007 Carolinas Medical Center - NorthEast
(Concord, NC)		 A paramedic left a computer on the back bumper of an ambulance and then drove away. The laptop contains names, addresses, phone numbers and Social Security numbers of approximately 28,000 people who have been cared for by the Cabarrus County EMS over the last four years. 28,000
Nov. 13, 2007

Commerce Bancorp
(Philadelphia, PA)

 

 A Commerce Bancorp Inc. employee gave out personal information on an unspecified number of the Cherry Hill bank's customers. The Bank discovered the breach through an internal investigation and sent letters to affected customers. The bank does not know if the information included account numbers and Social Security numbers. Unknown
Nov 15, 2007 Roudebush Veteran's Administration Medical Center
(Indianapolis, IN)		 Two personal computers and a laptop computer were allegedly stolen from an unsecured room. One of the stolen computers contained the names, Social Security numbers and dates of service of approximately 12,000 veterans.
UPDATE (3/19/08) : A 50 year old Indianapolis man was arrested Monday on one count of Class D felony theft after investigators identified him from surveillance video. A probable cause affidavit, a sworn police statement filed in support of the charge, identifies him as a former patient at the facility.The man has been charged in the disappearance of hospital computer equipment that contained the records of nearly 12,000 patients.		 12,000
Nov. 16, 2007 A.J. Falciani Realty Company
(Vineland, NJ)		 Computers containing the personal information of between 500 to 1,000 clients of A.J. Falciani Realty Company were taken in a burglary. Many of the stolen computers stored the names, addresses, Social Security numbers, dates of birth, telephone numbers and other information on the company's clients. Unknown
Nov. 16, 2007 University of Wisconsin-Whitewater
(Whitewater, WI)		 Officials were notified by one individual about his ability to access a online search feature for the schools website. A search feature that could be used to see student names and Social Security numbers along with some other limited student information. Access to the feature was promptly disabled upon notification of the problem. Unknown
Nov. 16, 2007 U.S. Department of Veteran Affairs
(Washington D.C)		 Investigation from a man's home uncovered a computer that held about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where he had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file. 185,000
Nov. 17, 2007 Ohio Masonic Home / Battelle & Battelle LLC
(Springfield, OH)		 A laptop stolen from a Kettering auditing firm contained personal information on employees of up to 10 businesses, including Springfield-based Ohio Masonic Home. Battelle & Battelle LLC would not disclose the number of individuals affected by the theft but Masonic Home officials said 600 of its employees' information was stored in the laptop. 600
Nov. 21, 2007 University of Florida
(Gainesville, FL)
Those who suspect their Social Security numbers were posted can search their names on the Web site www.ssnbreach.org

More than 400 former UF students might have been put at risk for identity theft after their Social Security numbers were posted on UF's Computing & Networking Services Web site. A news release from the Liberty Coalition, a group that works to preserve the privacy of individuals, said 14 files on the Web site contained "sensitive information" of 534 former UF students, including 415 Social Security numbers.

 415
Nov. 21, 2007 United Healthcare
(New York, NY)		 United Healthcare posted the Social Security numbers of doctors at Columbia University’s faculty practice on a public Web site. United posted the taxpayer identification numbers, some of which were Social Security numbers, alongside the names of 993 providers at Columbia who participate in the insurer’s network. The list was supposed to be accessible to Columbia employees during the current open enrollment period Unknown
Nov. 29, 2007 American Red Cross
(North Dallas)		 Six boxes were left unattended in a public hallway for more than six hours. The files contained personal information of current and former employees and were placed there by human resources. Names, addresses and social security numbers could have easily been stolen. The files also contained embarrassing information, including disciplinary actions, results from a drug test, a sexual harassment case; even someone's criminal record from another state. Unknown
Nov.30, 2007 Prescription Advantage
(MA)
(866) 523-6846 or (877) 610-0241 for those who are hearing impaired.		 The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their personal information may have been snatched by an identity thief. Local authorities arrested a lone identity thief who had been using information taken from the program in an attempted identity theft scheme. Although the thief used information from just a small number of participants in the scheme, state data-breach laws require that the 150,000 people who could have possibly been affected by the breach be contacted. 150,000
Dec. 1, 2007 Community Blood Center/Battelle & Battelle LLC
(Oakwood, OH)		 Battelle & Battelle LLC was conducting an audit of the blood center's 401K plan when a laptop was stolen from a Battelle employee's vehicle. Up to 600 employees appeared to be affected. 600
Dec. 4, 2007 Indianapolis Power and Light
(Indianapolis, IN)
(317) 261-4845		 The private information of thousands of customers was inadvertently posted online for up to four years. Data included names, addresses and Social Security numbers. 3,000
Dec. 4, 2007 Duke University
(Durham, NC)		 Social Security numbers of about 1,400 prospective law school applicants may have been compromised when a school Web site was accessed illegally. 1,400
Dec. 5, 2007 Memorial Blood Centers
(Duluth, MN)
Hot Line (888) 333-1491
Contacts:
Memorial Blood Centers
Laura Kaplan, (651) 332-7220
lkaplan@mbc.org
or
Weber Shandwick
Jim McCartney,(952) 346-6688
A laptop computer holding donor information was stolen. About 268,000 donor records on this laptop computer contain a donor name in combination with the donor’s Social Security number. 268,000
Dec. 5, 2007 Forrester Research
(Cambridge, MA)		 Thieves stole a laptop from the home of a Forrester Research employee, potentially exposing the names, addresses and Social Security numbers of an undisclosed number of current and former employees and directors. unknown
Dec. 6, 2007 Oak Ridge National Laboratory
(Oak Ridge, TN)		 Hackers may have infiltrated a non-classified database containing names, Social Security numbers and birth dates of every lab visitor between 1990 and 2004. The assault was in the form of phony e-mails containing attachments, which when opened allowed hackers to penetrate the lab's computer security. The lab has sent letters to about 12,000 potential victims. 12,000
Dec. 7, 2007 Beacon Medical Services
(Aurora, CO)		 Detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time. The data included details of patients' visits to emergency rooms -- what ailments they complained of, diagnoses, treatments, and medical histories, along with the patients' names, occupations, addresses, phone numbers, insurance providers, and in some cases, Social Security numbers. The company is trying to determine the exact number of patients affected, but Beck says the number looks to be fewer than 5,000. Unknown
Dec. 7, 2007 Colorado Board of Dental Examiners
(Lone Tree, CO)		 More than a hundred Colorado dentists and their patients could be at risk for identity theft after a car containing a bag of sensitive information was stolen. Authorities found the car a few days later at an apartment complex where one of the alleged thieves lived. Inside the unit, police discovered a massive amount of personal information from previous crimes. Social Security numbers, dates of birth, the credit card numbers, the pin numbers to those credit cards, they even have the photo IDs of the individuals they stole those credit cards from. Unknown
Dec. 10, 2007 Cameron County
(Brownsville, TX)		 An employee released an e-mail with a list of all county officials and employees. It reportedly contained names, Social Security numbers, and salaries. Unknown
Dec. 10, 2007 Sutter Lakeside Hospital
(Lakeport, CA)
(866) 785-6443.		 A laptop computer containing personal and medical information of approximately 45,000 former patients, employees and physicians has been stolen from the residence of a contractor. 45,000
Not added to total. It is not clear if SSNs or financial account numbers were exposed.
Dec. 10, 2007 Iowa Department of Natural Resources
(Des Moines, IA)		 A contractor working for the DNR revealed that a computer jump drive containing the names and Social Security numbers for 7000 people is missing. The contractor believes the jump drive fell off of his desk and into a garbage can. 7,000
Dec. 14, 2007 Deloitte & Touche
(New York, NY)		 A laptop containing the personal information of an undisclosed number of Deloitte & Touche partners, principals and employees was stolen while in possession of a contractor responsible for scanning the accounting firm's pension fund documents. The computer contained confidential data, including names, Social Security numbers, birth dates, and other personnel information, such as hire and termination dates. Unknown
Dec. 17, 2007 West Penn Allegheny Health System
(Pittsburgh, PA)
(866) 559-6309 Monday through Friday from 10 a.m. to 6 p.m. or e-mail the hospital at askquestions@wpahs.org.		 The names, Social Security numbers, phone numbers, addresses and patient care information of 42,000 patients were all on a laptop computer stolen from a nurse’s home. Only home care and hospice patients could be impacted, not patients at the hospitals. 42,000
Dec. 18, 2007 Brownsville School District
(Brownsville, PA)		 Forms with employee personal information littered the fence of a Brownsville school district warehouse. Information on litter contained confidential letters with names, bank account numbers, and Social Security numbers. The forms may be more than ten years old, but they each contain information that's still valuable. Unknown
Dec. 18, 2007 Pennsylvania Department of Aging
(Harrisburg, PA)		 A state Department of Aging-owned laptop computer containing personal information on senior citizens was stolen from a Johnstown home. The information included names, addresses, Social Security numbers and some medical information. 21,000
Dec. 20, 2007 Dormitory Authority of the State of New York
(Manhattan, NY)		 Data tapes containing Social Security numbers, phone numbers and addresses for up to 800 current and former employees of the state Dormitory Authority are missing. 800
Dec. 20, 2007 Greenville County School District
(Greenville, SC)		 The district notified employees last week that the computers had been compromised and that employees' personal information was taken, including their names, home phone numbers and Social Security numbers. Unknown
Dec. 21, 2008 Connecticut Department of Motor Vehicles
(Wethersfield, CT)		 The Connecticut Department of Motor Vehicles is notifying customers that their personal information may have been on a computer stolen from a mobile service center vehicle while it was being repaired. Personal data on the computer included names, addresses, date of birth, license numbers, photo and signature. 155
Dec. 21, 2007 Franklin County Municipal Court
(Columbus, OH)		 At least six central Ohioans are now under investigation by the U.S. Secret Service for hacking into a government Web site and stealing Social Security numbers to create false credit accounts. More than 270 people nationwide might have been victimized by a security lapse in the Franklin County Municipal Court Web site. Someone was randomly feeding Social Security numbers into a clerk's site, which contained personal information for thousands of people charged with misdemeanors, some guilty of only a speeding ticket. Once a number was hit on, the name, address, age and other information could be used to obtain credit cards and open bank accounts.

 

 270
Dec. 28, 2007 Minnesota Department of Commerce
(St. Paul, MN)		 A laptop computer containing personal information on Minnesotans licensed by the state Commerce Department was stolen from one of its Pennsylvania vendors. 219
Dec. 28, 2007 Davidson County Election Commission
(Nashville, TN)		 Someone broke into several county offices over Christmas and stole laptop computers that county officials now believe may have contained Social Security numbers and other personal information for every registered voter in Davidson County.
UPDATE (1/19/08): Metro Police confirmed late Thursday they have recovered the hard drive from the laptop computer, containing names and complete Social Security numbers for 337,000 registered voters, that was stolen from the Election Commission in December.

 

 337,000
Dec. 28, 2007 United States Air Force
(Washington DC)		 A military laptop computer is missing and it contains personal information including Social Security numbers, birth dates, addresses, and telephone numbers of active and retired Air Force members. The laptop belonged to an Air Force band member at Bolling Air Force Base, he reported it missing from his home. 10,501
2008 NAME (Location) TYPE OF BREACH NUMBER OF RECORDS
Jan. 2, 2008 Workers Compensation Fund
(Salt Lake City, UT)		 Officials with one of Utah's largest insurance companies are searching for a stolen laptop containing Social Security numbers and other personal information for about 2,800 people and 1,400 companies. The computer was taken from a car parked in the home garage of an auditor for the Workers Compensation Fund. 2,800
Jan. 3, 2008 Robotics Industries Association
(Ann Arbor, MI)		 A hacker accessed the administration site for Robotics Online gaining access to individual orders that contained credit card information. Seven residents of NH were affected, but national totals were not indicated. Unknown
Jan. 3, 2008 Dorothy Hains Elementary School
(Augusta, GA)		 The library door was kicked in and the circulation computer was stolen, something the principal desperately wants back because it has the Social Security numbers of students and teachers on it. Unknown
Jan. 4, 2008 Health Net
(Mountain View, CA/CT)		 Thousands of Health Net employees in Connecticut and other states have been notified that their names and Social Security numbers were on a laptop computer that was stolen more than a month ago from a company vendor. The laptop had information on about 5,000 employees companywide and an undisclosed number of health-care providers outside the Northeast. 5,000
Jan. 4, 2008 Florida Department of Children and Families
(Orange, Seminole, Osceola, FL)		 Social Security numbers, birth dates and other information about day-care workers in Orange, Seminole and Osceola counties were among the data on five laptop computers that were stolen from the DCF office near Orlando. 1,200
Jan. 4, 2008 Maryland Department of Assessments and Taxation
(Baltimore, MD)		 The Maryland Department of Assessments and Taxation Web site may have exposed Social Security numbers online because the application system did not have a necessary security certificate to encrypt the information before it was sent out over the Internet. Roughly 900 people used the system. 900
Jan. 5, 2008 New Mexico State University
(Las Cruces, NM)		 A computer hard drive containing the names and Social Security numbers of current and former NMSU employees is missing from the Pan American Center. Unknown
Jan. 7, 2008 Sears/ManageMyHome.com
(Cook County, IL)		 Sears' ManageMyHome.com site exposed customer purchase data to any online visitor who asked about it. Unknown
Jan. 7, 2008 Geeks.com
(Oceanside, CA)		 Personal and financial data may have been compromised by an intrusion into the systems of the online retailer's Web site. Compromised information included the names, addresses, telephone numbers and Visa credit card numbers. Unknown
Jan. 8, 2008 Wisconsin Department of Health and Family Services
(Madison, WI)		 Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state, Electronic Data Systems Inc. (EDS), to recipients of SeniorCare, BadgerCare and Medicaid. The company agreed to pay $250,000 to the state for the mistake, as well as paying for an identity theft monitoring service for the affected individuals, for a total of about $1 million.. 260,000
Jan. 8, 2008 University of Georgia
(Athens, GA)		 Former and perspective residents of a university housing complex effected by a hacker that was able to access a server containing personal information, including Social Security numbers. A computer with an overseas IP address was able to access the personal information — including Social Security numbers, names and addresses — of 540 current graduate students living in graduate family housing and 3,710 former students and applicants. 4,250
Jan. 10, 2008 Select Physical Therapy
(Levelland, TX)		 The company dumped about 4,000 pieces of sensitive customer information in garbage containers behind its facility. The records included Social Security numbers, credit and debit card account numbers, names, addresses and telephone numbers. 4,000
Jan. 11, 2008

University of Akron
(Akron, OH)

A portable hard drive containing personal information is missing and may have been discarded or destroyed. The device contained Social Security numbers, names and addresses of students and graduates.

 800
Jan. 11, 2008 University of Iowa
(Iowa City, IA)		 Iowa College of Engineering has notified some of its former students that some of their personal information, including Social Security numbers, was inadvertently exposed on the Internet for several months. 216
Jan. 11, 2008 Virginia Department of Social Services
(Richmond, VA)		 The Department of Social Services has mailed about 1,500 letters to warn of a "potential security breach" involving a department computer that police suspect was used to commit fraud. A woman is accused of using her work computer while employed by Social Services last summer to apply for a credit card using her landlord's information. She was charged with two felony counts, credit card fraud and forgery, and is accused of spending nearly $1,000 on the card.

 

 1,500
Jan. 12, 2008 California State University, Stanislaus
(Turlock, CA)		 A possible data breach occurred on a food vendor's computer server. Credit card numbers, cardholder names and expiration dates were exposed, leaving hundreds, possibly thousands, of university students, staff and guests open to identity theft, with victims reporting fake charges on their cards. Social Security numbers were not accessible. Unknown
Jan. 14, 2008 Tennessee Tech University
(Cookeville, TN)		 A portable storage drive containing the names and Social Security numbers of 990 students has been lost. A school employee transferred the information onto a portable flash drive when the printer where he was working did not print. The employee noticed the drive was missing the next morning. 990
Jan. 15, 2008 Department of Revenue Wisconsin
(Lena, Marinette, Little Suamico, Freedom, Kaukauna, Kimberly, Little Chute, Krakow, Keshena and Lakewood, WI)		 Taxpayers in northeastern Wisconsin had their Social Security numbers exposed in a state mailing. A folding error, apparently the result of a faulty machine, allowed the Social Security numbers to be seen through the clear address window of the envelope. 5,000
Jan. 15, 2008 Naval Surface Warfare Center Dahlgren Division
(White Oak, MD)
(800) 352-7967		 Officials at the Naval Surface Warfare Center are warning past and present employees that their identities and credit ratings could be at risk. Two pages of a Naval Surface Warfare Center Employment Verification Report was found when four people were arrested in Bensalem Township, Pa., last week for attempted identity fraud. The report included names, Social Security numbers, birth dates, position titles, tenure codes, pay grades, salaries and other information about the employees. Unknown
Jan. 16, 2008 University of Wisconsin-Madison
(Madison, WI)		 The personal information, including e-mail addresses, phone numbers, Social Security numbers and campus ID numbers of faculty and staff who made purchases from the DoIT computer shop had been accessible on a campus Internet site. Unknown
Jan. 17, 2008 GE Money / Iron Mountain
(Boston, MA)		 Personal information on customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing. The missing information includes Social Security numbers for about 150,000 people. 150,000
Jan. 23, 2008 Baylor University
(Waco, TX)		 A student employee breached the security of the Baylor Information Network to access the Bear ID and passwords of those logging on to the BIN. This access didn't include sensitive information like Social Security Numbers, financial information or academic records. It was just unlawful access to Bear IDs and passwords. The information did, however, give access to Baylor e-mail and Blackboard accounts. Unknown
Jan. 24, 2008 Fallon Community Health Plan
(Worcester, MA)		 A vendor computer containing personal information on patients of Fallon Community Health Plan has been stolen. The data included names, dates of birth, some diagnostic information and medical ID numbers. Some of which may be based on Social Security numbers. 30,000
Jan. 24, 2008 OmniAmerican Bank
(Fort Worth, TX)		 An international gang of cyber criminals hacked into the bank's records. They stole account numbers, created new PINs, fabricated debit cards, then withdrew cash from ATMs in Eastern Europe, Russia, Ukraine, Britain, Canada and New York. Fewer than 100 accounts, some of them dormant, were compromised. Unknown
Jan. 25, 2008 Penn State University
(University Park, PA)		 A university laptop containing archived information and Social Security numbers for 677 students attending Penn State between 1999 and 2004 was recently stolen from a faculty member. 677
Jan. 28, 2008 T. Rowe Price Retirement Plan Services
(Baltimore, MD)		 Current and former participants in “several hundred” retirement plans had their names and Social Security numbers contained in files on computers that were stolen. 35,000
Jan. 29, 2008 Georgetown University
(Washington, DC)		 A hard drive containing the Social Security numbers of Georgetown students, alumni, faculty and staff was reported stolen from the office of Student Affairs. 38,000
Jan. 29, 2008 Wake County (NC) Emergency Medical Services
(Raleigh, NC)		 A Panasonic Toughbook used by county paramedics to store patient information on ambulance runs went missing from the WakeMed emergency department and now is thought to have been stolen. The laptop contained names, addresses and Social Security numbers.
UPDATE (2/7/08): They have raised the patients estimate from 850 to 1,188. The laptop also may have the names and Social Security numbers of 3,454 emergency personnel. The number includes county paramedics, firefighters and contracted emergency medical technicians and paramedics from municipal agencies.		 1,188
plus 3,454
Jan. 29, 2008 Horizon Blue Cross Blue Shield
(Newark, NJ)		 More than 300,000 members names, Social Security numbers and other personal information were contained on a laptop computer that was stolen. The laptop was being taken home by an employee who regularly works with member data. 300,000
Jan. 29, 2008 Trans Union/Intelenet Global Services
(Fullerton, CA/Plano, TX)		 Credit profiles of “50 to 100 Americans have been altered” by the two employees of Malad-based Intelenet Global Services. the two arrested Intelenet employees—had been accessing and altering the data since August 2005. The statements of bank accounts of the two men revealed that money was being deposited from an international source for the past few months. Unknown at this time.
Jan. 30, 2008 Davidson Companies
(Great Falls, MT)		 A computer hacker broke into a database and obtained the names and Social Security numbers of virtually all of the Great Falls financial services company's clients. The database also included information such as account numbers and balances. 226,000
Jan. 31, 2008 South Carolina Department of Health and Environmental Control
(Spartanburg, Cherokee, Union, Greenville and Pickens counties, SC)		 A laptop containing the names and Social Security numbers of state health department employees is missing. The computer was inside a worker's vehicle when it was stolen last week from a convenience store. State officials say the password-protected computer contains personal information of state health department workers from Spartanburg, Cherokee, Union, Greenville and Pickens counties. 400
Jan. 31, 2008 University of Minnesota Reproductive Medicine Center
(Minneapolis, MN)		 A doctor at the fertility clinic lost a flash drive that was used to back up his computer. The drive held details of infertility treatments for 3,100 patients going back to 1999. The lost drive included names, birthdates, and in some cases, diagnostic information, details of treatments, whether or not patients had conceived, baby names, and birth weights -- but apparently no SSNs or financial information. 3,100
Feb. 1, 2008 Marine Corps Bases Japan
(Okinawa, Japan)		 A laptop was stolen , which contained personally identifiable information for clients of Marine Corps Community Services' New Parent Support Program. The laptop may contain names, ranks, Social Security numbers, dates of birth, children's names and mailing addresses of U.S. military service members, U.S. government employees and Status of Forces Agreement personnel on Okinawa and Marine Corps Air Station Iwakuni. It does not include driver's license numbers or bank and credit card information. 4,000
Feb. 2, 2008 Diocese of Providence
(Providence, RI)		 Four computers were taken, and one had personal information on current and former Catholic school employees. The theft possibly exposed names, addresses and Social Security numbers. 5,000
Feb. 7, 2008 Memorial Hospital
(South Bend, IN)

A laptop containing the personal information of full and part time employees and retirees is missing. The missing computer contains their names, addresses, birth dates, ID numbers and Social Security numbers.

 4,300
Feb. 8, 2008 MLSgear.com
(Louisville, KY)		 Injection attacks on web servers hosted by a third-party service provider has compromised the personal data of an unspecified number of individuals who had shopped on Major League Soccer's MLSgear.com Web site. The compromised information included names, addresses, credit card data, debit card data, and MLSgear.com passwords. Unknown
Feb. 10, 2008 Administrative Systems, Inc
(Seattle, WA)		 A desktop computer stolen from an Administrative Systems, Inc. (ASI) office in Seattle contained names and sensitive information about customers or employees of several of the firm's clients: Continental American Medical, EyeMed Vision/Kelly Services Vision, and Jefferson Pilot Financial Dental. Personal details may have included name, date of birth, mailing address, and Social Security number, depending on the service being provided. Unknown
Feb. 11, 2008 Jefferson County Public Schools
(Arvada, CO)		 A special education technician had a personal laptop and jump drive stolen during a home robbery. Student name and date of birth, Student ID number, School location If the student has received district transportation additional information such as parent or guardian name and contact information, may also have been on the jump drive. The stolen information did not contain any Social Security numbers or financial information. 2,900
Feb. 12, 2008 Modesto City Schools
(Modesto CA)
(209) 576-4192		 A computer hard drive holding the names, addresses, birth dates and Social Security numbers of Modesto City Schools’ employees was stolen. 3,500
Feb. 12, 2008 Long Island University
(Brookville, NY)		 Students tax forms mailed to them last week in were in defective mailers. The mailers containing each student's annual 1098-T "Tuition Statement" were supposed to have adhesive on all four sides. But one side of each envelope was missing adhesive. The statement contains the student's name, address and Social Security number. 30,000
Feb 13, 2008 Milwaukee County
(Milwaukee, WI)		 Milwaukee County officials mistakenly released numerous confidential court records for a citizens group's Web site that detail payments for tests and other costs linked to to mental competency, paternity and guardianship cases. Entries for psychiatric examinations and guardianship fees in which the clients' names were still listed, Unknown
Feb. 13, 2008 Lifeblood
(Memphis TN)		 Laptop computers with birth dates and other personal information of roughly 321,000 blood donors are missing and presumed stolen. Stored inside both computers were names, birth dates and addresses at the time of the individual's last donation or attempted donation. In most cases, the donors' Social Security numbers were also stored, along with driver's licenses, telephone numbers, e-mail addresses, ethnicity, marital status, blood type and cholesterol levels. Social Security numbers had been used to track blood from the donor to the recipients. 321,000
Feb. 13, 2008 Middle Tennessee State University
(Murfreesboro, TN)		 A professor left the university computer unattended in the mass communication department about two weeks ago and an unidentified person is believed to have used the machine to send spam e-mails. The computer contained the names and Social Security numbers of past and current students. 1,500
Feb. 14, 2008 Tenet Healthcare Corporation
(Dallas, TX)		 A ex-employee worked at a Frisco, Texas, billing center for less than two years, and is confirmed to have stolen the names, Social Security numbers and other personal information of about 90 patients. The employee also had access to 37,000 other accounts. 37,000
Feb. 15, 2008 Systematic Automation Inc
(Fullerton, CA)		 Police filed possession of stolen property charges against a prison parolee who was arrested for having a computer with more than 40,000 names, addresses and Social Security numbers of California residents. The computer was stolen from Systematic Automation Inc., which processes individualized annual statements customized for employees with a summary of their health and other employee benefits. The hard drive contained employee information from 19 agencies. Some of the larger agencies include the Modesto City Schools, Clovis Unified School District, Los Angeles Department of Water and Power, and the Torrance Unified School District. 40,000
Feb. 15, 2008 Lexmark International
(Lexington, KY)		 The employee personal data was inadvertently exposed, it included Social Security numbers, dates of birth, along with names and addresses. The data was accessed by two unknown parties when the data was loaded to a company file sharing site. Unknown
Feb. 15, 2008 Crosslines Ministries of Carthage
(Carthage, MO)		 One of the largest aid agencies in Carthage was burglarized and files, containing the personal information of about 2,000 families, were stolen. Among the items stolen were paper files containing names, addresses, Social Security numbers and other personal information of individuals served by Crosslines. 2,000
Feb. 16, 2008 Texas A&M University
(College Station, TX)		 A computer file containing the names and Social Security numbers of current and former Texas A&M University agricultural employees was inadvertently posted online and accessible to the public for three weeks. 3,000
Feb. 18, 2008 First Magnus Financial
(Ft. Lauderdale, FL)		 Outside a University of Phoenix Building in Ft. Lauderdale, files and paperwork belonging to the defunct First Magnus Financial were just lying in stacked boxes inside an industrial garbage container. The paperwork contained Social Security numbers, credit card information, addresses, and properties. Unknown
Feb. 25, 2008 Mecklenburg County
(Charlotte, NC)		 A County employee's car was stolen, and in that car was a printout of bank draft transactions within the Park and Recreation Department. bank account information of an unknown number of people in Mecklenburg County has been stolen. Unknown
Feb. 27, 2008 Health Net Federal Services
(Rancho Cordova, CA)		 Thousands of doctors in eleven states had their personal information openly posted on a company website. Social Security numbers were part of the personal information exposed. The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia. 103,000
Feb. 29, 2008 Wellesley Health Department
(Wellesley, MA)		 Information in an envelope that had been mailed by the town’s health department to a Medicare office in Boston say when the envelope arrived, it was open and the contents were missing. The material included social security numbers, addresses and dates of birth of seniors who had received flu shots from the town last fall. 480
Mar. 3, 2008 Kraft Foods
(Northfield, IL)		 A company-owned laptop computer was stolen from an employee of Kraft Foods traveling on company business. The laptop contained the names and may have contained Social Security numbers. 20,000
Mar. 5, 2008 Nevada Department of Public Safety
(Carson City, NV)		 A private firm working for the Nevada Department of Public Safety has lost personal information provided by individuals seeking jobs with the agency. Data included Social Security numbers, addresses and background check information. 109
Mar. 6, 2008 Cascade Healthcare Community
(Prineville, OR)		 A computer virus may have exposed to outside eyes the names, credit card numbers, dates of birth and home addresses individuals who donated to Cascade Healthcare Community. 11,500
Mar. 8, 2008 MTV Networks
(Los Angeles, CA)		 Computer files with confidential data on employees at MTV Networks were breached by someone outside the company. Personal information in the files included names, birth dates, Social Security numbers and compensation data. 5,000
Mar. 10, 2008 Texas Department of Health and Human Services
(Austin, TX)		 Information, including Social Security numbers that could be used to steal Medicaid clients' identity may have been stored on two computers stolen during a burglary. Computers could have contained personal information only on e-mails. The e-mails, however, would normally contain only an individual's case number. It is unlikely those e-mails would have listed Social Security numbers. Unknown
Mar. 10, 2008 Central Florida Regional Hospital
(Sanford, FL)		 The medical records of Central Florida Regional Hospital patients were sold last month at a Salt Lake City surplus store for about $20. The records were sold to a local school teacher looking for scrap paper for her fourth-grade class. The records contained detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information. They were lost en route to a Medicare auditor in Las Vegas, NV. 28
Mar. 10, 2008 Blue-Cross Blue-Shield of Western New York
(Buffalo, NY)		 A laptop hard-drive containing vital information about members has gone missing. Blue-Cross Blue-Shield of Western New York says it is notifying its members about identity theft concerns after one of it's company laptops went missing. 40,000
Mar. 12, 2008 Harvard University
(Cambridge, MA)		 Harvard Graduate School of Arts and Sciences (GSAS) Web server may have compromised 10,000 sets of personal information from applicants and students, including 6,600 Social Security numbers and 500 Harvard ID numbers. 6,600
Mar. 13, 2008 University Health Care (Utah)
(SLC, UT)		 A laptop and flash drive containing patient data were stolen after hours from a locked office. Data included patients' names, addresses, and in some cases, medications, health insurance policy numbers, and Social Security numbers. 4,800
Mar. 15, 2008 Sterling Insurance and Associates
(Aspen, CO)		 A server stolen from the locked offices contained names, addresses, and Social Security numbers, dates of birth, driver's license numbers, and/or account information for an unspecified number of customers. Unknown
Mar. 15, 2008 Utah Division of Finance
(Salt Lake City, UT)		 Computer files containing the personal information of approximately 500 individuals may have been accessed by unauthorized persons during a security breach. An initial investigation indicates it is highly unlikely the person who breached the computer system was able to access any personal information. 500
Mar. 17, 2008

Hannaford Bros. Supermarket chain
(Portland, ME)
(866) 591-4580

 This security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company is currently aware of about 1,800 cases of reported fraud related to the security breach. Credit and debit card numbers were stolen during the card authorization transmission process. It's unclear if personal information was exposed. [Delete "but no personal information was divulged" -- it's obvious that personal info WAS compromised -- people have suffered fraud)
UPDATE (4/2/2009): An April 2, 2009, news story indicated that between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. About 1,800 fraudulent charges had been made.
UPDATE (5/14/2009): A federal appeals court has revived a Tampa class-action suit seeking money for Florida shoppers whose credit and debit card numbers were swiped in a data breach that hit 109 Sweetbay Supermarkets. The suit seeks free credit monitoring, credit repair if necessary and undetermined money damages to be split up among victims of the breach, including those unaware they were victims.
UPDATE (5/22/2009): A Maine U.S. District Court dismissed most of a class action lawsuit against Hannaford, finding that there is no way to value the time and effort that consumers spent in correcting fraudulent activity resulting from the breach. The case of one named plaintiff was not dismissed. That plaintiff suffered actual monetary damages for unreimbursed fraudulent charges.		 4.2 million
Mar. 17, 2008 Minneola City
(Minneola, FL)		 Nine Minneola firefighters are trying to keep their names clean after their personal information ended up on the city's Web site. The city clerk accidentally published the information. Social security numbers, phone numbers, addresses and personal information from union application cards found its way onto the city's Web site for over 36 hours. 9
Mar. 17, 2008 Binghamton University
(Binghamton, NY)		 A university employee mistakenly sent an e-mail attachment containing the names, grade point averages and Social Security numbers of junior and senior accounting students to another group of School of Management students. 300
Mar. 19, 2008 Affordable Realty
(Flint, MI)		 Social Security numbers and financial records of customers. Affordable Realty occupied office space inside the Ben Agree building on Dort Highway for years. The company was evicted and all of its sensitive customer information ended up outside in a dumpster or on the ground nearby. Unknown
Mar. 19, 2008 The Dental Network
(New Hampshire)
(866) 879-7402		 A security breach of The Dental Network web site left access to member personal data, including names, Social Security numbers, addresses and dates of birth unprotected for approximately two weeks. The Dental Network is an independent licensee of the Blue Cross and Blue Shield Association. 75,000
Mar. 19, 2008 UCLA Medical Center
(Los Angeles, CA)

UCLA Medical Center has moved to fire 13 employees and suspended six others for unauthorized access to confidential medical records.
UPDATE (8/5/08): The latest report said 127 workers peeked into celebrities' medical records without permission, leading to several firings, suspensions and warnings. The report also detailed the case of one employee who looked at the records of about 900 patients "without any legitimate reason" and viewed Social Security numbers, health insurance information and addresses, from April 2003 to May 2007.

 900
Mar. 20, 2008 Rampage Marketing Services
(Columbus, OH)		 The company, a licensed insurance agency, threw 14 boxes of files containing sensitive financial and medical information into a trash bin. An insurance agent for another company noticed the boxes in the shared bin and sent them back to the Insurance Department Unknown
Mar. 20, 2008 Pennsylvania Department of State
(Harrisburg, PA)		 The state was forced to pull the plug on a voter registration Web site after it was found to be exposing sensitive data about voters. Because of a Web programming error, the Web site was allowing anyone on the Internet to view data such as the voter's name, date of birth, driver's license number, and political party affiliation. On some forms, the last four digits of Social Security numbers could also be seen. 30,000
Mar. 20, 2008 Lasell College
(Newton, MA)		 A hacker accessed data containing personal information on about current and former students, faculty, staff and alumni. Information included names and Social Security numbers. 20,000
Mar. 21, 2008 Compass Bank
(Birmingham, AL)		 A database containing names, account numbers and customer passwords was stolen. A credit-card encoder and software to encode the information onto blank cards was also used to acquire information from ATMs. A former programmer at Birmingham, Ala.-based Compass Bank stole a hard drive containing 1 million customer records and used some of that information to commit debit-card fraud. The thief had used the information stolen from Compass Bank's database to create about 250 counterfeit debit cards. He was able to use about 45 of those cards to access and withdraw cash from customer accounts at the bank before he was arrested. 1,000,000
Mar. 21, 2008 Rhode Island Department of Administration
(Cranston, RI)		 A state computer disk containing Social Security numbers is missing. The information was discovered missing within the last two weeks when human resources staff members who had relocated from Providence to Cranston could not find the data on the server. 1,400
Mar. 22, 2008 Agilent Technologies
(Santa Clara, CA)		 A laptop containing sensitive and unencrypted personal data on current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor. The data includes employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards. Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - "in violation of the contracted agreement." 51,000
Mar. 22, 2008 Western Carolina University
(Cullowhee, NC)		 Someone had hacked into a computer server and had access to the Social Security numbers of 555 graduates of the university who had signed up for a newsletter. 555
Mar. 24, 2008 National Institutes of Health
(Bethesda, MD)		 A laptop was stolen from the trunk of a car. It contained information about heart disease patients, including their names, dates of birth and diagnoses of their medical conditions.
UPDATE (4/14/08): Ongoing review of the computer's last-known contents, performed on data backed up from the laptop before it was stolen, has found a file that, unbeknownst to the lead researcher, had been loaded onto the laptop by a research associate.That file included Social Security numbers for at least 1,281 of the 3,078 patients enrolled in the multi-year study, which is sponsored by the NIH's National Heart, Lung and Blood Institute.		 4,359
Mar. 26, 2008 Presbyterian Intercommunity Hospital
(Whittier, CA)		 About 5,000 past and current employees at Presbyterian Intercommunity Hospital had their private information stolen. The data included Social Security numbers, birth dates, full names and other records stored on a desktop computer that was stolen. 5,000
Mar. 26, 2008 Broward School District
(Coconut Creek, FL)		 An Atlantic Technical High School senior hacked into a district computer and collected Social Security numbers and addresses of district employees. 35,000
Mar. 26, 2008 Bank of New York Mellon
(Pittsburgh, PA)
(877) 278-3451
(877) 278-3461
www.bnymellon.com/tapequery/
Letter to customers:
www.privacyrights.org/ar/bnymellon-breachltr-aug08.pdf		 The company lost a box of computer data tapes storing personal information including names, Social Security numbers and possibly bank account numbers.
UPDATE (5/07/08): On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on about 4.5 million consumers -- hundreds of thousands of them People’s United Bank customers and investors -- and nine other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.
UPDATE (5/31/08): The Hartford Courant reports the following figures regarding the number of Connecticut shareholders affected by the lost computer tape:
403,894 People's United Bank
33,586 John Hancock Financial
18,361 Walt Disney Co.
10,000 the remaining shareholders
UPDATE (8/30/08): The estimated number of people affected by a data breach at Bank of New York Mellon Corp has been raised from 4.5 million to 12.5 million.
UPDATE (2/19/09):
The Bank of New York Mellon will pay Connecticut $150,000 as part of a settlement. The bank will continue to provide those affected by the breach with credit monitoring and fraud alerts for a total of 36 months of protection. It will also reimburse anyone for funds stolen from their accounts as a direct result of the data breach.		 As many as 4.5 million customer records are thought to be compromised. Raised from 4.5 million to 12.5 million
Mar. 28, 2008 Antioch University
(Yellow Springs, OH)		 A computer system that contained personal information on about 70,000 people was breached by an unauthorized intruder three times. The system contained the names, Social Security numbers, academic records and payroll documents for current and former students, applicants and employees. 70,000
Mar. 28, 2008 Museum of Science, Boston
(Boston, MA)		 The museum has notified 140 patrons that their names, credit card numbers, and other personal information were exposed on the museum's website because of a contractor's error. 140
Mar. 29, 2008 Department of Human Resources
(Atlanta, GA)		 A thief has stolen computer records containing identifying information on current and former employees of the state Department of Human Resources, including names, Social Security numbers, birth dates and home contact information. An external hard drive that stored a database was removed by an unauthorized person. Unknown
Mar. 29, 2008 San Quentin State Prison
(San Quentin, CA)		 A flash memory drive containing names, birth dates and driver's license numbers of people who either volunteered or visited San Quentin State Prison in a group tour has been lost. 3,500
Mar. 31, 2008 Advance Auto Parts
(Roanoke, VA)		 The retailer reported that a "network intrusion" had exposed financial information and was the subject of a criminal investigation. Fourteen of the retailer's stores, including locations in Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York, are believed to have been affected. 56,000
April 1, 2008 Okemo Mountain Resort
(Ludlow, VT)
(866) 756-5366		 The Ludlow ski area announced that its computer network was breached by an intruder who gained access to credit card data including cardholder names, account numbers and expiration dates. 28,168
April 4, 2008 Harley-Davidson, Inc.(HOG)
(Milwaukee, WI)		 A laptop computer containing certain HOG members' personal information was determined to be missing from their facilities. The personal information stored on the computer included names, addresses, credit card numbers, their expiration dates, and driver's license numbers. 60,000
April 4, 2008 University of California, Irvine
(Irvine, CA)		 7,000 current or former graduate students could be at risk of identity thieves who already used stolen data to file fake tax returns for 93 students. UCI doesn't know how the information was stolen or who is using it. 7,000
April 7, 2008 Pfizer Inc.
(New York, NY)		 A laptop was stolen by a burglar from the home of a contractor who helps arrange planning travel and meetings for Pfizer. Information on the laptop included names, credit card numbers and, in some instances, credit card expiration dates, various addresses and phone numbers, hotel loyalty program numbers and other information. It did not appear that any Social Security numbers or PIN codes were exposed. 800
April 7, 2008 Army Acquisition Support Center
(Ft. Belvoir, VA)		 A spreadsheet containing a "hidden" column of Social Security numbers belonging to about two dozen officers and civilian employees of one Army agency was left on the agency's website for five months after being notified of the presence of the personal information. The center has temporarily shut down its website to scrub the information from the spreadsheet. 24
April 7, 2008 Redbox
(Oakbrook Terrace, IL)
http://www.redbox.com/creditcardsecurity/		 Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country. They announced that they'd found credit card skimmers attached to three of their kiosks. Unknown
April 8, 2008 WellPoint
(Indianapolis, IN)		 Personal information that may have included Social Security numbers and pharmacy or medical data for customers in several states was exposed online over the past year. 128,000
April 8, 2008 WellCare Health Plans Inc.
(Atlanta, GA)		 Private records of members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days. Those whose data was made available on the Internet included members of Medicaid, the federal health program for the poor, and PeachCare for Kids, a federal-state insurance plan for children of the working poor. About 10,500 members' Social Security numbers may have been viewed by unauthorized people on the Internet, all members of Medicaid or PeachCare. There is a possibility that an initial 59,000 members may have had some personal information made accessible. 71,000
April 9, 2008 People's United Bank
(Bridgeport, CT)		 For four months, a dumpster diver searched through trash bins outside People's United Bank branches in Fairfield County. He pulled out bags of paperwork with private information, including customers' Social Security numbers and account information.
UPDATE (5/1/08):
The man who discovered bank records in the garbage outside local branches of People’s United Bank in Connecticut has been sued to prevent him from informing people about the discovery. The man, discovered financial documents, including customer names, Social Security numbers, and account information. He was a no-show at a scheduled appearance in court. The bank won a restraining order against the man, which ordered him not to talk to bank customers, or disclose what he had discovered. He disregarded the order and made a documentary about the discovery. The man has already been fined $800 USD for refusing to hold his tongue, and now he has also been ordered to pay the bank’s legal costs. According to the Connecticut Post, those costs are already up to around $40,000 USD.		  
April 9, 2008 Norfolk's Community Services Board
(Norfolk, VA)		 The personal information of clients of Norfolk's Community Services Board was compromised when a case worker's briefcase was stolen. The briefcase was left in the worker's car in a Virginia Beach parking garage, but someone smashed a window and stole it. It's unclear what information was in the files but that it likely included Social Security numbers. 30
April 10, 2008 Joliet West High School
(Joliet, IL)		 A student using a school computer last month was able to access personal information about every student enrolled. The student allegedly downloaded a list of names and Social Security numbers to his iPod. Unknown
April 11, 2008 New York-Presbyterian Hospital/
Weill Cornell Medical Center
(New York, NY)		 An admissions employee is accused of selling 2,000 patients' data in an identity theft scheme and accessing nearly 50,000 records illegitimately. Records contained names, phone numbers and, in some cases, Social Security numbers of patients. The employee has since been charged with one count of conspiracy involving computer fraud, identity document fraud, transmission of stolen property and sale of stolen property. 50,000
April 12, 2008 Allied Waste
(Boston MA)		 A strap on the garage truck snapped sending reams of unshredded financial reports over downtown Boston streets. Unknow
April 12, 2008 West Seneca School District
(West Seneca, NY)		 Several current and former students are believed to have broken into the school district’s computer system and copied secure files that included the personal information and Social Security numbers of school employees 1,800
April 13, 2008 University of Toledo
(Toledo, OH)		 Personal information of the University of Toledo employees, the majority having worked on the Health Science Campus in 1993 and 1999 - last month was inadvertently placed on a server to which all employees had access. The information, which was used for payroll purposes, included names, addresses, and Social Security numbers and was accessible for about 24 hours. 6,488
April, 14, 2008 Stokes County High Schools
(Danbury, NC)		 A school computer containing the names, test scores and Social Security numbers of students from three Stokes County high schools was stolen from a locked closet. 800
April 14, 2008 Utah Department of Workforce Services
(Salt Lake City, UT)		 A former state employee who took applications from people seeking food stamps and other welfare aid worked with three others to steal the identity of Utah residents and charge tens of thousands of dollars in purchases. Unknown
April 15, 2008 First Federal Bank of California
(Los Angeles, CA)
Fiserv, Inc.
(Brookfield, WI)
 This bank was not the only financial institute impacted by a security breach that occurred in a banking in a "subsystem of a financial data processor," Fiserv, Inc. of Wisconsin last month.The bank said that it was "company policy" not to reveal any details about the breach including the number of banks involved, how many customers were impacted, the depth of information breached, how extensive the breach was geographically even which federal agencies were involved. However, non-public private account information might be at risk. Unknown
April 15, 2008 Oklahoma's Department of Corrections
(Oklahoma City, OK)		 The names, addresses, and Social Security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years on the ODC's website. 10,597
April 16, 2008 Hexter Elementary School
(Dallas, TX)		 Employee and volunteer records were found at a recycling bin near the school. It's unknow what type of documents were found. Unknown
April 16, 2008 University of Virginia
(Charlottesville, VA)		 A laptop stolen from a University of Virginia employee contained sensitive information about students, staff and faculty members. Stolen from an unidentified employee from an undisclosed location in Albemarle County, the laptop contained a confidential file filled with names and Social Security numbers. 7,000
April 17, 2008 SunGard/Connecticut State University System / Buffalo State / Northwest Missouri State University
www.sungardhe.com/laptoptheft
www.sungardhe.com/custom.aspx?id=1554
(866) 520-2408		 At least 18 colleges are scrambling to inform tens of thousands of students they are at risk of having their identities stolen. A laptop computer that was stolen from a vendor contained the data of current and former students from the four state universities, including Western Connecticut State University. The computer was password-protected but contained unencrypted files with personally identifiable data, including names and Social Security numbers. Totals are not known
April 17, 2008 University of Miami
(Miami, FL)
www.dataincident.miami.edu
(866) 628-4492		 Computer tapes containing confidential information of Miami patients was stolen last month when thieves took a case out of a van used by a private off-site storage company. The data included names, addresses, Social Security numbers or health information. 2,100,000
April 19, 2008 Central Collection Bureau
(Indianapolis, IN)		 A computer server containing Social Security numbers and other personal information was stolen last month from a Southside debt-collection bureau. The information includes customer-billing records for Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group. 700,000
April 20, 2008 Helping Homeless Veterans and Families
Hoosier Veterans Foundation
(Indianapolis, IN)		 Hundreds of files containing medical histories and Social Security numbers were found in the trash on Indianapolis' east side. The records belong to homeless veterans. A lot of the things inside the folders are confidential information about the clients including Social Secrutiy numbers. Unknown
April 21, 2008 Brunswick Corp.
(Lake Forest, Il)		 An electronic devices that scans customers' drivers' licenses to make sure they're of legal drinking age was stolen from a company-owned bowling facility in suburban Naperville. The device contains information such as driver's license number, date of birth and first and last names of customers whose licenses were scanned. 700
April 22, 2208 LendingTree
(Charlotte, NC)		 Outside loan companies may have accessed information, including Social Security numbers, between October 2006 and early 2008 and used it to market their own mortgages to LendingTree customers. Several former employees may have shared confidential passwords with "a handful" of lenders that were not approved by the company. Unknown
April 22, 2008 University of Massachusetts
(Boston, MA)		 Hackers breached the computer system used by UMass Amherst's Health Services, potentially gaining access to thousands of medical records. More than half of the student population at UMass Amherst are patients on record at the University Health Services. Unknown
April 22, 2008 HealthNow New York
(Buffalo, NY)		 Clients may be at risk for identity theft, after a former employees laptop computer went missing with confidential information several months ago. The potential information includes names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers. Unknown
April 22, 2008 Fishback Financial Corp.
(Brookings, SD)		 There has been an unauthorized access to one of the database servers by a third party. The database includes names, addresses and Social Security numbers. Unknown
April 22, 2008 Central New England HealthAlliance
(Leominster, MA)		 Personal data could be at risk of exposure after a home health nurse reported that her handheld computer was missing. The unencrypted data include names, Social Security numbers, and health insurance records. 384
April 22, 2008 Smithtown Post Office
(Smithtown, NY)		 A Smithtown postal worker was arrested after he stole credit cards from the mail and went on a shopping spree. Unknown
April 22, 2008 CollegeInvest
(Denver, CO)		 Customers had personal information stored on a computer hard drive that disappeared during a recent move. CollegeInvest moved to a new office space recently using an international relocation firm that offered specialists in moving computer equipment. CollegeInvest discovered while unpacking at the new location that a hard drive was missing. 200,000
April 23, 2008 University of Texas Health Science Center
(Tyler, TX)		 About 2,000 medical bills were mailed last week with patients' Social Security numbers visible on the envelope. 2,000
April 23, 2008 Southern Connecticut State University
(New Haven, CT)		 Southern Connecticut State University is taking action to prevent its students from becoming victims of identity theft. The move comes after a website with student and alumni information was found to be easily accessible to hackers. It appears that no financial information was accessed but Social Security numbers were vulnerable. 11,000
April 24, 2008 Harmony Information Systems.
(Madison, WI)		 A computer program housing personal information about Wisconsin seniors and disabled people had a significant security hole. A senior center volunteer in McFarland said he could see hundreds of files of people's private information from across the country in the system run by Virginia-based Harmony Information Systems. The information is entered into an electronic record that includes the person's name and Social Security number. Unknown
April 24, 2008 Collections Lawyers Pellegrino & Feldstein
(Denville, NJ)		 Consumer information somehow escaped the New Jersey law offices of and ended up posted on several websites. The Liberty Coalition discovered cached versions of an Excel file that contained the full names, Social Security numbers, dates of birth, addresses, account numbers, and financial information. 530
April 25, 2008 University of Colorado at Boulder
(Boulder CO)		 Three computers in the Division of Continuing Education and Professional Studies were compromised, leaving people open to potential identity theft. One of the three computers had personal data, including names, Social Security numbers, addresses and grades.
UPDATE (5/1/08):
Upon further analysis, the University concluded that no personal data had been exposed. 9,500 records were initially thought to be comprised, but later this was revised to zero.		 9,500 revised to 0
April 25, 2008 Canton WiseBuys
(Canton, NY)		 Someone apparently hacked into the Canton WiseBuys store computer system during a changeover between December 5 and December 20. The hacker obtained personal identification and banking numbers of hundreds of customers. Unknown
April 25, 2008 Baltimore Highway Administration
(Baltimore, MD)		 An employee transferred personnel transaction data from a secure drive to a SHA shared drive. Sensitive personal information concerning employees, included names and Social Security numbers. 1,800
April 27, 2008 General Internal Medicine of Lancaster
(East Hempfield Township, PA)		 A laptop was stolen from a doctors office containing the Social Security numbers of patients. Unknown
April 28, 2008 Hough, MacAdam & Wartnik
(North Bend, OR)		 A notebook computer was stolen from a locked vehicle. The notebook's hard drive may have contained names, Social Security numbers, and other personal information. 500
May 1, 2008 Cove Creek Mortgage/Front Range Mortgage
(Englewood, CO)		 Sensitive mortgage files with people's personal information were recently found in a Dumpster. The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information. Unknown
May 1, 2008 Lunardi's Supermarket
(Los Gatos, CA)		 An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting in cases of identity theft. Victims all had their card numbers stolen after officials from Lunardi's contacted them about a problem with one of their card readers."It was a switched card reader at one of the aisles,"
UPDATE (8/4/08): Police arrested a man Friday that was involved with the ATM scam at a Los Gatos supermarket that lost about $300,000. He was booked into the Santa Clara County Jail in connection with burglary, conspiracy, drunken driving, and further charges may be filed later, according to the district attorney's office.		 100/updated amount 250
May 2, 2008 Marine Corps Reserve Center
(San Antonio, TX)		 A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft after he was accused of selling names and Social Security numbers of 17,000 military employees. 17,000
May 4, 2008 Staten Island University Hospital
(Staten Island, NY)		 Computer equipment stolen from an administrator contained personal information from patients. Social Security numbers and health insurance numbers were contained in computer files on a desktop computer and the backup hard drive. 88,000
May 5, 2008 Target America Inc./UCSF
(San Francisco, CA)		 Information on UCSF patients was accessible on the Internet. The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians also were available online. 6,313
Not added to total. It is not clear if SSNs or financial account numbers were exposed.
May 5, 2008 Iredell County Tax Administration
(Statesville, NC)
(704) 878-3020		 A courier vehicle providing services for First Citizens Bank was stolen in Charlotte. The stolen shipment contained a computer report of taxpayer's check information, including account numbers, check numbers, check amounts and routing numbers from various banks on which the checks were drawn. There were also copies of tax bills that contained taxpayer names, addresses and other public information related to tax payments. 486
May 6, 2008 Ohio State University Agricultural Technical Institute
(Wooster, OH)		 Personal information on faculty and staff members was accidentally emailed to about 680 students. The email contained spreadsheet information listing the names, positions, salaries and Social Security numbers. 192
May 6, 2008 International Visa Service
(Atlanta, GA)		 An employee has been arrested and charged with stealing the personal information of people who were applying for a passport and sold the identities on the black market. 1,000
May 6, 2008 Finjan
(San Jose, CA)		 Researchers at security vendor Finjan uncovered a server containing the sensitive email and Web-based data of thousands of people, including healthcare information, credit card numbers and business personnel documents and other sensitive data. Finjan notified more than 40 major international financial institutions located in the United States, Europe and India whose customers were compromised as well as various law enforcements around the world. Server logs contained a mountain of healthcare information, including personal data, health data, treatment, medications, insurance details, Social Security Numbers, and healthcare providers' data, including physician's name. Banking data, including credit card numbers and account login numbers were also discovered on the server. 5,878
May 6, 2008 Northeast Security
(West Haven, MA)		 News Channel 8 found Social Security numbers, bank account numbers and even canceled checks inside a dumpster. The files appear to belong to Northeast Security, a subcontractor for Safe Home Security, based out of Rocky Hill. Northeast Security recently moved out of a West Haven storefront, and it seems they left their clients personal information behind. Unknown
May 7, 2008 SAIC
(MD)
(877) 277-8001		 SAIC stockholders are at risk of identity theft after a box of magnetic backup tapes went missing. The tapes contained names, addresses, Social Security numbers, stock account information, transaction activity and possibly bank account numbers for current or former shareholders. 4,690
May 8, 2008 Dominican University
(River Forest, IL)		 Two students were able to access records on a staff network storage area. The files accessed were three spreadsheets that included the students names, addresses, phone numbers, birthdays and Social Security numbers. 5,000
May 8, 2008 Las Cruces Public Schools
(Las Cruces, NM)		 A part-time computer analyst for Las Cruces Public Schools inadvertently posted personal data for 50 special education students and 1,750 district employees on the Internet. Information posted included Social Security number, date of birth, name, the nature of disability and caseworker's name. 1,800
May 9, 2008 Princeton University Tower Club
(Princeton, NJ)		 Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and Social Security numbers was e-mailed to current club members. The document was attached to an apparently unrelated e-mail that informed current members about a club event. The spreadsheet was attached unintentionally because of a technical glitch in an email program. 103
May 12, 2008 Pfizer
(New York, NY)
(866) 274-3891		 About 13,000 employees at Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen. No Social Security numbers were on the laptop, but names, home addresses, home telephone numbers, employee ID numbers, positions and salaries were possibly compromised. Other information possibly lost included the department employees worked in, the Pfizer site where the employees worked, the name of employees’ managers and descriptions of their jobs. 18,000
Not added to total. It does not seem that SSNs or financial account numbers were exposed.
May 14, 2008 Oklahoma State University
(Stillwater, OK)		 A breach in an Oklahoma State University computer server exposed names, addresses and Social Security numbers of students, staff and faculty who bought parking and transit services permits in the past six years. 70,000
May 15, 2008 BB&T Insurance
(Harrisonburg, VA)		 A BB&T Insurance laptop containing the personnel information of some Harrisonburg City Schools employees was stolen. The laptop, used by an outside sales representative to develop an insurance proposal for the school system, was stolen from a car. The information contained names, dates of birth, Social Security numbers, and, in some cases, medical history. Unknown
May 16, 2008 Spring Independent School District
(Spring, TX)		 A laptop computer containing the personal information of students was stolen from a employee’s car. The car burglars made off with her school laptop and an external flash drive. The flash drive contains students’ Social Security numbers, personal information, schools those students attend, as well as their grade level and birthdates. The drive also contained the Texas Assessment of Knowledge and Skills test results. 8,000
May 16, 2008 Greil Memorial Psychiatric Hospital
(Montgomery, Al)		 Index cards containing patients personal information, names, dates of birth, even Social Security numbers are gone. Hundreds of records have simply disappeared. Unknown
May 16, 2008 Amateur Athletic Union
(Lake Buena Vista, FL)		 Boxes filled with personal information were found in a dumpster. Information on athletes and their guardians included Social Security numbers and copies of birth certificates. Unknown
May 16, 2008 Chester County School District
(Downingtown, PA)		 A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including names, addresses and Social Security numbers, of more than 50,000 people were accessed. The student apparently used a flash drive to save the personal data of about 40,000 taxpayers and 15,000 students. 50,000
May 17, 2008 University of Louisville
(Louisville, KY)		 Documents being copied and taken from a private office in the president’s office, to its Internal Audit Office and Department of Public Safety may have resulted in a security breach. The documents contained personal information — including Social Security numbers, student and employee identification numbers and salary information — for current and recent student employees. The university learned of the theft when salary information was shared anonymously with some employees in the office. 20
May 20, 2008 University of Florida College of Medicine
(Jacksonville, FL)
(866) 876-4472		 A UF assistant professor of plastic surgery at the UF College of Medicine-Jacksonville, stored unsecured digital photographs of his patients and identifying information -- such as names, dates of birth, Social Security numbers, and Medicare numbers -- on a computer. He then gave the computer to a family he was friends. 1,900
May 20, 2008 New York University
(New York City, NY)		 Duke University's Fuqua School of Business is notifying former New York University students that some of their personal information was inadvertently accessible by targeted Internet searches. The personal data included names and Social Security numbers and was contained in the faculty member's research records. The information could have been accessed only if searched by specific student names, along with a search code for Social Security numbers. 273
May 21, 2008 Oklahoma Corporation Commission
(Oklahoma City, OK)		 The Oklahoma Corporation Commission is removing hard drives from all surplus computer equipment after a server containing the names and Social Security numbers of thousands of residents was sold at an auction. 5,000
May 22, 2008 HealthSpring Inc.
(Franklin, TN)		 A laptop computer containing personal information of about 450 state residents was stolen. The laptop, believed to contain names, dates of birth and Social Security numbers of about 9,000 individuals, was stolen from a HealthSpring employee's locked car. 9,000
May 23, 2008 R.E. Moulton
(Irving, TX)		 Thieves broke intothe Irving, Texas regional office and stole a laptop computer containing personally information of numerous individuals, including names and Social Security numbers. 19,000
May 28, 2008 University of California, San Francisco
(San Francisco, CA)
(415) 353-7427
PathHotline@ucsf.edu		 During routine monitoring of a campus computer network, UCSF discovered unusual data traffic on one of its computers. During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on one computer by an unknown individual. Installation of this program required high-level system access. The computer contained files with lists of patients from the UCSF pathology department’s database. The data included information such as patient names, dates of pathology service, health information and, in some cases, Social Security numbers. 3,569
May 29, 2008 State Street Corp/Investors Financial Services
(Boston, MA)		 Computer equipment containing personal information on customers and employees of a State Street unit was stolen. The computer equipment was stolen from a vendor hired by Investors Financial Services to provide legal support services. The personal information included names, addresses and social security numbers. 45,500
May 30, 2008 Circuit Court of Louisville
(Louisville, KY)
(502) 595-3273		 Louisville Metro Police made an arrest, and during that arrest they found 312 stolen court traffic files in that person's possession. All of the files contain personal information of people in Louisville such as, name, address, date of birth and in some cases Social Security numbers and copies of drivers’ licenses. 312
May 31, 2008 Pocono Mountain School District
(Swiftwater, PA)
(570) 873-7121, ext. 10151		 A hacker apparently broke into the computers at Pocono Mountain School District and may have tapped into confidential information concerning students and their parents. Information may have included the students' birth dates, Social Security numbers, student IDs, home phones, and the parents' names, phone numbers and emergency phone numbers. ''If you see any unauthorized activity, promptly contract your service provider and or the office of the director of technology at 570-873-7121, ext. 10151,'' 11,000
June 2, 2008 Walter Reed Army Medical Center
(Washington, D.C.)
(877) 854-8542, ext. 9		 Sensitive information on patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach. The computer file that was breached did not include information such as medical records, or the diagnosis or prognosis for patients, but may have included names, Social Security numbers, birth dates as well as other information. 1,000
June 2, 2008 Connecticut Department of Labor
(Wethersfield, CT)		 Records with confidential information on about 2,100 people have been lost and might have been mistakenly shredded. The files contained copies of letters informing applicants that they were ineligible for the unemployment insurance. They were dated between May 2 and May 20 and contained names, addresses and Social Security numbers. 2,100
June 4, 2008 Oregon State University
(Corvallis, OR)		 The Oregon State Police are investigating the theft of personal information from online customers of the OSU Bookstore who used credit cards to purchase items. 4,700
June 4, 2008 AT&T
(San Antonio, TX)		 A laptop was stolen from the car of an employee. The data on the computer was not encrypted -- a violation of company policy -- and included names, Social Security numbers and in some cases, salary and bonus information. Unknown
June 6, 2008 Stanford University
(Stanford, CA)		 Stanford University determined that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way. 72,000
June 7, 2008 Southington Water Department
(Southington, CT)		 Documents with the names and Social Security numbers of 26 people were found scattered by the Quinnipiac River. 26
June 7, 2008 East Tennessee State University
(Johnson City, TN)		 6,200 people may have had there identities compromised by the theft of a desktop computer. The computer is password protected and files cannot be easily accessed. But there is a small possibility that the information could be compromised. 6,200
June 9, 2008 University of South Carolina
(Columbia, SC)		 Several items were stolen from an office in the Moore School of Business. Among the items was a desktop computer. As a result of the computer being stolen, it is possible that some personally identifiable data could have been compromised. 7,000
June 10, 2008 1st Source Bank
(South Bend, IN)		 1st Source Bank is replacing ATM cards this month for all its account holders after cyber-thieves accessed an unknown amount of debit-related data. Unknown
June 10, 2008 University of Utah Hospitals and Clinics
(Salt Lake City, UT)		 Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center. The records, described only as backup information tapes, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years. 2.2 million
June 10, 2008 University of Florida
(Gainesville, FL)		 Current and former students had their Social Security numbers, names and addresses accidentally posted online. The information became available when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program between 2003 and 2005. 11,300
June 10, 2008 Wheeler's Moving Company
(Boca Raton, FL)		 Personal files with tax information, Social Security numbers and license numbers, were found in a Boca Raton dumpster. Unknown
June 11, 2008 Dickson County Board of Education
(Dickson, TN)		 A computer containing sensitive personal was stolen from the Dickson County Board of Education. The computer belongs to the new director of schools and was loaded with the name and Social Security number of every school employee from the 2006-2007 school year, a total of 850. 850
June 12, 2008 Columbia University
(New York, NY)		 A student employee had posted a database of students' housing information on a Google-hosted Web site. Their Social Security numbers had been searchable online for the last 16 months. 5,000
June 13, 2008 Texas Insurance Claims Services
(Dallas, TX)		 Hundreds of files with people's names, Social Security numbers and policy numbers were found in a Richardson dumpster. Unknown
June 15, 2008 Conn. Department of Administrative Services
(Hartford, CT)		 Department of Administrative Services posted the Social Security numbers of individual contractors on a state Web site. An audit also uncovered the Social Security numbers of prospective nursing employees accessible on an agency Web site for 19 months until a complaint was lodged. Unknown
June 18, 2008 Domino's Pizza
(Tucson, AZ)		 Investigators found credit card numbers blowing in the wind. These piles and papers contained hundreds of old receipts from Domino's Pizza stores. The former owner had been discarding boxes of old records and somehow all those receipts got loose. Unknown
June 19, 2008 Citibank
(New York City, NY)		 A Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached. The computer intrusion into the Citibank server led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines, pocketing at least $750,000 in cash Unknown
June 19, 2008 Petroleum Wholesale
(Houston, TX)		 The company dumped hundreds of records in a publicly accessible trash container outside its former headquarters. The records included receipts with customers' names and full credit or debit card numbers, including expiration dates. The records also included returned checks and forms containing customers' names and bank routing, driver's license and Social Security numbers. Unknown
June 23, 2008 Colt Express Outsourcing Services/CNET Networks
(Walnut Creek, CA)		 Burglars stole computer systems from the offices of the company that administers the Internet publisher's benefit plans. The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET's health insurance plans. CNET was only one of several clients affected.
UPDATE (8/26/08): Among the companies whose staffers have been exposed by the Colt break-in in Walnut Creek, Calif.: Google, Bebe Stores, Alston & Bird, and the California Bankers Assn.		 75,000
June 23, 2008 California Department of Consumer Affairs
(Sacramento, CA)		 A Microsoft Word document was improperly transmitted electronically outside of the department. The document contained the salaries and titles of everyone on the document. It may have also compromised their names and Social Security numbers. 5,000
June 23, 2008 Bank Atlantic
(Tampa Bay, FL)		 Bank Atlantic confirms they had a data loss, involving their MasterCard debit cards. It happened through a local merchant, but at this time, isn't saying which one. Unknown
June 24, 2008 Southeast Missouri State University
(Cape Girardeau, MO)
(573) 986-6800
(573) 335-6611, ex.123
lbavolek@semissourian.com		 A former employee has been indicted on two charges of identity fraud and one charge of computer trespass after being found in possession of 800 student names and Social Security numbers. 800
June 26, 2008 Texas Department of Public Safety
(Austin, TX)		 The personal information of 826 state employees was stolen from a Wichita Falls home office. Notices are in the mail to inform the hundreds of victims that their names, home addresses, dates of birth, driver's license and Social Security numbers are in the hands of criminals. 826
June 27, 2008 Montgomery Ward
(Cedar Rapids, IA)		 Hackers extracted stolen information from an online database that held credit card account information. 51,000
July 2, 2008 Baptist Health
(Little Rock, AR)		 Due to a breach by an unauthorized person in the information systems, there is a possibility that some personal information, such as name, address, date of birth, Social Security number, and reason for coming to Baptist Health. No information in the patient’s “medical records” and no information about the patient’s diagnosis or prognosis was accessed. 1,800
July 2, 2008 University of Nebraska at Kearney
(Kearney, NE)
(308) 865-8950		 Officials at the University of Nebraska at Kearney discovered a security breach involving nine university computers. Of the nine computers involved, five contained names and partial or complete Social Security numbers. 2,035
July 4, 2008 US Army Fort Lewis
(Fort Lewis, WA)		 A laptop computer that was reported stolen from an Army employee’s truck contained personal information on Fort Lewis soldiers. A 500 GB removable hard drive was also taken in the theft. UPDATE (7/11/08) :A 17-year-old Lacey boy faces a charge of suspicion of possession of stolen property after Tumwater police uncovered items from vehicle prowls, including a stolen Army laptop containing information on Fort Lewis soldiers. 700
July 4, 2008 Clark County Nevada District Court
(Las Vegas, NV)		 A contracted vendor released personal information on about 380 potential jurors to an employee's private e-mail address. The information provided to the e-mail account could have included names, addresses, Social Security numbers and birth dates. 380
July 7, 2008 Florida Agency for Health Care Administration
(Tallahassee, FL)		 A security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their Social Security numbers. Other data included donors' names, addresses, birth dates and driver license numbers. 55,000
July 8, 2008 LPL Financial
(formerly Linsco Private Ledger)
(Boston, MA)
www.sec.gov/litigation/admin/2008/34-58515.pdf		 Hackers obtained clients' unencrypted names, addresses and Social Security numbers from July 17, 2007, to February 15, 2008. They compromised the logon passwords of 14 financial advisers and four assistants.
UPDATE (9/11/08) : The U.S. Securities & Exchange Commission (SEC) fined LPL $275,000 and required that LPL strengthen its security safeguards involving customer information. It was found that the hacker(s) placed, or attempted to place, 209 unauthorized trades in 68 customer accounts of several of LPL’s registered representative, for more than $700,000 in trades in securities of 19 different companies. LPL reversed or eliminated the trades and compensated the customers for the resulting trading losses, which totaled approximately $98,900.		 10,219
July 9, 2008 Wichita Radiological Group
(Wichita, KS)		 A former employee stole patient records before being fired from the Wichita Radiological Group. Tens of thousands of patient records were in the database could have been compromised. Unknown
July 9, 2008 Wagner Resource Group
(McLean, VA)		 Sometime late last year, an employee of a McLean investment firm used the online file-sharing network LimeWire. In doing so, he inadvertently opened the private files of his firm to the public. That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer. 2,000
July 9, 2008 Division of Motor Vehicles Colorado
(Colorado)		 The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers 3.4 million
July 10, 2008 Williamson County (TN) Schools
(Franklin, TN)		 Social Security numbers and other personal information of 4,000 children were posted on the Internet. 4,000
July 14, 2008 Washington Metropolitan Area Transit Authority
(Washington, DC)		 Metro accidentally published the Social Security numbers of past and present employees on its Web site. The numbers were posted with a solicitation to companies for workers' compensation and risk management services. 4,700
July 15, 2008 Weber Law Firm
(Houston, TX)		 Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston. Box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more were found in the dumpster. Unknown
July 15, 2008 Missouri National Guard
(Jefferson City, MO)
(888) 526-6664 ext. 7888
(312) 555-9500 ext. 7888 Soldier deployed overseas		 The Missouri National Guard has called for a criminal investigation after it learned that the personal information of as many as 2,000 soldiers had been breached. The Guard would not release how the personal information had been taken -- whether by computer hackers or other means -- because it has asked for a full law enforcement investigation into the matter. 2,000
July 15, 2008 University of Texas at Austin
(Austin, TX)		 The personal information of University of Texas students and faculty has been exposed on the Internet. An independent watchdog discovered more than five dozen files containing confidential graduate applications, test scores, and Social Security numbers. The files were inadvertently posted by at least four different UT professors to a file server for the School of Biological Sciences. 2,500
July 16, 2008 Greensboro Gynecology Associates
(Greensboro, NC)		 A backup tape of patient information was stolen from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members. 47,000
July 16, 2008 Indiana State University
(Terre Haute, IN)		 A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen. The laptop contained data for students who took economics classes from 1997 through the spring semester 2008. The information includes names, grades, e-mail addresses and student identification numbers and in some cases Social Security numbers.
UPDATE (7/22/08) :The laptop computer was mailed anonymously back to the professor it was stolen from six days after it was stolen along with other personal items.		 2,500
July 17, 2008 Bristol-Myers Squibb
(Jacksonville, FL)		 A backup computer-data tape containing employees' personal information, including Social Security numbers, was stolen recently. The backup data tape was stolen while being transported from a storage facility. The information on the tapes included names, addresses, dates of birth, Social Security numbers and marital status, and in some cases bank-account information. Data for some employees' family members also were on the tape. 42,000
July 17, 2008 University of Maryland
(College Park, MD)		 University of Maryland accidentally released the addresses and Social Security numbers of thousands of students. A brochure with on-campus parking information was sent by U.S. Mail to students. The University discovered the labels on the mailing had the students' Social Security numbers on it. 23,000
July 17, 2008 Department of Consumer Affairs
(Sacramento, CA)		 A Consumer Affairs personnel specialist in Sacramento, emailed an alpha personnel file containing names and Social Security numbers of the department's more than 5,000 staff to a personal Yahoo email account at the end of the day, her last day at the department. 5,000
July 19, 2008 Minneapolis Veterans Home
(Minneapolis, MN)		 A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents. 336
July 23, 2008 San Francisco Human Services Department
(San Francisco, CA)		 Potentially thousands of files contaning personal information was exposed after a San Francisco agency left confidential files in unsecured curbside garbage and recycling bins. In some cases entire case files were discarded. Blown up copies of social security cards, driver's licenses, passports, bank statements and other sensitive personal information were all left in these unlocked bins. Unknown
July 24, 2008 Village of Tinley Park
(Chicago, IL)		 Computer backup tapes that contain thousands of Social Security numbers of Tinley Park residents have been lost. The tapes containing information from as long ago as 15 years were lost while being transferred from the village hall to another site within the Chicago suburb. 20,400
July 24, 2008 Saint Mary's Regional Medical Center
(Reno, NV)		 A unauthorized person may have accessed the Saint Mary's database. The database, used for Saint Mary's health education classes and wellness programs, contained personal information such as names and addresses, limited health information and some Social Security numbers. The database did not contain medical records or credit card information. 128,000
July 24, 2008 Hillsborough Community College
(Tampabay Bay, FL)		 Hillsborough Community College warned its employees to monitor their bank accounts because an HCC programmer's laptop was stolen from a hotel parking lot in Georgia. The programmer had been working on a payroll project for a group of employees using their names, bank-routing numbers, retirement information and Social Security numbers. 2,000
July 24, 2008 University of Houston
(Houston, TX)		 The names and Social Security numbers of University of Houston students were inadvertently posted on the Internet for more than two years. The posting occurred when a math department lecturer posted student grades on a UH Web server in October 2005. 259
July 25, 2008 Grady Memorial Hospital
(Atlanta, GA)		 Hospital records were stolen. It remains unknown how many patient records were stolen, which patients were affected or how the records were stolen. The records pertained to recorded physician comments that Grady sent to a vendor to transcribe into medical notes. The records were stolen from a subcontractor employed by the vendor. Unknown
July 25, 2008

Ohio University
(Columbus, OH)
www.ohiocore.org/answers
(866) 437-8698.

 A clerical error led to the online posting of the names and Social Security numbers of people who spoke at Ohio University's Centers for Osteopathic Research and Education. A spreadsheet that contained the information had been accessible since March 20 and was discovered when a nurse found the information last week while conducting online research. In addition to names and Social Security numbers, the spreadsheet included contact numbers, addresses, their speaking topics and federal employer identification numbers. 492
July 26, 2008 Connecticut College/Wesleyan University/Trinity College
(Middletown, CT)		 A Connecticut College library system was breached by hackers apparently looking to set up chat rooms or send spam e-mails. The systems database included the names, addresses and Social Security or driver's license numbers of approximately 2,800 Connecticut College library patrons, 12 Wesleyan University patrons and three from Trinity. 2815
July 28, 2008 Facebook Facebook accidentally publicly revealed personal information about its members, which could be useful to identity thieves. The full dates of birth of many of Facebook's 80 million active users were visible to others, even if the individual member had requested that the information remained confidential. Unknown
80 million Not added to total since the breach is not SSNs or financial account data.
July 29, 2008 Blue Cross and Blue Shield of Georgia
(Atlanta, GA)
(866) 800-8776		 Benefit letters containing personal and health information were sent to the wrong addresses last week. The letters included the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed. A small percentage of letters also contained the patient's Social Security numbers. 202,000
July 29, 2008 Anheuser-Busch
(St. Louis, MO)
(800) 913-4502		 A laptop containing personal information of current and former employees, including some from Hampton Roads, was stolen from a St. Louis-area Anheuser-Busch office. Information contained on the computer included employees' Social Security numbers, home addresses and marital status. Unknown
July 31, 2008 City of Yuma
(Yuma, AZ)		 The Social Security numbers of about 300 city of Yuma employees were "unintentionally released" in an e-mail sent to city administrative personnel. 3000
July 31, 2008 University of Texas at Dallas
(Dallsa, TX)
www.utdallas.edu/infosecurity/		 A security breach in UTD’s computer network may have exposed Social Security numbers along with names, addresses, email addresses or telephone numbers.
4,406 students who were on the Dean’s List or graduated between 2000 and 2003
3,892 students who were contacted to take part in a survey by the Office of Undergraduate Education in 2002
88 staff members from Facilities Management
716 faculty and staff members listed in a space inventory record from 2001.		 9,100
Aug. 1, 2008 Tennessee Valley Authority
(Knoxville, TN)		 A laptop stolen from TVA contained Social Security numbers and reflects generally inadequate policies and procedures for tracking computers at the agency. The laptop was one of approximately 26 computer and computer-related items stolen from TVA between May 26, 2006, and Nov. 30, 2007, according to the IG, although the report stated it was unclear whether sensitive information was present on any of the laptops or PCs stolen from TVA. Unknown
Aug. 1, 2008 Delphi Automotive
Ohio Depart. of Job & Family Services
(Columbus, OH)		 A flash drive with Social Security numbers and other personal information from former Dayton-area Delphi workers was removed from the unattended laptop of a state employee and is missing. The drive included the names, addresses, telephone numbers as well as the Social Security numbers of the workers. 2,600
Aug. 2, 2008 Countrywide Financial Corp.
(Calabasas, CA)		 The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period though July. The insider was a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division. The alleged data thief was said to have downloaded about 20,000 customer profiles each week and sold files with that many names for $500, according to the affidavit. He typically would e-mail the data in Excel spreadsheets to his buyers, often using computers at Kinko's copying and business center stores. Some, perhaps most, and possibly all the names were being sold to people in the mortgage industry to make new pitches.
UPDATE (1/30/09):
Bank of America will pay Connecticut $350,000 as part of a settlement. The bank will also provide at least $25,000 to reimburse Connecticut residents forced to pay for freezing and unfreezing their credit reports.		 2,000,000
Aug. 2, 2008 Clarkson University
(Potsdam, NY)		 A non-malicious student intruder gained access to a restricted server and promptly reported the vulnerability to campus authorities. Approximately 245 employees and former employees had personal information, including name, social security number, and date of birth, compromised during the security breach. The file containing personal information was a record of employees that had university credit cards known as purchase cards (or p-cards). Any university member requesting a p-card must provide their social security number and date of birth on the application form. 245
Aug 3, 2008 Oakland School District
(Oakland, CA)		 Thieves stole 10 desktop computers containing employees' personal information from the Oakland school district's main office. District officials are still determining what information was on each computer, but the machines may contain personal information provided to the district when employees were hired. It is unknown how many employees' records were on the computers. Unknown
Aug. 4, 2008 Arapahoe Community College
(Littleton, CO)		 A contractor who manages the student information database had a flash drive lost or stolen. Information on the drive included the names, addresses, credit card numbers and Social Security numbers. 15,000
Aug. 5, 2008 The Clear Program
"Fast-pass" Registered Travel program
for airline passengers, operated by
Verified Identity Pass for the U.S.
Transportation Security Admin.
(New York, NY)
 A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach for the Clear Program. The laptop was stolen at San Francisco International Airport. The stolen information included names, addresses, dates of birth, and driver's license numbers or passport numbers. 33,000
Aug. 7, 2008 Harris County Hospital
(Houston, TX)		 A lower-level Harris County Hospital District administrator downloaded medical and financial records for patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen. This may have been a violation of law. The data on the device included the patients' names, medical record numbers, billing codes, the facilities where the office visits occurred and other billing information. It also included the patients' Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses. 1,200
Aug. 12, 2008 Wells Fargo
(Minneapolis, MN)		 Wells Fargo is notifying customers that hackers have accessed their confidential personal data by illegally using its access codes. Personal information including names, addresses, dates of birth, Social Security numbers, driver's licence numbers and in some cases, credit account information was accessed by "unauthorised persons". 5,000
Aug. 12, 2008 Child Protective Services
(San Antonio, TX)		 Hundreds of private, personal records were discarded with the trash, including records detailing medical histories of clients with diseases and drug addictions. Documents showing sexual abuse and information that could be used for identity theft, such as Social Security numbers, were also found in the trash. Unknown
Aug. 13, 2008 Charter Communications
(Greenville, SC)		 Computers were stolen from the company’s Greenville offices and contained records of more than 9,000 Charter employees nationwide. The information included Social Security numbers, dates of birth and driver's license numbers. 9,000
Aug. 14, 2008 Wuesthoff Medical Center
(Rockledge, FL)		 Hundreds of people in Brevard County found out their personal information was stolen. Names, Social Security numbers and even personal medical information were posted on the Internet. 500
Aug. 18, 2008 Dominion Enterprises
(Richmond, VA)
757-351-7951		 A computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008. The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and Social Security numbers of 92,095 applicants who submitted credit applications to IFMG's family of special finance Web sites. 92,095
Aug. 18, 2008 Keller High School
(Keller, TX)		 Keller family's received a mailing from Keller High School last week. Upon opening it, they found two enrollment forms. One was an emergency-care authorization form. But the other was a student information form containing another classmate’s Social Security number, student ID number, home address, phone number and contact information for his parents at home and at work. They quickly realized that their child’s private information, which they used to set up their college fund and other accounts, was mailed to someone else. 45
Aug. 18, 2008 The Princeton Review
(New York, NY)		 The test-preparatory firm accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site. One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fl. Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va. 108,000
Aug. 19, 2008 Kingston Tax Service
(Kingston, WA)		 Office computers were stolen from the business. On each of the computers is information which can be used by identity thieves including credit card information and Social Security numbers. Unknown
Aug. 22, 2008 Liberty McDonald's Restaurant
(Liberty, KY)		 An employee at a Liberty McDonald's restaurant, took credit or debit cards from drive-through customers and used a device she had hidden near the window to swipe the cards to record their numbers. The information on the device then was downloaded and used to make new cards either in the names of the persons to which the original cards belonged or in the names of the perpetrators. Unknown
Aug. 26, 2008 Pennsylvania Department of Public Welfare
(Harrisburg, PA)		 Paper jams in a state Department of General Services mail inserter caused benefit renewal packets to go to the wrong Pennsylvania welfare client's homes. Nearly half of them included the intended recipients' Social Security numbers. 2,845
Aug. 26, 2008 Prince William County Public Schools
(Manassas, VA)		 Personal information of some students, employees and volunteers was accidentally posted online by a Prince William County Public Schools employee. Information for more than 2,600 people was exposed through a file-sharing program by an employee working from home on a personal computer. The compromised information included: names, addresses and student identification numbers of more than 1,600 students; names and Social Security numbers of 65 employees; other confidential information for about 250 employees; and the names, addresses and e-mail addresses of more than 700 volunteers. 2,600
Aug. 27, 2008 YMCA
(Champaign, IL)		 Customers who paid for items at a YMCA fund-raiser with checks or credit cards are being warned about a burglary at which credit and debit card numbers were taken. Unknown
Aug. 27, 2008 Kansas State University
(Manhattan, KS)		 An instructor for classes offered through the Division of Continuing Education, taught through the UFM Community Learning Center, reported an overnight theft of numerous items from a car, which was parked outside a Manhattan residence. Items taken included a backpack with a list of names and Social Security numbers of 86 K-State students who had taken that instructor’s classes from fall 2007 through summer 2008. 86
Aug. 28, 2008 The Washington Trust Co.
(Westerly, RI)		 The Washington Trust Co. has notified about 1,000 customers that their debit and credit card accounts might have been compromised in a suspected security breach at an unidentified MasterCard merchant. The company is investigating a suspected security breach of a U.S. e-commerce-based merchant's Web server which contained debit card data. 1,000
Aug. 28, 2008 Reynoldsburg Ohio City School District
(Reynoldsburg, OH)		 Reynoldsburg school officials were phasing out the use of Social Security numbers in the district's student database when someone stole a laptop containing that information. The district laptop, taken from a computer technician's car, also included names, addresses and phone numbers for two-thirds of the district's enrollment. 4,259
Aug. 29, 2008 Louisiana Real Estate Commission
(Baton Rouge, LA)		 A glitch during a computer upgrade caused the names, addresses and Social Security numbers of licensed agents to be exposed on the Internet. The commission was transferring its online programs to a new server when the sensitive electronic file, which is not normally posted on the Internet, was left unsecured and slipped in among the commission materials that could be seen online. 13,000
Aug. 29, 2008 Wachovia Bank
(Cape Coral, FL)		 It was confirmed that the Camelot branch, at Cape Coral Parkway and Chiquita Boulevard, has had several debit cards’ identities stolen because someone placed what’s known as a “skimming” device on the ATM. The device collected each person’s card information, including personal identification numbers, and allowed the suspect to create different debit cards with that information. Unknown
Aug. 30, 2008 Ohio Police & Fire Pension System
(Columbus, OH)		 A former mailroom supervisor at the Ohio Police & Fire Pension System forwarded the names, addresses and Social Security numbers from his work e-mail address to his personal e-mail address before quitting his job. The file contains information for 13,000 of the approximately 24,000 retired members of the Ohio Police & Fire Pension System, most of whom are former police officers. 13,000
Aug. 30, 2008 National Technical Institute for the Deaf
Rochester Institute of Technology
(Rochester, NY)
RIT Hotline through 9/26/08 (866) 624-8330
FAQ, incl. ASL video, www.rit.edu/news/?v=46283
RIT Public Safety (585) 475-2853		 A recently stolen laptop contained the names, birth dates and Social Security numbers of about 12,700 applicants to the National Technical Institute for the Deaf and another 1,100 people at Rochester Institute of Technology. The laptop belonged to an employee and was stolen on Monday from an office at NTID. People at RIT, who are not affiliated with NTID, are affected because their personal information was being used as part of a control group in an internal study. 13,800
Aug. 30, 2008 Southwest Medical Association
(Las Vegas, NV)		 Thousands of medical charts were found in an abandoned storage unit that was purchaced for $25. Unknown
Sept. 5, 2008 East Burke High School
(Morganton, NC)		 For the past five years, East Burke High School's web site exposed files containing personal information including names, Social Security numbers, addresses, phone numbers, job titles, email addresses and unlisted phone numbers of teachers, bus drivers, custodians and other staff members on the Internet. 163
Sept. 9, 2008 University of Pittsburgh
(Pittsburgh, PA)		 A laptop containing personal information including names and Social Security numbers was stolen. The laptop, stolen from Mervis Hall was being used by an employee to conduct surveys of alumni that are used in college rankings. Unknown
Sept. 10, 2008 Ivy Tech Community College
(Bloomington, IN)
www.ivytech.edu/about/security/faq-0708.html
www.ivytech.edu/about/security/		 An employee of the college used an internal file sharing system to send a file that consisted of students enrolled in the spring 2008 semester for distance education courses. The employee intended to share the file with a single employee of the college. Instead, due to a clerical error, the invitation to view the file was sent to a list of all Indianapolis region employees. Unknown
Sept. 10, 2008 Franklin Savings and Loan
(Cincinnati, OH)
(877) 579-2267
(513) 605-4378		 An unauthorized person gained access to a database containing personal information such as names, addresses, phone numbers, account numbers, account balances and Social Security numbers. 25,000
Sept. 11, 2008 Marshall University
(Charleston, WV)		 The names and Social Security numbers of Marshall University students were openly available on the Internet. 198
Sept. 11, 2008 University of Iowa College of Engineering
(Iowa City, IA)		 Some students are being notified by the college that their personal information may have been exposed in a recent computer breach. The compromised computer contained a file with names and Social Security numbers of students stored on its hard drive. 500
Sept. 12, 2008 Tennessee State University
(Nashville, TN)		 A flash drive containing the financial information and Social Security numbers of students was reported missing. The flash, which contained financial records of TSU students dating back to 2002. 9,000
Sept. 13, 2008 State Farm Insurance
(Surprise, AZ)		 An employee of State Farm fraudulently used customer information to open credit-card accounts. Customers' Social Security numbers, driver's license numbers, addresses and possibly financial account numbers could have been accessed. 137
Sept. 15, 2008 Forever21
(Los Angeles, CA)
(888) 757-4447
www.forever21.com/notice/notice.html		 If you shopped at the stores between November 26, 2003 and October 24, 2005, criminals may have jacked your credit and debit card numbers from its computers. Approximately 20,500 of these numbers were obtained from the Fresno store transaction data. The data included credit and debit card numbers and in some instances expiration dates and other card data, but did not include customer name and address. 98,930
Sept. 19, 2008 Texas A&M University
(College Station, TX)		 A class roster was among some documents located on a computer server that was hacked. The class roster was for Economics-2301 held during the first summer session of 2004. Social Security numbers were part of the information on those documents. 31
Sept. 22, 2008 Sonoma State University
(Sonoma, CA)		 Social Security numbers have been exposed to the public through an internal department website. 600
Sept. 23, 2008 Texas Lottery Commission
(Austin, TX)		 A former Texas Lottery Commission computer analyst has been arrested for copying the personal data of Texas lottery winners. He downloaded his own work files off his computer and took them to his next job. The names and Social Security numbers of 27,075 mid-level lottery winners -- people who have won prizes from $600 up to around $1 million -- were on the employee's hard drive. 27,075
Sept. 26, 2008 Fort Wayne Community Schools
(Fort Wayne, IN)		 A man arrested on forgery and counterfeiting charges may have used some employees' personal information in his possession. A 94-page document containing personal information belonging to 3,348 FWCS employees was found by police. The information included names, Social Security numbers, dates of birth and salary. 3,348
Sept. 30, 2008 Dormitory Authority's
(New York City, NY)		 On the trip from the Albany headquarters of this New York based construction organization, to their data center in New York City 5 tapes had fallen out of their yellow mailing envelope. The tapes contained personal private or sensitive information of over 600 employees and approximately 3,000 vendors. Social security numbers and tax ID numbers were compromised. 3,600
Sept. 30, 2008 University of Indianapolis
(Indianapolis, IN)		 A hacker attacked the University of Indianapolis' computer system and gained access to personal information and Social Security numbers for 11,000 students, faculty and staff, 11,000
Sept. 30, 2008 Blue Cross & Blue Shield
(Baton Rouge, LA)		 A document containing the personal data was accidentally attached to a general e-mail being sent out to brokers notifying them of a software upgrade. Information such as Social Security numbers, phone numbers and addresses were exposed. 1,700
Oct. 1, 2008 Foothills Parks and Recreation District
(Littleton, CO)		 The district noticed unusual activity last week which they believe was caused by a virus introduced to cover up the actions of the intruder. Some customer information, including credit card information, may have been compromised. Unknown
Oct. 7, 2008 University of North Dakota Alumni Association
(Grand Forks, ND)		 A laptop computer containing sensitive personal and financial information on alumni, donors and others was stolen from a vehicle belonging to a software vendor retained by the UND. The information, included individuals’ credit card and Social Security numbers, 84,000
Oct. 7, 2008 West Virginia Dept. of Administration
(Charleston, WV)		 A laptop was taken from an auditor's vehicle. It contains payroll and benefits information for 425 employees of the state Insurance Commission and 110 employees of the Department of Health and Human Resources' Bureau of Medical Services and Child Support Enforcement Division. The information includes full names or first names and Social Security numbers. 535
Oct. 13, 2008 Southwest Mississippi Community College
(Summit, MS)		 Former Southwest Mississippi Community College students had some of their personal information made available temporarily on the Internet. The breach involved names, addresses, and in some cases, Social Security numbers. 1,000
Oct. 15, 2008 City of Indianapolis
(Indianapolis, IN)		 A spreadsheet containing the names, Social Security numbers and dates of birth for people charged with minor offenses in 2006 and 2007 was accidentally posted on the city of Indianapolis' new Web site. 3,300
Oct. 17, 2008 The Planet
(Houston, TX)		 A security breach that may have affected the customer portal account and server passwords, was discovered. The Planet identified the methods by which the systems were compromised and have closed those holes. Only two user accounts were definitely affected, and no credit card information is believed to have been compromised. 25,000
Oct. 18, 2008 City of Goodyear
(Goodyear, AZ)		 A list of their Social Security numbers was stolen from the car of a staffer who had taken the data home. Burglars took the list while the employee's car was parked at her home. 570
Oct. 19, 2008 Mary Washington Hospital
(Fredericksburg, VA)		 A security breach in an online computer system exposed the private medical information of some of its maternity patients. Social Security numbers, phone numbers, address, insurance carrier, birth dates and doctor's names were exposed.

 

 803
Oct. 22, 2008 KRM Management
(Fresno, CA)		 Offices of KRM Management were broken into and stole two dozen computers, on one of those hard drives were Social security numbers, birthdates and addresses. One missing laptop computer is causing the most concern. It contained sensitive and confidential information on close to 5700 city employees who filed worker's comp claims dating back to 1973. Hundreds are or were police officers. 5,700
Oct. 23, 2008 Medical Mutual of Ohio
(Columbus, OH)		 Eleven computer disks containing personal information on Ohio retirees and employees are missing, disks are most likely somewhere in the postal system. It seems insufficient postage was placed on the envelopes [containing the disks], therefore they are believed that they are likely to still be safe within the postal system. 36,000
Oct. 24, 2008 Shenendehowa Transportation Employees
(Shenendehowa, NY)		 A Shenendehowa sophomore arrested after he allegedly accessed the personal data of some 250 transportation employees due to a school district error. Due to a school district error in configuring information on a new computer server, the student was able to use his student password to access an employee domain and 250 names of past and present Shen transportation employees, their Social Security numbers, driver's license numbers and more. 250
Oct. 27, 2008 Shell Oil Co.
(Houston,TX)		 An IT contractor used the personal data of four Shell workers as part of an unemployment insurance claims scam. Employees of a third-party contractor misused information stored in a corporate database. The database includes records for a majority of current and former Shell employees. Misused data included names, dates of birth and Social Security numbers. Unknown
Oct. 31, 2008 U.S. State Department
(Washington, D.C.)		 Passport applicants in the D.C. area were notified of a breach in a database that allowed a ring of thieves to obtain confidential information so they could fraudulently use credit cards stolen from the mail. The compromised included information Social Security numbers, physical descriptions, names and places of birth of the applicants' parents. 400
Nov. 1, 2008 Seattle School District
(Seattle, WA)		 Personal information, including Social Security numbers, was inadvertently released to a local union representing some district workers. The 5,000 employees are more than half the district's work force. Included were about 700 members of International Union of Operating Engineers Local 609, which represents custodial, nutritional services, security- and alarm-monitoring workers. 5,000
Nov. 1, 2008 Veterans Affairs Medical Center
(Portland, OR)		 Personal information, including some Social Security numbers, of patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site. 1,600
Nov. 1, 2008 Baylor Health Care System Inc.
(Dallas, TX)
(800) 554-5281		 A laptop computer containing limited health information on 100,000 patients was stolen from an employee's car. Included were 7,400 patients whose Social Security numbers were stored on the computer.

100,000
7,400 were SSN
Nov. 3, 2008 Genesee Intermediate School District
(Mundy Township, MI)		 A laptop stolen had been used for background checks on school workers and included their fingerprints and some personal information such as their names, addresses, birthdates and race. The laptop did not have Social Security numbers and the data was stored in files that require a password to be opened. 6,000 Not included in total.
Nov. 4, 2008 Arizona Department of Economic Security
(Phoenix, AZ)		 Some children’s identities were stored on Department of Economic Security hard drives that were stolen from a storage unit. The hard drive contained names, addresses, phone numbers and Social Security numbers for families referred for the Arizona Early Intervention Program over the past several years. 40,000
Nov. 5, 2008 North Carolina Dept. of Health and Human Services
(Raleigh, NC)		 A laptop computer belonging to a Division of Aging and Adult Services employee was stolen. The computer contained information about people receiving home and community services. Unknown
Nov. 6, 2008 Express Scripts
(St. Louis, MO)		 Express Scripts has received a letter demanding money from the company under the threat of exposing records of millions of patients. The letter, included personal information on people covered by Express Scripts, including birth dates, Social Security numbers and prescription information. Express manages prescription benefits for roughly 50 million people. 75
Nov. 6, 2008 Harvard Law School
(Cambridge, MA)		 A computer tape containing Social Security numbers, addresses, and financial information was either lost or stolen. About 8,000 records of present and former clients contained Social Security numbers; another 13,000 had other identification information that was contained on the tape. 21,000
Nov. 7, 2008 Christus Health Care
(Houston, TX)
(800) 877-9056		 Two computer back-up tapes were stolen. Someone broke into a car in a Houston parking lot and took the tapes. The information on the tapes included patient names, Social Security numbers, demographic information, and in some cases, diagnosis codes. Unknown
Nov. 7, 2008 Arizona's Department of Economic Security
(Phoenix, AZ)		 (DES) is notifying the families of about 40,000 children that their personal data may have been compromised following the theft of several hard drives from a commercial storage facility. The information stored on the stolen disks included the names, addresses and phone numbers of families whose children were referred to the DES for early intervention services over the past several years. In the cases of families that had applied for and received services from the agency, their records also included Social Security numbers. 40,000
Nov. 9, 2008 Texas A&M University
(Corpus Christi, TX)		 Through an Internet search on the university's Web site, a student viewed a document that listed admissions applicants from 2005. The page listed names and Social Security numbers. 1,430
Nov. 9, 2008 City of Charlottesville
(Charlottesville, NC)		 Two laptops containing voter registration information were stolen from a building at Tonsler Park in Charlottesville sometime after the polls closed. The information on the computers included names, addresses, date of birth and DMV customer number. 25,000
Nov. 11, 2008 Sinclair Community College
(Dayton,OH)		 The names and Social Security numbers of almost 1,000 employees were inadvertently left open to public view on the Internet for about a year. A spreadsheet with information on people who worked at the school in 2000 and 2001 was placed in a computer folder by an employee. The employee didn't realize the folder could be viewed on the Internet. 1,000
Nov. 12, 2008 University of Florida
(Gainesville, FL)		 Some current and former dental patients have been notified that an unauthorized intruder recently accessed a College of Dentistry computer server storing their personal information. College information technology staff members were upgrading the server and found software had been installed on it remotely. Information stored on the server included names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information for patients dating back to 1990. 330,000
Nov. 12, 2008 Pinellas County and
Florida state agency offices
(Pinellas County, FL)		 Documents with Social Security numbers, medical information and other legally protected data were found in trash containers at government buildings. Also found were hundreds of improperly discarded records were found that included medical data, privileged communications between attorneys and clients, juvenile defendant records and child abuse materials. Unknown
Nov. 20, 2008 Law office of former Texas attorney
(Rio Grande Valley, TX)		 An individual purchased a used computer and memory stick from a pawn shop. He discovered sensitive information on the computer and traced it to the law office of a Texas attorney who no longer practices law. The attorney, Aaron Pena, Jr., is now a Texas State Representative. His spokesperson told news sources that the computer's hard drive had been wiped before the machine was donated to charity. The news team visited other pawn shops and found several other used computers which also contained sensitive personal information. 627
Nov. 21, 2008 Jackson-Madison County School System
(Jackson, TN)		 A computer disk containing Social Security numbers and test scores was stolen from a principal's car. 200
Nov. 21, 2008 B.J. Accessories and Tax Preparation
(New Bern, NC)		 A computer was stolen containing identity information on about 70 people. Information on the computer may have had Social Security Numbers on it. 70
Nov. 22, 2008 Maryland Department of the Environment
(Baltimore, MD)		 Two laptop computers containing the names and Social Security numbers of people formerly employed by the Maryland Department of the Environment were stolen. 1,367
Nov. 24, 2008 Starbucks Corp.
(Seattle, WA)		 A laptop containing private information on employees was stolen. The information included names, addresses and Social Security numbers. 97,000
Nov. 25, 2008 Weber State University
(Ogden, UT)		 In a break in, thieves made off with approximately $1,600 in cash, three computers and a postal scale. Hard-copy records of post office box rental information was also taken from the center. Some of the stolen rental cards contained names, addresses and Social Security numbers for members of the campus community who rented post office boxes in the union building during the past eight years. 70
Nov. 26, 2008 Luxottica Group/Things Remembered
(Mason, OH)		 A routine check by the information technology department discovered that a hacker had been inside a computer mainframe and downloaded the personal information of former workers. The victims will have lost names, addresses and Social Security numbers to the hacker. 59,419
Dec. 2, 2008 US Army A possible security breach regarding the personal information stored on a lost laptop computer affecting more than 6,000 beneficiaries. Names, Social Security numbers and health information of at least 26 individuals were stored on the laptop. However, information on approximately 6,000 other patients also may have been on the missing computer. 6,000
Dec. 2, 2008 Florida Agency for Workforce Innovation
(Tallahassee, FL)		 Employment information and more than a quarter million Social Security numbers were posted online. The breach occurred when several thousand Excel and text files containing millions of employment records were posted in the course of developing a new website. 259,193
Dec. 3, 2008 Central California Appellate Program
(Sacramento, CA)		 A backup computer disk was in a safe taken by thieves who broke into a storage facility. Besides Social Security numbers, the disk contained tax identification numbers, addresses, telephone numbers and e-mail addresses. Unknown
Dec. 4, 2009 Deo B. Colburn Foundation Scholarship
(Lake Placid, NY)		 If you received the Deo B. Colburn scholarship for the 2003-04 academic year, your Social Security number may have been made public. Hundreds of Social Security numbers of former students from all over the northern Adirondacks, including Lake Placid, were released onto the Internet, potentially compromising those people's credit and financial status. Information included names, addresses, academic institutions, the amount of money recieved and Social Security numbers of the scholarship recipients. 341
Dec. 5, 2008 Cal Poly Pomona
(Pomona, CA)		 A student informed the university that he accessed an Excel file containing his personal information and others while on the Internet. The information includes names, addresses, phone numbers and Social Security numbers. 675
Dec. 11, 2008 Hewlett-Packard/Symantec
(Houston,TX)		 Several thousand employee records were contained on a laptop that was stolen from an HP employee based in the Houston area. At first HP thought that there was no sensitive information on the laptop, but after looking into back-up files, the company realized that it contained names and Social Security numbers of current and former employees. Unknown(1000's)
Dec. 12, 208 Oregon Health & Science University
(Portland, OR)		 A laptop stolen in Chicago this week contained health records. It was stolen from a hotel while an OHSU employee was there on business. The data could include medical record numbers, names, telephone numbers, dates of birth, gender, Social Security numbers, addresses.medical diagnosis category and category of treatment — but not the specific treatments. 890
Dec. 14, 2008 Zyacorp Entertainment Cinemagic Stadium
(Merrimack, NH)		 Hackers broke into a Merrimack movie theater's servers and stole customers' credit card information. Unknown
Dec. 15, 2008 University of North Carolina
(Greensboro, NC)		 A breach of the accounting computer systems at UNC-Greensboro may have exposed personal employee information to intruders. The breach was detected on a computer in the Accounting Services office, in the form of a virus that may have allowed unauthorized access. Unknown
Dec. 15, 2008 Louisiana Department of Revenue
(Baton Rouge, LA)		 The Louisiana Department of Revenue accidentally divulged the personal information of taxpayers to other people with tax debts. The department says letters mailed to taxpayers who owe money also listed the name, address, Social Security number and debt for a different taxpayer on the other side of the paper. 299
Dec. 17, 2008 New Hampshire Dept. of Health and Human Services
(Concord, NH)		 Health and Human Services mistakenly released the Social Security numbers and other personal information of Medicare Part D recipients. The information was mistakenly attached to a e-mail to health care organizations including nursing homes. 9,300
Dec. 18, 2008 Bill Dube Ford/Toyota
(Dover, NH)		 Personal information from thousands of people in New Hampshire and Massachusetts has been compromised after a data backup tape was stolen. The data include names, addresses, Social Security numbers and driver's license information. 10,000
Dec. 19, 2008 Austin Peay State University
(Clarksville, TN)		 Two computers containing personal information were stolen. The computers contained names and Social Security numbers of students. 750
Dec. 22, 2008 University of North Carolina School of the Arts
(Winston-Salem, NC)		 Names and Social Security numbers may have been accidentally exposed in a security breach involving a university computer server. The security breach occurred in May of 2006 and affected students who were enrolled between 2003 and 2006. 2,700
Dec. 23, 2008 Cedars-Sinai Medical Center
(Los Angeles, CA)		 A former billing department employee is in custody on $895,000 bail for allegedly stealing the personal information of 1,000 hospital patients and using it to bilk insurance companies. 1,000
Dec. 23, 2008 Ohio University-Chillicothe
(Chillicothe, OH)		 An external computer hard drive was discovered missing or stolen. Current and former wellness center members' Social Security numbers were on the hard drive.. 38
Dec. 24, 2008 FEMA
(New Orleans, LA)		 An unauthorized breach of private information resulted in the information release of 16,857 names, Social Security numbers, phone numbers, and other private details of people who had applied for benefits. The information was flashed on a pair of privately run Web sites, but for how long was unclear. 16,857
Dec. 25, 2008 Pulte Homes Las Vegas Division
(Las Vegas, NV)		 A box containing computer backup tapes was stolen. Computer tapes holding private customer information including names, addresses, driver's license numbers and financial account numbers were stolen from a Pulte Homes office in Las Vegas. 16,000
Dec. 29, 2008 RBS WorldPay
(Atlanta., GA)
http://www.rbsworldpay.us/RBS_WorldPay_
Press_Release_Dec_23.pdf
http://www.nationalterroralert.com/updates/2009
/02/03 /fbi-uncovers-worldwide-atm-card-scam-9
-million-stolen -in-single-day/
http://media2.myfoxny.com/pdf/rbscomplaint.pdf		 RBS WorldPay belatedly admitted that hackers broke into their systems. In the US up to 1.1 million Social Security records were exposed as a result of the breach. Pre-paid cards including payroll cards and open-loop gift cards were affected. RBS stated that PINs for all PIN-enabled cards have been reset.
UPDATE (2/3/09):
Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from ATMs in 49 cities worldwide. Alleged hackers are still at large and could orchestrate another attack.
UPDATE (2/10/09):
1.5 million financial and 1.1 million personal records were compromised. As usual, in these cases, a class action law suit has been filed against RBS WorldPay.
UPDATE (5/28/09):
RBS WorldPay says it has returned to Visa's and MasterCard's lists of validated service providers. It was recently certified as compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2.		 1.1 Million
Dec. 31, 2008 New Hampshire's Lakes Region General Hospital
(Laconia, NH)		 A package containing personnel medical information on patients is missing. UPS recently shipped the parcel from a Woburn, Mass. central processing agent to the hospital, but the package never arrived. Information contained in the package includes patient names, possible Social Security numbers, dates of service and diagnosis code numbers for different diagnosis or medical procedures. 1,500
Dec. 31, 2008 Ohio State University
(Columbus, OH)
http://www.studentlife.osu.edu/dataexposure		 Ohio State University has notified 18,000 current and former students that their personel information was mistakenly stored on a computer server exposed to the Internet. The data included student names, Social Security numbers, addresses and coverage dates for those enrolled in the health insurance plan for three quarters in 2005-06. 18,000
2009 NAME
(Location)		 TYPE OF BREACH NUMBER OF RECORDS
Jan. 2, 2009 Merrill Lynch
(New York, NY)		 A third-party consulting services firm working on behalf of Merrill Lynch reported, one of their employees was burglarized. The burglars took various items, including a computer, which had on it the names and Social Security numbers of current and former Financial Advisors and some applicants for employment. Unknown
Jan. 2, 2009 Pepsi Bottling Group
(Somers, NY)
For More Info Contact:
David Yawman
David.Yawman@pepsi.com
(914) 767-7620 or (866) 578-5410		 A portable data storage device, which contained personal information, including the names and Social Security numbers of employees in the US is missing or stolen. Unknown
Jan. 5, 2009 Library of Congress
(Washington, DC)		 An employee in the human resources department of the Library of Congress was charged with conspiring to commit wire fraud in which he stole information on at least 10 employees from library databases. He passed the information to a relative, who used it to open the accounts. Together, the two are alleged to have bought $38,000 worth of goods through the accounts. 10
Jan. 6, 2009 CheckFree Corp.
(Atlanta, GA)		 CheckFree Corp. and some of the banks that use its electronic bill payment service say that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. The company believes that about 160,000 consumers were exposed to the Ukrainian attack site. However, because the company lost control of its Web domains, it doesn't know exactly who was hit. And so it must warn a much larger number of customers. This breach was reported back in Dec. 3 08. 5,000,000
Jan. 7, 2009 Genica/Geeks.com
(Oceanside, CA)
(888) 529-6261
http://www1.ftc.gov/opa/2009/02/compgeeks.shtm		 Genica dba Geeks.com ("Genica") recently discovered that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers. They are still investigating the details of this incident, but it appears that an unauthorized individual may have accessed this information by hacking our eCommerce website. Unknown
Jan. 11, 2009 University of Rochester
(Rochester, NY)		 Personal information including Social Security numbers of about 450 current and former University of Rochester students was stolen by hackers this week from a UR database. The information was taken from a non-academic student database and copied illegally to an off-campus IP address. 450
Jan. 12, 2009 Columbus City Schools
(Columbus, OH)		 Columbus City Schools experienced a security breach, resulting in employees’ Social Security numbers being at risk. CPD officers went to serve drug and auto-theft felony warrants. During the arrest officers learned there might be stolen personal information in the house and found personal information on district employees.It is believed the suspects either stole or intercepted part of a mailing from the payroll division that was en route to annuity companies. 100
Jan. 13, 2009 University of Oregon
(Eugene, OR)
(541) 346-2510		 A laptop computer containing data files for Youth Transition Program (YTP) participants was stolen. Those files contained names and social security numbers. Unknown
Jan. 13, 2009 Innodata Isogen, Inc.
(Hackensack, NJ)		 Laptop stolen from an employee's car contained names, addresses, Social Security numbers of current and former employees. Unknown
Jan. 13, 2009 Seventh-Day Adventist Church
(Silver Spring, MD)		 A Laptop stolen and recovered contained names and Social Security numbers. 292
Jan. 13, 2009 Continental Airlines
(Newark, NJ)		 A laptop containing fingerprints, Social Security numbers, names, addresses, was stolen from a locked Newark office. 230
Jan. 13, 2009 Blue Ridge Community Action
(Morganton, NC)		 Social Security numbers were on an external computer hard drive that is missing or stolen. The hard drive contained information on clients from four counties who have used the organization's services in the past four or five years. The external hard drive was used to back up information on clients. 300
Jan. 14, 2009 Occidental Petroleum Corporation
(Dallas, TX)
(800) 733-0085		 A former employee emails himself (to personal email account)a spreadsheet of employee names, addresses, empolyee identification numbers, birth dates, starting dates, retirment dates and Social Security numbers. Unknown
Jan. 16, 2009 Southwestern Oregon Community College
(Coos Bay, OR)		 A laptop computer was stolen from the campus putting former and current students at risk. 200
Jan. 19, 2009 Forcht Bank
(Lexington, KY)		 Customer debit cards were disabled this week after learning they could have potentially been hacked into by persons creating duplicate cards. The cards were comprised when a retail merchant’s computer system was hacked. Which merchant is unknown at this time. The breach affected customers of multiple banks and multiple debit and ATM networks. 8,500
Jan. 20, 2009 Kanawha-Charleston Health Department
(Charleston, WV)		 People who received flu shots from the agency since October, are being warned that their personal information may have been stolen by a former department temporary worker. Information included their names, social security numbers, addresses and other personal information. 11,000
Jan. 20, 2009 Heartland Payment Systems
(Princeton, NJ)
http://www.2008breach.com
Indictment document, U.S. District Court (New Jersey)
http://www.wired.com/images_blogs/threatlevel
/2009/08/gonzalez.pdf		 After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, the company last week found evidence of malicious software that compromised card data that crossed Heartland's network. This incident may be the result of a global cyberfraud operation.
UPDATE (1/26/09):
Heartland Payment Systems has been sued. The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history.
UPDATE (2/12/09):
According to BankInfoSecurity.com, the number of financial institutions that have come forward to say they have been contacted by their credit card companies Visa and MasterCard in relation to the breach has jumped from fewer than 50 to more than 200.
UPDATE (6/4/09):
While it's hard to get a handle on just how many consumers were affected by the Heartland Payment Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656.
UPDATE (6/16/09):
Heartland Lawsuits to be Heard in Texas. The Judicial Panel on Multidistrict Litigation in Louisville, KY issued its decision to consolidate the class action suits. The lawsuits will be heard in the Southern District Court of Texas in Houston. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against Princeton, N.J.-based Heartland.
UPDATE (7/6/09):
Heartland Payment Systems successfully completed the first phase of an end-to-end encryption pilot project designed to enhance its security.
UPDATE (8/20/09):
Albert “Segvec” Gonzalez has been indicted by a federal grand jury in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.

100 million transactions per month
It is unclear how many account numbers have been compromised, and how many are represented by multiple transactions. The number of records breached is an estimate, subject to revision. Consequently, we have not included this breach in the “Total” below.

UPDATE (8/20/09): According to the court document, hackers stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined.
Jan. 21, 2009

First Interstate Mortgage Corporation (FIM)/
Nevada One Corporation (Nevada One)
http://www.ftc.gov/opa/2009/01/navone.shtm
(Nevada)

 These mortgage brokers have discarding consumers’ tax returns, credit reports, and other sensitive personal and financial information in an unsecured dumpster. Approximately 40 boxes containing consumer records were found in a publicly-accessible dumpster. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards, drivers’ licenses, and at least 230 credit reports. The defendant, who has owned numerous companies that handle sensitive consumer information, kept the documents in an insecure manner in his garage before improperly disposing of them. Unknown
This breach accrued in Dec. 06
Jan. 21, 2009 Missouri State University
(Springfield, MO)		 Personal information, including Social Security numbers for 565 foreign students at MSU was leaked this month when a university office sent an e-mail message soliciting their help with language tutoring. The email message they got had a spreadsheet attachment that contained names and Social Security numbers for international students. 565
Not included in total -- not known how many students have SSNs.
Jan. 23, 2009 Monster.com
(Maynard, MA)
http://help.monster.com/besafe/
http://help.monster.com/besafe/jobseeker/index.asp		 Their database had been illegally accessed and user IDs, passwords, names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence were stolen. Unknown
Jan. 26, 2009 Madison, WI. Human Resources Department
(Madison, WI)		 An oversight by the city of Madison's personnel office is the reason Social Security numbers of city employees were stored on a laptop computer stolen from a city office. Any official or employee — except those in the police, fire and transit departments — who was issued a new or replacement city identification card from the start of 2004 through 2007 may be at risk. Data on the laptop included photos, names and Social Security numbers. 500
Jan. 26, 2009 U.S. Military
 A New Zealand man accesses US military secrets on an MP3 player he bought from an Oklahoma thrift shop for $18. When the 29-year-old hooked up the player he discovered a playlist he could never have imagined - 60 files in total, including the names and personal details of American soldiers. 60
Jan. 27, 2009 U.S. Consulate
 Hundreds of files — with Social Security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction. Unknown
Jan. 27, 2009 Beaumont City
(Beaumont, TX)		 Personal information of current and former Beaumont city workers was accidentally posted online. The information, including birth dates and Social Security numbers. 500
Jan. 27, 2009 Citi Habitat
(New York, NY)		 During a refurbishing of their office, paper that should have been shredded was improperly placed as trash. Information found blowing in the street included bank statements, 401k statements, credit reports, tax returns, driver's licenses, names, phone numbers and Social Security numbers. Unknown
Jan. 28, 2009 CityStage
(Springfield, MA)		 A computer system might have exposed credit card information of customers on the Internet. The probably occurred in December while the theater's Web contractor was changing servers. Credit card numbers might have been compromised. 60
Jan. 30, 2009 Kansas State University
Manhattan, KS
(785) 532 4441		 Students who were enrolled in an agricultural economics class in spring 2001 inadvertently had some personal information exposed on the Internet through a K-State departmental Web site. Names, Social Security numbers and grades of those students have been exposed since 2001. 45
Jan. 30, 2009 Coos Bay Department of Human Services
(Coquille, OR)		 A scammer made off with Social Security numbers after sending a virus online to a computer at the Department of Human Services office. A application that was installed recorded keystrokes and sent them to an external address. The information was taken from Coos County residents. 45
Jan. 30, 2009 Indiana Department of Administration
(Indianapolis, IN)		 Social Security numbers of current and former state employees were accidentally posted on a state Web site for about two hours. The Social Security numbers were erroneously included in a contract solicitation file posted on the department's procurement Web site. 8,775
Jan. 31, 2009 HoneyBaked Ham
(Indianapolis, IN)		 A computer server stocked with credit-card information was stolen from a store. Customers might be at risk. Unknown
Jan. 31, 2009 Ball State University
(Muncie, IN)		 A employee sent out an e-mail, to verify contact information, to 91 special events staff with an excel spreadsheet attachment that, unbeknownst to the employee, included the Social Security number of 19 of the workers. 19
Feb. 2, 2009 Southern Satellite
(Orange City, FL)		 Hundreds of folders containing names, addresses, Social Security numbers and credit card information were found in a dumpster. Unknown
Feb. 2, 2009 St. Anthony Central Hospital
(Denver , CO)		 Boxes, filing cabinets and trash bags full of hundreds of U.S. passports, birth certificates, driver's licenses, Social Security cards and other documents - most stolen within the past two years were found in a storage unit. Also found were hospital records containing dates of birth, Social Security numbers and copies of the driver's licenses of 150 patients who had been admitted into the emergency room or general surgery. 150
Feb. 2, 2009 Irving Independent School District
(Irving, TX)		 Detailed information such as Social Security numbers and birth dates were stolen by one of the volunteer. She opened a line of credit at a local Sears Store and tried to buy tires and electronics, using the name of an Irving elementary school teacher. An alert Sears employee became suspicious and called police. 50
Feb. 3, 2009 Baystate Medical Center
(Springfield , MA)
(413 )794-4722		 Several laptops were stolen from Baystate Medical Center's Pediatrics department. Some of those computers had patient information on them. All of the information is password protected and the computers had no financial or Social Security information on them. Unknown
Feb. 3, 2009 SRA International
(Fairfax, VA)		 Malicious software may have allowed hackers to get access to data maintained by SRA, including employee names, addresses, Social Security numbers, dates of birth and healthcare provider information. Unknown
Feb. 3, 2009 Georgia State Board of Pardons and Paroles
(Atlanta, GA)		 The offices of a state contractor in Roswell were burglarized and a computer was stolen. Information regarding current and past parolees that was lost in a burglary includes names, dates of birth and Social Security numbers. Unknown
Feb. 4, 2009 Womancare Inc.
(Lathrup Village, MI)		 Medical records were improperly disposed of. Pro-Life Society found the records in a dumpster behind the office. unknown
Feb. 4, 2009 Texas Veterans Commission
(Waco, TX)		 A Waco individual received a packet in the mail with the application for her daughter's tuition benefits. At the bottom of the packet, was a claims log that listed more than 20 veterans names, Social Security numbers and medical claim information. The Waco Veterans Commission and the VA's regional office were not able to explain how the veterans' personal information found its way into the envelope containing the unrelated information about the tuition benefits for the woman's daughter. 20
Feb. 5, 2009 Mooresville's Dry Cleaning Station
(Mooresville, NC)		 A Mooresville dry cleaner has skipped town, taking her clients' clothes and credit card numbers with her. Unknown
Feb. 5, 2009 phpBB.com
 A popular bulletin board software package has been taken offline following a security breach that gave an attacker full access to a database containing names, email, address, and hashed passwords for its entire user base. The attacker gained access through an unpatched security bug in PHPlist, a third-party email application. 400,000
Not added to total SSN's were not accessed.
Feb. 6, 2009 Catskill Regional Medical Center
(Harris, NY)		 A woman was fired for allegedly spying. The employee had access to company files. The files included Social Security numbers, birth dates, addresses and financial information. 431
Feb. 6, 2009 Kaiser Permanente
(Oakland, CA)
(877) 281-3573		 A law enforcement agency seized a computer file with Kaiser data from a person who was subsequently arrested. The suspect was not a Kaiser employee. Kaiser Permanente is notifying nearly 30,000 Northern California employees that the security breach may have led to the release of their personal information. The stolen information included names, addresses, dates of birth and Social Security numbers for Kaiser employees. 30,000
Feb. 6, 2009 Purdue University
(West Lafayette, IN)
http://news.uns.purdue.edu/Payroll0901.html		 A mailing error has resulted in 1099 tax forms being sent to the wrong recipients. The incident affected 248 companies and 962 individuals. Those affected by the incident received letters notifying them that their tax information had either been sent to another or that they themselves had received someone else's information by mistake. 962
Feb. 8, 2009 Kaspersky
(Woburn, MA)		 An unidentified hacker gained access to databases used by the usa.kaspersky.com Web site, allowing access to users' accounts, activation codes and possibly personal data about Kaspersky customers. Kaspersky Lab is a security software company. Unknown
Feb. 9, 2009 Parkland Memorial Hospital
(Dallas, TX)		 A laptop computer that may have contained the names, birthdates and Social Security numbers of 9,300 employees of Parkland Memorial Hospital was stolen. 9,300
Feb. 9, 2009 Federal Aviation Administration
(Washington D.C.)		 Hackers broke into the Federal Aviation Administration's computer system, accessing the names and Social Security numbers of employees and retirees. 43,000
Total increased to 48,000
Feb. 9, 2009 U.S. Postal Service Santee
(Santee, CA)		 A mail carrier in San Diego County is accused of stealing dozens of gift cards, debit cards and Social Security documents sent through the mail. Deputies found 30 gift cards, stolen mail, debit cards and money when the carrier was arrested after he finished his route. Detectives also found Social Security documents and W-2 wage and tax statements at carrier's home. Unknown
Feb. 10, 2009 SemGroup LP
(Tulsa, OK)		 Online banking bandits pulled thousands of dollars from the accounts of current and former employees after personal information was inadvertently left on a bankruptcy court document made public. 160
Feb. 11, 2009 Los Angeles National Laboratory
(Los Alamos, NM)		 The Los Alamos nuclear weapons laboratory in New Mexico is missing 69 computers, including at least a dozen that were stolen last year. The computers are a cybersecurity issue because they may contain personal information like names and addresses. But they did not contain any classified information. Also missing are three computers that were taken from a scientist's home and a BlackBerry belonging to another employee that was lost "in a sensitive foreign country." Unknown
Feb. 13, 2009 University of Alabama
(Tuscaloosa, AL)		 Seventeen of four-hundred databases were tapped by hackers. Personal information may have been stolen. One of those computers contained lab results for people tested at the campus medical center. The servers had a database containing 37,000 records of lab data. They contain the names, addresses, birthdates and Social Security numbers of each person who has had lab work, such as a blood or urine test, done on the UA campus since 1994. 37,000
Feb. 16, 2009

Wyndham Hotels & Resorts
(Parsippany, NJ)
http://www.wyndhamworldwide.com/customer_care/
data-claim.cfm

 In mid-September, 2008, the company discovered that a sophisticated hacker penetrated the computer systems of one of the hotels. By going through the centralized network connection, the hacker was then able to access and download information from several, but not all, of the other WHR properties and create a unique file containing payment card information of a small percentage of our WHR customers. Potentially exposed through this breach are guest and/or cardholder names and card numbers, expiration dates and other data from the card’s magnetic stripe. 21,000
Feb. 17, 2009 Broome Community College
(Binghamton, NY)		 Broome Community College, sent out a mailing last week with Social Security number posted prominently on the back cover. The winter/spring 2009 alumni magazine was mailed to 28,000 people, it assumed that less than 14,000 copies had Social Security numbers on the magazine. 14,000
Feb. 18, 2009

CVS Pharmacies
(Woonsocket, RI, Indianapolis, IN, and other cities)
http://www.hhs.gov/ocr/privacy/hipaa/enforcement
/examples/cvsresolutionagreement.html

 The CVS Pharmacy chain, the largest in the country with 6,300 outlets, has agreed to a $2.25 million settlement with the U.S. Dept. of Health and Human Services. Indianapolis TV station WTHR engaged in an extensive investigation beginning in 2006 of local CVS Pharmacies and their pharmacies in other cities nationwide including Boston, Chicago, Cleveland, Detroit, Dallas, Louisville, Miami, New Haven (Conn.), Philadelphia, Phoenix, and CVS headquarters in Woonsocket, RI. They found that CVS pharmacies were disposing of documents, such as labels from prescription bottles and old prescriptions, in unsecured dumpsters. The HHS's Office of Civil Rights charged that CVS "failed to implement adequate policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process; failed to adequately train employees on how to dispose of such information properly; and did not maintain and implement a sanctions policy for members of its workforce who failed to comply with its disposal policies and procedures." In a coordinated action, CVS Caremark Corporation, the parent company of the chain, also signed a consent order with the Federal Trade Commission to settle potential violations of the FTC Act.
UPDATE (7/16/00): A state board has given final approval to settlements with Indiana's two largest drugstore chains for leaving patient information in the trash. CVS has paid a $2.25 million fine to settle a probe by the U.S. Office of Civil Rights. Also CVS will donate a $1,000 to charity as part of the state settlement.		 Unknown
Feb. 18, 2009 Rio Grande Food Project
(Albuquerque, NM)		 A food pantry is warning its clients that tens of thousands of them are at risk for identity theft after a laptop computer containing their personal information was stolen. The computer contained sensitive personal data including addresses, birth dates and Social Security numbers. 36,000
Feb. 19, 2009 University of Florida
(Gainesville, FL)
(877) 657-9133		 A foreign hacker gained access to a University of Florida computer system containing the personal information of students, faculty and staff. The files included the names and Social Security numbers of individuals who used UF's Grove computer system since 1996. 97,200
Feb. 19, 2009 Northeast Orthopaedics
(Albany, NC)		 Records of more than 1,000 patient visits to Northeast Orthopaedics, a large Albany surgical practice, have been posted on the Internet. The records appeared on the Web site visvabpo.com, which seems to be a defunct company in India called Visva BPO. Those records include patient names, birth dates and Social Security numbers. 1,000
Feb. 20, 2009 Del Mar College
(Del Mar, CA)		 A class roster containing the names and Social Security numbers of some 53 Del Mar College students has been stolen. The roster was taken out of a professor's vehicle parked at Cole Park. The G.E.D. teacher was taking work home Sunday, when he stopped at Cole Park and his car was broken into. 53
Feb. 20, 2009 Arkansas Department of Information Systems/
Information Vaulting Services
(888) 682-0411
http://notify.arkansas.gov		 A computer storage tape with data from criminal background checks dating back to the mid-1990s is missing from an information-protection company's vault. The background-check information includes names, dates of birth, Social Security numbers and addresses. 807,000
Feb. 23, 2009 University of Florida
(Gainesville, FL)
(877) 657-9133
http://privacy.ufl.edu/incidents/2009/ldap		 An undated statement on the University's Web site indicates that on January 20, an LDAP Directory Server configuration error allowed outside access to a directory containing Social Secerity numbers and other personal data. Personal data belonging to about 101 people might have been compromised as a result. 101
Feb. 23, 2009 Seaview Financial
(Corona Del Mar, CA)		 Folders with personal information for numerous clients of a local mortgage broker sat for days at a public recycling site. The files contained bank account statements, completed tax forms, credit reports and Social Security numbers. Unknown
Feb. 26, 2009 Steamboat Springs School District
(Steamboat Spgs, CO)		 Social Security numbers for 1,300 past and present employees was compromised when a laptop was stolen from the Steamboat Springs School District office. The laptop had a spreadsheet containing the Social Security numbers and names of their owners. The spreadsheet was created as part of a requirement from a past district audit. The laptop was password-protected, but district officials are warning their employees to be on the lookout for any potential identity theft. 1,300
Mar. 1, 2009 City of Muskogee
(Muskogee, OK)		 The city of Muskogee recently discovered that a computer “zip” disk containing personal information has been in public circulation since 2000. The disk in some cases contained phone numbers and in other cases contained Sociel Security numbers. It's believed that a forgetful employee scooped up the disk while putting together surplus items no longer used by the city. 4,500
Mar. 3, 2009 Western Oklahoma State College
(Altus, OK)		 A computer breach at Western Oklahoma State College may have exposed Social Security numbers and other identifying information for 1,500 campus library users. An unauthorized program known as a rootkit was installed on a server administered by an outside party. There is no indication that any of the data on the machine was actually compromised — only that the opportunity for someone to access it existed. 1,500
Mar. 4, 2009 Elk Grove Unified School District
(Elk Grove, CA)		 A document with the Social Security numbers of more than 500 Elk Grove Unified School District employees was lost by a district employee. 520
Mar. 4, 2009 New York Police Department
(New York, NY)		 A civilian employee of the department's pension fund is accused of stealing eight tapes containing the Social Security numbers and direct-deposit information for 80,000 current and retired cops. The employee, who served as the pension fund's director of communications, has been charged with computer trespass, burglary and grand larceny. He is accused of removing the tapes from a backup data warehouse on Staten Island after disabling security cameras. Police found the missing tapes at his home before arresting him. 80,000
Mar. 5, 2009 St. Rita's Medical Center
(Lima, OH)		 A home-health employee for St. Rita's Medical Center had a bag stolen during an automobile break-in. The bag contained information on some patients, including names, dated of birth, addresses, phone numbers, patient identification numbers, and the names of case managers and physicians. In some cases it also included Social Security numbers and the type of treatment being provided, according to a letter given to the patients involved. 242
Mar. 6, 2009 Federal Emergency Management Agency
Region 5 Office (Chicago, IL)
(Griffith, IN)		 A laptop containing Social Security numbers and other personal information from dozens of victims of last September's floods was reported stolen from a housing inspector's car. Representatives from the Federal Emergency Management Agency alerted "roughly 50" flood victims from Gary, Hammond, Highland, Griffith and Munster whose information was stored in the laptop after they applied for federal disaster assistance. The password-protected laptop was stolen from a housing inspector's car in Griffith on Nov. 4, containing names, Social Security numbers, dates of birth, addresses and phone numbers of people who applied for assistance. 50
Mar. 7, 2009 Idaho National Laboratory
(Idaho Falls, ID)		 Idaho's Congressional Delegation this week announced a potential identity theft threat involving information from 59,000 present and former workers at the Idaho National Laboratory at Idaho Falls. DOE notified delegation members that an encoded disc containing personal data from the employees was either lost or stolen in transit via United Parcel Service. The package, originally shipped from New York to Maryland, was found damaged. 59,000
Mar. 7, 2009 Google
(Mountain View, CA)
March 7, 2009
http://googledocs.blogspot.com/2009/03/on-yesterdays-email.html		 Google contacted some of its users to let them know about a situation that affected its Google Docs users. They believe the problem affected less than 0.05% of all documents. Google identified and fixed a bug where a small percentage of users shared some of their documents inadvertently. The bug occurred when the document owner, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and then changed the sharing permissions. The bug did not affect spreadsheets. (Not added to total. It does not appear that SSNs or financial account numbers were exposed.)
Mar. 7, 2009 Oklahoma Department of Human Services
(Shawnee, OK)		 The state Department of Human Services is investigating how a child welfare worker’s records ended up with a local TV station. The files, which included names, Social Security numbers, contact information and details on child abuse investigations, reportedly were left behind when a DHS worker was evicted from a rent house in Guthrie. Unknown
Mar. 11, 2009 Binghamton University
(Binghamton, NY)		 Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself contained Social Security numbers, credit card numbers, scans of tax forms, business information (including Social Security numbers and salary information for employees of students' parents), asylum records and more, all kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets and shelving units. If the information inside the room pertained only to the current students enrolled and their parents that would mean the story would effect, roughly, forty-two thousand people. However, because the information goes back at least ten years, if not more, the potential number of people effect lies well in the hundred thousands. 100,000
Mar. 11, 2009 Sprint
(Overland Park, KS)
(800) 300-6868		 Sprint is warning several thousand customers that a former employee sold or otherwise provided their account data without permission. It appears this employee may have provided customer information to a third party in violation of Sprint policy and state law. They have terminated this employee. The information that may have been compromised includes your name, address, wireless phone number, Sprint account number, the answer to your security question, and the name of the authorized point of contact on your account. Unknown (1000's) (Not added to total. It does not appear that SSNs or financial account numbers were exposed.)
Mar. 12, 2009 US Army
 An Army database that contains personal information about nearly 1,600 soldiers may have been penetrated by unauthorized users. The information that may have been breached includes the service members' names, e-mail messages, phone numbers, home addresses, awards received, ranks, gender, ethnicity, and dates the soldiers deployed and returned from their deployment. 1,600
(Not added to total. It does not appear that SSNs or financial account numbers were exposed.)
Mar. 12, 2009 Dezonia Group
(Chicago, IL)		 The city of Chicago bills people for ambulance rides -- $600 and up. The city uses an outside company(Dezonia Group) to do it. An employee's laptop, containing patient names, addresses and Social Security numbers, was stolen. It's unclear how many people here and nationwide might be impacted by this potential information breach. 63,000
Mar. 16, 2005 University of Toledo
(Toledo, OH)		 A computer stolen from the University of Toledo contained personal information for about 24,000 students and 450 faculty during the 2007-08 and 2008-09 academic years. The student data was directory and educational information, such as student identification numbers and grade point averages. The faculty information, however, was more personal and included names, Social Security numbers, birth dates, and more. 24,450
Only 450 were added to the total.
Mar. 16, 2009 Comcast
(Philadelphia, PA)		 A list of over 8,000 Comcast user name and passwords were available to the public via Scribd for two months, before a Wilkes University professor discovered it over the weekend after doing a search for his identity online. Comcast is saying it looks like the result of a phishing scam and isn't an inside job, and that there are so many duplicate entries on the list that it's closer to 4,000 customers. 4,000
Not added to total SSN's were not accessed.
Mar. 17, 2009 Penn State Office of Physical Plant
(University Park, PA)		 The Social Security numbers of employees working for the Penn State Office of Physical Plant in 2000 may have been stolen. A virus infiltrated an administrative computer that contained more than 1,000 Social Security numbers of OPP employees. 1,000
Mar. 18, 2009

Central Ohio Transit Authority
(Columbus OH)

 More than 900 current and former COTA employees recently learned their Social Security numbers had been sent to dozens of health-insurance companies. Central Ohio Transit Authority officials notified administrative employees who have or had worked for COTA since 2004 that personnel workers gave 51 companies their names and identification numbers. The information went to companies proposing to bid on providing long-term disability insurance to COTA. In 2006, COTA also sent information on union employees to 39 potential insurance providers. 900
Mar. 18, 2009 University of West Georgia
(Carrollton, GA)		 University of West Georgia officials have notified nearly 1,300 students and faculty members that their personal information was on a laptop stolen from a professor traveling in Italy. The laptop was taken last summer, but university officials say they only recently learned that the computer contained sensitive information, including names, addresses, phone numbers and Social Security numbers. 1,300
Mar. 18, 2009 Walgreens Health Initiative/KRS
(Deerfield, IL)
(866) 292-9063		 Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed to the Kentucky Retirement Systems without being properly encrypted for security purposes by its pharmacy benefit provide. The e-mail contained dates of birth, Social Security numbers and health insurance claim numbers but not personal health information. The file contained information only on members who were both Medicare-eligible and used the retiree pharmacy benefit through Walgreens in 2007. 28,000
Mar. 18, 2009 New York City Housing Authority
(New York, NY)		 Dozens of confidential files with city public housing residents' birth dates, Social Security numbers, and eviction notices were dumped on an East New York street. City Housing Authority officials are investigating to determine how the files ended up scattered along Atlantic Ave. near Pennsylvania Ave. Unknown
Mar. 19, 2009 Bailey Middle School
(Nashville, TN)		 A Nashville mother who was walking along found confidential paperwork that lists Metro school students' names, Social Security numbers and disabilities. The Metro Schools spokeswoman said they will trace the documents and try to figure out how they got where they weren't supposed to be. 21
Mar. 23, 2009 Maryland Federal Court
(Baltimore, MD)		 A filing error in Maryland's federal court resulted in health insurance information for 226 people - including 42 Social Security numbers - being made available to the public for more than two weeks. The private information of Washington area residents was included in requests for warrants to search the doctors' offices in Suitland, La Plata, Oxon Hill and Falls Church as part of a health care fraud investigation. The warrants were marked as being sealed and, therefore, were not supposed to be made public. 226
Mar. 24, 2009 Massachusetts General Hospital
(Boston, MA)		 Massachusetts General Hospital has put dozens of patients on notice that it has lost some of their confidential medical records, which were left on an MBTA Red Line train by a hospital employee. The MGH employee left the hospital, taking the records with her to do billing work on them over the weekend. The records belonged to at least 66 patients and included private information such as the patients' diagnoses, their names, birth dates and billing information. 66
Mar. 27, 2009 Pacific University
(Forest Grove, OR)
Student Life (503) 352-2212
Faculty and staff (503) 352-1511
Legal Affairs (503) 352-2236.		 A University-owned laptop was stolen from a staff member’s residence. The stolen laptop was password protected and there is no factual evidence that any private information was stored on the laptop. The computer contained names and some personal information. It does not appear that any social security numbers were stored on the system. Unknown
Mar. 31, 2009 Symantec
(Cupertino, CA)		 Symantec is warning a small number of customers that their credit card numbers may have been stolen from an Indian call center used by the security vendor. Symantec sent out warning letters , after the BBC reported that it managed to purchase credit card numbers obtained from Symantec's call center from a Delhi-based man. The letters were sent to just over 200 customers. Most of those notified are in the U.S., but the company also notified a handful of customers in the U.K. and Canada. 200
April 1, 2009 Palo Alto Medical Foundation
(Palo Alto, CA)		 A laptop computer recently stolen at the Palo Alto Medical Foundation's Santa Cruz office contained personal and medical information of 1,000 Santa Cruz County patients. 1,000
April 1, 2009 Maryland State The names, Social Security numbers and other personal information of about 8,000 state employees could be compromised. The potential problem came to light when a torn and empty envelope from the company that manages the state's health savings account program arrived by U.S. mail. The envelope was missing an invoice that contains confidential information. 8,000
April 3, 2009 Policy Studies, Inc/Tenn. Dept. of Human Services
(Nashville, TN)		 A former child support worker was arrested after attempting to sell the personal information — including names, Social Security numbers and bank account numbers — of 1,600 people. He sold a total of 35 names, dates of birth and Social Security numbers between October 2008 and last month, all to an undercover operative of the Tennessee Bureau of Investigation. He claimed to the operative that he had similar information that he was willing to sell for an additional 1,500 people, and was arrested while meeting with the operative to deliver the information. 1,600
April 6, 2009 City of Culpeper
(Culpeper, VA)		 Personal information for 7,845 town taxpayers was exposed on the Internet due to a vendor's mistake. The unidentified vendor had the records to reformat the town's personal property tax file for billing purposes. The files containing the names, addresses and Social Security numbers of residents were on a password-protected site that was compromised. 7,845
April 8, 2009 Metro Nashville School/Public Consulting Group
(Nashville, TN)
(615) 259-INFO (4636)
 Metro Nashville students' names, Social Security numbers, addresses and dates of birth and parents' demographic information were available by searching Google. A private contractor unintentionally put student data on a computer Web server that wasn't secure. The data was available online from Dec. 28 to March 31. 18,000
April 8, 2009 Hawaii Department of Transportation
(Kapolei, O'ahu)		 Holders of Hawai'i commercial driver's licenses are being warned to take measures to prevent identity theft after a state computer containing personal information was stolen three weeks ago. The laptop computer contained the names, addresses, Social Security numbers and other personal information of 1,892 commercial vehicle license drivers. 1,892
April 9, 2009 Penn State Erie/Behrend College
(Erie, PA)		 On March 23, the University confirmed that 10,868 Social Security numbers in historical data on a computer at Penn State Erie, The Behrend College, could have been breached. Longstanding security measures, designed to protect the network and systems from malicious software, alerted the University to the potential breach. As soon as the University became aware of the malicious software on this computer, the computer was immediately taken off line, data was examined and information was removed. 10,868
April 10, 2009 Borrego Springs Bank/Vavrinek,Trine,Day and Co.
(Borrego Springs, CA)		 The theft of seven laptop computers from an auditing firm has led the Borrego Springs Bank to send warning letters to all of its customers saying their personal financial information may be in the hands of criminals. The bank would not comment on the name of the accounting firm that was auditing the records or how or where the thefts occurred. The computer files contain sensitive personal financial information including account name, number and balance. Unknown
April 11, 2009 Peninsula Orthopaedic Associates
(Salisbury, MD)		 As many as 100,000 patients of Peninsula Orthopaedic Associates are being warned to protect themselves against identity theft after tapes containing patient information were stolen. Patients also were advised to keep an eye on benefits statements from their health insurance companies since they may also be at risk for medical identity theft. The records from Peninsula Orthopaedic were stolen March 25 while in transport to an off-site storage facility. Patients' personal information including their Social Security numbers, employers and health insurance plan numbers may have been among the information stolen. 100,000
April 12, 2009 CBIZ Medical Management Professionals
(Chattanooga, TN)		 The office of CBIZ Medical was broken into on Feb. 23. Among the items stolen was a computer belonging to the hospital with stored radiology reports related to some patients. Patients between December 2007 and Feb. 23, 2009, may have had records saved on the stolen computer. Unknown
April 13, 2009 Moses Cone Hospital
(Greensboro, NC)		 Moses Cone Hospital is offering free credit monitoring to 14,380 patients after a laptop computer containing confidential information was stolen from a VHA employee's car. The information on the laptop, including patients' Social Security numbers. 14,380
April 13, 2009 Irving Independent School District
(Irving, TX)		 Identity thieves using the names and Social Security numbers of Irving Independent School District employees have made thousands of dollars in credit card purchases. At least 64 of the 3,400 teachers and other employees names were on a old benefits report that somehow ended up in the trash. Unknown
April 16, 2009 Myspace
(Los Angeles, CA)
(877) 369-1369		 Confidential employee information, including “at least” name, Social Security numbers and compensation, was taken by an employee in the company’s benefit’s department without authorization, beginning in June 2008 or earlier. The information was used to “annoy selected individuals” and the now former employee was arrested and is being prosecuted by the High Tech Crimes Division of the Los Angeles County District Attorneys Office. Unknown
April 20, 2009 FairPoint Communications Inc.
(Charlotte, NC)		 A worker’s failure to abide by security precautions caused a portable data-storage device containing employee information to disappear. The device contained information for all current FairPoint employees and some former employees, or about 4,400 individuals in total. Such data may have included names, home addresses and phone numbers, Social Security numbers, birth dates and certain compensation and employment information. 4,400
April 22, 2009 Marian Medical Center
(Santa Maria, CA)		 Recent patients of the emergency room and Urgent Care Center have been alerted that a Blackberry containing patient information was stolen from the hospital. The Blackberry contained an email message that included patient information, such as Social Security numbers, dates of birth and medical histories. 3,200
April 22, 2009 New York State Tax Department
(New York, NY)		 A former New York state tax department worker was accused of stealing the identities of thousands of taxpayers and running up more than $200,000 in fraudulent charges. The former employee gathered credit card, brokerage account and Social Security numbers that he used to open more than 90 credit card accounts and lines of credit between 2006 and 2008. Investigators searched the employee's home, they found more than 700 state tax forms containing identifying taxpayer information. They also found more than 300 birth certificates, more than 1,000 Social Security cards, credit card statements and applications, and some 2,000 notes with Social Security numbers, many accompanied by handwritten notes such as "good prospect," "had money" and "go with this one." 2,000
April 23, 2009 Oklahoma Department of Human Services
(Oklahoma City, OK)
(866) 287-0371		 Some personal information may have been contained on a laptop computer stolen from an agency employee. Information on the stolen computer included names, Social Security numbers and dates of birth for people who receive DHS services. 1,000,000
April 27, 2009 Federal Reserve Bank of New York
(New York, NY)		 A former employee at the Federal Reserve Bank of New York and his brother were arrested on suspicion of obtaining loans using stolen identities. The former employee previously worked as an IT analyst at the bank and had access to sensitive employee information, including names, birthdates, Social Security numbers and photographs. A thumb drive attached to his computer had applications for $73,000 in student loans using two stolen identities. They also found a fake drivers license with the photo of a bank employee who wasn't the person identified in the license. Unknown
April 28, 2009 West Virginia State Bar
(Charleston, WV)		 The West Virginia State Bar has hired forensic computer experts in hopes of finding those responsible for hacking into the group's website and internal computer network. It's possible certain information about the State Bar's current and former members may have been compromised. The hacker was able to get by the website and into the group's internal database server where there was information concerning lawyer identification numbers, names, mailing addresses, email addresses and some Social Security numbers. Unknown
April 29, 2009 Orleans Parish Public Schools
(New Orleans, LA)		 The confidential records of Orleans Parish public-school employees have been discovered in an abandoned and unsecured warehouse in New Orleans. Personnel files, payroll records, and other documents with private data were uncovered. Inside were countless boxes filled with confidential information, not to mention stacks of other documents lying on the ground, listing payroll information, worker evaluations, notices of personnel action, and investigations into employee discrimination. Also found were Full names, home addresses, and Social Security numbers on document after document. Unknown
April 29, 2009 Oklahoma Housing Finance Agency
(Oklahoma City, OK)		 A laptop computer containing the personal information of about 225,000 Oklahomans was stolen from a city home last week. The names, Social Security numbers, tax identification numbers, birth dates and addresses of clients of the Section 8 Housing Voucher Program were on an employee’s laptop that was stolen. 225,000
April 29, 2009 Illinois Department on Aging
(Springfield, IL)		 A spreadsheet with worker names and Social Security numbers was found on the Internet. The data, prepared for an outside auditing firm, was released to a so-called peer-to-peer network during a music transfer to an agency laptop. 160 employees and another 10 or so former staffers were alerted to the breach. 170
April 30, 2009 Unknown businesses in Chateau Office Building
(Woodland Hills, CA)		 Thieves broke into 60 to 80 businesses in the Chateau Office Building. One business owner indicated that credit card numbers of 7,000 clients were stolen. Another said that a stolen computer held the tax documents of 800 clients. An attorney said only three computers were taken from his office, but "they had all kinds of stuff. Everything: people's names, credit cards, clients, e-mails back and forth -- who knows what." Unknown
May 1, 2009 Lexis Nexis/Investigative Professionals
(Miamisburg, OH)		 Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 people whose “sensitive and personally identifiable” information may have been viewed by individuals who should not have had access. The data breach is linked to a Nigerian Scam artist who used the information to incur fraudulent charges on victims’ credit cards. Of the 40,000 individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards. The private information viewed included names, dates of birth and possibly even Social Security numbers. 40,000
May 4, 2009 Kapiolani Community College
(Honolulu, HI)		 More than 15,000 students at Kapiolani Community College face an identity theft risk because of an Internet security breach. School officials found a computer with the personal information of 15, 487 students who applied for financial aid between January 2004 and April 15 that was infected with malware that can steal sensitive data. The computer did not have sensitive information, but it was hooked up to a network that had access to names, addresses, phone numbers dates of birth and Social Security numbers. 15,487
May 4, 2009 Virginia Health Data Potentially
Department of Health Professions
(Richmond, VA)		 The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom for the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database. A notice posted on the DHP Web site acknowledged that the site "is currently experiencing technical difficulties which affect computer and e-mail systems." Some customer identification numbers, which may be Social Security numbers, were included, but medical histories were not.
UPDATE (6/4/09): The state is mailing individual notifications to 530,000 people whose prescription records may have contained Social Security numbers. In addition, 1,400 registered users of the database, mostly doctors and pharmacists, who may have provided Social Security numbers when they registered for the program are being notified. The database that was hacked contained records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled drugs with a high potential for abuse.		 530,000
Just added additional 1,400
May 5, 2009 East Burke Christian Ministries
(Hildebran, NC)		 A thief who broke into a charity in Burke County and stole a computer containing more than 1,000 Social Security numbers of people seeking help. 1,000
May 5, 2009 Fulton County Board of Registration and Elections
(Atlanta, GA)		 Boxes were found in a trash bin at Atlanta Technical College. They contained about 75,000 voter registration application cards and 24,000 precinct cards. Many of the documents contained personal information on active voters, such as full names and Social Security numbers. 99,000
May 5, 2009 Spencer House Apartment Complex
(Beaverton, OR)		 Residents at an apartment complex blamed apartment management Monday for leaving their personal information out in the open. The documents were found in an unlocked public container that was sitting off a side street in their apartment complex. The documents included Social Security numbers, addresses, phone numbers, immigration numbers and names. Unknown
May 7, 2009 Irving schools
(Irving, TX)		 Irving school officials are planning to offer credit monitoring to employees who became identity theft victims after an apparent security breach of district records. Credit service will likely be offered free to current and former employees whose names were on a benefits report from the year 2000 obtained by identity thieves. About 3,400 people were on that list. It is believed that the records that led to the identity theft may have been pulled out of a Dumpster. 3,400
Not added to total. It is not know if SSN's are involved.
May 7, 2009 University of California
(Berkeley, CA)
http://datatheft.berkeley.edu		 Hackers infiltrated restricted computer databases. Personal information of 160,000 current and former students and alumni may have been stolen. The University says Social Security numbers, health insurance information and non-treatment medical records dating back to 1999 were accessed. The breach was discovered April 21, 2009, when administrators performing routine maintenance identified messages left by the hackers. They found that restricted electronic databases had been illegally accessed by hackers beginning on October 9, 2008 and continued until April 6, 2009. All of the exposed databases were removed from service to prevent further attacks. 160,000
May 11, 2009 Office of the State Superintendent of Education D.C.
(Washington, D.C.)		 The D.C. agency that handles college financial aid requests had accidentally e-mailed personal information from 2,400 student applicants to more than 1,000 of those applicants. An employee of the agency's Higher Education Financial Services Program inadvertently attached an Excel spreadsheet to an e-mail. The information included student names, e-mail and home addresses, phone and Social Security numbers and dates of birth. 2,400
May 11, 2009 Multiple financial institutions
(New York City, NY)		 A band of brazen thieves ripped off hundreds of New Yorkers by rigging ATMs to steal account and password information from bank customers. The first - a skimmer - went over the slot where customers insert their ATM cards. The skimmer reads, and stores, the personal information kept in the magnetic strip on the back of the bank card. The second gizmo was a tiny camera hidden in the lighted signs over the ATM. The pinhole camera lens pointed directly onto the ATM keypad and filmed victims typing in their supposedly secret PIN codes. The thieves would then create their own phony ATM cards and use their victim's PIN to dip into accounts.  
May 12, 2009 Johns Hopkins
(Baltimore, MD)		 An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia. The employee had access to information such as name, address, telephone number, mother and fathers names, dates of birth and Social Security numbers, but not to any health or medical information. 10,000
May 13, 2009 United Food and Commercial Workers Union 555
(Tigard, OR)		 A union employee's laptop was stolen on the East Coast. The laptop may contain personal information of Local 555 members, including birth dates and Social Security numbers. 19,000
May 15, 2009

Kaiser Permanente Bellflower Medical Center
(Bellflower, CA)

 The California hospital where Nadya Suleman's octuplets were born has been fined $250,000 for failing to stop employees from snooping into medical files on the famous case. Hospital officials discovered that 23 unauthorized workers examined Suleman's medical records.
UPDATE (7/21/09): The Kaiser Permanente hospital in Bellflower has been hit with a $187,500 fine for failing for a second time to prevent unauthorized access to confidential patient information.		 1
May 18, 2009 NJ Department of Labor and Workforce Development
(Trenton, NJ)		 Unemployed New Jersey residents may have had their name and Social Security number accidentally delivered to an employer for which you did not work. The error occurred when department staff last month sent first-quarter reports to businesses that included a list of former employees receiving unemployment benefits. Because some companies had laid off a significant number of employees, the reports were longer than usual, requiring staff members to stuff the envelopes by hand rather by machine.Some reports were placed in the wrong envelopes. 28,000
May 18, 2009 Anderson Kia Car Dealership
(Boulder, CO)		 Police have chained up 10 recycling bins outside Boulder’s now-defunct Anderson Kia car dealership after learning that the bins were stuffed with personal information from the dealership’s former customers. Green recycling bins were piled full with folders, each headed with an individual’s name. All of the folders contained Social Security numbers, driver’s license information, photos, phone numbers and financial information for Kia customers. Unknown
May 19, 2009 CompuCredit
(Atlanta, GA)		 A computer processing error created a single image file of 120 account statements for the month of April. Statement files are delivered to the cardholder through the website in Adobe PDF format. Because of a load error, the system failed to detect page breaks between the account statements, thus resulting in the system "believing" that all of the pages belonged to a single statement. As a result, the PDF image file contained 119 statements in addition to the cardholder’s statement. (Note: Monthly account statements do not include customers' Social Security numbers or PINs.) 120 Not included in total. SSn were not accessed.
May 19, 2009 National Archives
(College Park, Md)		 The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures. The Archives had been converting the Clinton administration information to a digital records system when the hard drive went missing. The hard drive was left on a shelf and unused for an uncertain period of time. When the employee tried to resume work, the hard drive was missing. Unknown
May 19, 2009 Rudder
(Houston, TX)		 Rudder may have just committed a huge blunder sending user’s confidential financial information to the wrong people. Through a online financial planning application you were able get the full details on someone else’s finances – their salary, their debts, their bank balance, and where they shop. Bank account numbers do not seem to be exposed. Unknown
May 21, 2009 Texas Lottery Commission
(Austin, TX)		 A former Texas lottery worker was arrested while training for a new job and charged with illegally “possessing” personal information on 140 lottery winners and employees, including their names and Social Security numbers. The man was still working for the Lottery Commission in 2007 when he allegedly took the information, which was discovered last year on a state computer at the Comptroller of Public Accounts where he later was employed. 140
May 21, 2009 Internal Revenue Service
(several IRS document disposal facilities in the U.S.)
http://www.treas.gov/tigta/auditreports/2009reports/
200930059fr.pdf		 The U.S Treasury Inspector General for Tax Administration found in a fiscal year 2008 audit that in more than a dozen IRS document disposal facilities, old taxpayer documents were being tossed out in regular waste containers and dumpsters. In addition, the investigation found that IRS officials failed to consistently verify whether contract employees who have access to taxpayer documents had passed background checks. Further, investigators had difficulty finding anyone responsible for oversight of most of the facilities that the IRS contracted with to burn or shred sensitive taxpayer documents. The review was performed at IRS offices in Phoenix, Tempe, and Tucson, Arizona; New Carrollton, Maryland; Holtsville, Garden City, and Westbury, New York; and Ogden, Utah, and included questionnaires to 14 Territory Managers across the country during the period September 2007 through May 2008. Unknown
May 23, 2009 Indianapolis Department of Workforce Development
(Indianapolis, IN)		 The Department of Workforce Development is notifying approximately 4,500 unemployment recipients concerning the accidental disclosure of their Social Security number to the incorrect employer. The release occurred during the printing of DWD's "Statement of Benefit Charges" by print vendor, Pitney Bowes Management Services Inc. This form is sent to companies listing those who are collecting unemployment benefits against that employer's account. The misprinted statements contained information from individuals who did not work for that company. Approximately 1,200 companies received incorrect statements. 4,500
May 27, 2009 Batteries.com
(Carmel, IN)		 On March 13th, Batteries.com received notice from a customer about potential unauthorized activity on their credit card. They later discovered the Batteries.com network had been breached from around February 25, 2009 to April 9, 2009. The hackers stole names, addresses and credit card information. 865
May 27, 2009 Warren County Virtual Community School
(Lebanon, OH)		 Contractors installing fiber on a near by street to the school say they found a four-page list in a recycling dumpster when they went to dump some trash. The list had more than 140 students’ names, addresses, Social Security numbers and birth dates listed. Their parents names were on the list too. 140
May 28, 2009 Aetna
(Hartford, CT)
 Aetna has contacted 65,000 current and former employees whose Social Security numbers may have been compromised in a Web site data breach. The breach was a spam campaign showing that the intruders successfully harvested e-mail addresses from the Web site, although it's not clear if SSNs were also obtained. The spam purported to be a response to a job inquiry and requested more personal information. Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach.
UPDATE (6/11/09):
Hartford health insurer Aetna Inc. is being sued. The class-action suit was filed in a Pennsylvania District Court and demands credit monitoring, punitive damages, costs and other relief for current, former and potential employees.		 65,000
June 1, 2009 University of Nevada, Las Vegas
(Las Vegas, NV)		 A UNLV computer was compromised and may have allowed possible loss of some personal data. The College of Sciences recently sent this statement in a letter to about 20 students as officials became aware of a virus affecting a computer in the college. The college found out no information was leaked, but for legal reasons they still had to send out the letter. 20
June 3, 2009 Aviva
(Concord, NH)		 The data breach affected customers who opened accounts in the U.S. or beneficiaries of accounts opened in the U.S. The breach, caused by malware on an Aviva computer, happened between Dec. 30 and Feb. 24. A vendor helping Aviva locate policyholders and beneficiaries whose mail was undeliverable found three Aviva USA customers Social Security numbers and other personal information while searching for them. Aviva has removed the compromised hardware and taken steps to secure our environment against similar future malware attacks. 550
June 4, 2009 Maine Office of Information Technology
(Augusta, ME)		 Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person. "We received a print job and were running it, and there was an equipment malfunction," Thompson said. "In restarting the piece of equipment, a mistake was made and it started one page off. It was an error and our quality assurance didn't pick it up." Recipients received one page with their own information and another page with information belonging to a different person. 597
June 5, 2009 Virginia Commonwealth University
(Richmond, VA)		 A desktop computer was stolen from a secured area within Cabell Library in mid-April. The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007. An additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been. 17,214
June 6, 2009 Ohio State Dining Services
(Columbus, OH)		 Student employees had their social security numbers accidentally leaked in an e-mail. The hiring coordinator for Dining Services, and OSU student, received an e-mail with an attachment that included students' names and social security numbers. He accidentally sent the attachment in an e-mail reminding student employees to sign their waivers for the Ohio Employees Retirement System. After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the e-mails before all of them were sent. 350
June 7, 2009 T-Mobile USA
(Bellevue, WA)		 T-Mobile USA is looking into claims that a hacker has broken into its data bases and stolen customer and company information. Someone anonymously posted the claims on the security mailing list Full Disclosure. In that post, the hacker claims to have gotten access to "everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009." They go on to say that they've been in touch with the carrier's competitors trying to sell the data, but have been unsuccessful, so now they're looking to hawk it to the highest bidder. Unknown
June 12, 2009 Kirkwood Community College
(Cedar Rapids, IA)		 Someone took a storage device from a counselor's office in Iowa City. That device contained names and Social Security numbers for participants in the PROMISE JOBS program. 1,600
June 12, 2009 Oregon Health & Science University
(Portland, OR)		 A physician's laptop was stolen from a car parked at the doctor's Washington County home. Patient names, treatment dates, short medical treatment summaries and medical record numbers were stored on the computer. There were no home addresses, billing information or Social Security numbers stored on the laptop. 1,000
(Not added to total)
June 15, 2009 Beam Global Spirits & Wine Inc.
(Deerfield, IL)		 Unauthorization of a human resources payroll database was accessed by a former employee exposes names, addresses and Social Security numbers of past and present employees. Unknown
June 16, 2009 Redondo Beach Arco Gas Station
(Redondo Beach, CA)		 An organized-crime ring that police believe is Russian or Armenian targeted a high-volume Redondo Beach Arco gas station, assigned a low-level soldier to infiltrate it and waited eight months while he worked himself into a position where he could implant a tiny, high-tech “skimmer” to steal customers’ credit-card information. Armed with a fresh batch of personal-information numbers, the gang began draining thousands of Southern California bank accounts soon after “Erick,” the model employee who was by then entrusted with opening the station every day at 5 a.m., vanished in late April along with 1,500 packs of cigarettes, $1,000, a laptop, his employee application form — and the two digital video recorders used for surveillance. The skimmer scam left a string of more than 1,000 victims, stretching from Santa Barbara to Newport Beach. 1,000
June 17, 2009 Blackbaud / Univ. of North Dakota
(Forks, ND)		 A computer that was stolen from a car in Charleston last year contained personal financial information on 84,000 University of North Dakota donors. The missing laptop belonged to Daniel Island-based software giant Blackbaud Inc., which stressed that all of the information was password-protected and encrypted. The theft prompted a man to request a copy of the contract between the software company and the two university-affiliated fundraising groups. He wanted to know why those organizations had his Social Security number. 84,000
June 18, 2009 Suncoast Schools Federal Credit Union
(Tampa,FL)		 Some members of Suncoast Schools Federal Credit Union have been notified that their debit card accounts were exposed to fraud. It is the latest casualty of last year's breach of Heartland Payment Systems, one of the country's largest credit card processors, where information from more than 100 million credit and debit card transactions was exposed. Not until the end of May did Suncoast discover that some of its customers who use Visa Check Cards could be in danger. The Tampa credit union is issuing new cards to all members whose accounts were compromised. 56,000
Not added to the total because it's included in the huge number already attributed for Heartland.
June 22, 2009 Baptist Medical Center
(Montgomery, AL)		 Folder upon folder were found in a land fill dump site, labeled "Radiology Department, Baptist Medical Center. Hundreds of medical records were out in the open, all with sensitive information. Sensitive patient information that was thrown out included names, x-rays, ultrasounds, MRIs and Social Security numbers. Baptist was quickly pointed out at fault, while files from at least 5 other facilities were found at the same site. Unknown
June 22, 2009 Broadridge Financial Solutions,Inc.
(Jersey City, NJ)		 Broadridge Financial Solutions,Inc. provides proxy services for clients, including the processing, distribution and tabulation of Annual Meeting Proxy materials for registered shareholders of publically traded companies. The firm inadvertently disclosed Dynegy shareholder information including name, address, Social Security number and other account information to another client. The total number of shareowners affected was not reported. Unknown
June 23, 2009 Cornell University
(Ithaca, NY)		 A stolen Cornell University computer has compromised the personal information of thousands of members of the University community. The computer contains the names and Social Security numbers of current and former students as well as current and former faculty and staff members. 45,277
June 24, 2009 Florida Department of Revenue
(Tallahassee, FL)		 The names, addresses and Social Security numbers of about 3,000 people employed by a handful of state businesses were on a password-protected flash drive stolen from the car of a Florida Department of Revenue employee in Georgia. The people were current or past employees of six large corporations that are being audited by the state. 2,828
June 24, 2009 Battle Creek City
(Battle Creek City, MI)		 Some Battle Creek city employees are getting free identity protection help after the mayor posted a document with personnel information to a public Web site. Information on city workers, including Social Security numbers, was listed on a city check registry that the mayor put online and linked to using his Twitter.com account. The registry is no longer online and the city has worked with law enforcement and Twitter, to remove any archived references to the information. 65
June 30, 2009 Sutter Health
(Sacramento, CA)		 Hundreds of current and former employees with Sutter Health had their personal data compromised. The company's Sacramento Sierra region were contacted by a computer repair shop. "The repair people did the right thing and told us they had our laptop," said Sutter Communication Coordinator . The laptop contained names and Social Security numbers of 6,000 Sutter Health workers. 6,000
July 1, 2009 Carrell Clinic
(Dallas, TX)		 Arlington Security Guard Arrested on Federal Charges for Hacking into Hospital's Computer System, Defendant Allegedly Posted Video of Himself Compromising a Hospital's Computer System on YouTube. The system and computers containing confidential patient information. Unknown
July 1, 2009

Bike Nashbar
(Asheville, NC)
custserv@nashbar.com
800-NASHBAR

 The company's computer servers has been hacked and credit card information was compromised. Letters with more details will be mailed to affected customers. Unknown
July 8, 2009 AT&T
(Chicago, IL)		 A temporary employee for AT&T was arrested today on charges she stole personal information on 2,100 co-workers and then pocketed more than $70,000 by taking out short-term payday loans in the names of 130 of them. 2,100
July 9, 2009 Mountain Medical Center
(Salt Lake, UT)		 Names, credit card numbers, Social Security numbers were found in a dumpster. A man was throwing away some stuff in a dumpster and found it was chock full of medical records,"There's everything in there from canceled checks to routing numbers", he said. Salt Lake Police packed away perhaps twenty boxes of papers, and said they would protect the documents, as they dug into the matter. Unknown
July 10, 2009 Northern California dumpsters
(dumpsters from Bay Area to Central Valley in Calif.)
 A criminal complaint filed against 30-year-old suspect claims that he made more than 1,000 fake ID cards that he used to rip off people, stores and banks. He also allegedly admitted to stealing the identities of more than 500 people all across Northern California, ranging from the Bay Area to the Central Valley. Federal agents say the man said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters. Using the sensitive materials he found in the trash, He was able to use a computer to mock up fake identification cards and blank checks, according to authorities. He also allegedly confessed to stealing between one to two million dollars in cash and merchandise. 1,500
July 13, 2009 Florida Department of Education
(Tallahassee, FL)		 The agency is notifying 475 student-loan borrowers that their financial records have been exposed to identity theft because the OSFA managed to lose 1,186 "promissory notes" that they signed when they were going to school, and have now fallen behind. The missing files bear Social Security numbers, names and addresses, birth dates, personal references and lots of other little tidbits that could come in handy for an identity thief. 475
July 13, 2009 LexisNexis
(Dayton, OH)		 LexisNexis has warned more than 13,000 consumers that a Florida man who is facing charges in an alleged mafia racketeering conspiracy may have accessed some of the same sensitive consumer databases that were once used to track terrorists. The accussed would provide names, addresses and account numbers as part of a fake check-cashing operation. But he's also accused of using computer databases to get information on potential extortion or assault targets as well as individuals suspected by the Enterprise members of being involved with law enforcement. 13,329
July 14, 2009 Canyons School District
(Cottonwood Heights, UT)		 Canyons School District officials are investigating the disappearance of a thumb drive that contained the personal information of more than 6,000 current and recent employees. The USB flash drive is believed to have contained employee addresses, phone numbers, dates of birth and Social Security numbers. A district-level worker was using it to transfer data for apparently "legitimate," job-related purposes. 6,000
July 14, 2009 Leander School District
(Leander, TX)		 School officials sent a notice home with special needs students to alert parents that someone gained access to private information. It appears that one individual gained unauthorized electronic access to confidential information. Unknown
July 16, 2009 Moores Cancer Center
(San Diego, CA)		 A hacker breached the center's computers and gained access to patients' personal information. 30,000
July 16, 2009 Elance
(Mountain View, CA)
http://www.elance.com/p/trust/account_security.html		 A warning from Elances customer service was emailed, saying that the site has been hacked or attacked in some way. The data accessed was contact information — specifically name, email address, telephone number, city location and Elance username. This incident did not involve any credit card, bank account, social security or tax ID numbers. Unknown
July 17, 2009 Francis Howell School District
(St. Charles, MO)		 A laptop computer theft could have compromised personal information. Tthe computer could have contained names and Social Security numbers for 1,700 noncertified employees. Anyone who worked for the district from 2005 through 2008 could be affected. The computer belonged to a Francis Howell employee in the district human resources department. 1,700
July 20, 2009 St. Vincent Health System
(Little Rock, AR)		 A physician and two former employees of the St. Vincent Health System pleaded guilty today to misdemeanor federal charges for accessing the medical records of slain television anchor Anne Pressly. All three said they accessed Pressly’s files out of curiosity. 1
July 22, 2009 A Honolulu hospital
(Honolulu, HI )		 In June 2009, a Hawaii woman was sentenced to a year in prison for illegally accessing another woman's medical records and posting on MySpace that she had HIV. The State of Hawaii brought charges under a state law that criminalizes unauthorized access to a compute as a class B felony. The defendant was employed by a hospital and had access to patient medical records. Unknown
July 24, 2009 Hampton Redevelopment and Housing Authority
(Hampton, VA)		 The Social Security numbers and other personal information of nearly 900 people who were banned from public housing in Hampton were accidentally given to a resident who requested the information. A housing authority employee printed a spreadsheet and mailed it but forgot to exclude the personal information. 900
July 24, 2009 Network Solutions
(Herndon, VA)		 Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months. Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores. 573,000
July 24, 2009 First National Bank
(Howell, MI)
(517) 546-3150		 More than two thousand debit card customers of First National Bank of Howell have had their accounts closed down after learning of a security breach. After learning of an information breach at Heartland Payment Systems, they began to closely monitor their customer’s accounts and quickly found a pattern of suspicious activity. They deactivated 2,300 of their customers debit cards as a precaution. 2,300
July 29, 2009 University of Colorado at Colorado Springs
(Colorado Springs, CO)		 The university is notifying nearly 800 students and alumni that some of their personal information may have been on a stolen laptop. That laptop was taken from a professor's home on July 5th after the home was burglarized. The laptop contained class roster information – name, student ID number, e-mail address, graduating class year and grade information – for current and past UCCS students. No financial information was stored on the laptop, but there is a possibility that Social Security numbers may have been involved for students enrolled prior to summer, 2005. 766
July 31, 2009 Jackson Memorial Hospital
(Miami, FL)		 A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims. Unknown
Aug. 1, 2009 Williams Cos. Inc.
(Tulsa, OK)		 A laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a worker's vehicle. The computer had names, birth dates, Social Security numbers and compensation data for every Williams employee since Jan. 1, 2007. 4,400
Aug. 3, 2009 National Finance Center
(Washington DC)		 An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees' personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed. 27,000
Aug. 4, 2009 New Hampshire Department of Corrections
(Laconia,NH)		 A 64-page list containing the names and Social Security numbers of about 1,000 employees of the state Department of Corrections ended up under the mattress of a minimum security prisoner. The prison contracts with vendors to shred documents and investigators are trying to find out why documents were not destroyed. 1,000
Aug. 11, 2009 Bank of America Corp.
(Charlotte, NC)		 Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new breach or a previously disclosed one. Unknown
Aug. 11, 2009 Citigroup Inc.
(New York City, NY)		 Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Citigroup told credit-card customers in Massachusetts “your account number may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use." Bank officials are not certain if this is a new breach or a previously disclosed one. Unknown
Aug. 11, 2009 University of California-Berkeley School of Journalism
(Berkeley, CA)
https://security.berkeley.edu/jschool-info/		 Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009. 493
Aug. 13, 2009 National Guard Bureau
(Arlington, VA)		 An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. on the stolen laptop contained personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates. 131,000
Aug. 14, 2009 American Express
(New York, NY)		 Some American Express card members' accounts may have been compromised by an employee's recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue. Unknown
Aug. 14, 2009 Calhoun Area Career Center
(Battle Creek, MI)		 Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an investigation by the Calhoun County Intermediate School district found that information for 455 students was available. 455
Aug. 15, 2009 Northern Kentucky University
(Highland Heights, KY)		 A Northern Kentucky University employee's laptop computer - which contained personal information about some current and former students -- was stolen from a restricted area. The personal information stored on the employee's computer included Social Security numbers of at least 200 current and former students. 200
Aug. 20, 2009 Cal State Los Angeles
(Los Angeles, CA)
(800) 883-4029

The theft of two desktop and 12 laptop computers from an office at Cal State Los Angeles is causing identity theft concerns for more than 600 students and faculty members. Someone broke a window in the office of the university’s Minority Opportunities in Research program to steal the computer. The computers stolen contained individual names, Social Security numbers and addresses, according to campus.

 600
Aug. 21, 2009 Battleground Urgent Care/Prompt Med
(Greensboro, NC)		 Medical files were found in a dumpster. It seems a third party moving company was hired to trasnfer the boxes from one wharehouse to another. It is unsure at this time how the files ended up in the dumpster. The information in the files contained Social Security numbers, birthdates, driver license copies, medical history, employers. 623
Aug. 21, 2009 University of Massachusetts
(Amherst, MA)		 Nearly a year ago, hackers broke into a computer server that contained Social Security numbers and “a very limited amount of” credit card information for graduates of University of Massachusetts. Hackers gained access to one server on the university’s computer system, which held information of students who attended UMass between 1982 and 2002, as well as a few who attended before 1982. A UMass spokesman declined to say how many people’s records were exposed, except that it was “a large number” of undergraduate and graduate students who attended the university during the 20-year period. Unknown
Sept. 2, 2009 Bluegrass Community and Technical College
(Danville, KY)		 A file containing the personal information including Social Security numbers of nearly 100 students at the Bluegrass Community and Technical College has been stolen. 100
Sept. 2, 2009 Naval Hospital Pensacola
(Pensacola, FL)		 Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the disappearance of a laptop computer. The computer's database contains a registry of 38,000 pharmacy service customers' names, Social Security numbers and dates of birth on all patients that used the pharmacy in the last year. It does not contain any personal health information. 38,000
Sept. 5, 2009 Mitsubishi Corp.
(New York, NY)		 A Mitsubishi Corp. internet shopping unit lost credit card details on 52,000 customers after its servers were hacked from overseas. The company has informed customers and relevant authorities of the leaks and has suspended the Web site until it can improve the system. 52,000
Sept. 7, 2009 School for the Physical City
(New York, NY)		 Boxes of student records were piled in the street in front of the old home of the School for the Physical City. Some records contained the Social Security numbers, grades, signatures and even psychological reports of former students of the public intermediate high school. The boxes were sitting next to a trash bin filled with old desks and other discarded school supplies. The School for the Physical City moved to a new location over the summer and apparently the records were thrown out with the trash during the relocation. Unknown
Sept. 14, 2009 University Florida
(Gainesville, FL)
(866) 876-HIPA (4472)		 In August, the University’s Privacy Office was notified of a privacy breach after the discovery of an unprotected computer file containing 34 names and 25 Social Security numbers. It's believed the personal information belongs to trainers working with the Florida Traffic and Bicycle Safety Education program in 2006. The file was immediately removed. 25
Sept. 14, 2009 Jones General Store/Root of the Hill
(Boulder, CO)		 Boulder police are investigating two burglaries on University Hill that could have compromised some local shoppers' personal and credit card information. A manager for Jones General Store called police to report an overnight break-in and theft of credit card receipts. A short time later, an owner of Root of the Hill, a business in the same building, called officers to report a break-in, theft and extensive vandalism. Unknown
Sept. 16, 2009 Downeast Energy & Building Supply
(Brunswick, ME)		 Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account. Sometime prior to September, attackers planted keystroke logging malware on Downeast's computer systems, and stole the credentials the company uses to manage its bank accounts online. Then, on or around Sept. 2, the hackers used that access to initiate a series of sub-$10,000 money transfers out of the company's account to at least 20 individuals around the United States who had no prior business with Downeast Energy. 850
Sept. 17, 2009 Akron Children's Hospital
(Akron, OH)		 A 38-year-old Avon Lake, Ohio, man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at Akron Children's Hospital. He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital. Between March 19 and March 28 the spyware sent more than 1,000 screen captures via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well, the plea agreement states. 66
Sept. 21, 2009 Rocky Mountain Bank
(Pinedale, WY)		 A customer of the Rocky Mountain Bank asked a bank employee to send certain loan statements to a representative of the customer. The employee, however, inadvertently sent the e-mail to the wrong Gmail address. Additionally, the employee had attached a sensitive file to the e-mail that should not have been sent at all. The attachment contained confidential information on 1,325 individual and business customers that included their names, addresses, tax identification or Social Security numbers and loan information. 1,325
Sept. 22, 2009 Bernard Madoff Investors
(Dallas, TX)		 More than 2,200 Bernard Madoff investors are learning that some of their personal and financial information has potentially been breached after the theft of a laptop in Dallas. The names, addresses, Social Security numbers and some Madoff account information on 2,246 investors was contained in a computer stolen from the car of an employee of AlixPartners Llp. 2,246
Sept. 22, 2009 Sagebrush Medical Plaza/Kern Medical Center
(Bakersfield, CA)		 Thousands of patients at a Kern County health clinic have been warned their personal information could have been stolen. A break-in happened at the Sagebrush Medical Plaza in July, and Kern Medical Center officials have notified 31,000 patients to take precautions against possible identity theft. One or more unknown individuals broke into a locked storage area that contained confidential patient information. All patient information has now been moved to a location inside the clinic building. 31,000
Sept. 23, 2009 Eastern Kentucky University
(Richmond, KY)
(859) 622-7777
ecert@eku.edu		 The names and Social Security numbers of about 5,000 Eastern Kentucky University faculty, staff and student workers were posted inadvertently on the Internet last September, where they have been displayed for a year. 5,045
Sept. 25, 2009 UNC Chapel Hill
(Chapel Hill, NC)		 A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC Chapel Hill research study. Among the information exposed: the Social Security numbers of 163,000 participants. The data is part of the Carolina Mammography Registry, a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina. 236,000
Only 163,000 was added to the total.
Sept. 25, 2009 Doctors' offices in Tennessee
(Nashville, TN)		 Doctors' offices in Tennessee have been accidentally sending patient information, including Social Security numbers and medical histories, to an Indiana businessman's fax machine for the past three years. The sensitive medical information was supposed to be sent to the Tennessee Department of Human Services, but the owner of SunRise Solar Inc. in Indiana, says hundreds of confidential medical faxes having been coming to him. Unknown
Spet. 28, 2009 Penrose Hospital
(Colorado Springs, CO)		 Officials at Penrose Hospital believe someone has stolen the personal information of 175 patients. The missing information consists of names, addresses, phone numbers, Social Security numbers and the reason for the patients' visits. The information was stored on a computer print-out and kept in a binder stored in a cabinet. The print out has gone missing. 175
Oct. 2, 2009 U.S. Military Veterans
 The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn’t be fixed, and ultimately passed it to another firm to be recycled. The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals’ Social Security numbers as their service numbers. 76 Million
Oct. 4, 2009 Suffolk Community College
(Selden, NY)		 Suffolk Community College has agreed to pay a company for the next year to monitor the credit of 300 students whose last names and Social Security numbers were mistakenly listed in an attachment to an e-mail sent to those students last month. 300
Oct. 5, 2009 U.S. Army Special Forces
(Fort Bragg, NC)		 A recent breach involved a U.S. Army Special Forces document containing the names, Social Security numbers, home phone numbers and home addresses of 463 soldiers. The document also contained names and ages of soldiers' spouses and children. The document was discovered in connection with a Congressional move to address the continuing risk of data leaks on peer-to-peer (P2P) networks. Through its research, the firm, Tiversa, turned up the document among 240 others belonging to federal government agencies and military branches, all sitting on P2P networks. 463
Oct. 6, 2009 BlueCross BlueShield Assn.
(Chicago, IL)		 A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors. Some 16% to 22% of those physicians listed -- as many as 187,000 -- used their Social Security numbers as a tax ID or NPI number. 187,000
Oct. 7, 2009 CLP Skilled Trade Solutions
(Palm Springs, FL)		 Boxes full of documents that had the CLP Skilled Trade Solutions logo on them were found in a dumpster in the back of a Newport Café. Some of the information found included Social Security cards, tax papers, driver's licenses and home IDs. Many of the documents were from a company that CLP acquired a few years ago. Unknown
Oct. 13, 2009 Pitt County Memorial Hospital
(Greenville, NC)
(877) 676-0376		 Patient names and Social Security numbers were placed onto a portable computer storage device, used to move the information between different computer systems. Employees have since discovered that USB flashdrive is missing from where it was stored. 1,700
Oct. 15, 2009 Virginia Department of Education
(Richmond, VA)
(877) 347-5224		 A flash drive containing the personal information of more than 103,000 former adult education students in Virginia was misplaced. The information included names, Social Security numbers and employment and demographic information. The flash drive contained information on all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009. 103,000
Oct. 15, 2009 Halifax Health
(Daytona Beach, FL)		 A laptop computer from a Halifax Health employee's vehicle in Orange County was stolen -- which might have contained password protected patient information. 33,000
Oct. 15, 2009 PayChoice
(Moorestown, NJ)		 Hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com. The plug-in was instead malicious software designed to steal the victim's user names and passwords. Unknown
Oct. 20, 2009 ChoicePoint
(Alpharetta, GA)
FTC statement below
http://www.ftc.gov/opa/2009/10/choicepoint.shtm		 ChoicePoint has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year. In April 2008, ChoicePoint turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months, according to an FTC statement. During that period, unauthorized searches were conducted for 30 days on a ChoicePoint database that contained Social Security numbers and other sensitive information. 13,750
Oct. 21, 2009 Bullitt County Public Schools
(Shepherdsville, KY)		 A Bullitt County Public Schools employee accidentally sent an e-mail message to about 1,800 school district workers that included the names and Social Security numbers of 676 district employees. The employees were identified as not having completed the district’s 2010 open-enrollment process for insurance, and the e-mail was intended as a reminder to complete the process. 676
Oct. 21, 2009 Roane State Community College
(Harriman, TN)
Hotline (865) 882-4688
(866) 462-7722 ext. 4688		 Roane State Community College has announced that the names and Social Security numbers of 9,747 current or former students were on a data storage device stolen from an employee's vehicle, along with 1,194 current/former employees' information. The Social Security numbers alone, with no names, were also stolen for 5,036 additional current or former students. The data was on a 4GB USB drive used for work-related purposes. An employee took it home to do work after hours, and left it in the car. The employee forgot to lock the car doors. The USB drive was stolen along with a personal hand-held device. 14,783
Oct. 26, 2009 CalOptima
(Orange County, CA)		 Personally identifiable information on members of CalOptima, a Medicaid managed care plan, may have been compromised after several CDs containing the information went missing. The unencrypted data on the CDs includes member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, and an unspecified number of Social Security numbers. The discs had been put in a box and sent via certified mail to CalOptima by one of its claims-scanning vendors, according to a statement by the health plan. CalOptima received the external packaging material minus the box of discs. 68,000
Oct. 27, 2009 Baptist Hospital East
(Louisville, KY)		 Hundreds of people in Kentuckiana are worrying about identity theft after their employer accidentally released their social security numbers. 350 names of hospital employees appear on a list that was circulated in an e-mail and so did their Social Security numbers. 350
Oct. 27, 2009 FirstMerit Bank
(Streetsboro, Westlake and Elyria, OH)		 Police in three Ohio cities are investigating the theft of three large storage bins from bank branches earlier this month. The storage bins were used to store paper waiting to be shredded. Three branches of the FirstMerit Bank in Streetsboro, Westlake and Elyria, OH each reported a bin missing beginning on October 7. One of the three bins contained personal documents of bank customers. Unknown
Oct. 28, 2009 Llywelyn’s Pub
(Overland Park, KS)		 Llywelyn’s Pub and its customers are the victims of a sophisticated cyber credit card attack. The crimes were the result of a hacker, who managed to gain access to the information between the time of sale and the point at which the information reached the credit card processing company. The credit card information had been used illegally in various states, but mostly southern states. Unknown
Oct. 28, 2009 New York Mellon Corp.
(New York, NY)		 A computer technician has been charged with allegedly stealing the identities of more than 150 Bank of New York Mellon Corp. employees and using their identities to steal more than $1.1 million from charities, non-profit groups and others. The man was employed by a contractor that did work for Bank of New York, was charged in a 149-count indictment. The man was arrested in April when the U.S. Secret Service executed a search warrant of his home and found Bank of New York employees' credit reports on his computer, along with many other documents containing personal identifying information of more than 150 Bank of New York employees. 150
Nov. 6, 2009 MassMutual
(Springfield, MA)		 Despite comprehensive procedures and diligent practices to protect confidential and private data concerning employees at MassMutual and several of its subsidiaries, a limited amount of personal employee information maintained in a database by an outside vendor may have been subject to unauthorized access. However, the vendor engaged a highly respected forensics team to investigate, and at this time they believe that no misuse of the information or fraudulent activity involving the data has occurred. This database does not include any client or field representative information of any type; it also did not contain personal Social Security or bank account information. Unknown
Nov. 6, 2009 Chaminade University
(Honolulu, HI)
www.chaminade.edu/infosecure
infosecure@chaminade.edu		 Chaminade University inadvertently posted confidential information, including Social Security numbers, of thousands of students, on its Web site for months. An investigation determined the report was placed on obscure -- though publicly accessible -- Web pages because of human error, according to a university news release. The information was accessible for about eight months, although there is no evidence of its use, officials said. The university estimates that personally identifiable data for 4,500 students were in the report. Those affected include undergraduate students who attended the university from 1997 to 2006. 4,500
Nov. 6, 2009 National Archives and Records Administration
(College Park, MD)		 The National Archives and Records Administration violated its information security policies by returning failed hard drives from systems containing personally identifiable information of current government employees and military veterans back to vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them. On two separate occasions the agency sent defective disk drives back to vendors under a maintenance contract, rather than destroying and disposing of them in-house. Unknown
Nov. 10, 2009 Obsidian Financial Group
(Woodbury, NY)		 A former employee broke into a Woodbury financial services company, photocopied customers' Social Security numbers and bank reference numbers and took the photocopied data with him when he left. Unknown
Nov. 17, 2009 Nebraska Workers' Compensation Court
(Omaha, NE)		 Someone broken into a server that temporarily held injury reports. Whenever a worker has a job-related injury, a report is filed with the Workers' Compensation Court and the information temporarily stored on that server. Personal information, including birth dates and Social Security numbers, would have been on the server. Unknown
Nov. 18, 2009 Universal American Action Network
(St. Petersburg, FL)
(877) 697-6228		 Thousands of Pennsylvanians could become victims of identity theft just because a piece of mail has been sent to their homes. Right on the front of the piece of mail, under the persons name, in plain view, is the recipient's Social Security number. The postcards were from the Universal American Action Network, a subsidiary of Universal American Insurance. 80,000 postcards with Social Security numbers on them were sent out to Universal clients throughout the country. More than 10,000 of them were mailed to Medicare participants in Pennsylvania. 80,000
       
TOTAL number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005.

Printing tip: Use the "landscape" setting for best results when printing the breach list.		 340,242,628
What does the total number indicate?
Tags: