Data Breaches

Date Made Public:
July 30, 2005
Company: California State University, Dominguez Hills
Location: Carson, California
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
9,613

Hackers accessed several computers containing personal information such as names and Social Security numbers.  The students who were affected were emailed.

Information Source:
Dataloss DB
Date Made Public:
July 30, 2005
Company: San Diego County Employees Retirement Association
Location: San Diego, California
Type of breach:
HACK
Type of organization:
GOV
Records Breached:
33,000

Two computers that contained personal information for current and retired San Diego County employees were hacked.  The information included names, addresses, Social Security numbers, and dates of birth.  The San Diego Retirement Association mailed warnings to members.

Information Source:
Dataloss DB
Date Made Public:
July 30, 2005
Company: Austin Peay State University
Location: Clarksville, Tennessee
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
1,500

The University removed student Social Security numbers, grade point averages and names that were accidentally posted. A student alerted the University to the problem after searching his name and finding the information on the website. A school employee put the internal documents on the website to email other staff members the information, but forgot to remove the information from the website.

Information Source:
Dataloss DB
Date Made Public:
July 21, 2005
Company: University of Colorado, Boulder
Location: Boulder, Colorado
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
49,000

Prospective students, current students, staff, faculty and University health care service recipients may have had their data exposed in a campus server breach.  The information included names, Social Security numbers, addresses, student ID numbers, birth dates, and lab test information. The University mailed letters and sent emails to the individuals affected.

UPDATE (08/20/2005) The number of students affected was increased from an estimate of 42,000 to 49,000.

Information Source:
Dataloss DB
Date Made Public:
July 13, 2005
Company: Arizona Biodyne
Location: Phoenix, Arizona
Type of breach:
PORT
Type of organization:
MED
Records Breached:
57,000

A safe with computer backup tapes containing financial, personal and medical records was stolen from Arizona Biodyne.  Policyholders' addresses, phone numbers, dates of birth and Social Security numbers were among the personal information lost.  Partial treatment histories and doctor information for some patients were also lost.

Information Source:
Dataloss DB
Date Made Public:
July 12, 2005
Company: University of Southern California (USC)
Location: Los Angeles, California
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
270,000

A reporter contacted USC based on an individual's claim to be able to access personal information on college applicants online.  USC removed the site pending investigation and sent letters to affected individuals.

Information Source:
Security Breach Letter
Date Made Public:
July 7, 2005
Company: Michigan State University
Location: East Lansing, Michigan
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
27,000

Student information was compromised during an attack on the College of Education server.  The information included Social Security numbers, names, addresses, student courses, and personal identification numbers.  The breach occurred in April and students were emailed in July.

Information Source:
Dataloss DB
Date Made Public:
July 6, 2005
Company: City National Bank, Iron Mountain
Location: Los Angeles, California
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
0

Two tapes containing Social Security numbers, account numbers, and other customer information were lost or stolen during transportation.  The tapes have been missing since April.  City National Bank notified its customers.

Information Source:
Dataloss DB
Date Made Public:
July 1, 2005
Company: University of California San Diego
Location: La Jolla, California
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
3,300

A University server was hacked in April.  The server contained Social Security numbers, driver's license numbers, and credit card numbers from people who attended or worked at UCSD Extension between 2000 and the time of the incident.  UCSD contacted those who were affected two months after the incident.

Information Source:
Dataloss DB
Date Made Public:
June 30, 2005
Company: Ohio State University Medical Center, MTE Consulting
Location: Columbus, Ohio
Type of breach:
PORT
Type of organization:
MED
Records Breached:
15,000

A laptop containing patient information was stolen from a financial consultant.  MTE Consulting notified OSU medical center a month after the laptop was stolen and OSU sent a brief letter to the affected clients.

Information Source:
Dataloss DB
Date Made Public:
June 29, 2005
Company: Bank of America
Location: Charlotte, North Carolina
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
18,000

A laptop containing the names, Social Security numbers, and addresses of customers was stolen from a consultant's car.

Information Source:
Dataloss DB
Date Made Public:
June 29, 2005
Company: Medica Health Plans
Location: Minnetonka, Minnesota
Type of breach:
INSD
Type of organization:
MED
Records Breached:
0

It was discovered that two employees had engaged in unauthorized activities for an extended period of time.  The computer administrators were fired for sabotaging the company's computers and downloading data.  Sensitive information for 1.2 million Medica members may have been accessed.  The former employees prolonged their activities and avoided heavier punishment by hiding and destroying evidence of their activities. 

Information Source:
Dataloss DB
Date Made Public:
June 28, 2005
Company: Lucas County Children Services
Location: Toledo, Ohio
Type of breach:
DISC
Type of organization:
GOV
Records Breached:
900

Data from around 500 former and 400 current employees from as far back as 1991 were sent outside the organization via e-mail.  The data included names, Social Security numbers, and telephone numbers.  Current employees were contacted immediately and letters were sent to former employees.

Information Source:
Media
Date Made Public:
June 27, 2005
Company: U.S. Department of Veterans Affairs
Location: Minneapolis, Minnesota
Type of breach:
PORT
Type of organization:
GOV
Records Breached:
66

A laptop being stored in the trunk of a car was stolen in Minneapolis, Minnesota. Two people later reported identity fraud problems.

Information Source:
Dataloss DB
Date Made Public:
June 25, 2005
Company: University of Connecticut (UCONN)
Location: Storrs, Connecticut
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
72,000

University officials became aware of an October 26, 2003 hacking incident.  The personal information included Social Security numbers and addresses for students, faculty, and staff.  The University began contacting those affected in June of 2005.

Information Source:
Dataloss DB
Date Made Public:
June 22, 2005
Company: Eastman Kodak
Location: Rochester, New York
Type of breach:
PORT
Type of organization:
BSO
Records Breached:
5,800

A password-protected laptop containing former employee names, Social Security numbers, birth dates, and benefits information was stolen from a consultant's car trunk. The consulting company has been identified as Hewitt Associates. Kodak sent letters and offered one year of credit monitoring services and identity theft insurance covering up to $50,000 in fraud.

Information Source:
Dataloss DB
Date Made Public:
June 21, 2005
Company: CVS
Location: Woonsocket, Rhode Island
Type of breach:
DISC
Type of organization:
BSR
Records Breached:
0

CASPIAN, a consumer privacy group, notified CVS of a security hole that allowed people to access information about purchases made by customers who used a CVS Corp. loyalty card. Anyone with someone's card number, zip code and the first three letters of the customer's last name could have a list of recent purchases sent to an email account. The company removed Internet access to the information. Fifty million loyalty cards have been issued.

Information Source:
Dataloss DB
Date Made Public:
June 18, 2005
Company: University of Hawai'i
Location: Honolulu, Hawaii
Type of breach:
INSD
Type of organization:
EDU
Records Breached:
150,000

A former librarian with access to the personal information of students, faculty, staff and patrons was convicted of Social Security fraud.  The former librarian used Social Security information to obtain fraudulent loans.  The University used Social Security numbers to track who checked out library materials. At the time of the press release it was unclear whether any information had been stolen from the University.

Information Source:
Dataloss DB
Date Made Public:
June 17, 2005
Company: Kent State University
Location: Kent, Ohio
Type of breach:
PORT
Type of organization:
EDU
Records Breached:
1,400

A laptop containing the names, Social Security numbers, and in some cases birthdays of current and former University employees was stolen from a human resources administrator's car. 

Information Source:
Dataloss DB
Date Made Public:
June 16, 2005
Company: CardSystems
Location: Tucson, Arizona
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
40,000,000

Over 40 million card accounts were exposed to potential fraud due to a security breach that occurred at a third-party processor of payment card transactions. Of the more than 40 million accounts exposed, information on 68,000 Mastercard accounts, 100,000 Visa accounts and 30,000 accounts from other card brands are known to have been exported by the hackers. The data exported included names, card numbers and card security codes.

UPDATE (2/23/2006) CardSystems agreed to settle Federal Trade Commission charges that it failed to take appropriate security measures to protect sensitive personal information. The company must implement a comprehensive security program and obtain audits every 2 years for 20 years.

UPDATE (5/12/2006) CardSystems filed for bankruptcy.

UPDATE (5/28/2009) Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment processor's systems were hacked, compromising up to 40 million credit card accounts. Hackers were able to get hold of the data because CardSystems kept unencrypted card information on its servers, in contravention of the regulations for which Savvis certified it.

Information Source:
Dataloss DB
Date Made Public:
June 10, 2005
Company: Federal Deposit Insurance Corp. (FDIC)
Location: Washington, District Of Columbia
Type of breach:
UNKN
Type of organization:
GOV
Records Breached:
6,000

Personal information including the names, birthdays, salaries, and Social Security numbers of former Federal Deposit Insurance Corporation employees was stolen.  Some of the information was used for fraudulent purposes.  Affected employees from as far back as July 2002 were notified.

Information Source:
Dataloss DB
Date Made Public:
June 6, 2005
Company: Citigroup, UPS
Location: New York, New York
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
3,900,000

Customers are being notified that backup tapes containing their account information were lost or stolen while being shipped by UPS.

Information Source:
Dataloss DB
Date Made Public:
June 4, 2005
Company: Duke University Medical Center
Location: Durham, North Carolina
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
14,000

A hacker broke into the computer system, stealing thousands of passwords and fragments of Social Security numbers.  Fourteen thousand affected people were notified, including 10,000 employees of Duke University Medical Center.

Information Source:
Dataloss DB
Date Made Public:
May 30, 2005
Company: Motorola
Location: Schaumburg, Illinois
Type of breach:
STAT
Type of organization:
BSO
Records Breached:
0

Two computers were stolen from third-party vendor Affiliated Computer Services (ACS).  They had security safeguards and contained names and Social Security numbers of Motorola employees.  Motorola notified affected staff by email and offered fraud insurance coverage.

Information Source:
Dataloss DB
Date Made Public:
May 28, 2005
Company: Merlin Information Services
Location: Kalispell, Montana
Type of breach:
INSD
Type of organization:
BSO
Records Breached:
5,875

An individual fraudulently obtained personal information about thousands of victims from Merlin Information Services and used that information to commit identity theft by opening up credit card accounts. He posed as a private investigator, thus giving Merlin the impression that he was a legitimate user of their services. He conducted at least 1,873 queries through the Merlin system to obtain information on approximately 5,875 people.

Information Source:
Media
Date Made Public:
May 27, 2005
Company: Cleveland State University
Location: Cleveland, Ohio
Type of breach:
PORT
Type of organization:
EDU
Records Breached:
44,420

A laptop containing personal information from applicants, current students, and former students was stolen from the University's admissions office.  The information included Social Security numbers and addresses from as far back as 2001.  Letters were sent to those affected.  

UPDATE (12/24/05): CSU found the stolen laptop.

Information Source:
Dataloss DB
Date Made Public:
May 19, 2005
Company: Valdosta State University
Location: Valdosta, Georgia
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
40,000

A computer server containing campus ID card information and Social Security numbers was hacked. The cards were designed to be used as debit cards by students and employees.

Information Source:
Dataloss DB
Date Made Public:
May 18, 2005
Company: University of Iowa
Location: Iowa City, Iowa
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
30,000

A computer containing credit card numbers and campus ID numbers for University Book Store customers was breached by a hacker.

Information Source:
Dataloss DB
Date Made Public:
May 18, 2005
Company: Jackson Community College
Location: Jackson, Michigan
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
8,000

A hacker may have downloaded the passwords and Social Security numbers of employees and students.  The College sent new, high-security passwords to students and employees.

Information Source:
Dataloss DB
Date Made Public:
May 16, 2005
Company: Westborough Bank
Location: Westborough, Massachusetts
Type of breach:
INSD
Type of organization:
BSF
Records Breached:
750

A former employee who ran an investment program from 1998 to 2001 may have given Social Security numbers and account information to a convicted felon known for defrauding senior citizens.  The bank mailed warning letters.

Information Source:
Dataloss DB
Date Made Public:
May 14, 2005
Company: Georgia Technology Authority (GTA)
Location: Atlanta, Georgia
Type of breach:
INSD
Type of organization:
GOV
Records Breached:
465,000

A former computer programmer for Georgia Technology Authority downloaded state driver's license information which contained names, addresses, driver's license numbers, and in some cases Social Security numbers.

Information Source:
Dataloss DB
Date Made Public:
May 12, 2005
Company: Hinsdale Central High School
Location: Hinsdale, Illinois
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
2,400

Two students were accused of hacking into the School's computer system and stealing student and staff Social Security numbers.  The students had the information for months before being caught.  Letters were sent to affected families. The Social Security Administration and the Federal Trade Commission were also notified.

Information Source:
Dataloss DB
Date Made Public:
May 11, 2005
Company: Stanford University
Location: Stanford, California
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
9,900

The University's Career Development Center was hacked. This exposed the names, Social Security numbers, and other personal information of users. Names and credit card information for some employers that registered with the site were also in the database.

Information Source:
Dataloss DB
Date Made Public:
May 7, 2005
Company: Department of Justice
Location: Washington, District Of Columbia
Type of breach:
PORT
Type of organization:
GOV
Records Breached:
80,000

A laptop containing password-protected names and travel account credit card information was stolen sometime between May 7 and May 9.

Information Source:
Dataloss DB
Date Made Public:
May 5, 2005
Company: Purdue University
Location: West Lafayette, Indiana
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
11,360

Hackers accessed a program which contained University credit card information and the Social Security numbers of current and former employees. Letters were sent to employees and former employees.

Information Source:
Dataloss DB
Date Made Public:
May 5, 2005
Company: Arbella Mutual Insurance Company
Location: Quincy, Massachusetts
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
0

A customer discovered that he could view the Registry of Motor Vehicles database by visiting a website printed on the bottom of his insurance paperwork.  He was able to look up people by name and then obtain their address, date of birth, license number, driving history and, most times, even their Social Security number.  The company corrected the problem quickly.  The company believes the error was temporary and that few outsiders were able to access the information.

Information Source:
Dataloss DB
Date Made Public:
May 4, 2005
Company: Colorado Health Department
Location: Denver, Colorado
Type of breach:
PORT
Type of organization:
GOV
Records Breached:
1,600

A laptop containing Social Security numbers, medical records, family medical history, and addresses was stolen from an employee's car.  The State Health Department is not monitoring the affected group and has only contacted some of the families involved.

Information Source:
Dataloss DB
Date Made Public:
May 2, 2005
Company: Time Warner, Iron Mountain Inc.
Location: New York, New York
Type of breach:
PORT
Type of organization:
BSO
Records Breached:
600,000

Backup tapes containing the personal information of current and former employees from as far back as 1986 were lost or stolen during shipping. An 800 number was set up to answer questions and provide free credit monitoring for one year.

UPDATE (5/3/2005): A contractor named Iron Mountain Inc. lost the tapes during shipping. 

Information Source:
Dataloss DB
Date Made Public:
April 29, 2005
Company: Oklahoma State University
Location: Stillwater, Oklahoma
Type of breach:
PORT
Type of organization:
EDU
Records Breached:
37,000

A laptop used for student job placement seminars was lost or stolen.  It contained the Social Security numbers of current and former students.

Information Source:
Dataloss DB
Date Made Public:
April 28, 2005
Company: Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp
Location: Hackensack, New Jersey
Type of breach:
INSD
Type of organization:
BSF
Records Breached:
676,000

Bank employees illegally sold account information to someone posing as a collection agency. Customers affected were notified and received one year of free credit monitoring services.

Information Source:
Dataloss DB