Data Breaches

Date Made Public:
February 15, 2006
Company: U.S. Department of Agriculture (USDA)
Location: Washington, District Of Columbia
Type of breach:
DISC
Type of organization:
GOV
Records Breached:
350,000

The Social Security numbers of tobacco farmers were accidentally released when the U.S. Department of Agriculture attempted to comply with the Freedom of Information Act.  Those who received the information agreed to destroy any copies and return the original discs, which also contained tax identification numbers.

Information Source:
Dataloss DB
Date Made Public:
February 15, 2006
Company: Suffolk County Clerk's Office
Location: Long Island, New York
Type of breach:
DISC
Type of organization:
GOV
Records Breached:
7,000

Between 7,000 and 8,000 homeowners had their Social Security numbers accidentally posted online. After discovering the mistake, County officials found that they could not remove the information. People who pay to access the County's public records online will be able to see the Social Security numbers associated with people and addresses in the system that date back to 2001. The County could not alter public records in any way, but a new program will be implemented to block the Social Security numbers from newly recorded documents.

Information Source:
Dataloss DB
Date Made Public:
February 13, 2006
Company: Ernst & Young
Location: New York, New York
Type of breach:
PORT
Type of organization:
BSO
Records Breached:
38,000

A laptop containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees was stolen from a locked car. While Ernst & Young waited until pressured to inform a majority of those affected about the breach, at least one CEO from the affected companies was contacted immediately.

Information Source:
Security Breach Letter
Date Made Public:
February 9, 2006
Company: OfficeMax
Location: Naperville, Illinois
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
200,000

Debit card accounts and PIN numbers from bank and credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo) were exposed. The crooks created counterfeit cards to make fraudulent purchases and withdrawals from cardholder accounts.

UPDATE (3/14/06) New Jersey law enforcement arrested 14 people connected to the crime spree. 

Information Source:
Dataloss DB
Date Made Public:
February 6, 2006
Company: Prudential Financial Inc.
Location: Newark, New Jersey
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
1,000

A health insurer's claims data were erroneously faxed to a company in Canada by doctors and clinics across the U.S. Data included the patients' Social Security numbers, bank account details and health care information.

Information Source:
Media
Date Made Public:
February 4, 2006
Company: FedEx
Location: Los Angeles, California
Type of breach:
DISC
Type of organization:
BSO
Records Breached:
1,100

Eighty-five hundred W-2 forms including other workers' tax information such as Social Security numbers and salaries were sent out to employees. Fewer than 1,100 employees had their information exposed. The company suspects that its internal processing center may have misaligned the forms and caused them to be cut in the wrong place. Workers were asked not to open their W-2s, but many had already done so before the notification.

Information Source:
Dataloss DB
Date Made Public:
February 2, 2006
Company: Presbyterian Healthcare Service
Location: Albuquerque, New Mexico
Type of breach:
STAT
Type of organization:
MED
Records Breached:
450

The theft of a computer may have exposed patient and physician information. Names, Social Security numbers, addresses, phone numbers and credit card numbers were on the computer. The computer may have been stolen for the purpose of committing identity theft.

Information Source:
Dataloss DB
Date Made Public:
February 1, 2006
Company: Blue Cross and Blue Shield of North Carolina
Location: Durham, North Carolina
Type of breach:
DISC
Type of organization:
BSO
Records Breached:
629

Social Security numbers of members were printed on the mailing labels of envelopes with information about a new insurance plan.  Those who were affected were contacted immediately.

Information Source:
Dataloss DB
Date Made Public:
February 1, 2006
Company: University of Colorado, Colorado Springs (UCCS)
Location: Colorado Springs, Colorado
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
2,500

Names, Social Security numbers, addresses and birth dates of current and former employees were accessed.  A computer in the Personnel Department was hacked and infected with a virus.  People employed by the University at any time between the attack and 2004 are at risk.  The virus infected other computers at the University and was part of a worldwide attack.

Information Source:
Dataloss DB
Date Made Public:
January 31, 2006
Company: Honeywell International
Location: Morristown, New Jersey
Type of breach:
UNKN
Type of organization:
BSO
Records Breached:
19,000

Personal information of current and former employees including Social Security numbers and bank account information was posted on an Internet Web site. It was not known whether this was the result of a malicious insider or an administrative error.  Current and former employees whose information was compromised were informed immediately and offered free credit monitoring and identity theft insurance.

Information Source:
Dataloss DB
Date Made Public:
January 31, 2006
Company: Boston Globe (The New York Times Company) and The Worcester Telegram & Gazette
Location: Boston, Massachusetts
Type of breach:
DISC
Type of organization:
BSO
Records Breached:
240,000

Recycled paper used in wrapping newspaper bundles for distribution turned out to contain credit and debit card information along with routing information for personal checks of subscribers.

Information Source:
Dataloss DB
Date Made Public:
January 27, 2006
Company: State of Rhode Island website (www.RI.gov)
Location: Providence, Rhode Island
Type of breach:
HACK
Type of organization:
GOV
Records Breached:
4,118

Hackers obtained credit card information in conjunction with names and addresses. The credit card companies were notified of the breach, but not the customers.

Information Source:
Dataloss DB
Date Made Public:
January 26, 2006
Company: College of St. Scholastica
Location: Duluth, Minnesota
Type of breach:
STAT
Type of organization:
EDU
Records Breached:
12,000

A computer was stolen from a locked office in the College's Information Technology Department on or around December 24. The computer had Social Security numbers and names of current and former students. The thief was caught and claims that none of the personal information was used.

Information Source:
Dataloss DB
Date Made Public:
January 25, 2006
Company: University of Delaware
Location: Newark, Delaware
Type of breach:
STAT
Type of organization:
EDU
Records Breached:
159

Two separate breaches occurred on the campus during November and December. A computer from the School of Urban Affairs and Public Policy was hacked and a back-up hard drive was stolen from the Department of Entomology and Wildlife Ecology. The hacking incident occurred between November 22 and 26 and exposed the Social Security numbers of 159 graduate students. The hard drive theft occurred between December 16 and 18 and the personal information of an unknown number of people was exposed.

Information Source:
Dataloss DB
Date Made Public:
January 25, 2006
Company: Providence Home Services
Location: Portland, Oregon
Type of breach:
PORT
Type of organization:
MED
Records Breached:
365,000

Backup tapes, laptops and disks containing Social Security numbers, clinical and demographic information were stolen from the car of an employee. In a small number of cases, patient financial data was stolen.

UPDATE (9/26/06) Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs.

UPDATE (7/15/08) Providence Health will pay $100,000 and adhere to a compliance plan under the first ever Resolution Agreement negotiated by CMS (Centers for Medicare and Medicaid Services of the U.S. Dept. of Health and Human Services) under the HIPAA Privacy and Security Standards. The Corrective Action Plan requires Providence to revamp its security policies to include physical protections for portable devices and off-site transport and storage of backup media. Further, it must implement technical safeguards, such as encryption and password protection. And it must conduct random compliance audits and submit compliance reports to HHS for the next three years.

UPDATE (4/16/2012): The Oregon Supreme Court struck down a class-action suit against Providence Health Systems.  The Oregon Supreme Court claimed that there was no evidence that any of the 365,000 patients who were affected by the breach suffered any financial loss or other adverse consequences.

Information Source:
Dataloss DB
Date Made Public:
January 24, 2006
Company: University of Washington Medical Center
Location: Seattle, Washington
Type of breach:
PORT
Type of organization:
MED
Records Breached:
1,600

Laptops containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data were stolen from a UW office.  The information was password protected and the affected patients were notified.

Information Source:
Dataloss DB
Date Made Public:
January 23, 2006
Company: University of Notre Dame
Location: Notre Dame, Indiana
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
0

Hackers may have accessed Social Security numbers, credit card information and check images of people who donated to the University between November 22 of 2005 and January 12 of 2006.

Information Source:
Date Made Public:
January 21, 2006
Company: California Army National Guard
Location: Sacramento, California
Type of breach:
PHYS
Type of organization:
GOV
Records Breached:
200

A briefcase with personal information of National Guardsmen including a seniority roster, Social Security numbers and dates of birth was stolen from the car of an employee.  A memo was sent to National Guard soldiers.

Information Source:
Dataloss DB
Date Made Public:
January 20, 2006
Company: Indiana University, University Place Conference Center & Hotel
Location: Indianapolis, Indiana
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

The computer housing the reservations database was compromised. Data included credit card account numbers and names.

Information Source:
Security Breach Letter
Date Made Public:
January 20, 2006
Company: University of Kansas (Kansas University)
Location: Lawrence, Kansas
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
9,200

A computer file with sensitive personal information was accessible to the public.  Students who applied and paid an application fee online between April 29, 2001 and December 16, 2005 had their names, Social Security numbers, birth dates, addresses, phone numbers and credit card numbers exposed.

Information Source:
Dataloss DB
Date Made Public:
January 17, 2006
Company: City of San Diego, Water & Sewer Department
Location: San Diego, California
Type of breach:
INSD
Type of organization:
GOV
Records Breached:
0

A dishonest employee accessed customer account files, including Social Security numbers, and stole the identities of two individuals.

Information Source:
Media
Date Made Public:
January 16, 2006
Company: New York City Teachers Retirement System
Location: New York, New York
Type of breach:
INSD
Type of organization:
GOV
Records Breached:
5,800

A dishonest employee and two others were arrested for their part in writing and cashing fraudulent checks. Police found fraudulent checks with the names of 19 pension members and beneficiaries in the apartment of the former employee. The employee was originally hired as a temp and had worked for the company for three years. He had access to the information of 5,800 pension members.

Information Source:
Dataloss DB
Date Made Public:
January 15, 2006
Company: Illinois Education Association
Location: Springfield, Illinois
Type of breach:
STAT
Type of organization:
NGO
Records Breached:
0

Two laptops, six desktops and a digital camera were stolen from the Illinois Education Association office sometime prior to the week of January 3. Some of the computers contained Social Security numbers of members. Many member organizations were affected. Over 2,400 members from the Elgin Area School District were affected.

Information Source:
Dataloss DB
Date Made Public:
January 12, 2006
Company: People's Bank
Location: Bridgeport, Connecticut
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
90,000

A computer tape containing names, addresses, Social Security numbers, and checking account numbers was lost while being transported by UPS.  The bank alerted the affected customers and provided them with a credit monitoring service for one year.

Information Source:
Dataloss DB
Date Made Public:
January 2, 2006
Company: H&R Block
Location: Kansas City, Missouri
Type of breach:
DISC
Type of organization:
BSO
Records Breached:
0

H&R Block included Social Security numbers in a 40-digit number string on mailing labels.  Affected individuals were contacted.

Information Source:
Dataloss DB
Date Made Public:
January 1, 2006
Company: University of Pittsburgh Medical Center, Squirrel Hill Family Medicine
Location: Pittsburgh, Pennsylvania
Type of breach:
STAT
Type of organization:
MED
Records Breached:
700

Six computers containing names, Social Security numbers, and birth dates of patients were stolen from doctors' offices. A letter was sent notifying the affected patients.

Information Source:
Dataloss DB
Date Made Public:
December 28, 2005
Company: Marriott International Inc.
Location: Orlando, Florida
Type of breach:
PORT
Type of organization:
BSR
Records Breached:
206,000

It is unclear whether backup computer tapes with credit card account information and Social Security numbers were lost or stolen from headquarters during November. Employees and time-share owners and customers were affected.

Information Source:
Dataloss DB
Date Made Public:
December 25, 2005
Company: Ameriprise Financial Inc.
Location: Minneapolis, Minnesota
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
226,000

A laptop was stolen from an employee's car on Christmas Eve. It contained customers' names and Social Security numbers and, in some cases, Ameriprise account information. Around 68,000 customers had their names and Social Security numbers exposed.  Around 158,000 customers had their names and internal account numbers exposed.

UPDATE (08/01/06): The laptop was recovered by local law enforcement in the community where it was stolen.

UPDATE (12/11/06): The company settled with the Massachusetts securities regulator in the office of the Secretary of State. Ameriprise agreed to hire an independent consultant to review its policies and procedures for employees' and contractors' use of laptops containing personal information. Ameriprise will pay the state regulator $25,000 for the cost of the investigation.

Information Source:
Dataloss DB
Date Made Public:
December 22, 2005
Company: Ford Motor Co.
Location: Dearborn, Michigan
Type of breach:
STAT
Type of organization:
BSO
Records Breached:
70,000

A computer containing names and Social Security numbers of current and former employees was stolen.  Ford alerted those who were affected and offered to pay for their credit monitoring services.

Information Source:
Dataloss DB
Date Made Public:
December 22, 2005
Company: H&R Block
Location: Kansas City, Missouri
Type of breach:
DISC
Type of organization:
BSO
Records Breached:
0

Many past and present customers received unsolicited copies of the program TaxCut that displayed their Social Security numbers on the outside, embedded in a lengthy string of code.

Information Source:
Security Breach Letter
Date Made Public:
December 21, 2005
Company: Sunrise Volkswagen
Location: Lynbrook, New York
Type of breach:
PHYS
Type of organization:
BSR
Records Breached:
0

Bank credit applications with names, Social Security numbers, addresses, telephone numbers, employment information and signatures were obtained by unauthorized access between December 15 and 16.  

Information Source:
Dataloss DB
Date Made Public:
December 20, 2005
Company: Guidance Software, Inc.
Location: Pasadena, California
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
3,800

A hacked database exposed credit card numbers of law enforcement officials and network security professionals.  The company is a leading provider of software used to diagnose hacker attacks.

UPDATE (4/3/07): The FTC came to a settlement agreement and final consent order against Guidance Software.

Information Source:
Dataloss DB
Date Made Public:
December 16, 2005
Company: Colorado Technical University (CTU)
Location: Colorado Springs, Colorado
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
300

An email was erroneously sent which contained names, phone numbers, email addresses, Social Security numbers and class schedules.

Information Source:
Security Breach Letter
Date Made Public:
December 16, 2005
Company: La Salle Bank, ABN AMRO Mortgage Group, DHL
Location: Ann Arbor, Michigan
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
2,000,000

A backup tape with residential mortgage customers' information was lost in shipment by DHL.  It contained Social Security numbers and account information.

UPDATE (12/20/05): DHL found the lost tape.

Information Source:
Security Breach Letter
Date Made Public:
December 12, 2005
Company: Sam's Club, a division of Wal-Mart Stores, Inc.
Location: Bentonville, Arkansas
Type of breach:
UNKN
Type of organization:
BSR
Records Breached:
0

Customers who used credit cards at the wholesaler's gas stations discovered fraudulent activity on their credit accounts.  Sam's Club is unaware of how the information was stolen.  Visa alerted the affected financial institutions and asked them to provide fraud monitoring services for the affected customers.

Information Source:
Dataloss DB
Date Made Public:
December 12, 2005
Company: Iowa State University
Location: Ames, Iowa
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
5,500

At least one ISU computer was hacked. Social Security numbers and encrypted credit card numbers may have been obtained. Between 2,000 and 2,500 Social Security numbers are at risk and between 2,300 and 3,000 credit card numbers are at risk. Student, alumni, employee and volunteer information was put at risk. 

Information Source:
Dataloss DB
Date Made Public:
December 9, 2005
Company: Oregon Community Credit Union
Location: Springfield, Oregon
Type of breach:
PHYS
Type of organization:
BSF
Records Breached:
200

A packet of insurance forms with names, Social Security numbers and addresses of around 200 Oregon Community Credit Union employees was inside of a stolen car. Someone tried to use the identity of an employee after the theft.  The company is on alert and purchased extended identity theft insurance for those who were affected by the theft.

Information Source:
Dataloss DB
Date Made Public:
December 8, 2005
Company: San Antonio Independent School District
Location: San Antonio, Texas
Type of breach:
PORT
Type of organization:
EDU
Records Breached:
1,000

A laptop with personal information of more than a thousand teachers was stolen from an employee's unlocked car.  The information included names, Social Security numbers and dates of birth. 

Information Source:
Dataloss DB
Date Made Public:
December 8, 2005
Company: J. Sargeant Reynolds Community College
Location: Richmond, Virginia
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
26,000

The names, Social Security numbers and addresses of students taking non-credit classes from 2000 to 2003 were posted online for months.  The information was compiled for a mailing list, but an employee posted it on the College's server.  A student informed officials of the mistake after accessing the information online.  The College began the process of removing the information from the web.

Information Source:
Dataloss DB
Date Made Public:
December 8, 2005
Company: Federal Reserve Bank of Dallas
Location: Dallas, Texas
Type of breach:
PHYS
Type of organization:
GOV
Records Breached:
8,000

A courier truck dropped canceled personal and business checks on northbound Central Expressway near Woodall Rodgers Freeway around 4 a.m.  The incident closed the freeway exit until 7 a.m.  Employees from the Federal Reserve, the courier company and the Texas Department of Transportation removed many checks, though some disappeared.  Some unaffiliated people also returned checks to the authorities.  A very similar incident happened in August of 2005.

Information Source:
Dataloss DB