Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: all
Year(s) of Breach: all
Company or Organization: all
Date Made Public:
June 1, 2006
Company: University of Kentucky
Location: Lexington, Kentucky
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
1,300

Personal information of current and former University of Kentucky employees including Social Security numbers was inadvertently accessible online for 19 days in May.

Information Source:
Dataloss DB
Date Made Public:
May 31, 2006
Company: Texas Guaranteed Student Loan Corp. via subcontractor Hummingbird
Location: Round Rock, Texas
Type of breach:
UNKN
Type of organization:
BSF
Records Breached:
1,700,000

Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.

UPDATE (6/16/06):TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million.

Information Source:
Dataloss DB
Date Made Public:
May 30, 2006
Company: Florida International University
Location: Miami, Florida
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
0

Hacker accessed a database that contained personal information on thousands of individuals, such as student and applicant names and Social Security numbers.

Information Source:
Dataloss DB
Date Made Public:
May 26, 2006
Company: California State University Stanislaus
Location: Turlock, California
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
1,294

The University was informed that a file containing sensitive information remained in the Google cache and could be accessed by those with technological expertise. The file was first indexed in October of 2005. The file was deleted form the server, but it remained in the Google files cache. The file included names, addresses, Social Security numbers, and dates of birth of some current and former employees and their dependents.

Information Source:
Dataloss DB
Date Made Public:
May 26, 2006
Company: California Department of Financial Institutions
Location: , California
Type of breach:
PORT
Type of organization:
GOV
Records Breached:
0

On May 26, an examiner's laptop was stolen from a car. The laptop contained the personal data of bank customers.

Information Source:
Date Made Public:
May 25, 2006
Company: VyStar Credit Union
Location: Jacksonville, Florida
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
34,400

Hacker gained access to member accounts a and stole personal information including names, addresses, birth dates, mother's maiden names, Social Security numbers and/or email addresses. Less than 10% of VyStar's 344,000 members were affected.

Information Source:
Dataloss DB
Date Made Public:
May 25, 2006
Company: Security Savings Bank
Location: Southport, North Carolina
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
13

Security Saving's website host Goldleaf Technologies informed the bank that their website was down. The website had been phished for two hours. Thirteen customers visited the fraudulent website during that time. Passwords, user IDs, account numbers and card numbers could have fallen into the wrong hands.

Information Source:
Dataloss DB
Date Made Public:
May 24, 2006
Company: Sacred Heart University
Location: Fairfield, Connecticut
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
0

It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached.  The University did not immediately release information on who the breach affected.

Information Source:
Dataloss DB
Date Made Public:
May 24, 2006
Company: New York State Insurance Fund (NYSIF)
Location: New York, New York
Type of breach:
PORT
Type of organization:
GOV
Records Breached:
37

An agency laptop computer was stolen from an employee's car. Names and Social Security numbers were on the laptop.

Information Source:
Dataloss DB
Date Made Public:
May 23, 2006
Company: Mortgage Lenders Network USA
Location: Middletown, Connecticut
Type of breach:
INSD
Type of organization:
BSF
Records Breached:
231,000

A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information - including customers' names, addressess, Social Security numbers, loan numbers, and loan types - if the company didn't pay him. He stole the files over the 16 months he worked there.

Information Source:
Dataloss DB
Date Made Public:
May 23, 2006
Company: Butler County Department of Mental Retardation & Developmental Disabilities
Location: Cincinnati, Ohio
Type of breach:
PORT
Type of organization:
NGO
Records Breached:
100

In April, three laptop computers were stolen from the agency's office. They contained personal information on mental health clients, including Social Security numbers.  Those affected were contacted in May.

Information Source:
Dataloss DB
Date Made Public:
May 23, 2006
Company: University of Delaware
Location: Newark, Delaware
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
1,076

A security breach of a Department of Public Safety computer server potentially exposed names, Social Security numbers and driver's license numbers. Individuals whose personal information was compromised were contacted.

Information Source:
Dataloss DB
Date Made Public:
May 23, 2006
Company: Liberty Mutual Insurance Company
Location: Boston, Massachusetts
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
384

Two company laptops were stolen in California in March and one company laptop was stolen in Kentucky in April. One incident exposed some customer names and Social Security numbers that were listed along with their claims. The other incident exposed names and Social Security numbers for employees of some of Liberty's commercial insureds.

Information Source:
Dataloss DB
Date Made Public:
May 22, 2006
Company: U.S. Department of Veterans Affairs
Location: Washington, District Of Columbia
Type of breach:
PORT
Type of organization:
GOV
Records Breached:
26,500,000

On May 3, data of all American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. The data did not contain medical or financial information, but may have disability numerical rankings.

UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered.

UPDATE (7/14/06): FBI claims no data had been taken from stolen computer.

UPDATE(8/5/06): Two teens were arrested in the theft of the laptop.

UPDATE (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for patterns of misuse.

UPDATE (11/23/07): A federal judge questioned the Veterans Affairs Department's computer security and ruled Friday that lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. The lawsuits have been filed as potential class-action cases representing every veteran whose data was released.

UPDATE (1/23/09): The Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit.

UPDATE (6/16/09): No less than $75 will be paid for any valid claim, up to a cap of $1,500. If your expenses were higher than that, you might want to opt out of the class-action portion so you can file for your actual damages. In that case, you need to file a letter so it is received by June 29, 2009. You have until Nov. 27, 2009, to mail your claim form to VA Settlement Claims, P.O. Box 6727, Portland, OR 97228-9767. Be sure to keep a copy of the claim form, along with your proof of mailing. To download the claim form and to get more information, go to www.veteransclass.com. Read the FAQ and note the particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625.

UDPATE (10/19/12): An investigation into the VA revealed that encryption software has only been installed on 16% of VA computers since the 2006 breach. Six million dollars has been spent on encryption software since the 2006 breach. The investigation began after a 2011 anonymous tip.

Information Source:
Dataloss DB
Date Made Public:
May 21, 2006
Company: Columbus Bank & Trust
Location: Columbus, Georgia
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
2,000

A security problem may have exposed customer credit and check card information.

Information Source:
Dataloss DB
Date Made Public:
May 19, 2006
Company: Frost Bank
Location: San Antonio, Texas
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
9,300

Hackers accessed the credit and debit card accounts of around 100 Frost Bank customers after they took Visa and MasterCard debit card information from the database of a national retailer.  Banks across the nation were affected by the breach. Only 100 Frost Bank customers reported fraudulent charges.

Information Source:
Dataloss DB
Date Made Public:
May 18, 2006
Company: American Red Cross, St. Louis Chapter
Location: St. Louis, Missouri
Type of breach:
INSD
Type of organization:
NGO
Records Breached:
1,000,000

A dishonest employee had access to Social Security numbers of donors.  The database was used to call previous donors and urge them to give blood again. The employee misused the personal information of at least three people to perpetrate identity theft and had access to the personal information of one million donors.

Information Source:
Dataloss DB
Date Made Public:
May 17, 2006
Company: M &T Bank via contractor PFPC
Location: Buffalo, New York
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
0

A laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio Architect accounts was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name.

Information Source:
Security Breach Letter
Date Made Public:
May 16, 2006
Company: American Institute of Certified Public Accountants (AICPA)
Location: New York, New York
Type of breach:
PORT
Type of organization:
NGO
Records Breached:
33,000

An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company. AICPA offered one year of free credit monitoring services to affected members.

Information Source:
Dataloss DB
Date Made Public:
May 16, 2006
Company: University of California Berkeley
Location: Berkeley, California
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
1,200

During an investigation of a computer virus, it was discovered that computers within an office may have been accessed without authorization from within the campus network.  Student, faculty and staff names and Social Security numbers were on archived spreadsheets.  The spreadsheets contained the personal information of people who requested campus cards between 1998 and 2004.

Information Source:
Dataloss DB
Date Made Public:
May 16, 2006
Company: GE Money Bank, Lowe's Companies Inc.
Location: Philadelphia, Pennsylvania
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
150

GE Money Bank issues private label credit cards for Lowe's Companies Inc.  A number of credit card applications were taken form a Lowe's store in Philadelphia by an unknown person.  The information on the applications included names, Social Security numbers, dates of birth, addresses and Lowe's credit card account numbers.  At least 11 consumers discovered fraudulent purchases at Lowe's stores.

Information Source:
Dataloss DB
Date Made Public:
May 12, 2006
Company: Mercantile Potomac Bank
Location: Gaithersburg, Maryland
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
48,000

A laptop containing confidential information about customers, including Social Security numbers and account numbers was stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates. The bank contacted affected customers and offered them one year of free credit monitoring services.

Information Source:
Dataloss DB
Date Made Public:
May 12, 2006
Company: Annibell Mortgage Inc.
Location: Sayville, New York
Type of breach:
STAT
Type of organization:
BSF
Records Breached:
300

Four computers with the personal information of clients were stolen during an early April burglary. The information did not include credit files, but did have other forms of private customer data.

Information Source:
Dataloss DB
Date Made Public:
May 11, 2006
Company: Merrill Lynch
Location: New York, New York
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
10,500

An employee's laptop computer was stolen during a burglary.  The computer contained limited personal information of some current and former Merrill Lynch clients and prospects.  The information included names, addresses, account and loan numbers, account and loan balances and the name of clients' financial advisors.

Information Source:
Dataloss DB
Date Made Public:
May 11, 2006
Company: Healthcare Business Resources (HBR)
Location: Durham, North Carolina
Type of breach:
DISC
Type of organization:
MED
Records Breached:
0

Google accessed confidential information on the HBR website and made the information available on the internet. Socail Security numbers, names, phone numbers, dates of birth, addresses and diagnostic information were accessible through Google. Access to the information is now restricted to authorized users with secure identification and passwords. The information was available between August 2005 and January of 2006.

Information Source:
Dataloss DB
Date Made Public:
May 11, 2006
Company: Ohio University Hudson Health Center
Location: Athens, Ohio
Type of breach:
HACK
Type of organization:
MED
Records Breached:
70,000

Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students.

Information Source:
Dataloss DB
Date Made Public:
May 5, 2006
Company: Wells Fargo
Location: San Francisco, California
Type of breach:
STAT
Type of organization:
BSF
Records Breached:
0

A computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another.

Information Source:
Dataloss DB
Date Made Public:
May 5, 2006
Company: New York State Department of Taxation and Finance
Location: Albany, New York
Type of breach:
PORT
Type of organization:
GOV
Records Breached:
38

A sales tax field auditor reported a laptop missing. Contents of the laptop were unknown at the time of the report. The data exposed may have included sales tax audit reports and supporting documentation from closed sales tax audits on 38 businesses. Some of this information would include Social Security number, business and/or home address and bank account information.

Information Source:
Dataloss DB
Date Made Public:
May 4, 2006
Company: Idaho Power Company
Location: Boise, Idaho
Type of breach:
PORT
Type of organization:
BSO
Records Breached:
0

Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO.

Information Source:
Dataloss DB
Date Made Public:
May 2, 2006
Company: Ohio University Innovation Center
Location: Athens, Ohio
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
35

A server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised.

Information Source:
Dataloss DB
Date Made Public:
May 2, 2006
Company: Georgia State Government
Location: Atlanta, Georgia
Type of breach:
STAT
Type of organization:
GOV
Records Breached:
0

Government surplus computers that sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens.  The State stopped selling the computers after being notified by a buyer.  Thousands of patient records from a psychiatric hospital in Rome, Georgia were found on one computer's hard drive.

Information Source:
Dataloss DB
Date Made Public:
May 2, 2006
Company: Ohio University
Location: Athens, Ohio
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
30,000

Hackers accessed a computer system of the school's alumni relations department that included biographical information and 137,000 Social Security numbers of alum.

UPDATE (8/30/07) : An Ohio judge has granted a motion to dismiss a case against Ohio University (OU) regarding security breaches of the school's computer systems that compromised alumni data. The two alumni who filed the lawsuit wanted OU to pay for credit monitoring services for everyone whose data were compromised. The judge said the pair had not proven that they had suffered damages for which they could be compensated.

Information Source:
Dataloss DB
Date Made Public:
May 2, 2006
Company: Countrywide Home Loans
Location: Plano, Texas
Type of breach:
INSD
Type of organization:
BSF
Records Breached:
90

A former employee is suspected of ordering customer credit reports and providing some of those reports to a third party.

Information Source:
Dataloss DB
Date Made Public:
May 1, 2006
Company: CBCInnovis Bank Inc., Great Florida Bank
Location: Miami, Florida
Type of breach:
UNKN
Type of organization:
BSF
Records Breached:
518

CBCInnovis, Inc. learned that Great Florida Bank had consumer information accessed without proper authorization. The information may have included names, addresses, Social Security numbers, names of creditors, account numbers, payment histories and financial public records.

Information Source:
Dataloss DB
Date Made Public:
April 28, 2006
Company: Ohio Secretary of State
Location: Cleveland, Ohio
Type of breach:
DISC
Type of organization:
GOV
Records Breached:
0

The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained Social Security numbers, which were not supposed to have been included on the CDs.

UPDATE (9/15/06): A news report said that some Social Security numbers still remain on the agency's Web site.

Information Source:
Dataloss DB
Date Made Public:
April 28, 2006
Company: U.S. Department of Defense
Location: Washington, District Of Columbia
Type of breach:
HACK
Type of organization:
GOV
Records Breached:
14,000

A hacker accessed a Tricare Management Activity (TMA) public server containing personal information about military employees. TMA is used to provide health care services to military personnel and their families.

Information Source:
Dataloss DB
Date Made Public:
April 28, 2006
Company: Sears, Roebuck, Company Contractor Compliance
Location: Winter Park, Florida
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
196

A spreadsheet with the business or individual names, identification or Social Security numbers, business addresses and business phone numbers of Sears contractors was accidentally included in an email sent to 373 contractors on April 13. The contractors were instructed to delete the email on April 24 and were also required to send written confirmation that they had done so.

Information Source:
Dataloss DB
Date Made Public:
April 27, 2006
Company: Long Island Railrad via contractor Iron Mountain
Location: Jamaica, New York
Type of breach:
PORT
Type of organization:
GOV
Records Breached:
17,000

Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of virtually everyone who worked for or currently works for the agency were lost.  The lost occurred during delivery by contractor Iron Mountain. Data tapes belonging to the U.S. Department of Veteran's Affairs may also have been affected.

Information Source:
Dataloss DB
Date Made Public:
April 26, 2006
Company: Purdue University
Location: West Lafayette, Indiana
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
1,351

A hacker accessed personal information including Social Security numbers of current and former graduate students, applicants to graduate school, and a small number of applicants for undergraduate scholarships.  The information compromised goes back three years prior to the incident.  Those who were affected were contacted.

Information Source:
Dataloss DB
Date Made Public:
April 26, 2006
Company: Aetna, Omni Hotels and the Department of Defense NAF
Location: Hartford, Connecticut
Type of breach:
PORT
Type of organization:
MED
Records Breached:
38,253

A laptop containing personal information including names, addresses and Social Security numbers of Department of Defense (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car.  Members were notified and Aetna offered to pay for the credit monitoring services of those who were affected.

Information Source:
Dataloss DB
CSV