Personal information of current and former University of Kentucky employees including Social Security numbers was inadvertently accessible online for 19 days in May.
Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.
UPDATE (6/16/06):TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million.
Hacker accessed a database that contained personal information on thousands of individuals, such as student and applicant names and Social Security numbers.
The University was informed that a file containing sensitive information remained in the Google cache and could be accessed by those with technological expertise. The file was first indexed in October of 2005. The file was deleted form the server, but it remained in the Google files cache. The file included names, addresses, Social Security numbers, and dates of birth of some current and former employees and their dependents.
On May 26, an examiner's laptop was stolen from a car. The laptop contained the personal data of bank customers.
Hacker gained access to member accounts a and stole personal information including names, addresses, birth dates, mother's maiden names, Social Security numbers and/or email addresses. Less than 10% of VyStar's 344,000 members were affected.
Security Saving's website host Goldleaf Technologies informed the bank that their website was down. The website had been phished for two hours. Thirteen customers visited the fraudulent website during that time. Passwords, user IDs, account numbers and card numbers could have fallen into the wrong hands.
It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached. The University did not immediately release information on who the breach affected.
An agency laptop computer was stolen from an employee's car. Names and Social Security numbers were on the laptop.
A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information - including customers' names, addressess, Social Security numbers, loan numbers, and loan types - if the company didn't pay him. He stole the files over the 16 months he worked there.
In April, three laptop computers were stolen from the agency's office. They contained personal information on mental health clients, including Social Security numbers. Those affected were contacted in May.
A security breach of a Department of Public Safety computer server potentially exposed names, Social Security numbers and driver's license numbers. Individuals whose personal information was compromised were contacted.
Two company laptops were stolen in California in March and one company laptop was stolen in Kentucky in April. One incident exposed some customer names and Social Security numbers that were listed along with their claims. The other incident exposed names and Social Security numbers for employees of some of Liberty's commercial insureds.
On May 3, data of all American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. The data did not contain medical or financial information, but may have disability numerical rankings.
UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered.
UPDATE (7/14/06): FBI claims no data had been taken from stolen computer.
UPDATE(8/5/06): Two teens were arrested in the theft of the laptop.
UPDATE (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for patterns of misuse.
UPDATE (11/23/07): A federal judge questioned the Veterans Affairs Department's computer security and ruled Friday that lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. The lawsuits have been filed as potential class-action cases representing every veteran whose data was released.
UPDATE (1/23/09): The Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit.
UPDATE (6/16/09): No less than $75 will be paid for any valid claim, up to a cap of $1,500. If your expenses were higher than that, you might want to opt out of the class-action portion so you can file for your actual damages. In that case, you need to file a letter so it is received by June 29, 2009. You have until Nov. 27, 2009, to mail your claim form to VA Settlement Claims, P.O. Box 6727, Portland, OR 97228-9767. Be sure to keep a copy of the claim form, along with your proof of mailing. To download the claim form and to get more information, go to www.veteransclass.com. Read the FAQ and note the particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625.
UDPATE (10/19/12): An investigation into the VA revealed that encryption software has only been installed on 16% of VA computers since the 2006 breach. Six million dollars has been spent on encryption software since the 2006 breach. The investigation began after a 2011 anonymous tip.
A security problem may have exposed customer credit and check card information.
Hackers accessed the credit and debit card accounts of around 100 Frost Bank customers after they took Visa and MasterCard debit card information from the database of a national retailer. Banks across the nation were affected by the breach. Only 100 Frost Bank customers reported fraudulent charges.
A dishonest employee had access to Social Security numbers of donors. The database was used to call previous donors and urge them to give blood again. The employee misused the personal information of at least three people to perpetrate identity theft and had access to the personal information of one million donors.
A laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio Architect accounts was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name.
An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company. AICPA offered one year of free credit monitoring services to affected members.
During an investigation of a computer virus, it was discovered that computers within an office may have been accessed without authorization from within the campus network. Student, faculty and staff names and Social Security numbers were on archived spreadsheets. The spreadsheets contained the personal information of people who requested campus cards between 1998 and 2004.
GE Money Bank issues private label credit cards for Lowe's Companies Inc. A number of credit card applications were taken form a Lowe's store in Philadelphia by an unknown person. The information on the applications included names, Social Security numbers, dates of birth, addresses and Lowe's credit card account numbers. At least 11 consumers discovered fraudulent purchases at Lowe's stores.
A laptop containing confidential information about customers, including Social Security numbers and account numbers was stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates. The bank contacted affected customers and offered them one year of free credit monitoring services.
Four computers with the personal information of clients were stolen during an early April burglary. The information did not include credit files, but did have other forms of private customer data.
An employee's laptop computer was stolen during a burglary. The computer contained limited personal information of some current and former Merrill Lynch clients and prospects. The information included names, addresses, account and loan numbers, account and loan balances and the name of clients' financial advisors.
Google accessed confidential information on the HBR website and made the information available on the internet. Socail Security numbers, names, phone numbers, dates of birth, addresses and diagnostic information were accessible through Google. Access to the information is now restricted to authorized users with secure identification and passwords. The information was available between August 2005 and January of 2006.
Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students.
A computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another.
A sales tax field auditor reported a laptop missing. Contents of the laptop were unknown at the time of the report. The data exposed may have included sales tax audit reports and supporting documentation from closed sales tax audits on 38 businesses. Some of this information would include Social Security number, business and/or home address and bank account information.
Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO.
A server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised.
Government surplus computers that sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens. The State stopped selling the computers after being notified by a buyer. Thousands of patient records from a psychiatric hospital in Rome, Georgia were found on one computer's hard drive.
Hackers accessed a computer system of the school's alumni relations department that included biographical information and 137,000 Social Security numbers of alum.
UPDATE (8/30/07) : An Ohio judge has granted a motion to dismiss a case against Ohio University (OU) regarding security breaches of the school's computer systems that compromised alumni data. The two alumni who filed the lawsuit wanted OU to pay for credit monitoring services for everyone whose data were compromised. The judge said the pair had not proven that they had suffered damages for which they could be compensated.
A former employee is suspected of ordering customer credit reports and providing some of those reports to a third party.
CBCInnovis, Inc. learned that Great Florida Bank had consumer information accessed without proper authorization. The information may have included names, addresses, Social Security numbers, names of creditors, account numbers, payment histories and financial public records.
The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained Social Security numbers, which were not supposed to have been included on the CDs.
UPDATE (9/15/06): A news report said that some Social Security numbers still remain on the agency's Web site.
A hacker accessed a Tricare Management Activity (TMA) public server containing personal information about military employees. TMA is used to provide health care services to military personnel and their families.
A spreadsheet with the business or individual names, identification or Social Security numbers, business addresses and business phone numbers of Sears contractors was accidentally included in an email sent to 373 contractors on April 13. The contractors were instructed to delete the email on April 24 and were also required to send written confirmation that they had done so.
Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of virtually everyone who worked for or currently works for the agency were lost. The lost occurred during delivery by contractor Iron Mountain. Data tapes belonging to the U.S. Department of Veteran's Affairs may also have been affected.
A hacker accessed personal information including Social Security numbers of current and former graduate students, applicants to graduate school, and a small number of applicants for undergraduate scholarships. The information compromised goes back three years prior to the incident. Those who were affected were contacted.
A laptop containing personal information including names, addresses and Social Security numbers of Department of Defense (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car. Members were notified and Aetna offered to pay for the credit monitoring services of those who were affected.