| |
 |
|
ID Theft Incidents - 2006
National "Wall of Shame"
Commentary and Analysis of 2006 Breaches - 1/3 of the USA is at
Risk - James Childers
One in three Americans the potential victim of Identity Theft
in 2006. Privacy Rights Clearinghouse (http://www.privacyrights.org)
announced on December 20th, 2006 a conservative total of the
announced "breaches" in personal data security hit a record
100,214,930 individuals exposed to
identity theft through the illegal theft or exposure of their
private personal data.
US Population hits 301 Million People - That means that ONE
in THREE people in the USA has been exposed to potential
identity theft through the reckless disregard for the privacy of
their personal information. Most of these breaches involve
the careless storage and transport of
their personal data.
Most all of these breaches involve the transport of portable
unencrypted data being compromised through neglect, theft or
outright stupidity on the part of the stewards of the data.
Don't be a victim. Don't have to be the one that explains
to your boss, your clients or a judge that you did not take
proper measures to protect valuable data.
How do you Tell Your Boss or Worse Yet, Your Customers That
Their Data is Compromised or the Files were Stolen?
Imagine the Press That Your Company Could Generate When This
News Gets Out...
Secure Your Network. Secure Access and Secure Data with
VeriSoft and BioCert.
Multi-Factor Authentication Integrated with Microsoft Active
Directory.
ASG's ClipBio Pro
and iQBioDrive provide
encrypted fingerprint security for the safe storage and
transport of private data. Our unique line of PC
Peripherals and Client/Server security software allow system
administrators to encrypt and store data using multi-factor
authentication.
|
DATE MADE PUBLIC |
NAME & Location |
TYPE OF BREACH |
Privacy Requirement: |
NUMBER
OF RECORDS |
|
Jan. 1, 2006 |
University of Pittsburgh Medical Center, Squirrel Hill Family Medicine |
Portable Unencrypted
Data Breach
Six Stolen computers. Names, Social Security numbers, birthdates
|
HIPAA |
700 |
|
Jan. 2, 2006 |
H&R Block |
SSNs exposed in 40-digit number string on mailing label |
|
Unknown |
| Jan. 9, 2006
|
Atlantis Hotel - Kerzner Int'l
|
Dishonest insider or hacking. Names, addresses, credit card details, Social Security numbers, driver's
license numbers and/or bank account data. |
|
55,000 |
| Jan. 12, 2006
|
People's Bank
|
Portable Unencrypted
Data Breach
Lost computer tape containing names, addresses, Social Security numbers, and checking account numbers. |
|
90,000 |
| Jan. 17, 2006
|
City of San Diego, Water & Sewer Dept.
(San Diego, CA) |
Dishonest employee accessed customer account files, including SSNs, and committed identity theft on some individuals. |
|
Unknown |
| Jan. 20, 2006
|
Univ. Place Conference Center & Hotel, Indiana Univ.
|
Hacking. Reservation information including credit card account number compromised.
|
|
Unknown |
| Jan. 21, 2006
|
California Army National Guard
|
Stolen briefcase with personal information of National Guardsmen including a "seniority roster," Social Security numbers and dates of birth. |
|
"hundreds of officers"
|
| Jan. 23, 2006 |
Univ. of Notre Dame
|
Hackers accessed Social Security numbers, credit card information and check images of school donors.
|
|
Unknown |
| Jan. 24, 2006
|
Univ. of WA Medical Center
|
Portable Unencrypted
Data Breach
Stolen laptops containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data. |
HIPAA |
1,600 |
| Jan. 25, 2006
|
Providence Home Services
(Portland, OR) |
Portable Unencrypted
Data Breach
Stolen backup tapes and disks containing Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen. |
HIPAA |
365,000 |
| Jan. 27, 2006 |
State of RI web site (www.RI.gov) |
Hackers obtained credit card information in conjunction with names and addresses.
|
|
4,117 |
| Jan. 31, 2006
|
Boston Globe and The Worcester Telegram & Gazette
|
Inadvertently exposed. Credit and debit card information along with routing information for personal checks printed on recycled paper used in wrapping newspaper bundles for distribution. |
|
240,000 potentially exposed
|
| Feb. 1, 2006
|
Blue Cross and Blue Shield of North Carolina
|
Inadvertently exposed. SSNs of members printed on the mailing labels of envelopes with information about a new insurance plan. |
HIPAA |
600 |
| Feb. 4, 2006
|
FedEx |
Inadvertently exposed. W-2 forms included other workers' tax information such as SSNs and salaries.
|
|
8,500 |
| Feb. 9, 2006
|
Unknown retail merchants, apparently OfficeMax and perhaps others. |
Hacking. Debit card accounts exposed involving bank and credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo).
[3/13/06 Crime ring arrested.] |
|
200,000, although total number is unknown. |
| Feb. 9, 2006
|
Honeywell International
|
Exposed online. Personal information of current and former employees including Social Security numbers and bank account information posted on an Internet Web site. |
|
19,000 |
| Feb. 13, 2006
|
Ernst & Young
(UK) |
Portable Unencrypted
Data Breach
Laptop stolen from employee's car with customers' personal information including Social Security numbers.
|
|
38,000 BP employees in addition to Sun, Cisco and IBM employees.
|
| Feb. 15, 2006
|
Dept. of Agriculture
|
Inadvertently exposed Social Security and tax identification numbers in FOIA request.
|
|
350,000 |
| Feb. 15, 2006
|
Old Dominion Univ.
|
Exposed online. Instructor posted a class roster containing names and Social Security numbers to a web site. |
|
601 |
| Feb. 16, 2006
|
Blue Cross and Blue Shield of Florida
|
Contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies.
|
|
27,000 |
| Feb. 17, 2006
|
Calif. Dept. of Corrections, Pelican Bay
(Sacramento, CA) |
Inmates gained access to files containing employees' Social Security numbers, birth dates and pension account information stored in warehouse.
|
|
Unknown |
| Feb. 17, 2006
|
Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen)
(Lewiston, NY)
|
Portable Unencrypted
Data Breach
Two laptops containing date of birth, address and Social Security numbers of patients was stolen in an armed robbery in the New Jersey. |
HIPAA |
17,000 |
| Feb. 18, 2006 |
Univ. of Northern Iowa
|
Hacking. Laptop computer holding W-2 forms of student employees and faculty was illegally accessed.
|
|
6,000 |
| Feb. 23, 2006
|
Deloitte & Touche (McAfee employee information)
|
External auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former McAfee employees. |
|
9,290 |
| Mar. 1, 2006
|
Medco Health Solutions
(Columbus, OH) |
Portable Unencrypted
Data Breach
Stolen laptop containing Social Security numbers for State of Ohio employees and their dependents, as well as their birth dates and, in some cases, prescription drug histories. |
HIPAA |
4,600 |
| Mar. 1, 2006
|
OH Secretary of State's Office
|
SSNs, dates of birth, and other personal data of citizens routinely posted on a State web site as part of standard business practice. |
|
Unknown |
| Mar. 2, 2006
|
Olympic Funding
(Chicago, IL) |
Portable Unencrypted
Data Breach
3 hard drives containing clients names, Social Security numbers, addresses and phone numbers stolen during break in. |
|
Unknown |
| Mar. 2, 2006
|
Los Angeles Cty. Dept. of Social Services
(Los Angeles, CA) |
File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended and unshredded.
|
HIPAA |
[Potentially 2,000,000, but number unknown]
Not included in number below. |
| Mar. 2, 2006
|
Hamilton County Clerk of Courts
(OH) |
SSNs, other personal data of residents posted on county Web site, were stolen and used to commit identity theft.
|
|
[1,300,000]
Not included in number below. |
| Mar. 3, 2006
|
Metropolitan State College
(Denver, CO) |
Portable Unencrypted
Data Breach
Stolen laptop containing names and Social Security numbers of students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester. |
|
93,000 |
| Mar. 5, 2006
|
Georgetown Univ.
(Washington, D.C.) |
Hacking. Personal information including names, birthdates and Social Security numbers of District seniors served by the Office on Aging. |
|
41,000 |
| Mar. 8, 2006
|
Verizon Communications
(New York, NY) |
Portable Unencrypted
Data Breach
2 stolen laptops containing employees' personal information including Social Security numbers. |
|
"Significant number" |
| Mar. 8, 2006
|
iBill
(Deerfield Beach, FL) |
Dishonest insider or possibly malicious software linked to iBill used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, logins and passwords, credit card types and purchase amount online. Credit card account numbers, expiration dates, security codes, and SSNs were NOT included, but in our opinion the affected individuals could be vulnerable to social engineering to obtain such information. |
|
[17,781,462]
Not included in total below. |
| Mar. 11, 2006
|
CA Dept. of Consumer Affairs (DCA)
(Sacramento, CA) |
Mail theft. Applications of DCA licensees or prospective licensees for CA state boards and commissions were stolen. The forms include full or partial Social Security numbers, driver's license numbers, and potentially payment checks.
|
|
"A small number"
|
| Mar. 14, 2006
|
General Motors
(Detroit, MI) |
Dishonest insider keep Social Security numbers of co-workers to perpetrate identity theft.
|
|
100 |
Mar. 14
2006 |
Buffalo Bisons and Choice One Online
(Buffalo, NY) |
Hacker accessed sensitive financial information including credit card numbers names, passwords of customers who ordered items online.
|
|
Unknown |
Mar. 15,
2006 |
Ernst & Young
(UK) |
Portable Unencrypted
Data Breach
Laptop lost containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees exposed.
|
|
Unknown |
Mar. 16,
2006 |
Bananas.com
(San Rafael, CA) |
Hacker accessed names, addresses, phone numbers and credit card numbers of customers.
|
|
274 |
Mar. 23,
2006 |
Fidelity Investments
(Boston, MA) |
Portable Unencrypted
Data Breach
Stolen laptop containing names, addresses, birth dates, Social Security numbers and other information of 196,000 Hewlett Packard, Compaq and DEC retirement account customers was stolen. |
|
196,000 |
Mar. 24,
2006 |
CA State Employment Development Division
(Sacramento, CA)
|
Computer glitch sends state Employment Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft. |
|
64,000 |
Mar. 24,
2006 |
Vermont State Colleges (VT)
|
Portable Unencrypted
Data Breach
Laptop stolen containing Social Security numbers and payroll data of students, faculty and staff associated with the five-college system from as long ago as 2000.
|
|
14,000 |
Mar. 30,
2006 |
Marines
(Monterey, CA) |
Portable Unencrypted
Data Breach
Portable drive lost that contains personal information used for research on re-enlistment bonuses.
|
|
207,750 |
Mar. 30,
2006 |
Georgia Technology Authority
(Atlanta, GA) |
Hacker exploited security flaw to gain access to confidential information including Social Security numbers and bank-account details of state pensioners.
|
|
573,000 |
Mar. 30,
2006 |
Conn. Technical High School System
(Middletown, CT) |
Social Security numbers of students and faculty mistakenly distributed via email.
|
|
1,250 |
| April 1, 2006
|
Con Edison
(New York) |
Portable Unencrypted
Data Breach
Con Edison shipped 2 cartridge tapes to JPMorgan Chase in upstate Binghamton so it could input data on behalf of the NY Dept. of Taxation and Finance. One tape was apparently lost containing employees' W-2 data, including names, addresses, SSNs, taxes paid and salaries.
|
|
15,000 Con Edison employees
|
April 6,
2006 |
Progressive Casualty Insurance
(Mayfield Village, OH) |
Dishonest insider accessed confidential information, including names, Social Security numbers, birth dates and property addresses on foreclosure properties she was interested in buying. |
|
13 |
April 7,
2006 |
DiscountDomain
Registry.com
(Brooklyn, NY) |
Exposed online. Domain registrants' personal information including usernames, passwords and credit card numbers were accessible online.
|
|
"thousands of domain name registrations" |
April 9,
2006 |
University of Medicine and Dentistry of New Jersey
(Newark, NJ) |
Hackers accessed Social Security numbers, loan information, and other confidential financial information of students and alumni. |
HIPAA |
1,850 |
April 12,
2006 |
Ross-Simons
(Providence, RI) |
Security breach exposed account and personal information of those who applied for its private label credit card. Information exposed includes private label credit card numbers and other personal information of applicants.
|
|
Unknown |
April 14,
2006 |
Univ. of South Carolina
(Columbia, SC) |
Social Security numbers of students were mistakenly e-mailed to classmates. |
|
1,400 |
| April 15, 2006
|
Scott County, IA
|
The Social Security numbers of people who obtained mortgages in the early 1990s are visible in documents posted on the county's website. The county will redact the information at the individuals' request. |
|
Unknown |
| April 21, 2006 |
University of Alaska, Fairbanks
(Fairbanks, AK) |
A hacker accessed names, Social Security numbers, and partial e-mail addresses of current and former students, faculty, and staff.
|
|
38,941 |
| April 21, 2006
|
Boeing
(Seattle, WA) |
Portable Unencrypted
Data Breach
A laptop was taken from a Boeing
human resources employee at SeaTac airport. It contained SSNs and other personal information, including personnel information from the 2000 acquisition of Hughes Space and Communications. .
|
|
3,600 current and former employees |
April 21,
2006 |
Ohio University
Innovation Center
(Athens, OH) |
a server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised.
|
|
Unknown |
April 24,
2006 |
University of Texas' McCombs School of Business
(Austin, TX)
|
Hackers accessed records containing names, biographical information and, in some cases, Social Security numbers and dates of birth of current and prospective students, alumni, faculty members, corporate recruiters and staff members.
|
|
197,000 |
April 24,
2006 |
Ohio University
(Athens, OH) |
Hackers accessed a computer system of the school's alumni relations department that included biographical information and 137,000 Social Security numbers of alum.
|
|
300,000 |
April 26,
2006 |
Purdue University
(West Lafayette, IN) |
Hacker accessed personal information including Social Security numbers of current and former graduate students, applicants to graduate school, and a small number of applicants for undergraduate scholarships. |
|
1,351 |
April 26,
2006 |
Aetna -- health insurance records for employees of 2 members, including Omni Hotels and the Dept. of Defense NAF
(Hartford, CT) |
Portable Unencrypted
Data Breach
Laptop containing personal information including names, addresses and Social Security numbers of Dept. of Defense (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car.
|
HIPAA |
38,000 |
April 27,
2006 |
MasterCard
(Potentially UK only) |
Though MasterCard refused to say how the breach occurred, fraudsters stole the credit card details of holders in a major security breach. |
|
[2,000]
Not included in total below. |
April 27,
2006 |
Long Island Rail
Road
(Jamaica, NY) |
Portable Unencrypted
Data Breach
Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of "virtually everyone" who worked for the agency was lost by delivery contractor Iron Mountain while enroute. Data tapes belonging to the U.S. Department of Veterans Affairs may also have been affected.
|
|
17,000 |
April 28,
2006 |
Ohio's Secretary of State
(Cleveland, OH)
|
The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained SSNs, which were not supposed to have been included on the CDs. |
|
"Potentially millions of registered voters"
|
April 28,
2006 |
Dept. of Defense
(Washington, DC) |
Hacker accessed a Tricare
Management Activity (TMA) public server containing personal information about military employees. |
HIPAA |
Unknown |
May 2,
2006 |
Georgia State Government
(Atlanta, GA) |
Portable Unencrypted
Data Breach
Government surplus computers that sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens. |
|
Unknown |
May 4,
2006 |
Idaho Power Co.
(Boise, ID) |
Portable Unencrypted
Data Breach
Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO. |
|
Unknown |
May 4,
2006 |
Ohio University
Hudson Health Center
(Athens, OH) |
Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students. |
HIPAA |
60,000 |
|
May 2006 |
Ohio University
(Athens, OH) |
A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar years 2004 and 2005.
|
|
2,480 |
|
May 2006 |
Ohio University
(Athens, OH) |
A breach of a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration.
|
|
Unknown |
May 5,
2006 |
Dept. of Veteran Affairs
(Washington, D.C.) |
Portable Unencrypted
Data Breach
A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S. veterans and included veterans' Social Security numbers, dates of birth and legal documents. |
HIPAA |
16,500 |
May 5,
2006 |
Wells Fargo
(San Francisco, CA) |
Portable Unencrypted
Data Breach
Computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another. |
|
Unknown |
May 12,
2006 |
Mercantile Potomac Bank
(Gaithersburg, MD) |
Portable Unencrypted
Data Breach
Laptop containing confidential information about customers, including Social Security numbers and account numbers was stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates. |
|
48,000 |
May 19,
2006 |
American Institute of Certified Public Accountants (AICPA)
(New York, NY) |
Portable Unencrypted
Data Breach
An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company.
|
|
330,000
[Updated 6/16/06] |
May 19,
2006 |
Unknown retail merchant |
Visa, MasterCard, and other debit and credit card numbers from banks across the country were stolen when a national retailer's database was breached. No names, Social Security numbers or other personal identification were taken. |
|
Unknown |
May 22,
2006 |
Dept. of Veterans Affairs
(Washington, DC)
(800) 827-1000 |
Portable Unencrypted
Data Breach
On May 3, data of all Currently Serving Personnel and Discharged American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5
million veterans. The data included individually identifiable
medical information |
HIPAA |
28,600,000 |
May 23,
2006 |
Univ. of Delaware
(Newark, DE) |
Security breach of a Department of Public Safety computer server
potentially exposes names, Social Security numbers and driver's license numbers. |
|
1,076 |
May 23,
2006 |
M&T Bank
(Buffalo, NY) |
Portable Unencrypted
Data Breach
Laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio Architect accounts was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name. |
|
Unknown |
|
May 23, 2006 |
Butler Co. Dept. of Mental Retardation & Developmental Disabilities
(Cincinatti, OH) |
Portable Unencrypted
Data Breach
Three laptop computers were stolen "last month" from the agency's office. They contained personal information on mental health clients, including SSNs.
|
|
100 clients |
|
May 23, 2006 |
Mortgage Lenders Network USA
(Middletown, CT) |
A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information if the company didn't pay him. He stole the files over the 16 months he worked there.
|
|
Unknown |
May 24,
2006 |
Sacred Heart Univ.
(Fairfield, CT) |
Portable Unencrypted
Data Breach
It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached. |
HIPAA |
Unknown |
May 24,
2006 |
American Red Cross, St. Louis Chapter
(St. Louis, |
Dishonest employee had access to Social Security numbers of donors to call urging them to give blood again. The employee misused the
personal information of at least 3 people to perpetrate identity theft and had access to the personal information of 1 million donors.
|
|
1,000,000 |
|
May 25, 2006 |
Vystar Credit Union
(Jacksonville, FL) |
Hacker gained access to member accounts "a few weeks ago" and stole personal information including names, addresses, birth dates, mother's maiden names, SSNs and/or email addresses.
|
|
Approx. 34,400
("less than 10% of its 344,000 members") |
May 30,
2006 |
Texas Guaranteed Student Loan Corp.
(Round Rock, TX)
via subcontractor, Hummingbird
(Toronto, Canada) |
Portable Unencrypted
Data Breach
Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.
Update (6/16/06): TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million.
|
|
1,300,000
plus 400,000
for total of 1,700,000 |
May 30,
2006 |
Florida Int'l Univ.
(Miami, FL) |
Hacker accessed a database that contained personal information, such as student and applicant names and Social Security numbers. |
|
"thousands" |
|
May 31, 2006 |
Humana
(Louisville, KY) |
On May 5, 2006, Medicare drug benefit applications were stolen from an insurance agent's unlocked car in Brooklyn Park, MN. Information included applicants' name, address, date of birth, Social Security number, and bank routing information. |
HIPAA |
268 Minnesota and North Dakota applicants
|
June 1,
2006 |
Miami University
(Oxford, OH) |
Portable Unencrypted
Data Breach
An employee lost a hand-held personal computer containing personal information of students who were enrolled between July 2001 and May 2006. |
|
851 |
June 1,
2006 |
Ernst & Young
(UK) |
Portable Unencrypted
Data Breach
A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an employee's car in Texas. |
|
243,000 |
June 1,
2006 |
Univ. of Kentucky
(Lexington, KY) |
Personal information of current and former University of Kentucky employees including Social Security numbers was inadvertently accessible online for 19 days last month.
|
|
1,300 |
June 2,
2006 |
Buckeye Community Health Plan
(Columbus, OH) |
Portable Unencrypted
Data Breach
Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider. |
|
72,000 |
June 2,
2006 |
Ahold USA
(Landover, MD)
Parent company of Stop & Shop, Giant stores and Tops stores via subcontractor Electronic Data Systems
(Plano, TX)
|
An EDS employee lost a laptop computer during a commercial flight that contained pension data of former employees of Ahold's supermarket chains including Social Security numbers, birth dates and benefit amounts. |
|
Unknown |
June 2,
2006 |
YMCA
(Providence, RI) |
Portable Unencrypted
Data Breach
Laptop computer containing personal information of members was stolen. The information included credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies. |
|
65,000 |
June 2,
2006
|
Humana
(Louisville, KY) |
Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file. |
HIPAA |
17,000 current and former Medicare enrollees
|
June 5,
2006 |
Internal Revenue Service
(Washington, DC) |
Portable Unencrypted
Data Breach
A laptop computer containing personal information of employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth, was lost during transit on an airline flight
|
|
291 |
June 6,
2006 |
Univ. of Texas
(El Paso, TX) |
Students demonstrated that student body and faculty elections could be rigged by hacking into student information including Social Security numbers.
|
|
4,719 |
June 8,
2006 |
Univ. of Michigan Credit Union
(Ann Arbor, MI)
|
Paper documents containing personal information of credit union members were stolen from a storage rooms. The documents were supposed to have been digitally imaged and then shredded. Instead, they were stolen and used to perpetrate identity theft. |
|
5,000 |
June 11,
2006 |
Denver Election Commission
(Denver, CO) |
Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information. |
|
150,000 |
June 12,
2006 |
U.S. Dept. of Energy
(Washington, D.C.) |
Names, Social Security numbers, security clearance levels and place of employment for mostly contract employees who worked for National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer system at a service center in Albuquerque, N.M. eight months ago.
|
|
1,502 |
June 13,
2006 |
Minn. State Auditor
(St. Paul, MN) |
Portable Unencrypted
Data Breach
Three laptops possibly containing Social Security numbers of employees and recipients of housing and welfare benefits along with other personal information of local governments the auditor oversees have gone missing. |
|
493 |
June 13,
2006 |
Oregon Dept. of Revenue
(Salem, OR) |
Electronic files containing personal data of Oregon taxpayers may have been compromised by an ex-employee's downloaded a contaminated file from a porn site. The "Trojan" attached to the file may have sent taxpayer information back to the source when the computer was turned on.
|
|
2,200 |
June 13,
2006 |
U.S. Dept of Energy, Hanford Nucear Reservation
(Richland, WA) |
Current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.
|
|
4,000 |
June 14,
2006 |
American Insurance Group (AIG), Indiana Office of Medical Excess, LLC
(New York, NY) |
Portable Unencrypted
Data Breach
The computer server was stolen on March 31 containing personal information including names, Social Security numbers, birth dates, and some medical and disability information.
|
|
930,000 |
June 14,
2006 |
Western Illinios Univ.
(Macomb, IL) |
On June 5th, a hacker compromised a University server that contained names, addresses, credit card numbers and Social Security numbers of people connected to the University.
|
|
180,000 |
June 16,
2006 |
Union Pacific
(Omaha, NE) |
Portable Unencrypted
Data Breach
On April 29th, an employee's laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers.
|
|
30,000 |
June 16,
2006 |
NY State Controller's Office
(Albany, NY) |
State controller data cartridge containing payroll data of employees who work for a variety of state agencies was lost during shipment. The data contained names, salaries, Social Security numbers and home addresses. |
|
1,300 |
June 16,
2006 |
ING
(Miami, FL)
|
Portable Unencrypted
Data Breach
Two ING laptops that carried sensitive data affecting of Jackson Health System hospital workers were stolen in December 2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life insurance enrollment drive in December and included names, birth dates and Social Security numbers.
|
HIPAA |
8,500 |
June 16,
2006 |
Univ. of Kentucky
(Lexington, KY) |
The personal data of current and former students including classroom rosters names, grades and Social Security numbers was reported stolen on May 26 following the theft of a professor's flash drive..
|
|
6,500 |
June 17,
2006 |
ING
(Washington, D.C.) |
Laptop stolen from employee's home containing retirement plan information including Social Security numbers of D.C. city employees. |
|
13,000 |
June 17,
2006 |
Automatic Data Processing (ADP)
(Roseland, NJ) |
Personal and payroll information of workers were intended to be faxed between ADP offices and were mistakenly sent to a third party. |
|
80 |
June 17,
2006 |
CA Dept. of Health Services (CDHS)
(Sacramento, CA) |
CDHS documents were inappropriately emptied from an employee's cubicle on June 5 and 9 rather than shredded.
The documents contained state employees and other individuals applying for employment with the state including names, addresses, Social Security numbers and home and work telephone numbers. They were mostly expired state employment certification lists, but also included requests for personnel action, copies of e-mail messages and handwritten notes.
|
HIPAA |
1,550 |
June 20,
2006 |
Equifax
(Atlanta, GA) |
Portable Unencrypted
Data Breach
On May 29, a company laptop containing employee names and partial and full Social Security numbers was stolen from an employee. |
|
2,500 |
June 20,
2006 |
Univ. of Alabama
(Birmingham, AL) |
Portable Unencrypted
Data Breach
In February a computer was stolen from a locked office of the kidney transplant program at the University of Alabama at Birmingham that contained confidential information of donors, organ recipients and potential recipients including names, Social Security numbers and medical information.
|
HIPAA |
9,800 |
June 21,
2006 |
U.S. Dept. of Agriculture (USDA)
(Washington, D.C.) |
During the first week in June, a hacker broke into the Department's computer system and may have obtained names, Social Security numbers and photos of current and former employees and contractors. |
|
26,000 |
| June 21, 2006
|
Cape Fear Valley Health System
(Fayetteville, NC) |
Portable Unencrypted
Data Breach
Portable computer containing personal information of more than 24,000 people was stolen from ambulance of Cumberland Co. Emergency Medical Services on June 8th. It contained information on people treated by the EMS, including names, addresses, and birthdates, plus SSNs of 84% of those listed. |
HIPAA |
24,350 |
June 21, 2006
(Date of letter sent to doctors. Date of news story is July 28, 2006) |
Lancaster General Hospital
(Lancaster, PA) |
A desktop computer with personal information of hundreds of doctors was stolen from a locked office June 10. The unencrypted data included names, practice addresses, and SSNS of physicians on medical and dental staff.
|
HIPAA |
"Hundreds of local physicians" (not included in total below)
|
June 22,
2006 |
Federal Trade Commission (FTC)
(Washington, D.C.) |
Portable Unencrypted
Data Breach
Two laptop computers containing personal and financial data were stolen from an employee's vehicle. The data included names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers gathered in law enforcement investigations. |
|
110 |
June 23,
2006 |
San Francisco State Univ.
(San Francisco, CA) |
Portable Unencrypted
Data Breach
a faculty member's laptop was stolen from a car on June 1 that contained personal information of former and current students including Social Security numbers, and names and ins some instance, phone numbers and grade point averages. |
|
3,000 |
June 23,
2006 |
U.S. Navy
(Washington, D.C.) |
Navy personnel were notified on June 22 that a civilian web site contained files with personal information of Navy members and dependents including names, birth dates and Social Security numbers.
|
|
30,000 |
June 23,
2006 |
CA Dept. of Health Services (CDHS)
(Sacramento, CA) |
On June 12, a box of Medi-Cal forms from December 2005 were found in the cubicle of a CDHS employee. The claim forms contained the names, addresses, Social Security numbers and prescriptions for beneficiaries or their family members.
|
HIPAA |
323 |
June 23,
2006 |
Catawba County Schools
(Newton, NC) |
On June 22, it was discovered that a web site posted names, Social Security numbers, and test scores of students who had taken a keyboarding and computer applications placement test during the 2001-02 school year.
Update: The web site containing the data has been removed.
|
|
619 |
June 23,
2006 |
King County Records, Elections, and Licensing Services Division
(Seattle, WA) |
Social Security numbers for potentially thousands of current and former county residents may be exposed on the agency's web site. Residents can request that the image of any document that contains a Social Security number, Mother's Maiden Name or Drivers License be removed. Officials state that they are unable to alter original public documents and cannot choose to not record documents presented for recording.
|
|
Unknown |
June 27,
2006 |
Gov't Accountability Office (GAO)
(Washington, D.C.)
|
Data from audit reports on Defense Department travel vouchers from the 1970s were inadvertently posted online and included some service members' names, Social Security numbers and addresses. The agency has subsequently removed the information. |
|
"Fewer than 1,000"
[1,000 used in total] |
June 28,
2006 |
AAAAA Rent-A-Space
(Colma, CA) |
Customer's account information including name, address, credit card, and Social Security number was easily accessible due to a security gap in its online payment system.
|
|
13,000 |
June 29,
2006 |
AllState Insurance
Huntsville branch
(Huntsville, AL) |
Portable Unencrypted
Data Breach
Over Memorial Day weekend, a computer containing personal data including images of insurance policies, correspondence and Social Security numbers was stolen. |
|
2,700 |
June 29,
2006 |
Nebraska Treasurer's Office
(Lincoln, NE) |
A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information such as tax identification numbers for 9,000 businesses.
|
|
309,000 |
| June 29, 2006
|
Minnesota Dept. of Revenue
(St. Paul, MN) |
Portable Unencrypted
Data Breach
On May 16, a package containing a data tape used to back up the regional office's computers went missing during delivery. The tape contained personal information including individuals' names, addresses, and Social Security numbers. |
|
50,400 |
| June 30, 2006
|
Nat'l Institutes of Health Federal Credit Union
(Rockville, MD) |
NIHFCU is investigating with law enforcement the identity theft of some of its 41,000 members. No details given on type of information stolen, or how it was stolen.
|
|
"Very few" of 41,000 members affected
[not included in total] |
| July 1, 2006
|
American Red Cross, Farmers Branch
(Dallas, TX) |
Portable Unencrypted
Data Breach
Sometime in May, 3 laptops were stolen, one of them containing encrypted personal information including names, SSNs, dates of birth, and medical information of all regional donors. They also report losing a laptop with encrypted donor information in June 2005. |
HIPAA |
Unknown |
| July 5, 2006
|
Bisys Group Inc.
(Roseland, NJ) |
Personal details about 61,000 hedge fund investors were lost when an employee's truck carrying backup tapes was stolen. The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8 when the theft occurred. |
|
61,000 |
| July 6, 2006
|
Automated Data Processing (ADP)
(Roseland, NJ) |
Payroll service company ADP gave scam-artist names, addresses, and number of shares held of investors, although apparently not SSNs or account numbers. The leak occurred from Nov. '05 to Feb. '06 and involved individual investors with 60 companies including Fidelity, UBS, Morgan Stanley , Bear Stearns, Citigroup, Merrill Lynch.
|
|
"Hundreds of thousands"
[not included in total] |
| July 7, 2006
|
University of Tennessee
(866) 748-1680
|
Hacker broke into UT computer containing names, addresses and SSNs of about 36,000 past and current employees. Intruder apparently used computer from Aug. '05 to May '06 to store and transmit movies.
|
|
36,000 |
| July 7, 2006
|
Nat'l Association of Securities Dealers (NASD)
(Boca Raton, FL)
|
Portable Unencrypted
Data Breach
Ten laptops were stolen on Feb. 25 '06 from NASD investigators. They included SSNs of securities dealers who were the subject of investigations involving possible misconduct. Inactive account numbers of about 1,000 consumers were also contained on laptops.
|
|
73 |
| July 7, 2006
|
Naval Safety Center
|
SSNs and other personal information of naval and Marine Corps aviators and air crew, both active and reserve, were exposed on Center web site and on 1,100 computer discs mailed to naval commands.
|
HIPAA |
"more than 100,000" |
| July 7, 2006
|
Montana Public Health and Human Services Dept.
(Helena, MT)
|
Portable Unencrypted
Data Breach
A state government computer was stolen from the office of a drug dependency program. during a 4th of July break-in. It was not known if sensitive information such as SSNs was compromised.
|
HIPAA |
Unknown |
| July 7, 2006
|
City of Hattiesburg
(Hattiesburg, MS) |
Portable Unencrypted
Data Breach
Video surveillance cameras caught 2 intruders stealing hard drives from 18 computers June 23. Data files contained names, addresses, and SSNs of current and former city employees and registered voters as well as bank account information for employees paid through direct deposit and water system customers who paid bills electronically.
|
|
"thousands of city workers and contractors"
|
| July 13, 2006
|
| |
View
Cart
