2007-detail

Compromises in 2007 affecting 10,000 or more

Compromises in 2007 affecting less than 10,000
Compromises in 2007 affecting an unknown, or undisclosed number

01/01/2007 Wisconsin Department of Revenue via Ripon Printers

State Government in Madison, Wisconsin
171,000 non-financial accounts compromised
 
Tax forms were mailed to taxpayers with SSNs inadvertently printed on the front of some Form 1 booklets. Some were retrieved before they were mailed. (608) 224-5163

http://privacy.wi.gov/alerts/jan0107.jsp

01/09/2007 Mercer Health and Benefits

a Financial or Insurance Services firm in ,
10,500 non-financial accounts compromised
 
A laptop computer was stolen from a vehicle.

01/09/2007 Towers Perrin

a Financial or Insurance Services firm in New York, New York
300,000 non-financial accounts compromised
 
Five laptops were stolen from Towers Perrin, allegedly by a former employee. The theft occurred Nov. 27, 2006. The computers contain names, SSNs, and other pension-related information, presumably of several companies, although news reports are not clear. Companies named include Altria (unknown number, possibly 18,000 employees) and Philip Morris (6,300 employees).

UPDATE (1/11/2007): NY police arrested a junior-level administrative employee of the company in the theft of the laptops.

UPDATE (2/6/2009): It now appears that 300,000 people were affected. Additional companies include Citigroup, Time Warner, United Technologies, Prudential Financial, Random House, Stanley Inc., Bertelsmann Services Inc., Lloyd’s Register Group, AGL Resources Inc., Salvage Association, The Nielsen Company, Major League Baseball, Unilever, Harlequin Holdings, Celanese Americas Corporation, The Interpublic Group, Dover Corporation, Continuum Health Partners, Maersk Inc./P&O Nedlloyd, Roman Catholic Diocese of Brooklyn, Cambrex Corporation, Strategic Industries, Shorewood, Swiss International Air Lines, LTD, Alpharma Inc. Around 18,000 past and present employees, presumably of Altria, and 6,300 employees of Philip Morris were affected.

01/11/2007 University of Idaho

an educational institution in Moscow, Idaho
70,000 non-financial accounts compromised
 
Over Thanksgiving weekend, 3 desktop computers were stolen from the Advancement Services office containing personal information of alumni, donors, employees, and students. 331,000 individuals may have been exposed, with as many as 70,000 records containing SSNs, names and addresses. (866) 351-1860

01/12/2007 MoneyGram International

a Financial or Insurance Services firm in Minneapolis, Minnesota
79,000 financial accounts compromised
 
MoneyGram, a payment service provider, reported that a company server was unlawfully accessed over the Internet last month. It contained information on about 79,000 bill payment customers, including names, addresses, phone numbers, and in some cases, bank account numbers.

01/13/2007 North Carolina Department of Revenue

Government or Military in Raleigh, North Carolina
30,000 non-financial accounts compromised
 
A laptop computer containing taxpayer data was stolen from the car of a NC Dept. of Revenue employee in mid-December. The files included names, SSNs or federal employer ID numbers, and tax debt owed to the state.

01/17/2007 TJ stores (TJX)

a retail business in Framingham, Massachusetts
100,000,000 financial accounts compromised
 
A monumental breach.

01/18/2007 Private Medical Practice

a healthcare provider or servicer in Cheektowaga, New York
10,600 non-financial accounts compromised
 
The December 15 office burglary of three computers may have exposed patient information. Names, Social Security numbers, addresses, dates of birth, phone numbers, insurance companies and insurance ID numbers were on the computers.

01/22/2007 Chicago Board of Election

City Government of Chicago, Illinois
1,300,000 non-financial accounts compromised
 
About 100 computer discs (CDs) with 1.3 million Chicago voters’ SSNs were mistakenly distributed to aldermen and ward committeemen. The CDs also contain birth dates and addresses.

01/25/2007 Wahiawa Women, Infants and Children program (WIC)

of Honolulu, Hawaii
11,500 non-financial accounts compromised
 
A WIC employee apparently stole the personal information of agency clients, including SSNs, and committed identity theft on at least 3 families and perhaps two more. The Health Director said the agency will no longer use SSNs in its database. (808) 586-8080

http://www.hawaii.gov/dcca/quicklinks/id_theft_info

01/26/2007 WellPoint’s Anthem Blue Cross Blue Shield

a healthcare provider or servicer in Richmond, Virginia
50,000 non-financial accounts compromised
 
Cassette tapes containing customer information were stolen from a lock box held by one of its vendors. Data included names and SSNs. (800) 284-9779

01/29/2007 Vermont Agency of Human Services

State Government in Waterbury, Vermont
70,000 financial accounts compromised
 
A state computer that contained the names, Social Security numbers and bank account information was hacked into. Some of the information came from noncustodial parents who owed back child support while most of the people affected were customers of New England Federal Credit Union with no history of owing child support. The information is from 2004 and 2005 credit union members. Customers of New England Federal Credit Union, Central Vermont Public Service Employees Credit Union, First Brandon National Bank, Federal Family Credit Union, Granite Hills Credit Union, Merchants Bank, Northfield Savings Bank, Opportunities Credit Union and the Vermont State Employees Credit Union were affected.

02/02/2007 U.S. Department of Veterans Affairs, VA Medical Center

Federal Government/Military/Healthcare provider in Birmingham, Alabama
583,000 non-financial accounts compromised
 
An employee reported a portable hard drive stolen or missing that might contain personal information about veterans including Social Security numbers. (877) 894-2600

http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1294

 
UPDATE (2/10/2007): VA increases number of affected veterans to 535,000, included in the total below.

UPDATE (2/12/2007): VA reported that billing information for 1.3 million doctors was also exposed, including names and Medicare billing codes, not included in the total below.

UPDATE (3/19/2007): The VA’s Security Operations Center has referred 250 incidents since July 2006 to its inspector general, which has led to 46 separate investigations.

UPDATE (6/18/2007): The breach potentially exposes the identities of nearly a million physicians and VA patients.

02/06/2007 Merchant America

a retail business in Camarillo, California
130,000 financial accounts compromised
 
A hacker gained access to a customer database. Customers who made transactions with merchants that Merchant America provides payment processing services to may have had their names, bank account numbers and driver’s license numbers exposed.

02/07/2007 Johns Hopkins University and Johns Hopkins Hospital

a healthcare provider or servicer in Baltimore, Maryland
135,000 non-financial accounts compromised
 
Johns Hopkins reported the disappearance of 9 backup computer tapes containing personal information of employees and patients. Eight of the tapes contained payroll information on 52,000 past and present employees, including SSNs and in some cases bank account numbers. The 9th tape contained less sensitive information about 83,000 hospital patients.

02/08/2007 District Council 37 Health and Security Plan of New York City

City Government of New York, New York
31,500 non-financial accounts compromised
 
A CD containing prescription drug data was discovered missing from the organization’s files. People who had their prescription drugs filled through DC 37’s prescription drug benefits plan may have had their names and Social Security numbers exposed. Prescription information from between February 13 and February 22 of 2006 (the previous year) was also exposed.

02/08/2007 St. Mary’s Hospital

a healthcare provider in Leonardtown, Maryland
130,000 non-financial accounts compromised
 
A laptop was stolen in December that contained names, SSNs, and birthdates for many of the Hospital’s patients.

02/09/2007 East Carolina University

an educational institution in Greenville, North Carolina
65,000 financial accounts compromised
 
A programming error exposed personal information of 65,000 individuals on the university web site. Included were names, addresses, SSNs, and in some cases credit card numbers. 877-328-6660

http://www.ecu.edu/incident/

02/10/2007 State of Indiana Official Website www.IN.gov

State Government in Indianapolis, Indiana
76,600 financial accounts compromised
 
A hacker gained access to the State Web site and obtained credit card numbers of individuals who had used the site’s online services and gained access to Social Security numbers for 71,000 healthcare workers and 5,600 individuals and businesses. 877-328-6660 888-438-8397

www.ccsf.edu/securityalert

02/17/2007 Albany Medical Center

a healthcare provider or servicer in Albany, New York
12,000 non-financial accounts compromised
 
A laptop was stolen from the Employee Health Services center. It contained software used to track information required for N95 fit testing at Albany Med. Staff names and Social Security numbers were also exposed. Anyone who had N95 fit testing at Albany Med between January 2005 and February 2007 may have had their personal information exposed.

02/22/2007 Speedmark

a business other than retail in Woodlands, Texas
35,000 non-financial accounts compromised
 
Thieves stole several computers, one of which contained a database with personally identifying information including names, addresses, e-mail accounts, and Social Security numbers of Speedmark’s mystery shopper employees and contractors.

02/23/2007 ADC Telecommunications Inc., Flex Compensation

a retail business in St. Louis Park, Minnesota
63,400 non-financial accounts compromised
 
A laptop was stolen from ADC’s benefits administrator. Current and former employee names, Social Security numbers, bank account numbers, dates of birth, addresses and other private information were on the laptop. It is not clear if employees from other companies that use Flex Compensation for benefits administration are among the 63,400 affected individuals.

03/03/2007 Johnny’s Selected Seeds

a retail business in Winslow, Maine
11,500 financial accounts compromised
 
Hacker accessed credit card account information of online customers. About 20 credit cards have been used fraudulently.

DataLossDB record

03/14/2007 WellPoint’s Empire Blue Cross and Blue Shield unit in NY

a healthcare provider or servicer in Indianapolis, Indiana
75,000 non-financial accounts compromised
 
An unencrypted disc containing patients’ names, Social Security numbers, health plan identification numbers and descriptions of medical services back to 2003 was lost en route to a subcontractor. 800-293-3443

03/23/2007 Group Health Cooperative Health Care System

a healthcare provider or servicer in Seattle, Washington
31,000 non-financial accounts compromised
 
Two laptops containing names, addresses, Social Security numbers and Group Health ID numbers of local patients and employees have been reported missing.

http://www.ghc.org/news/news.jhtml?reposid=/common/news/news/20070323-missing_laptops.html

03/26/2007 Fort Monroe

Government or Military in Fort Monroe, Virginia
16,000 non-financial accounts compromised
 
A laptop computer containing the names, Social Security numbers and payroll information for as many as 16,000 civilian employees was stolen from an employee’s personal vehicle. Bank account and bank routing information were not included. People who work at the U.S. Army Training and Doctrine Command were affected.

03/30/2007 Los Angeles County Child Support Services

Government or Military in Los Angeles, California
243,000 non-financial accounts compromised
 
Three laptops containing personal information including about 130,500 Social Security numbers, most without names, 12,000 individuals’ names and addresses, and more than 101,000 child support case numbers were apparently stolen from the department’s office.

04/03/2007 Commerce Banc Insurance Services (CBIS)

a Financial or Insurance Services firm in Cherry Hill, New Jersey
12,876 non-financial accounts compromised
 
A CBIS vendor had a laptop stolen. CBIS employees may have had their names, Social Security numbers, and possibly health information exposed.

04/04/2007 University of California, San Francisco (UCSF)

an educational institution in San Francisco, California
46,000 non-financial accounts compromised
 
An unauthorized party may have accessed the personal information including names, Social Security numbers, and bank account numbers of students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years by compromising the security of a campus server. (415) 353-8100 isecurity@ucsf.edu

04/06/2007 Chicago Public Schools

an educational institution in Chicago, Illinois
40,000 non-financial accounts compromised
 
Two laptop computers containing the names and Social Security numbers of current and former employees were stolen from Chicago Public Schools headquarters. (773) 553-1142

04/06/2007 Hortica (Florists’ Mutual Insurance Company), UPS

a Financial or Insurance Services firm in Edwardsville, Illinois
268,000 financial accounts compromised
 
A locked shipping case of backup tapes containing personal information including names, Social Security numbers, drivers’ license numbers, and bank account numbers went missing while in transit with UPS. (800) 851-7740 securedata@hortica-insurance.com

http://www.hortica-insurance.com/hotTopics/26.PDF

04/10/2007 Georgia Department of Community Health, Affiliated Computer Services (ACS)

Government or Military in Atlanta, Georgia
2,900,000 non-financial accounts compromised
 
A computer disk containing personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children’s health care recipient identification numbers, and Social Security numbers went missing from a private vendor, Affiliated Computer Services (ACS), contracted to handle health care claims for the state. (866) 213-3969

http://dch.georgia.gov/vgn/images/portal/cit_1210/19/38/80010015Public_Notice-Missing_Personal_Data.pdf

04/11/2007 ChildNet

a Non-Governmental Organization (includes non-profits) in Ft. Lauderdale, Florida
12,000 non-financial accounts compromised
 
An organization responsible for managing Broward County’s child welfare system believes a dishonest former employee stole a laptop from the agency’s office. It contains personal information of adoptive and foster-care parents including financial and credit data, Social Security numbers, driver’s license data and passport numbers.

04/12/2007 Georgia Secretary of State

State Government in Atlanta, Georgia
75,000 non-financial accounts compromised
 
30 boxes of Fulton County voter registration cards that contain names, addresses and Social Security numbers were found in a trash bin.

http://sos.georgia.gov/pressrel/20070411a.htm

04/18/2007 Ohio State University

an educational institution in Columbus, Ohio
14,000 non-financial accounts compromised
 
A hacker accessed the names, Social Security numbers, employee ID numbers and birth dates of 14,000 current and former staff members.

http://www.osu.edu/news/newsitem1673

04/20/2007 U.S. Agriculture Department

Federal Government in Washington, District Of Columbia
38,700 non-financial accounts compromised
 
The Social Security numbers of people who received loans or other financial assistance from two Agriculture Department programs were disclosed since 1996 in a publicly available database posted on the Internet. Originally, the US Department of Agriculture estimated that the personal information of as many as 150,000 people may be affected, then reduced the number to 38,700.

http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB?contentidonly=true&contentid=2007/04/0110.xml

04/25/2007 Neiman Marcus Group

a retail business in Dallas, Texas
160,000 non-financial accounts compromised
 
Computer equipment was stolen containing files with sensitive information including name, address, Social Security number, date of birth, period of employment and salary information of retailer Neiman Marcus Group’s current and former employees and their spouses. (800) 456-7019

http://phx.corporate-ir.net/phoenix.zhtml?c=118113&p=irol-recentdata

05/01/2007 JP Morgan

a Financial or Insurance Services firm in Chicago, Illinois
47,000 non-financial accounts compromised
 
A computer tape containing personal information of wealthy bank clients and some employees was delivered to a secure off-site facility for storage but was later reported missing.

05/05/2007 Transportation Security Administration (TSA)

Federal Government in Crystal City, Virginia
100,000 financial accounts compromised
 
A computer hard drive containing payroll data from January 2002 to August 2005, including employee names, Social Security numbers, birth dates, bank account and routing information of current and former workers including airport security officers and federal air marshals, was stolen. The American Federation of Government Employees is suing the TSA for the loss of the hard drive, calling the breach a violation of the Privacy Act.

05/08/2007 University of Missouri

an educational institution in Columbia, Missouri
22,396 non-financial accounts compromised
 
A hacker accessed a computer database containing the names and Social Security numbers of employees of any campus within the University system in 2004 who were also current or former students of the Columbia campus. (866) 241-5619

05/11/2007 Highland Hospital (Rochester, NY)

a healthcare provider or servicer in Rochester, New York
13,000 non-financial accounts compromised
 
Two laptop computers, one containing patient information including Social Security numbers, were stolen from a business office. The computers were sold on eBay, and the one containing personal information was recovered. HighlandHospitalAdmin@urmc.rochester.edu

05/14/2007 Community College of Southern Nevada

an educational institution in North Las Vegas, Nevada
197,000 non-financial accounts compromised
 
A virus attacked a computer server and could have allowed a hacker to access students’ personal information including names, Social Security numbers and dates of birth, but the school is not certain whether anything was actually stolen from the school’s computer system.

05/17/2007 Georgia Division of Public Health

Government or Military in Atlanta, Georgia
140,000 non-financial accounts compromised
 
The Georgia Department of Human Resources notified parents of infants born between 4/1/06 and 3/16/07 that paper records containing parents’ SSNs and medical histories — but not names or addresses — were discarded without shredding.

05/19/2007 Stony Brook University

an educational institution in Stony Brook, New York
90,000 non-financial accounts compromised
 
SSNs and university ID numbers of faculty, staff, students, alumni, and other community members were visible via the Google search engine after they were posted to a Health Sciences Library Web server April 11. It was discovered and removed 2 weeks later.

http://www.stonybrook.edu/sb/disclosure

05/19/2007 Illinois Department of Financial and Professional Regulation

State Government in Chicago, Illinois
300,000 non-financial accounts compromised
 
A computer server was breached earlier this year. SSNs, tax numbers, and addresses of banking and real estate licensees and applicants were exposed. The hacking incident was discovered May 3. For information about the breach, see:

http://www.idfpr.com/

05/19/2007 Texas Commission on Law Enforcement Standards and Education

State Government in Austin, Texas
230,000 non-financial accounts compromised
 
A laptop computer was stolen from the state agency that licenses police officers. It contained information on every licensed peace officer in Texas, including SSNs, driver’s license numbers, and birth dates.

05/22/2007 University of Colorado, Boulder

an educational institution in Boulder, Colorado
45,000 non-financial accounts compromised
 
A worm attacked a University computer server used by the College of Arts and Sciences. Information for 45,000 students enrolled at UC-B from 2002 to mid-2007 was exposed, including SSNs. The breach was discovered May 12. Apparently anti-virus software had not been properly configured. (303) 492-1655

05/23/2007 Waco Independent School District

an educational institution in Waco, Texas
17,400 non-financial accounts compromised
 
Two high school seniors recently hacked into the district’s computer network potentially compromising the personal information including Social Security numbers of students and employees.

05/25/2007 North Carolina Department of Transportation

Government or Military in Raleigh, North Carolina
25,000 non-financial accounts compromised
 
A computer server used to back up employee identification badge records that included the names and Social Security numbers of NCDOT employees, contractors and other state employees was compromised.

https://apps.dot.state.nc.us/pio/releases/details.aspx?r=1179

06/01/2007 Fresno County, Refined Technologies Inc., DHL

County Government in Fresno, California
10,000 non-financial accounts compromised
 
A missing computer disk contains names, addresses and Social Security numbers. The County sent it by courier to a software vendor’s office in San Jose to determine workers’ eligibility for health care benefits. The software company, Refined Technologies Inc., said they never received the disk. The courier service, DHL, told County officials that the file was delivered May 10, though the County didn’t require anyone to sign for the delivery.

06/05/2007 vFinance Investments Inc.

a Financial or Insurance Services firm in Boca Raton, Florida
29,000 non-financial accounts compromised
 
A database that contained customer information was accessed through the www.vfinance.com website by an unauthorized person. The goal of the attack seems to have been to deface the website.

06/11/2007 Pfizer

a business other than retail in New York, New York
17,000 non-financial accounts compromised
 
Installation of certain file-sharing software on a Pfizer laptop exposed files containing names, Social Security numbers, addresses and bonus information of present and former Pfizer colleagues. Investigation revealed that certain files containing data were accessed and copied. 866-274-3891

06/14/2007 Georgia Tech University

an educational institution in Atlanta, Georgia
23,000 non-financial accounts compromised
 
An electronic file containing the personal information of current and former Georgia Tech students was exposed briefly.

06/14/2007 Division of Workforce Services

Government or Military in Salt Lake City, Utah
20,000 non-financial accounts compromised
 
Children’s Social Security numbers are believed to have been compromised by identity thieves. (801) 281-1267

06/15/2007 Ohio state workers & Taxpayers

State Government in Columbus, Ohio
1,000,000 non-financial accounts compromised
 
A backup computer storage device with the names and Social Security numbers of every state worker was stolen out of a state intern’s car. The tape, which was stolen in June, contains personally identifiable information of nearly 84,000 current and former Ohio state employees and more than 47,000 state taxpayers. The storage device also had the names and Social Security numbers of 225,000 taxpayers. Updated to 500,000 persons on 6/22/2007. Updated by the State of Ohio on 7/12/2007 to an estimated one million. (888) 644-6648 (taped message), (877) 742-5622 (Ohio Consumers’ Counsel) or (800) 267-4474

06/25/2007 Fresno County

County Government in Fresno, California
10,000 non-financial accounts compromised
 
A disk containing information pertaining to thousands of home health-care workers — including their names, addresses and Social Security numbers — was lost when it was shipped to a software vendor’s office in San Jose, CA. (559) 453-6450

06/25/2007 UnitedHealthCare

a healthcare provider or servicer in Trumbull, Connecticut
17,000 non-financial accounts compromised
 
A former employee had the names, Social Security numbers, dates of birth and addresses of about 127 members. The employee is believed to have participated in fraudulent activity and may have accessed approximately 17,000 members’ information during the final two and a half years of their employment.

06/27/2007 Milwaukee PC

a retail business in Milwaukee, Wisconsin
65,000 financial accounts compromised
 
Credit card information for 65,000 was possibly compromised. A service center noticed a file in their server and was concerned that file could contain customers’ credit card numbers and personal information. (414) 258-2275

07/03/2007 Fidelity National Information Services

a Financial or Insurance Services firm in Jacksonville, Florida
8,500,000 financial accounts compromised
 
A worker at a subsidiary (Certegy Check Services, Inc.) stole customer records containing credit card, bank account and other personal information. The initial estimate was 2.3 million records were affected.

UPDATE (8/27/2007): The estimate of affected customers was raised to 8.5 million in filings with the U.S. Securities and Exchange Commission. A California law firm has filed a class-action suit charging Fidelity National Information Services (FIS) and one of its subsidiaries with negligence in connection with a data breach.

UPDATE (11/23/2007): A former database analyst at Certegy Check Services Inc., has agreed to enter a guilty plea to federal fraud and conspiracy charges in connection with the theft of data.

UPDATE (7/7/2008): A man has been sentenced to four years and nine months in jail and fined US $3.2 million for his part in the theft of consumer records from Certegy Check Services.

UPDATE (7/7/2008): A new settlement provides that all class members whose personal or financial information was stolen can get compensated up to $20,000 if they were not reimbursed for certain identity theft losses caused by the data theft. The losses covered could have occurred from Aug. 24, 1998, to Dec. 31, 2010. www.datasettlement.com

UPDATE (4/26/2010): As part of a class action settlement in U.S. District Court in Tampa, consumers were given the opportunity to elect credit monitoring for one year or bank account monitoring for two years and were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. Consumers also were able to request credit monitoring at the company’s expense immediately after the thefts were announced. The settlement with the Attorney General’s office ensures that Certegy will maintain a comprehensive information-security program. This program will assess internal and external risks to consumers’ personal information, implement safeguards to protect that consumer information, and will regularly monitor and test the effectiveness of those safeguards. Certegy and its related entities also agree to adhere to payment card industry data security standards as those standards continue to evolve. As part of the settlement, Certegy is donating $125,000 to the Attorney General’s Seniors vs. Crime Program for educational, investigative and crime prevention programs for the benefit of senior citizens and the community and will pay $850,000 for the state’s investigative costs and attorney’s fees related to the case.

07/16/2007 Transportation Security Administration (TSA)

Federal Government in Arlington, Virginia
100,000 non-financial accounts compromised
 
Authorities realized in May a storage device was missing from TSA headquarters. The drive contained historical payroll data, Social Security numbers, dates of birth, addresses, time and leave data, bank account, routing information, and details about financial allotments and deductions.

07/17/2007 Louisiana Board of Regents

Government in Baton Rouge, Louisiana
80,000 non-financial accounts compromised
 
Records of students and staff including Social Security numbers, names, and addresses were exposed on the web. In all, more than 80,000 names and Social Security numbers were accessible for perhaps as long as two years on an internal Internet site.

07/17/2007 Kingston Technology Co.

a business other than retail in Fountain Valley, California
27,000 non-financial accounts compromised
 
A security breach may have compromised the names, addresses and credit card details of online customers. Kingston Technology is a computer memory vendor. The breach may have gone undetected for nearly 2 years.

Privacy Rights Org record

07/17/2007 Western Union

a Financial or Insurance Services firm in Greenwood Village, Colorado
20,000 financial accounts compromised
 
Credit card information and names were hacked from a database. The thieves got names, addresses, phone numbers and complete credit-card information.

Breach Alerts at Trusted ID

07/20/2007 Science Applications International Corp. (SAIC)

a business other than retail in McLean, Virginia
560,000 accounts compromised
 
SAIC, a military support contractor, reported that personal information may have been compromised when the company failed to encrypt the data before transmitting it over the Internet. The data was stored on a single, non-secure server that had become infected with malware.
 
SCALE: the information referred to 560,000 households. As a household may contain more than one person the number of affected people may be larger.
 
SCOPE: Information compromised included names, birthdays, social security numbers, health information, billing addresses, telephone number, facsimile number, charge card number and charge card security code.

http://breachalerts.trustedid.com/category/saic-data-breach/

UPDATE (5/05/2012): Though 580,000 households were reported, a total of 867,000 people may have been affected.

07/23/2007 Fox News

a media business in Los Angeles, California
1,500,000 non-financial accounts compromised
 
Sensitive information was exposed on the Fox News web server. The security hole allowed hackers to access login information, names, phone numbers, and email addresses.

07/24/2007 St. Vincent Hospital / Verus, Inc.

a healthcare provider or servicer in Indianapolis, Indiana
51,000 non-financial accounts compromised
 
Saint Vincent used subcontractor Verus Inc. to set up an online bill payment for patients. For a “brief” period of time, personal information was left unprotected and available online. The security lapse compromised names, addresses and Social Security numbers.

07/26/2007 U.S. Marine Corps / Penn State University

an educational institution in Harrisburg, Pennsylvania
10,554 financial accounts compromised
 
Data belonging to 10,554 Marines was improperly posted by Penn State University, according to the Marine Corps. Names and Social Security numbers of Marines could be found via Google search engine. Penn State University was under a research contract with the Marine Corps.

07/27/2007 City Harvest

a Non-Governmental Organization (includes non-profits) in New York, New York
12,000 financial accounts compromised
 
City Harvest is currently investigating a potential improper access of systems that contained credit card information of their donors. (917) 351-8763

07/28/2007 Yuba County Health and Human Services

a healthcare provider or servicer in Yuba County, California
70,000 non-financial accounts compromised
 
A laptop stolen from a building contained personally identifiable information of individuals whose cases were opened before May 2001. The laptop was being used as a backup system for the county’s computer system. The data include Social Security numbers, birth dates, driver’s license numbers and other private information.

08/07/2007 Merrill Lynch

a Financial or Insurance Services firm in Hopewell, New Jersey
33,000 non-financial accounts compromised
 
A computer device apparently was stolen containing sensitive personal information, including Social Security numbers, about some 33,000 employees.

08/08/2007 Yale University

an educational institution in New Haven, Connecticut
10,200 non-financial accounts compromised
 
Social Security numbers for over 10,000 current and former students, faculty and staff were compromised last month following the theft of two University computers.

08/15/2007 Sky Lakes Medical Center, Verus Inc.

a healthcare provider or servicer in Klamath Falls, Oregon
30,000 non-financial accounts compromised
 
The company that maintained the hospital’s online bill payment system transferred patient information from one server to another to perform maintenance but didn’t take security measures, leaving information such as names, addresses and Social Security numbers exposed.

08/22/2007 CalPERS

California Public Employees’ Retirement System
part of the State Government in Sacramento, California
445,000 non-financial accounts compromised
 
Roughly 445,000 retirees in California received brochures announcing an upcoming election to fill a rare vacancy on the board of the California Public Employees’ Retirement System. All or a portion of each person’s Social Security number appeared without hyphens on the address panel.

08/23/2007 New York City Financial Information Services Agency

Government or Military in New York, New York
280,000 non-financial accounts compromised
 
A laptop loaded with financial information on as many as 280,000 city retirees was stolen from a consultant who took the computer to a restaurant.

08/26/2007 American Ex-Prisoners of War

a Non-Governmental Organization (includes non-profits) in Texas
35,000 non-financial accounts compromised
 
Personal records including addresses and Social Security numbers of more than 35,000 veterans and their families were stolen this month from the offices of a POW support organization in Texas. Digital and paper records included information on the group’s entire membership, including addresses, dates of birth, Social Security numbers and VA claims data.

08/28/2007 Connecticut Department of Revenue Services

State Government in Hartford, Connecticut
106,000 non-financial accounts compromised
 
A laptop computer with the names and Social Security numbers of more than 100,000 Connecticut taxpayers has been stolen. The Department of Revenue Services intends to launch a web page soon that residents can search to determine whether their personal information was stored on the laptop. More than 2 dozen state laptops have gone missing since July 2006.

UPDATE (10/19/2007): A supervisor at the state Department of Revenue Services was suspended without pay. His computer was stolen from his car in August at a hotel in New York. Police say it was possible the vehicle was not locked because there were no signs of a break-in.

08/31/2007 Option One Mortgage

a Financial or Insurance Services firm in Irvine, California
10,000 non-financial accounts compromised
 
A computer server that contained customer service information was hacked. People who visited the customer service website between August 9 and 14 may have had their names, Social Security numbers, addresses, phone numbers, loan information and payment histories exposed. The hacker was able to change the website so that a virus was installed on the computers of visitors.

09/04/2007 Pfizer

a business other than retail in New York, New York
34,000 financial accounts compromised
 
A security breach may have caused employees’ names, Social Security numbers, addresses, dates of birth, phone numbers, bank account numbers, credit card information, signatures and other personal information to be publicly exposed. The breach occurred late last year when a Pfizer employee removed copies of confidential information from a Pfizer computer system without the company’s knowledge or approval. Pfizer didn’t become aware of the breach until July 10. (866) 274-3891

09/09/2007 McKesson Specialty, AstraZeneca

a healthcare provider or servicer in Scottsdale, Arizona
68,779 non-financial accounts compromised
 
McKesson, a health-care services company, is alerting thousands of its patients that their personal information is at risk after two of its computers were stolen from an office. (866) 554-6366

09/11/2007 Gander Mountain

a retail business in Greensburg, Pennsylvania
112,000 financial accounts compromised
 
Somebody either lost or stole a computer potentially containing the credit card information of anyone who has shopped at the Greensburg store since it first opened more than five years ago. Gander Mountain said credit card information for 112,000 customers of its Greensburg store might have been compromised. That includes 10,000 records with names, card numbers and expiration dates.

09/12/2007 TennCare

a healthcare servicer in Knoxville, TN
67,000 non-financial accounts compromised
 
There are 67,000 TennCare enrollees at risk of identity theft after a courier service lost their personal information. The lost information includes names, Social Security numbers, birthdays and addresses. For the offered no-charge identity theft protection call AmeriChoice at (800) 690-1606.

09/14/2007 TD Ameritrade Holding Corporation

a Financial or Insurance Services firm in Omaha, Nebraska
6,300,000 financial accounts compromised
 
One of TD Ameritrade’s databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken. “We were able to conclude that while Social Security numbers are stored in this particular database, your SSN were not retrieved.” The company said names, e-mail addresses, phone numbers, and home addresses were taken in the data breach. Company customers received unwanted spam because of this breach.


 
UPDATE (4/28/2009): TD Ameritrade sent a mass email on September 14, 2007 to its customers admitting SSNs had been compromised: “[W]e recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases … to be retrieved by an external source [and] Social Security Numbers are stored in this particular database.”

UPDATE (10/27/2009): TD Ameritrade was nearing a settlement in the case of more than six million stolen records when the judge, who previously seemed to agree with the proposal, rejected it today. The federal judge handling the case decided that the proposed settlement provides no discernible benefit to the victims.

UPDATE (11/16/2010): Pending approval by a U.S. District Judge, TD Ameritrade will offer between $0 and $2,500 to customers who were affected by the breach. Customers who received spam, or were victims of criminal identity theft because a criminal who was arrested posed as them, will get $0 unless they were also victims of account-fraud-based identity theft. This settlement will cost between $2,500,000 and $6,500,000. The settlement was approved in October 2011.

09/28/2007 Gap Inc.

a retail business in San Francisco, California
800,000 non-financial accounts compromised
 
A laptop containing the personal information of certain job applicants was recently stolen from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc. Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.’s brands between July 2006 and June 2007 was contained on the stolen laptop. Social Security numbers were included in the information on the laptop. (866) 237-4007

UPDATE (5/28/2010): A man whose Social Security number and other personal information were compromised by a company that processed his job application for The Gap Inc. has no legal claims against the company because no actual damage resulted from the privacy breach (a laptop stolen from Vangent), ruled the Ninth Circuit Court of Appeals.

Ruiz v. Gap, Inc. 09-15971 (9th Circ. May 28, 2010) [ http://www.ca9.uscourts.gov/datastore/memoranda/2010/05/28/09-15971.pdf ]
http://gapinc.com/securityassistance/

09/28/2007 Wal-Mart Stores Inc.

a retail business in Bentonville, Arkansas
48,686 non-financial accounts compromised
 
A Wal-Mart associate took confidential information relating to a group of associates. The former associate was not authorized to retain the information after ending his employment with Wal-Mart. Associate names, Social Security numbers, Wal-Mart job codes and compensation information were exposed. The incident occurred on August 15.

10/02/2007 The Nature Conservancy

a Non-Governmental Organization (includes non-profits) in Arlington, Virginia
14,000 financial accounts compromised
 
A hacker illegally gained access to a computer of The Nature Conservancy containing personal information on current and former employees and their dependents. The stolen information included names, home addresses, Social Security numbers and birth dates. It also included direct deposit bank account numbers for employees who were on the payroll between 2000 and 2004, as well as the Social Security numbers of those employees’ dependents. When employees accessed a particular Web site, the site planted a program on the employees’ computers that copied the contents of the hard drives and sent the information to the hacker. Additional locations: Little Rock, Fayetteville, Arkadelphia, Batesville and Ponca (Arkansas)

10/04/2007 Massachusetts Division of Professional Licensure

State Government in Boston, Massachusetts
450,000 non-financial accounts compromised
 
Social Security numbers of about 450,000 licensed professionals were inadvertently released. The information was mailed last month to agencies that submitted a public records request for the names and addresses of professionals licensed by the division. The division mailed 28 computer disks to 23 agencies that use the information as a marketing or promotional tool. The disks would normally contain only the names and addresses of individuals licensed through the Division of Professional Licensure and the Division of Health Professions Licensure. However, the disks also included Social Security numbers. (617) 973-8100

http://www.mass.gov/dpl

10/16/2007 Administaff Inc.

a business other than retail in Houston, Texas
159,000 non-financial accounts compromised
 
Current and former workers’ personal data may be compromised because of a stolen laptop. The data wasn’t encrypted when it was stored on the portable computer, which is password-protected. Data stored on the laptop included names, addresses and Social Security numbers for most employees paid by Administaff in 2006.

10/17/2007 Home Depot

a retail business in Boston, Massachusetts
10,000 non-financial accounts compromised
 
A laptop computer containing about 10,000 employees’ personal data was stolen from a regional manager’s car. The computer, which was password protected, didn’t contain any customer information. The laptop contained names, home addresses and Social Security numbers of certain Home Depot employees.

10/23/2007 Dixie State College

an educational institution in St. George, Utah
11,000 non-financial accounts compromised
 
An unauthorized person reportedly gained access to a computer system and confidential files, including Social Security numbers, birth date information and addresses for some 11,000 alumni and current DSC employees who graduated or worked at DSC from 1986 to 2005. (866) 295-3033 idprotect@dixie.edu

10/23/2007 West Virginia Public Employees Insurance Agency

a healthcare provider or servicer in Charleston, West Virginia
200,000 non-financial accounts compromised
 
West Virginia officials are alerting 200,000 past and current members of three health insurance programs that a computer tape containing full names, addresses, phone numbers, Social Security numbers and marital status was lost last week while being shipped via United Parcel Service. (800) 435-4351

10/30/2007 University of Nevada, Reno

an educational institution in Reno, Nevada
16,000 non-financial accounts compromised
 
A University of Nevada, Reno administrative employee has lost a flash drive that contained the names and Social Security numbers of 16,000 current and former students.

10/30/2007 Pathology Group

a healthcare provider or servicer in Memphis, Tennessee
75,000 non-financial accounts compromised
 
Someone broke into a locked office building, and several computers with flat screen monitors were stolen. One of those computers had patient information on about 75,000 people. This information included names, addresses, Social Security numbers and even medical information.

10/30/2007 Hartford Financial Services Group

a Financial or Insurance Services firm in Hartford, Connecticut
230,000 non-financial accounts compromised
 
Three backup tapes that contained personal information of 230,000 customers, including 9,200 Ohioans, mainly of the company’s property lines, were misplaced.

11/01/2007 City University of New York

an educational institution in New York, New York
20,000 non-financial accounts compromised
 
A broken laptop containing personal information was taken from the School’s financial aid office.

11/07/2007 Carolinas Medical Center, NorthEast

a healthcare provider or servicer in Concord, North Carolina
28,000 non-financial accounts compromised
 
A paramedic left a computer on the back bumper of an ambulance and then drove away. The laptop contains names, addresses, phone numbers and Social Security numbers of approximately 28,000 people who have been cared for by the Cabarrus County EMS over the last four years.

11/13/2007 Youth Women’s Christian Association (YWCA)

a Non-Governmental Organization (includes non-profits) in New York, New York
13,000 non-financial accounts compromised
 
Staff discovered that a computer had been stolen from the office sometime around October 1. It contained the names and Social Security numbers of active participants in the YWCA Retirement Fund. Individuals who participated between January 1, 2002 and September 28, 2007 were affected.

11/15/2007 Roudebush Veteran’s Administration Medical Center

a healthcare provider or servicer in Indianapolis, Indiana
12,000 non-financial accounts compromised
 
Two personal computers and a laptop computer were allegedly stolen from an unsecured room. One of the stolen computers contained the names, Social Security numbers and dates of service of approximately 12,000 veterans.

UPDATE (3/19/2008): A 50-year-old Indianapolis man was arrested Monday on one count of Class D felony theft after investigators identified him from surveillance video. A probable cause affidavit, a sworn police statement filed in support of the charge, identifies him as a former patient at the facility. The man has been charged in the disappearance of hospital computer equipment that contained the records of nearly 12,000 patients.

11/16/2007 U.S. Department of Veteran Affairs

Federal Government in Washington, District Of Columbia
185,000 non-financial accounts compromised
 
An investigation at a man’s home uncovered a computer that held about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where he had been employed as an auditor. Veterans Affairs’ officials have said only 185,000 numbers are at risk because many were repeated in the file.

11/30/2007 Prescription Advantage

a healthcare provider or servicer in Boston, Massachusetts
150,000 non-financial accounts compromised
 
The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their personal information may have been snatched by an identity thief. Local authorities arrested a lone identity thief who had been using information taken from the program in an attempted identity theft scheme. Although the thief used information from just a small number of participants in the scheme, state data-breach laws require that the 150,000 people who could have possibly been affected by the breach be contacted. (866) 523-6846 or (877) 610-0241 for the hearing impaired.

11/30/2007 Prudential Financial

a Financial or Insurance Services firm in Fort Washington, Pennsylvania
44,023 financial accounts compromised
 
An employee who had authorized access to personal information was arrested and charged with stealing personal information and identity theft. The employee took client names, Social Security numbers, dates of birth, addresses and bank account information.

12/05/2007 Memorial Blood Centers

a healthcare provider or servicer in Duluth, Minnesota
268,000 non-financial accounts compromised
 
A laptop computer holding donor information was stolen. About 268,000 donor records on this laptop computer contain a donor name in combination with the donor’s Social Security number. Hot Line (888) 333-1491 Contacts: Memorial Blood Centers Laura Kaplan, (651) 332-7220 lkaplan@mbc.org or Jim McCartney (952) 346-6688

12/06/2007 Oak Ridge National Laboratory

Federal Government in Oak Ridge, Tennessee
12,000 non-financial accounts compromised
 
Hackers may have infiltrated a non-classified database containing names, Social Security numbers and birth dates of every lab visitor between 1990 and 2004. The assault was in the form of phony e-mails containing attachments, which when opened allowed hackers to penetrate the lab’s computer security. The lab has sent letters to about 12,000 potential victims.

12/10/2007 Sutter Lakeside Hospital

a healthcare provider or servicer in Lakeport, California
45,000 non-financial accounts compromised
 
A laptop computer containing personal and medical information of approximately 45,000 former patients, employees and physicians has been stolen from the residence of a contractor. (866) 785-6443

12/14/2007 Deloitte & Touche, IKON Office Solutions

a Financial or Insurance Services firm in New York, New York
22,634 non-financial accounts compromised
 
A laptop was stolen from a contractor working on scanning Deloitte’s pension fund documents. The laptop contained names, Social Security numbers, dates of birth, start and end dates and other personnel information of Deloitte partners, principals and other employees. The laptop was stolen sometime around Thanksgiving. Deloitte no longer works with the service provider.

12/17/2007 West Penn Allegheny Health System

a healthcare provider or servicer in Pittsburgh, Pennsylvania
42,000 non-financial accounts compromised
 
The names, Social Security numbers, phone numbers, addresses and patient care information of 42,000 patients were all on a laptop computer stolen from a nurse’s home. Only home care and hospice patients could be impacted, not patients at the hospitals. (866) 559-6309 Monday through Friday from 10 am to 6 pm or e-mail the hospital at askquestions@wpahs.org.

12/18/2007 Pennsylvania Department of Aging

State Government in Harrisburg, Pennsylvania
21,000 non-financial accounts compromised
 
A state Department of Aging-owned laptop computer containing personal information on senior citizens was stolen from a Johnstown home. The information included names, addresses, Social Security numbers and some medical information.

12/28/2007 Davidson County Election Commission

County Government in Nashville, Tennessee
337,000 non-financial accounts compromised
 
Someone broke into several county offices over Christmas and stole laptop computers that county officials now believe may have contained Social Security numbers and other personal information for every registered voter in Davidson County. Two weeks later local police confirmed they recovered the hard drive from the laptop computer and it contained names and complete Social Security numbers for 337,000 registered voters.

12/28/2007 United States Air Force

Federal Government in Washington, District Of Columbia
10,501 non-financial accounts compromised
 
A military laptop computer is missing and it contains personal information including Social Security numbers, birth dates, addresses, and telephone numbers of active and retired Air Force members. The laptop belonged to an Air Force band member at Bolling Air Force Base, who reported it missing from his home.

 
 


Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.