Compromises in 2008 affecting 10,000 or more
01/04/2008 Mariner Health Care, Windham Brannon, SavaSeniorCare Administrative Services, LLC
a Financial or Insurance Services firm in Atlanta, Georgia
80,124 non-financial accounts compromised
Cash and several laptops were stolen from Windham’s Atlanta office on the evening of December 31, 2007. Windham provides audit services for Mariner’s and SavaSeniorCare’s 401(k) benefit plans. Current and former employees may have had their names, Social Security numbers, addresses, dates of birth, salary information and 401(k) account information compromised.
01/08/2008 Wisconsin Department of Health and Family Services
State Government in Madison, Wisconsin
260,000 non-financial accounts compromised
Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state, Electronic Data Systems Inc. (EDS), to recipients of SeniorCare, BadgerCare and Medicaid. The company agreed to pay $250,000 to the state for the mistake, as well as paying for an identity theft monitoring service for the affected individuals, for a total of about $1 million.
01/17/2008 GE Money, Iron Mountain
a Financial or Insurance Services firm in Boston, Massachusetts
150,000 non-financial accounts compromised
Personal information on customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing. The missing information includes Social Security numbers for about 150,000 people.
01/24/2008 Fallon Community Health Plan
a healthcare provider or servicer in Worcester, Massachusetts
29,800 non-financial accounts compromised
A vendor computer containing personal information on patients of Fallon Community Health Plan has been stolen. The data included names, dates of birth, some diagnostic information and medical ID numbers, some of which may be based on Social Security numbers.
01/28/2008 Kiwanis International, On-Net Services
a Non-Governmental Organization (includes non-profits) in Indianapolis, Indiana
18,432 financial accounts compromised
On January 4, Kiwanis learned of an unauthorized intrusion into its Kiwanis Family Store Website and database that occurred sometime between December 1 of 2007 and January 4 of 2008. The unauthorized person or persons illegally accessed information by running a SQL injection program that gathered names, credit card numbers, expiration dates and billing/shipping addresses of individuals who had purchased items from the Kiwanis Family Store.
01/28/2008 T. Rowe Price Retirement Plan Services, CBIZ Benefits and Insurance Services Inc.
a Financial or Insurance Services firm in Baltimore, Maryland
35,000 non-financial accounts compromised
Names and Social Security numbers of current and former participants in several hundred retirement plans were compromised when several computers were stolen. The machines were taken from the office of CBIZ Benefits and Insurance Services Inc.
01/29/2008 Horizon Blue Cross Blue Shield
a healthcare provider or servicer in Newark, New Jersey
300,000 non-financial accounts compromised
More than 300,000 members’ names, Social Security numbers and other personal information were contained on a laptop computer that was stolen. The laptop was being taken home by an employee who regularly works with member data.
01/29/2008 Georgetown University
an educational institution in Washington, District Of Columbia
38,000 non-financial accounts compromised
A hard drive containing the Social Security numbers of Georgetown students, alumni, faculty and staff was reported stolen from the office of Student Affairs.
01/30/2008 Davidson Companies
a Financial or Insurance Services firm in Great Falls, Montana
226,000 financial accounts compromised
A computer hacker broke into a database and obtained the names and Social Security numbers of virtually all of the Great Falls financial services company’s clients. The database also included information such as account numbers and balances.
UPDATE (4/12/2010): D.A. Davidson was fined $375,000 for failing to adequately protect customer information. The Financial Industry Regulatory Authority (FINRA) found that the database should have been encrypted and had a blank password in place during the December 25 and 26, 2007 breach. On January 16, the hacker alerted D.A. Davidson to the incident and the fact that he had downloaded confidential customer information. The hacker offered to reveal security weaknesses and delete the customer information he had obtained in exchange for $80,000. The hacker was not caught.
UPDATE (11/10/2010): A class action settlement was reached for those who were affected by the breach. Anyone receiving a notification letter from Davidson dated January 29, 2008 is a member of the Davidson data breach lawsuit. A $1 million settlement fund will be established to reimburse class members for damages related to having their names, Social Security numbers, addresses, emails, account numbers, tax identification numbers, financial consultant’s identification numbers, account balances and dates of birth exposed. Claim forms requesting reimbursement damages must be received by the Settlement Administrator no later than June 1, 2011.
02/12/2008 Long Island University
an educational institution in Brookville, New York
30,000 non-financial accounts compromised
Students’ tax forms mailed to them last week were in defective mailers. The mailers containing each student’s annual 1098-T Tuition Statement were supposed to have adhesive on all four sides, but one side of each envelope was missing adhesive. The statement contains the student’s name, address and Social Security number.
02/13/2008 Lifeblood
a healthcare provider or servicer in Memphis, Tennessee
321,000 non-financial accounts compromised
Laptop computers with birth dates and other personal information of roughly 321,000 blood donors are missing and presumed stolen. Stored inside both computers were names, birth dates and addresses at the time of the individual’s last donation or attempted donation. In most cases, the donors’ Social Security numbers were also stored, along with driver’s licenses, telephone numbers, e-mail addresses, ethnicity, marital status, blood type and cholesterol levels. Social Security numbers had been used to track blood from the donor to the recipients.
02/14/2008 Tenet Healthcare Corporation
a healthcare provider or servicer in Dallas, Texas
37,000 non-financial accounts compromised
An ex-employee who worked at a Frisco, Texas, billing center for less than two years is confirmed to have stolen the names, Social Security numbers and other personal information of about 90 patients. The employee also had access to 37,000 other accounts.
02/15/2008 Systematic Automation Inc
a business other than retail in Fullerton, California
40,000 non-financial accounts compromised
Police filed possession of stolen property charges against a prison parolee who was arrested for having a computer with more than 40,000 names, addresses and Social Security numbers of California residents. The computer was stolen from Systematic Automation Inc., which processes individualized annual statements customized for employees with a summary of their health and other employee benefits. The hard drive contained employee information from 19 agencies. Some of the agencies include the Modesto City Schools, Clovis Unified School District, Los Angeles Department of Water and Power, Nestle Waters North America and the Torrance Unified School District.
02/27/2008 Health Net Federal Services
a healthcare provider or servicer in Rancho Cordova, California
103,000 non-financial accounts compromised
Thousands of doctors in eleven states had their personal information openly posted on a company website. Social Security numbers were part of the personal information exposed. The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia.
03/03/2008 Kraft Foods
a business other than retail in Northfield, Illinois
20,000 non-financial accounts compromised
A company-owned laptop computer was stolen from an employee of Kraft Foods traveling on company business. The laptop contained the names and may have contained Social Security numbers.
03/06/2008 Cascade Healthcare Community
a healthcare provider or servicer in Prineville, Oregon
11,500 financial accounts compromised
People who donated to Cascade Healthcare Community (the parent company of St. Charles hospitals) had information compromised. A virus infected a computer system on 11/12/2007 and the information technology staff believed they had eliminated it. On 2/5/2008 suspicious activity resurfaced and external forensic experts were called in to investigate. By 2/11/2008 it was clear that the virus had exposed the information. SCALE: more than 11,500. SCOPE: Compromised information included names, charge card numbers, addresses, and birthdays.
[ http://www.phiprivacy.net/tag/cascade-healthcare-community ]
03/10/2008 Blue-Cross Blue-Shield of Western New York
a healthcare provider or servicer in Buffalo, New York
40,000 non-financial accounts compromised
A laptop hard drive containing vital information about members has gone missing. Blue-Cross Blue-Shield of Western New York says it is notifying its members about identity theft concerns after one of its company laptops went missing.
03/17/2008 Hannaford Bros. Supermarket chain
a Financial or Insurance Services firm in Portland, Maine
4,200,000 financial accounts compromised
This supermarket chain stated that malware was loaded onto their servers which intercepted card data (including charge card numbers and other information stored on the magnetic stripe) during the card authorization transmission process. The servers subsequently infected all 165 stores in the northeast, over 100 Sweetbay stores in Florida and a number of independent groceries that were served by Hannaford. Hannaford was compliant with the Payment Card Industry rules and received PCI certification in 2007 and was recertified on 2/27/2008. There are several lawsuits in progress. (866) 591-4580
Consumers were dismayed in May 2009 when Maine U.S. District Court dismissed most of a class action lawsuit finding that there is no way to value the time and effort that consumers spent in correcting fraudulent activity resulting from the breach.
http://www.networkworld.com/news/2008/032808-hannaford.html
UPDATE (4/2/2009): An April 2, 2009, news story indicated that between December 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. About 1,800 fraudulent charges had been made.
UPDATE (5/14/2009): A federal appeals court has revived a Tampa class-action suit seeking money for Florida shoppers whose credit and debit card numbers were swiped in a data breach that hit 109 Sweetbay Supermarkets. The suit seeks free credit monitoring, credit repair if necessary and undetermined money damages to be split up among victims of the breach, including those unaware they were victims.
UPDATE (5/22/2009): A Maine U.S. District Court dismissed most of a class action lawsuit against Hannaford, finding that there is no way to value the time and effort that consumers spent in correcting fraudulent activity resulting from the breach. The case of one named plaintiff was not dismissed. That plaintiff suffered actual monetary damages for unreimbursed fraudulent charges.
UPDATE (11/2/2011): Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute “Damages” in Hannaford Breach Case (Oct. 24, 2011) see http://tinyurl.com/3kxxmnb.
UPDATE (3/29/2013): A United States District Court for the District of Maine has denied a motion that would have allowed a lawsuit to proceed as a class action. The plaintiffs originally moved to certify the proposed class on September 4, 2012. See http://tinyurl.com/bsg9xpu
03/19/2008 The Dental Network
a healthcare provider or servicer in Baltimore, Maryland
74,256 non-financial accounts compromised
A security breach of The Dental Network website left access to member personal data, including names, Social Security numbers, addresses and dates of birth unprotected for approximately two weeks. The Dental Network is an independent licensee of the Blue Cross and Blue Shield Association. (866) 879-7402
03/20/2008 Lasell College
an educational institution in Newton, Massachusetts
20,000 financial accounts compromised
A hacker accessed data containing personal information on current and former students, faculty, staff and alumni. Information included names and Social Security numbers.
03/20/2008 Pennsylvania Department of State
State Government in Harrisburg, Pennsylvania
30,000 non-financial accounts compromised
The state was forced to pull the plug on a voter registration Web site after it was found to be exposing sensitive data about voters. Because of a Web programming error, the Web site was allowing anyone on the Internet to view data such as the voter’s name, date of birth, driver’s license number, and political party affiliation. On some forms, the last four digits of Social Security numbers could also be seen.
03/21/2008 Compass Bank
a Financial or Insurance Services firm in Birmingham, Alabama
1,000,000 financial accounts compromised
A database containing names, account numbers and customer passwords was stolen. A credit-card encoder and software to encode the information onto blank cards was also used to acquire information from ATMs. A former programmer at Birmingham, Ala.-based Compass Bank stole a hard drive containing 1 million customer records and used some of that information to commit debit-card fraud. The thief had used the information stolen from Compass Bank’s database to create about 250 counterfeit debit cards. He was able to use about 45 of those cards to access and withdraw cash from customer accounts at the bank before he was arrested.
03/22/2008 Agilent Technologies
a business other than retail in Santa Clara, California
51,000 non-financial accounts compromised
A laptop containing sensitive and unencrypted personal data on current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor. The data includes employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards. Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data – in violation of the contracted agreement.
03/26/2008 Bank of New York Mellon
a Financial or Insurance Services firm in Pittsburgh, Pennsylvania
12,500,000 financial accounts compromised
The company lost a box of computer data tapes storing personal information including names, Social Security numbers and possibly bank account numbers. (877) 278-3451, (877) 278-346,
UPDATE (5/07/2008): On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on about 4.5 million consumers — hundreds of thousands of them People’s United Bank customers and investors — and nine other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.
UPDATE (5/31/2008): The Hartford Courant reports the following figures regarding the number of Connecticut shareholders affected by the lost computer tape:
403,894 People’s United Bank
33,586 John Hancock Financial
18,361 Walt Disney Co.
10,000 the remaining shareholders
UPDATE (8/30/2008): The estimated number of people affected by a data breach at Bank of New York Mellon Corp has been raised from 4.5 million to 12.5 million.
UPDATE (2/19/2009): The Bank of New York Mellon will pay Connecticut $150,000 as part of a settlement. The bank will continue to provide those affected by the breach with credit monitoring and fraud alerts for a total of 36 months of protection. It will also reimburse anyone for funds stolen from their accounts as a direct result of the data breach.
www.bnymellon.com/tapequery
03/26/2008 Broward School District
an educational institution in Coconut Creek, Florida
38,000 non-financial accounts compromised
An Atlantic Technical High School senior hacked into a district computer and collected Social Security numbers and addresses of district employees.
03/28/2008 Antioch University
an educational institution in Yellow Springs, Ohio
70,000 non-financial accounts compromised
A computer system that contained personal information on about 70,000 people was breached by an unauthorized intruder three times. The system contained the names, Social Security numbers, academic records and payroll documents for current and former students, applicants and employees.
03/31/2008 Advance Auto Parts
a retail business in Roanoke, Virginia
56,000 financial accounts compromised
The company reported a hacker may have gotten financial information on customers from 14 stores in Virginia, Mississippi, Georgia, Ohio, Tennessee, Louisiana and Indiana. Customers who made purchases between December 2001 and December 2004 may have been exposed. Advance has over 3,000 stores in 40 states, Puerto Rico, and the US Virgin Islands. The company was not PCI compliant at the time of the breach. SCALE: 56,000 customers. SCOPE: information on checks and charge card data was exposed.
http://www.fierceretail.com/retailit/story/advance-auto-parts-breach-included-unencrypted-payment-data-from-2001
[ http://www.wkrg.com/story/21615552/advance-auto-parts-security-breach ]
04/01/2008 Okemo Mountain Resort
a business other than retail in Ludlow, Vermont
28,168 financial accounts compromised
The Ludlow ski area announced that its computer network was breached by an intruder who gained access to credit card data including cardholder names, account numbers and expiration dates. (866) 756-5366
04/04/2008 Harley-Davidson, Inc. (HOG)
a business other than retail in Milwaukee, Wisconsin
60,000 financial accounts compromised
A laptop computer containing certain HOG members’ personal information was determined to be missing from their facilities. The personal information stored on the computer included names, addresses, credit card numbers, their expiration dates, and driver’s license numbers.
04/08/2008 WellCare Health Plans Inc.
a healthcare provider or servicer in Atlanta, Georgia
71,000 non-financial accounts compromised
Private records of members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days. Those whose data was made available on the Internet included members of Medicaid, the federal health program for the poor, and PeachCare for Kids, a federal-state insurance plan for children of the working poor. About 10,500 members’ Social Security numbers may have been viewed by unauthorized people on the Internet, all members of Medicaid or PeachCare. There is a possibility that an initial 59,000 members may have had some personal information made accessible.
04/08/2008 WellPoint
a business other than retail in Indianapolis, Indiana
128,000 non-financial accounts compromised
Personal information that may have included Social Security numbers and pharmacy or medical data for customers in several states was exposed online over the past year.
04/11/2008 New York-Presbyterian Hospital, Weill Cornell Medical Center
a healthcare provider or servicer in New York, New York
49,841 non-financial accounts compromised
An admissions employee is accused of selling 2,000 patients’ data in an identity theft scheme and accessing nearly 50,000 records illegitimately. Records contained names, phone numbers and, in some cases, Social Security numbers of patients. The employee has since been charged with one count of conspiracy involving computer fraud, identity document fraud, transmission of stolen property and sale of stolen property.
04/15/2008 Oklahoma’s Department of Corrections
State Government in Oklahoma City, Oklahoma
10,597 non-financial accounts compromised
The names, addresses, and Social Security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years on the ODC’s website.
04/17/2008 University of Miami
a healthcare provider or servicer in Miami, Florida
2,100,000 non-financial accounts compromised
Computer tapes containing confidential information of Miami patients were stolen last month when thieves took a case out of a van used by a private off-site storage company. The data included names, addresses, Social Security numbers or health information. (866) 628-4492
04/19/2008 Central Collection Bureau
a business other than retail in Indianapolis, Indiana
700,000 non-financial accounts compromised
A computer server containing Social Security numbers and other personal information was stolen last month from a Southside debt-collection bureau. The information includes customer-billing records for Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group.
04/22/2008 CollegeInvest
a Non-Governmental Organization (includes non-profits) in Denver, Colorado
200,000 non-financial accounts compromised
Customers had personal information stored on a computer hard drive that disappeared during a recent move. CollegeInvest moved to a new office space, using an international relocation firm that offered specialists in moving computer equipment. CollegeInvest discovered while unpacking at the new location that a hard drive was missing. CollegeInvest is a not-for-profit division of the Colorado Department of Higher Education.
04/23/2008 Southern Connecticut State University
an educational institution in New Haven, Connecticut
11,000 non-financial accounts compromised
Southern Connecticut State University is taking action to prevent its students from becoming victims of identity theft. The move comes after a website with student and alumni information was found to be easily accessible to hackers. It appears that no financial information was accessed but Social Security numbers were vulnerable.
05/02/2008 Marine Corps Reserve Center
Military in San Antonio, Texas
17,000 non-financial accounts compromised
A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft after he was accused of selling names and Social Security numbers of 17,000 military employees.
05/04/2008 Staten Island University Hospital
a healthcare provider or servicer in Staten Island, New York
88,000 non-financial accounts compromised
Computer equipment stolen from an administrator contained personal information from patients. Social Security numbers and health insurance numbers were contained in computer files on a desktop computer and the backup hard drive.
05/12/2008 Dave & Buster’s
a business other than retail in Islandia, New York
80,000 financial accounts compromised
Three men have been charged with hacking into 11 Dave & Buster’s networks and then remotely installing “packet sniffer” software on point-of-sale servers at locations throughout the U.S. A packet sniffer logs information being sent over a network. In this case, the criminals used it to log credit and payment card data as it was sent from the branch locations to corporate headquarters. The hacking took place from April to September 2007. At Dave & Buster’s Islandia, New York, location, the hackers accessed details of about 5,000 payment cards. The information was sold to other criminals who then used the card numbers to scam online merchants. The criminals were able to post at least $600,000 in fraudulent transactions from 675 cards taken from this one store.
UPDATE (04/05/2010): In reaching a settlement with Dave & Buster’s, the FTC quietly and without fanfare introduced a new security standard, requiring the company to monitor and filter outbound Internet traffic to block the unauthorized export of sensitive information. The consent decree puts companies on notice that they may face FTC scrutiny and penalties if they fail to use data loss prevention software.
UPDATE (07/19/2012): A member of the hacking ring was sentenced to seven years in prison. Around 80,000 payment card numbers were taken from the 11 Dave & Buster’s locations. It appears that the hacker was part of a larger conspiracy that lasted between 2005 and 2008 and affected the Hannaford Bros. grocery chain, Heartland Payment Systems, the TJX retail chain, BJ’s Wholesale Club, OfficeMax, Boston Market, 7-Eleven, JCPenney, Barnes & Noble, Sports Authority, and Forever 21. Two other members of the hacking ring were sentenced to 20 years in prison and 30 years in prison.
05/12/2008 Pfizer
a business other than retail in New York, New York
13,000 non-financial accounts compromised
About 13,000 employees at Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen. No Social Security numbers were on the laptop, but names, home addresses, home telephone numbers, employee ID numbers, positions and salaries were possibly compromised. Other information possibly lost included the department employees worked in, the Pfizer site where the employees worked, the name of employees’ managers and descriptions of their jobs. (866) 274-3891
05/14/2008 Oklahoma State University
an educational institution in Stillwater, Oklahoma
70,000 non-financial accounts compromised
A breach in an Oklahoma State University computer server exposed names, addresses and Social Security numbers of students, staff and faculty who bought parking and transit services permits in the past six years.
05/16/2008 Chester County School District
an educational institution in Downingtown, Pennsylvania
55,000 non-financial accounts compromised
A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including names, addresses and Social Security numbers, of more than 50,000 people were accessed. The student apparently used a flash drive to save the personal data of about 40,000 taxpayers and 15,000 students.
05/23/2008 R.E. Moulton
a Financial or Insurance Services firm in Irving, Texas
19,000 non-financial accounts compromised
Thieves broke into the Irving, Texas, regional office and stole a laptop computer containing personal information of numerous individuals, including names and Social Security numbers. The company is in the medical stop-loss insurance industry.
05/29/2008 State Street Corp, Investors Financial Services
a Financial or Insurance Services firm in Boston, Massachusetts
45,500 non-financial accounts compromised
Computer equipment containing personal information on customers and employees of a State Street unit was stolen. The computer equipment was stolen from a vendor hired by Investors Financial Services to provide legal support services. The personal information included names, addresses and Social Security numbers.
05/31/2008 Pocono Mountain School District
an educational institution in Swiftwater, Pennsylvania
11,000 non-financial accounts compromised
A hacker apparently broke into the computers at Pocono Mountain School District and may have tapped into confidential information concerning students and their parents. Information may have included the students’ birth dates, Social Security numbers, student IDs, home phones, and the parents’ names, phone numbers and emergency phone numbers. 570-873-7121 X10151
06/06/2008 Stanford University
an educational institution in Stanford, California
72,000 non-financial accounts compromised
Stanford University determined that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way.
06/10/2008 University of Utah Hospitals and Clinics
a healthcare provider or servicer in Salt Lake City, Utah
1,300,000 non-financial accounts compromised
Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take the eight data tapes to a storage center. The records contained Social Security numbers of 1.3 million people treated at the university over the last 16 years.
UPDATE (2/5/2009): The data tapes were found within a month after being stolen.
UPDATE (6/9/2010): An Englewood, Colo., insurance company has filed a federal lawsuit contending that it isn’t responsible for reimbursing the University of Utah for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider. The lawsuit filed in a Utah federal court by Colorado Casualty Insurance Co. contends that the insurer is not obligated to cover the costs sought by the University. Colorado Casualty was providing breach insurance to the University at the time of the breach. The nine-page complaint, which seeks a declaratory judgment from the court, offers little explanation as to why exactly the insurer believes it is not obligated to pay the breach-related costs sought by the University.
Insurer says NOT responsible for breach
06/10/2008 University of Florida
an educational institution in Gainesville, Florida
11,300 non-financial accounts compromised
Current and former students had their Social Security numbers, names and addresses accidentally posted online. The information became available when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program between 2003 and 2005.
06/19/2008 Aon Consulting
a Financial or Insurance Services firm in Chicago, Illinois
57,160 non-financial accounts compromised
A laptop used to collect pre-employment screening information for Verizon Inc. employees was stolen from a restaurant in May of 2008. The personal information included names and Social Security numbers.
06/23/2008 Colt Express Outsourcing Services, CNET Networks
a business other than retail in Walnut Creek, California
17,241 non-financial accounts compromised
Burglars stole computer systems from the offices of the company that administers the Internet publisher’s benefit plans. The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET’s health insurance plans. CNET was only one of several clients affected.
UPDATE (8/26/2008): Among the companies whose staffers have been exposed by the Colt break-in in Walnut Creek, California: Google, Bebe Stores, Alston & Bird, and the California Bankers Assn.
06/27/2008 Montgomery Ward
a retail business in Cedar Rapids, Iowa
51,000 financial accounts compromised
Hackers extracted information from an online database that held credit card account information.
07/07/2008 Florida Agency for Health Care Administration
State Government in Tallahassee, Florida
55,000 non-financial accounts compromised
A computer flaw in the Organ and Tissue Donor Registry database may have exposed thousands of donors’ personal information, including their Social Security numbers. Other data included donors’ names, addresses, birth dates and drivers’ license numbers.
07/08/2008 LPL Financial (formerly Linsco Private Ledger)
a Financial or Insurance Services firm in Boston, Massachusetts
10,219 non-financial accounts compromised
Hackers obtained clients’ unencrypted names, addresses and Social Security numbers from July 17, 2007, to February 15, 2008. They compromised the logon passwords of 14 financial advisers and four assistants.
UPDATE (9/11/2008): The U.S. Securities & Exchange Commission (SEC) fined LPL $275,000 and required that LPL strengthen its security safeguards involving customer information. It was found that the hacker(s) placed, or attempted to place, 209 unauthorized trades in 68 customer accounts of several of LPL’s registered representatives, for more than $700,000 in trades in securities of 19 different companies. LPL reversed or eliminated the trades and compensated the customers for the resulting trading losses, which totaled approximately $98,900.
http://www.sec.gov/litigation/admin/2008/34-58515.pdf
07/09/2008 Division of Motor Vehicles Colorado
State Government in Colorado
3,400,000 non-financial accounts compromised
The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers.
07/16/2008 Greensboro Gynecology Associates
a healthcare provider or servicer in Greensboro, North Carolina
47,000 non-financial accounts compromised
A backup tape of patient information was stolen from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients’ names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members.
07/17/2008 Bristol-Myers Squibb
a business other than retail in Jacksonville, Florida
42,000 non-financial accounts compromised
A backup computer-data tape containing employees’ personal information, including Social Security numbers, was stolen recently. The backup data tape was stolen while being transported from a storage facility. The information on the tapes included names, addresses, dates of birth, Social Security numbers and marital status, and in some cases bank-account information. Data for some employees’ family members also were on the tape.
07/17/2008 University of Maryland
an educational institution in College Park, Maryland
23,000 non-financial accounts compromised
University of Maryland accidentally released the addresses and Social Security numbers of thousands of students. A brochure with on-campus parking information was sent by U.S. Mail to students. The University discovered that the mailing labels had the students’ Social Security numbers printed on them.
07/24/2008 Village of Tinley Park
City Government in Chicago, Illinois
20,400 non-financial accounts compromised
Computer backup tapes that contain thousands of Social Security numbers of Tinley Park residents have been lost. The tapes containing information from as long ago as 15 years were lost while being transferred from the village hall to another site within the Chicago suburb.
07/24/2008 Saint Mary’s Regional Medical Center
a healthcare provider or servicer in Reno, Nevada
128,000 non-financial accounts compromised
An unauthorized person may have accessed the St. Mary’s database. The database, used for Saint Mary’s health education classes and wellness programs, contained personal information such as names and addresses, limited health information and some Social Security numbers. The database did not contain medical records or credit card information.
07/28/2008 Facebook
a business other than retail in Palo Alto, California
80,000,000 non-financial accounts compromised
Facebook accidentally publicly revealed personal information about its members, which could be useful to identity thieves. The full dates of birth of many of Facebook’s 80 million active users were visible to others, even if the individual member had requested that the information remain confidential.
07/29/2008 Blue Cross and Blue Shield of Georgia
a healthcare provider or servicer in Atlanta, Georgia
202,000 non-financial accounts compromised
Benefit letters containing personal and health information were sent to the wrong addresses last week. The letters included the patient’s name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed. A small percentage of letters also contained the patient’s Social Security number. (866) 800-8776
08/02/2008 Countrywide Financial Corp.
a Financial or Insurance Services firm in Calabasas, California
17,000,000 financial accounts compromised
The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period through July. The insider was a senior financial analyst at Full Spectrum Lending, Countrywide’s subprime lending division. The alleged data thief was said to have downloaded about 20,000 customer profiles each week and sold files with that many names for $500, according to the affidavit. He typically would e-mail the data in Excel spreadsheets to his buyers, often using computers at Kinko’s copying and business center stores. Some, perhaps most, and possibly all the names were being sold to people in the mortgage industry to make new pitches.
UPDATE (1/30/2009): Bank of America will pay Connecticut $350,000 as part of a settlement. The bank will also provide at least $25,000 to reimburse Connecticut residents forced to pay for freezing and unfreezing their credit reports.
UPDATE (4/09/2010): Employees of Countrywide Financial stole and sold “tens of thousands, or millions” of customers’ personal financial information, invading their privacy and exposing them to identity theft, according to class action claims in Ventura County Court, CA. Sixteen named plaintiffs sued Countrywide Financial, Countrywide Home Loans, and Bank of America, which bought Countrywide, the poster boy for the subprime mortgage crisis.
UPDATE (5/08/2010): For information about the settlement, visit www.CWdataclaims.com or call (866) 940-3612.
UPDATE (8/24/2010): Bank of America has settled over 30 lawsuits involving Countrywide Financial customer data theft. As many as 17 million customers who received a mortgage or used Countrywide to service a mortgage before July 1, 2008 will receive reimbursement and identity theft insurance. Identity theft claims can be filed after September 6.
UPDATE (9/28/2011): A former employee responsible for the breach was sentenced to eight months in prison and ordered to repay $1.2 million in costs.
UPDATE (7/13/2012): A small group of people objected to a proposed settlement and decided to split from a larger class action lawsuit. A court dismissed their claim because they could not sufficiently prove an out-of-pocket loss.
08/04/2008 Arapahoe Community College
an educational institution in Littleton, Colorado
15,000 financial accounts compromised
A contractor who manages the student information database had a flash drive lost or stolen. Information on the drive included the names, addresses, credit card numbers and Social Security numbers.
08/05/2008 The Clear Program Fast-pass Registered Travel program for airline passengers, operated by Verified Identity Pass for the U.S. Transportation Security Administration
a business other than retail in New York, New York
33,000 non-financial accounts compromised
A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach for the Clear Program. The laptop was stolen at San Francisco International Airport. The stolen information included names, addresses, dates of birth, and driver’s license numbers or passport numbers.
08/18/2008 Dominion Enterprises
a business other than retail in Richmond, Virginia
92,095 non-financial accounts compromised
A computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008. The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and Social Security numbers of 92,095 applicants who submitted credit applications to IFMG’s family of special finance Web sites. (757) 351-7951
08/18/2008 The Princeton Review
an educational institution in New York, New York
108,000 non-financial accounts compromised
The test-preparatory firm accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site. One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fl. Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va.
08/29/2008 Louisiana Real Estate Commission
State Government in Baton Rouge, Louisiana
13,000 non-financial accounts compromised
A glitch during a computer upgrade caused the names, addresses and Social Security numbers of licensed agents to be exposed on the Internet. The commission was transferring its online programs to a new server when the sensitive electronic file, which is not normally posted on the Internet, was left unsecured and slipped in among the commission materials that could be seen online.
08/30/2008 Ohio Police & Fire Pension System
State Government in Columbus, Ohio
13,000 non-financial accounts compromised
A former mailroom supervisor at the Ohio Police & Fire Pension System forwarded the names, addresses and Social Security numbers from his work e-mail address to his personal e-mail address before quitting his job. The file contains information for 13,000 of the approximately 24,000 retired members of the Ohio Police & Fire Pension System, most of whom are former police officers.
08/30/2008 National Technical Institute for the Deaf and Rochester Institute of Technology
an educational institution in Rochester, New York
13,800 non-financial accounts compromised
A recently stolen laptop contained the names, birth dates and Social Security numbers of about 12,700 applicants to the National Technical Institute for the Deaf and another 1,100 people at Rochester Institute of Technology. The laptop belonged to an employee and was stolen on Monday from an office at NTID. People at RIT, who are not affiliated with NTID, are affected because their personal information was being used as part of a control group in an internal study. RIT Hotline through 9/26/08 (866) 624-8330, RIT Public Safety (585) 475-2853
http://www.rit.edu/news/?v=46283
09/10/2008 Franklin Savings and Loan
a Financial or Insurance Services firm in Cincinnati, Ohio
25,000 non-financial accounts compromised
An unauthorized person gained access to a database on a company web site containing personal information such as names, addresses, phone numbers, account numbers, account balances and Social Security numbers. (877) 579-2267, (513) 605-4378
09/15/2008 Forever21
a retail business in Los Angeles, California
98,930 financial accounts compromised
If you shopped at the stores between November 26, 2003, and October 24, 2005, criminals may have hijacked your credit and debit card numbers from its computers. Approximately 20,500 of these numbers were obtained from the Fresno store transaction data. The data included credit and debit card numbers and in some instances expiration dates and other card data, but did not include customer name and address. (888) 757-4447
[ http://www.forever21.com/notice/notice.html ]
09/23/2008 Texas Lottery Commission
State Government in Austin, Texas
89,000 non-financial accounts compromised
A former Texas Lottery Commission computer analyst has been arrested for copying the personal data of Texas lottery winners. He downloaded his own work files off his computer and took them to his next job. The names and Social Security numbers of 27,075 mid-level lottery winners — people who have won prizes from $600 up to around $1 million — were on the employee’s hard drive.
UPDATE (10/31/08): 89,000 lottery winners are being notified their personal information, including Social Security numbers, may have been breached.
09/30/2008 University of Indianapolis
an educational institution in Indianapolis, Indiana
11,000 non-financial accounts compromised
A hacker attacked the University of Indianapolis’ computer system and gained access to personal information and Social Security numbers for 11,000 students, faculty and staff.
10/07/2008 University of North Dakota Alumni Association
an educational institution in Grand Forks, North Dakota
84,554 financial accounts compromised
A laptop computer containing sensitive personal and financial information on alumni, donors and others was stolen from a vehicle belonging to a software vendor retained by the UND. The information included individuals’ credit card and Social Security numbers.
10/17/2008 The Planet
a business other than retail in Houston, Texas
25,000 non-financial accounts compromised
A security breach that may have affected customer portal account and server passwords was discovered. The Planet identified the methods by which the systems were compromised and has closed those holes. Only two user accounts were definitely affected, and no credit card information is believed to have been compromised.
10/23/2008 Medical Mutual of Ohio
a healthcare provider or servicer in Columbus, Ohio
36,000 non-financial accounts compromised
Eleven computer disks containing personal information on Ohio retirees and employees are missing; the disks are most likely somewhere in the postal system. It appears that insufficient postage was placed on the envelopes containing the disks, so the disks are believed to be still safe within the postal system.
11/01/2008 Baylor Health Care System Inc.
a healthcare provider or servicer in Dallas, Texas
100,000 non-financial accounts compromised
A laptop computer containing limited health information on 100,000 patients was stolen from an employee’s car. Included were 7,400 patients whose Social Security numbers were stored on the computer. (800) 554-5281
11/06/2008 Harvard Law School
an educational institution in Cambridge, Massachusetts
21,000 non-financial accounts compromised
A computer tape containing Social Security numbers, addresses, and financial information was either lost or stolen. About 8,000 records of present and former clients on the tape contained Social Security numbers; another 13,000 contained other identifying information.
11/06/2008 Express Scripts
a business other than retail in St. Louis, Missouri
700,000 non-financial accounts compromised
Express Scripts has received a letter demanding money from the company under the threat of exposing records of millions of patients. The letter included personal information on 75 people covered by Express Scripts, including birth dates, Social Security numbers and prescription information. Express Scripts manages prescription benefits for roughly 50 million people.
UPDATE (10/1/09): Express Scripts notified about 700,000 consumers that their records may have been breached.
11/07/2008 Arizona’s Department of Economic Security
State Government in Phoenix, Arizona
40,000 non-financial accounts compromised
The Department of Economic Security (DES) is notifying the families of about 40,000 children that their personal data may have been compromised following the theft of several hard drives from a commercial storage facility. The information stored on the stolen disks included the names, addresses and phone numbers of families whose children were referred to the DES for early intervention services over the past several years. In the cases of families that had applied for and received services from the agency, their records also included Social Security numbers.
11/09/2008 City of Charlottesville
City Government in Charlottesville, North Carolina
25,000 non-financial accounts compromised
Two laptops containing voter registration information were stolen from a building at Tonsler Park in Charlottesville sometime after the polls closed. The information on the computers included names, addresses, date of birth and DMV customer number.
11/12/2008 University of Florida College of Dentistry
an educational institution in Gainesville, Florida
330,000 non-financial accounts compromised
Some current and former dental patients have been notified that an unauthorized intruder recently accessed a College of Dentistry computer server storing their personal information. College information technology staff members were upgrading the server and found software had been installed on it remotely. Information stored on the server included names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information for patients dating back to 1990.
11/24/2008 Starbucks Corp.
a retail business in Seattle, Washington
97,000 non-financial accounts compromised
A laptop containing private information on employees was stolen. The information included names, addresses and Social Security numbers.
11/26/2008 Luxottica Group, Things Remembered
a retail business in Mason, Ohio
59,419 non-financial accounts compromised
A routine check by the information technology department discovered that a hacker had been inside a computer mainframe and downloaded the personal information of former workers. The victims lost names, addresses and Social Security numbers to the hacker.
12/02/2008 Florida Agency for Workforce Innovation
State Government in Tallahassee, Florida
259,193 non-financial accounts compromised
Employment information and more than a quarter million Social Security numbers were posted online. The breach occurred when several thousand Excel and text files containing millions of employment records were posted in the course of developing a new website.
12/12/2008 DJO, Empi Recovery Services
a healthcare provider or servicer in St. Paul, Minnesota
68,857 non-financial accounts compromised
A laptop was stolen from an employee’s car in Minneapolis. The laptop contained the names, addresses, account balances, insurance company, and Social Security numbers of patients.
12/18/2008 Bill Dube Ford/Toyota
a retail business in Dover, New Hampshire
10,000 non-financial accounts compromised
Personal information from thousands of people in New Hampshire and Massachusetts has been compromised after a data backup tape was stolen. The data include names, addresses, Social Security numbers and driver’s license information.
12/24/2008 Federal Emergency Management Agency
Federal Government in New Orleans, Louisiana
16,857 non-financial accounts compromised
An unauthorized breach of private information resulted in the release of 16,857 names, Social Security numbers, phone numbers, and other private details of people who had applied for benefits. The information was posted on a pair of privately run Web sites, but for how long was unclear.
12/25/2008 Pulte Homes Las Vegas Division
a business other than retail in Las Vegas, Nevada
16,000 non-financial accounts compromised
A box containing computer backup tapes was stolen. Computer tapes holding private customer information including names, addresses, driver’s license numbers and financial account numbers were stolen from a Pulte Homes office in Las Vegas.
12/29/2008 RBS WorldPay
a Financial or Insurance Services firm in Atlanta, Georgia
1,500,000 financial accounts compromised
RBS is a payment services firm that notified police about the attack on 11/20/2008, but did not inform the affected persons until 12/23/2008, two days before a holiday. Details were not released. SCALE: exposed during the breach was information on 1.5 million payroll and gift card holders. Also exposed were up to 1.1 million Social Security records. SCOPE: It was not until 2/10/2009 that it was revealed that “certain personal information” was exposed. Again, details are lacking. The information was used to extract over $9 million from ATM machines and other sources.
http://louisville.bizjournals.com/louisville/othercities/atlanta/stories/2008/12/22/daily24.html
http://www.theregister.co.uk/2008/12/29/rbs_worldpay_breach/
UPDATE (2/3/2009): Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from ATMs in 49 cities worldwide. Alleged hackers are still at large and could orchestrate another attack.
UPDATE (2/10/2009): “Certain personal information” of 1.5 million card holders and Social Security numbers of 1.1 million people were compromised. A class action law suit has been filed against RBS WorldPay.
UPDATE (5/28/2009): RBS WorldPay says it has returned to Visa’s and MasterCard’s lists of validated service providers. It was recently certified as compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2.
UPDATE (4/05/2010): Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay.
UPDATE (8/09/2010): Sergei Tsurikov of Estonia was brought to Atlanta by the FBI. He pleaded not guilty to computer fraud, conspiracy to commit computer fraud, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft. The FBI is in the process of extraditing others involved in the international hack.
UPDATE (8/31/2010): Another person has been charged with participating in the computer fraud attack. Vladislav Anatolievich Horohorin is alleged to have used a prepaid payroll card to conduct fraudulent attacks on ATMs in Moscow.
UPDATE (9/15/2010): A previously unnamed member of the hacking group will be tried in a Russian court for his involvement in the RBS breach. Eugene Anikin’s criminal case was forwarded to Zaeltsovskiy District Court in Novosibirsk for consideration.
UPDATE (2/7/2011): Yevgeny Anikin, 27, pleaded guilty to participating in a hacking ring that stole $10 million from former Royal Bank of Scotland division WorldPay.
UPDATE (8/21/2012): Sonya Martin was sentenced to 2.5 years in federal prison for fraudulently obtaining over $9 million from an Atlanta payroll company. She was a cell leader in the plan that involved organized computer hacking and ATM cashout schemes. She worked with other members of the network to target 2,100 ATMs in 280 cities around the world.
[ http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf ]
12/31/2008 Ohio State University
an educational institution in Columbus, Ohio
18,000 non-financial accounts compromised
Ohio State University has notified 18,000 current and former students that their personal information was mistakenly stored on a computer server exposed to the Internet. The data included student names, Social Security numbers, addresses and coverage dates for those enrolled in the health insurance plan for three quarters in 2005-06.
http://www.studentlife.osu.edu/dataexposure
In addition to the sources cited above, the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended.
Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.