Compromises in 2005 affecting 10,000 or more
Compromises in 2005 affecting less than 10,000
Compromises in 2005 affecting an unknown, or undisclosed number
01/10/2005 George Mason University
an educational institution in Fairfax, Virginia
32,000 non-financial accounts compromised
Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the University’s main ID server.
01/22/2005 University of Northern Colorado
an educational institution in Greeley, Colorado
15,790 financial accounts compromised
A hard drive was lost or stolen. It contained information on current and former University employees and their beneficiaries and dates back to April of 1997. Names, dates of birth, SSNs, addresses, bank account numbers and routing numbers may have been accessed.
02/12/2005 Science Applications International Corp. (SAIC)
a business other than retail in San Diego, California
45,000 non-financial accounts compromised
On January 25 thieves broke into a SAIC facility and stole computers containing personal information of past and current employees. Stolen information included names, Social Security numbers, addresses, phone numbers and records of financial transactions.
02/15/2005 ChoicePoint
a business other than retail in Alpharetta, Georgia
163,000 non-financial accounts compromised
Fraudsters who presented themselves as legitimate ChoicePoint customers purchased data profiles from ChoicePoint on individuals and used that data to commit identity theft. The initial number of affected records was estimated at 145,000 but was later revised to 163,000.
UPDATE (1/26/2006): ChoicePoint settled with the Federal Trade Commission for $10 million in civil penalties and $5 million for consumer redress.
UPDATE (1/27/2008): ChoicePoint has agreed to pay $10 million to settle a class action lawsuit.
02/25/2005 PayMaxx
a Financial Services firm headquartered in Miramar, Florida
100,000 non-financial accounts compromised
In the Franklin, TN office of PayMaxx Inc., a payroll processing company, a software glitch accidentally revealed personal financial information on as many as 100,000 individuals, including Social Security numbers. The problem arose in a PayMaxx feature that enabled employees to use the Internet to get their W-2 forms, the standard tax information form issued by companies to their employees.
02/25/2005 Bank of America Corp.
a Financial or Insurance Services firm in Charlotte, North Carolina
1,200,000 non-financial accounts compromised
Computer tapes with credit card information, Social Security numbers, addresses and account numbers were lost. Bank of America began monitoring the customer accounts on the lost tapes and said it would contact cardholders if unusual activity was detected. Around 900,000 of the account holders affected were Defense Department employees.
03/08/2005 DSW Shoe Warehouse, Retail Ventures
a retail business in Columbus, Ohio
1,400,000 financial accounts compromised
Customers in over two dozen states had their charge cards compromised. Initial estimates were 100,000 cards. On 04/19/2005 the estimate was raised to 1,400,000. Link is to an Associated Press article via NBC News.
http://www.nbcnews.com/id/7550562/#.UvfaCVpD18E
UPDATE (08/23/2012): DSW had a dispute with National Union over insurance coverage. A federal appellate court ruled that DSW was entitled to insurance coverage of more than $6.8 million in stipulated losses and prejudgment interest.
03/10/2005 LexisNexis
a business other than retail in Dayton, Ohio
310,000 non-financial accounts compromised
Unauthorized individuals used IDs and passwords of legitimate customers to obtain consumers’ Social Security numbers, driver’s license numbers, and names and addresses, affecting an estimated 30,000 accounts.
UPDATE (4/12/2005): An internal investigation at LexisNexis has uncovered that an additional 280,000 records may have been involved in this breach.
UPDATE (06/30/2006): Five men were arrested in connection with this breach.
03/11/2005 University of California, Berkeley
an educational institution in Berkeley, California
98,369 non-financial accounts compromised
A laptop containing the Social Security numbers of doctoral degree recipients from 1976 to 1999, graduate students enrolled between 1989 and 2003, and graduate school applicants between fall 2001 and spring of 2004 was stolen. Birth dates and addresses for about one-third of the affected people were also on the laptop.
03/11/2005 Boston College
an educational institution in Boston, Massachusetts
120,000 non-financial accounts compromised
A hacker gained access to a phone banking database that included alumni addresses and Social Security numbers.
03/16/2005 California State University, Chico
an educational institution in Chico, California
59,000 non-financial accounts compromised
A university housing and food service computer server containing names and Social Security numbers of faculty, staff, students, former students, and prospective students was hacked.
03/20/2005 Northwestern University
an educational institution in Evanston, Illinois
17,500 non-financial accounts compromised
Hackers gained access to multiple computers and gathered user ID and password information from the University’s network. The personal information for around 500 faculty members, 2000 staff members, and 14,000 alumni was compromised.
04/05/2005 MCI
a business other than retail in Colorado Springs, Colorado
16,500 non-financial accounts compromised
A laptop containing names and Social Security numbers of current and former employees was stolen from the car trunk of an MCI financial analyst. An MCI spokesperson stated that MCI would continue its policy of allowing laptops to be taken home by employees and will evaluate new security technologies.
04/08/2005 Eastern National
Ft. Washington, Pennsylvania
15,000 financial accounts compromised
A hacker gained access to a server containing the names, credit card information, and billing addresses of 15,000 customers. Letters were mailed to all customers who bought products through the educational website for national parks.
04/08/2005 San Jose Medical Group
a healthcare provider or servicer in San Jose, California
187,000 non-financial accounts compromised
A former branch manager at the San Jose Medical Group has been sentenced to almost two years in prison for stealing medical records for about 187,000 patients. The accused pleaded guilty in May to one count of health care-related theft after he stole computer equipment from his former employer, including a DVD that contained patients’ names, Social Security numbers, medical diagnoses and other information.
04/11/2005 Tufts University
an educational institution in Boston, Massachusetts
106,000 non-financial accounts compromised
The University’s donor database was breached sometime in late 2004. The database was managed by a software company for nonprofit organizations named RuffaloCODY. Letters were sent to the alumni who may have had their personal information stolen.
04/15/2005 California Department of Health Services
Government or Military in Sacramento, California
21,600 non-financial accounts compromised
A laptop containing the names, Social Security numbers, and medical information of Medi-Cal beneficiaries was stolen from the car trunk of an employee. The Department of Health Services began notifying beneficiaries in late May.
04/15/2005 Polo Ralph Lauren, HSBC
a retail business in New York, New York
180,000 financial accounts compromised
In early July 2007 cyber crooks had created high-quality fake cards from Polo Ralph Lauren customers’ credit card numbers. Affected consumers were worldwide. Link is to an Associated Press article via the Seattle Times.
http://seattletimes.com/html/businesstechnology/2002241978_datatheft15.html
UPDATE (07/10/2007): U.S. Secret Service agents found Polo Ralph Lauren customers’ credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places. Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers.
04/20/2005 TD Ameritrade
a Financial or Insurance Services firm in Omaha, Nebraska
200,000 financial accounts compromised
A backup tape was lost, stolen, or accidentally destroyed while being shipped. The tape contained account information from clients or former clients between the years of 2001 and 2003. Ameritrade notified the affected clients and offered one free year of credit protection services.
04/21/2005 Carnegie Mellon University
an educational institution in Pittsburgh, Pennsylvania
19,000 financial accounts compromised
The compromised information included Social Security numbers and grades from master’s alumni classes 1997 through 2004, job offer information from master’s alumni classes 1985 through 2004, contact information for all alumni, and Social Security numbers and grades from doctoral students enrolled between 1998 and 2004. Between 5,000 and 6,000 of those affected had their credit card information and Social Security numbers compromised. Emails and letters were sent to those who were affected.
04/26/2005 Michigan State University’s Wharton Center
an educational institution in East Lansing, Michigan
40,000 non-financial accounts compromised
A hacker may have stolen the credit card information of visitors attending a performing arts venue. Warnings were sent to Wharton visitors who used their credit cards anytime between September of 2003 and the incident.
04/26/2005 Christus St. Joseph’s Hospital
a healthcare provider or servicer in Houston, Texas
16,000 non-financial accounts compromised
Two computers used for converting paper medical records into digital files were stolen. One of the computers contained Social Security numbers and medical records for hundreds of patients. Letters were sent to about 16,000 patients.
04/28/2005 Georgia Southern University
an educational institution in Statesboro, Georgia
20,000 financial accounts compromised
Hackers accessed a University server which contained thousands of credit card and Social Security numbers collected over three years. Students who received bookstore credit through scholarship or financial aid between the fall 2003 and spring of 2005 semesters, and anyone who made credit purchases at campus stores, stadium, or website are at risk. Email alerts were sent to students and alumni.
04/28/2005 Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp
a Financial or Insurance Services firm in Hackensack, New Jersey
676,000 financial accounts compromised
Bank employees illegally sold account information to someone posing as a collection agency. Customers affected were notified and received one year of free credit monitoring services. Location listed is the corporate headquarters of Bank of America, not necessarily where the breach occurred.
04/29/2005 Oklahoma State University
an educational institution in Stillwater, Oklahoma
37,000 non-financial accounts compromised
A laptop used for student job placement seminars was lost or stolen. It contained the Social Security numbers of current and former students.
05/02/2005 Time Warner, Iron Mountain Inc.
a business other than retail in New York, New York
600,000 non-financial accounts compromised
Backup tapes containing the personal information of current and former employees from as far back as 1986 were lost or stolen during shipping by Iron Mountain Inc.
05/05/2005 Purdue University
an educational institution in West Lafayette, Indiana
11,360 financial accounts compromised
Hackers accessed a program which contained University credit card information and the Social Security numbers of current and former employees. Letters were sent to employees and former employees.
05/07/2005 Department of Justice
Government or Military in Washington, District of Columbia
80,000 financial accounts compromised
A laptop containing password-protected names and travel account credit card information was stolen sometime between May 7 and May 9.
05/14/2005 Georgia Technology Authority (GTA)
Government or Military in Atlanta, Georgia
465,000 non-financial accounts compromised
A former computer programmer for Georgia Technology Authority downloaded state driver’s license information which contained names, addresses, driver’s license numbers, and in some cases Social Security numbers.
05/18/2005 University of Iowa
an educational institution in Iowa City, Iowa
30,000 financial accounts compromised
A computer containing credit card numbers and campus ID numbers for University Book Store customers was breached by a hacker.
05/19/2005 Valdosta State University
an educational institution in Valdosta, Georgia
40,000 financial accounts compromised
A computer server containing campus ID card information and Social Security numbers was hacked. The cards were designed to be used as debit cards by students and employees.
05/27/2005 Cleveland State University
an educational institution in Cleveland, Ohio
44,420 non-financial accounts compromised
A laptop containing personal information from applicants, current students, and former students was stolen from the University’s admissions office. The information included Social Security numbers and addresses from as far back as 2001. Letters were sent to those affected. The laptop was recovered,
06/04/2005 Duke University Medical Center
an educational institution in Durham, North Carolina
14,000 non-financial accounts compromised
A hacker broke into the computer system, stealing thousands of passwords and fragments of Social Security numbers. Fourteen thousand affected people were notified, including 10,000 employees of Duke University Medical Center.
06/06/2005 Citigroup, UPS
a Financial or Insurance Services firm in New York, New York
3,900,000 financial accounts compromised
Customers are being notified that backup tapes containing their account information were lost or stolen while being shipped by UPS.
06/16/2005 CardSystems
a Financial or Insurance Services firm in Tucson, Arizona
40,000,000 financial accounts compromised
Over 40 million card accounts were exposed to potential fraud due to a security breach that occurred at a third-party processor of payment card transactions. Of the more than 40 million accounts exposed, information on 68,000 Mastercard accounts, 100,000 Visa accounts and 30,000 accounts from other card brands is known to have been exported by the hackers. The data exported included names, card numbers and card security codes.
The link is to a CNN Money article that initially reported the breach to be over 40 million accounts of which 13.9 million were MasterCard (including Maestro and Cirrus), and 22 million from Visa cards.
http://money.cnn.com/2005/06/17/news/master_card/
UPDATE (2/23/2006) CardSystems agreed to settle Federal Trade Commission charges that it failed to take appropriate security measures to protect sensitive personal information. The company must implement a comprehensive security program and obtain audits every 2 years for 20 years.
UPDATE (5/12/2006) CardSystems filed for bankruptcy.
UPDATE (5/28/2009) Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment processor’s systems were hacked, compromising up to 40 million credit card accounts. Hackers were able to get hold of the data because CardSystems kept unencrypted card information on its servers, in contravention of the regulations for which Savvis certified it.
06/18/2005 University of Hawaii
an educational institution in Honolulu, Hawaii
150,000 non-financial accounts compromised
A former librarian with access to the personal information of students, faculty, staff and patrons was convicted of Social Security fraud. The former librarian used Social Security information to obtain fraudulent loans. The University used Social Security numbers to track who checked out library materials. At the time of the press release it was unclear whether any information had been stolen from the University.
06/25/2005 University of Connecticut (UCONN)
an educational institution in Storrs, Connecticut
72,000 non-financial accounts compromised
University officials became aware of an October 26, 2003 hacking incident. The personal information included Social Security numbers and addresses for students, faculty, and staff. The University began contacting those affected in June of 2005.
06/29/2005 Bank of America
a Financial or Insurance Services firm in Charlotte, North Carolina
18,000 non-financial accounts compromised
A laptop containing the names, Social Security numbers, and addresses of customers was stolen from a consultant’s car.
06/30/2005 Ohio State University Medical Center, MTE Consulting
a healthcare provider or servicer in Columbus, Ohio
15,000 non-financial accounts compromised
A laptop containing patient information was stolen from a financial consultant. MTE Consulting notified OSU medical center a month after the laptop was stolen and OSU sent a brief letter to the affected clients.
07/07/2005 Michigan State University
an educational institution in East Lansing, Michigan
27,000 non-financial accounts compromised
Student information was compromised during an attack on the College of Education server. The information included Social Security numbers, names, addresses, student courses, and personal identification numbers. The breach occurred in April and students were emailed in July.
07/12/2005 University of Southern California (USC)
an educational institution in Los Angeles, California
270,000 non-financial accounts compromised
A reporter contacted USC based on an individual’s claim to be able to access personal information on college applicants online. USC removed the site pending investigation and sent letters to affected individuals.
07/13/2005 Arizona Biodyne
a healthcare provider or servicer in Phoenix, Arizona
57,000 non-financial accounts compromised
A safe with computer backup tapes containing financial, personal and medical records was stolen from Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona. Policyholders’ addresses, phone numbers, dates of birth and Social Security numbers were among the personal information lost. Partial treatment histories and doctor information for some patients were also lost.
07/21/2005 University of Colorado, Boulder
an educational institution in Boulder, Colorado
49,000 non-financial accounts compromised
Prospective students, current students, staff, faculty and University health care service recipients may have had their data exposed in a campus server breach. The information included names, Social Security numbers, addresses, student ID numbers, birth dates, and lab test information. The University mailed letters and sent emails to the individuals affected.
07/30/2005 San Diego County Employees Retirement Association
Government or Military in San Diego, California
33,000 non-financial accounts compromised
Two computers that contained personal information for current and retired San Diego County employees were hacked. The information included names, addresses, Social Security numbers, and dates of birth. The San Diego Retirement Association mailed warnings to members.
07/31/2005 California State Polytechnic University (Cal Poly Pomona)
an educational institution in Pomona, California
31,077 non-financial accounts compromised
Hackers gained access to two computers containing names, Social Security numbers and transfer records. Applicants, current students, current and former faculty, and staff were affected.
08/02/2005 University of Colorado
an educational institution in Denver, Colorado
36,000 non-financial accounts compromised
Hackers accessed files containing names, photographs, Social Security numbers, and University meal card information. Around 7,000 staff members, 29,000 current students, and some former students were affected.
08/09/2005 University of Utah
an educational institution in Salt Lake City, Utah
100,000 non-financial accounts compromised
A server containing library archival databases was hacked. The server included names and Social Security numbers of former University employees. The University issued a warning that people may try to get personal information by posing as University officials involved in the investigation.
08/09/2005 Sonoma State University
an educational institution in Rohnert Park, California
61,709 non-financial accounts compromised
Hackers broke into a computer system and may have accessed the names and Social Security numbers of people who applied, attended, or worked at the University between 1995 and 2002. University officials attempted to notify those who were affected.
08/10/2005 University of North Texas
an educational institution in Denton, Texas
39,000 financial accounts compromised
A server containing housing records, financial aid inquiries, and in some cases credit card numbers was hacked. UNT sent letters to current, former, and prospective students whose information may have been accessed.
08/19/2005 University of Colorado
an educational institution in Denver, Colorado
49,000 non-financial accounts compromised
A hacker may have gained access to personal information from June of 1999 to May of 2001, and fall of 2003 to summer of 2005. The information included current and former student names, Social Security numbers, addresses and phone numbers. The University contacted individuals who were affected.
08/22/2005 U.S. Air Force
Government or Military in Washington, District of Columbia
33,300 non-financial accounts compromised
A hacker used a legitimate user ID and password to access career information, birth dates, and Social Security numbers. Those affected were notified several months after the breach was discovered.
09/02/2005 Iowa Student Loan
a Financial or Insurance Services firm in West Des Moines, Iowa
165,000 non-financial accounts compromised
A compact disk containing personal information, including SSNs, was lost when shipped by private courier.
09/10/2005 Kent State University
an educational institution in Kent, Ohio
100,000 non-financial accounts compromised
Five desktop computers were stolen from the locked offices of two deans. Names, Social Security numbers, and grades were on the computers. The information goes back to 2000 for students and 2002 for instructors. Affected students and professors were alerted by the University.
09/15/2005 Miami University
an educational institution in Hamilton, Ohio
21,762 non-financial accounts compromised
A report containing Social Security numbers and grades of students was accessible online for three years. The University is attempting to contact those affected via letters and emails. A graduate alerted the University to the exposure after running a Google.com search of her name.
09/22/2005 Internal Revenue Service (IRS)
Government or Military in San Francisco, California
30,000 non-financial accounts compromised
A truck carrying checks with tax information for the self-employed was involved in an accident on the San Mateo Bridge. Wind blew about 30,000 pieces of mail into the bay and beyond. The IRS agreed to waive penalties and interest for anyone whose payment was affected.
10/21/2005 Wilcox Memorial Hospital
a healthcare provider or servicer in Lihue, Hawaii
130,000 non-financial accounts compromised
A backup computer data drive containing medical record numbers, addresses, names and Social Security numbers of current and former patients was lost. Letters have been sent to affected patients.
11/04/2005 Keck School of Medicine, University of Southern California (USC)
an educational institution in Los Angeles, California
50,000 non-financial accounts compromised
A computer server containing names and Social Security numbers of patients, donors and employees was stolen from a campus computer room.
11/11/2005 Georgia Tech University Office of Enrollment Services
an educational institution in Atlanta, Georgia
13,000 non-financial accounts compromised
On October 16, 2005, computers containing the names, Social Security numbers, addresses and birth dates of current and prospective students were stolen from campus. Notifications were sent to those who were affected.
11/19/2005 Boeing
a business other than retail in Chicago, Illinois
161,000 financial accounts compromised
A laptop containing names, Social Security numbers, bank account information and other human resources data was stolen. Affected current and former employees were notified.
12/01/2005 First Trust Bank
a Financial or Insurance Services firm in Memphis, Tennessee
100,000 non-financial accounts compromised
A man claiming to be a janitor bypassed security and stole a laptop from the bank. The laptop contained Social Security numbers and other personal information of current and former customers. Affected customers were contacted and the theft was caught on tape.
12/08/2005 J. Sargeant Reynolds Community College
an educational institution in Richmond, Virginia
26,000 non-financial accounts compromised
The names, Social Security numbers and addresses of students taking non-credit classes from 2000 to 2003 were posted online for months. The information was compiled for a mailing list, but an employee posted it on the College’s server. A student informed officials of the mistake after accessing the information online. The College began the process of removing the information from the web.
12/12/2005 Iowa State University
an educational institution in Ames, Iowa
5,500 accounts compromised
At least one ISU computer was hacked. Social Security numbers and encrypted credit card numbers may have been obtained. Between 2,000 and 2,500 Social Security numbers are at risk and between 2,300 and 3,000 credit card numbers are at risk. Student, alumni, employee and volunteer information was put at risk.
12/20/2005 Guidance Software, Inc.
a business other than retail in Pasadena, California
3,800 accounts compromised
Charge card numbers of law enforcement officials and network security professionals were exposed when a leading provider of software used to diagnose hack attacks was itself hacked. Link is to a Washington Post article by Brian Krebs.
Guidance’s EnCase software is used by hundreds of security researchers and law enforcement agencies worldwide, including the U.S. Secret Service, the FBI and New York City police. John Colbert, the company’s chief executive officer, said Guidance alerted all of its customers less than two days after discovering the break-in, and that it would no longer store customer credit card data.
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR2005121900928.html
12/22/2005 Ford Motor Co.
a business other than retail in Dearborn, Michigan
70,000 non-financial accounts compromised
A computer containing names and Social Security numbers of current and former employees was stolen. Ford alerted those who were affected and offered to pay for their credit monitoring services.
12/25/2005 Ameriprise Financial Inc.
a Financial or Insurance Services firm in Minneapolis, Minnesota
262,000 financial accounts compromised
A laptop was stolen from an employee’s car on Christmas Eve. It contained customers’ names and Social Security numbers and, in some cases, Ameriprise account information. Around 68,000 customers had their names and Social Security numbers exposed. Around 158,000 customers had their names and internal account numbers exposed. Call (877) 267-7408
UPDATE (08/01/2006): The laptop was recovered by local law enforcement in the community where it was stolen.
UPDATE (12/11/2006): The company settled with the Massachusetts securities regulator in the office of the Secretary of State. Ameriprise agreed to hire an independent consultant to review its policies and procedures for employees’ and contractors’ use of laptops containing personal information. Ameriprise will pay the state regulator $25,000 for the cost of the investigation.
12/28/2005 Marriott International Inc.
a retail business in Orlando, Florida
206,000 financial accounts compromised
It is unclear whether backup computer tapes with credit card account information and Social Security numbers were lost or stolen from headquarters during November. Employees and time-share owners and customers were affected.
In addition to the sources cited above, the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended.