Compromises in 2010 affecting 10,000 or more
01/01/2010 collective2.com
a business other than retail in Tenafly, New Jersey
25,000 financial accounts compromised
Users of the do-it-yourself trading site collective2.com received an urgent e-mail notifying them that the company’s database had been breached by a hacker and that all users should log in and change their passwords immediately. The e-mail stated that the information accessed included names, e-mail addresses, passwords and credit card information.
01/06/2010 Eugene School District
an educational institution in Eugene, Oregon
13,000 non-financial accounts compromised
Hackers breached the security of a server containing the names, phone numbers and employee ID numbers of current and former Eugene School District employees. The server itself held no other personal information, but it was attached to servers that contain Social Security numbers and other sensitive data. It is possible that the intruders accessed names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information for current and former staff members. Contact: databreach@4j.lane.edu or (541) 790-7730.
01/12/2010 Valley Kaiser, Kaiser Permanente
a healthcare provider or servicer in Sacramento, California
15,500 non-financial accounts compromised
An electronic storage device stolen from an employee’s car in Sacramento CA last month contained health information from 15,500 patients, including about 800 in the Fresno CA area. Information included patient names, medical-record numbers and, for some individuals, ages, dates of birth, gender, phone numbers and other information related to their care and treatment.
01/14/2010 BlueCross /BlueShield (BCBST)
a healthcare provider or servicer in Chattanooga, Tennessee
451,274 non-financial accounts compromised
The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last October has put at risk the private information of approximately 500,000 customers in at least 32 states. The hard drives contained 1.3 million audio files and 300,000 video files. The files contained customers’ personal data and protected health information that was encoded but not encrypted. Data included names and BlueCross ID numbers. In some (but not all) recordings diagnostic information, date of birth, and/or a Social Security number were exposed. BCBS of TN estimates that the Social Security numbers of approximately 220,000 customers may be at risk.
UPDATE (4/29/2010): The number of plan members whose data were exposed has grown from 521,761, an estimate made in March, to nearly one million, as of April 2, according to a report issued by Mary Thompson, spokeswoman for the Tennessee Blues.
UPDATE (11/3/2010): According to a letter sent to the New Hampshire Attorney General’s Office, the total number of individuals affected was 1,023,209. BCBS used a three-tier system to categorize individuals affected by the breach. The total includes 451,274 clients whose Social Security numbers were involved, 319,325 clients whose personal and diagnostic health information was involved and 239,730 clients who had personally identifiable information that was neither medical nor their Social Security number. BlueCross Blue Shield also reported receiving fewer than 10 requests for credit restoration services from those who had their Social Security numbers exposed.
UPDATE(3/14/2012): Blue Cross Blue Shield of Tennessee (BCBST) reached a $1.5 million resolution agreement with the U.S. Department of Health and Human Services. BCBST kept the drives in a network data closet in a facility secured by a property management company. The closet was protected by biometric and keycard scanners with a magnetic lock, behind an additional door with a keyed lock. BCBST eventually vacated most of the leased office space, and the thieves appear to have taken the opportunity to remove the 57 unencrypted hard drives from the closet while the space was not fully occupied.
01/14/2010 DFAS / DDDAPS
Defense Finance and Accounting Service and the
Defense Department’s Document Automation and Production Service
Federal Government in Arlington, Virginia
18,000 non-financial accounts compromised
An error at the U.S. Department of Defense Document Automation and Production Service caused pay statements containing names and sensitive financial information about 18,000 recipients of a special pay for disabled retirees to be sent to the wrong addressees. One page of each statement, which described annual increases in Concurrent Retirement and Disability Pay, mistakenly listed another recipient’s data, including at least part of the recipient’s name, their bank or insurance company name, the amount of their allotment and the allotment type. There is no indication that any Social Security numbers, bank account numbers or phone numbers appeared on the erroneously mailed pages.
01/14/2010 Lincoln National Corporation (Lincoln Financial)
a Financial or Insurance Services firm in Radnor, Pennsylvania
1,200,000 non-financial accounts compromised
Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers. In a disclosure letter sent to the Attorney General of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source. The unidentified source sent FINRA a username and password to the portfolio management system. “This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies,” the letter says. “The sharing of usernames and passwords is not permitted under the LNC security policy.”
UPDATE(2/17/2011): Lincoln National Corporation was fined $600,000 by the Financial Industry Regulatory Authority for failing to adequately protect customer information. Failing to require brokers working remotely to install security software on personal computers led to the fine.
http://www.finra.org/Newsroom/NewsReleases/2011/P122940
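The Lincoln case turned on a single username and password passed around among employees of several companies. Shared credentials leave a recognizable trace in authentication logs: one account authenticating from many unrelated networks in a short span. The following detection is an added example (not code from the page, from Lincoln National or from FINRA); the log format and every log line in it are constructed for illustration.

```python
"""Flag accounts whose credentials appear to be shared: the same username
authenticating successfully from many distinct source addresses inside a
short window.

Added example; the log layout and all log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-application auth log: timestamp, event, user, source IP.
SAMPLE_LOG = """\
2010-01-02T08:01:10 LOGIN_OK user=portfolio_shared src=10.1.4.22
2010-01-02T08:03:41 LOGIN_OK user=portfolio_shared src=10.1.9.87
2010-01-02T08:05:02 LOGIN_OK user=jdoe src=10.1.4.22
2010-01-02T08:07:55 LOGIN_OK user=portfolio_shared src=203.0.113.5
2010-01-02T08:12:13 LOGIN_OK user=portfolio_shared src=198.51.100.77
2010-01-02T09:30:00 LOGIN_OK user=jdoe src=10.1.4.22
2010-01-02T13:45:19 LOGIN_OK user=asmith src=10.1.7.3
2010-01-02T13:46:00 LOGIN_FAIL user=asmith src=10.1.7.3
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, event, user, src)."""
    ts_text, event, user_kv, src_kv = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    return ts, event, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def shared_credential_candidates(log_text, window=timedelta(hours=1), min_sources=3):
    """Return {user: sorted source IPs} for every user with successful logins
    from at least `min_sources` distinct addresses inside one sliding `window`.

    One person rarely authenticates from three networks within an hour; a
    password handed around a team does exactly that.
    """
    logins = defaultdict(list)  # user -> [(timestamp, src), ...]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, user, src = parse_line(raw)
        if event == "LOGIN_OK":
            logins[user].append((ts, src))

    flagged = {}
    for user, events in logins.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct sources seen in the window that opens at this login.
            sources = {src for ts, src in events[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    for user, sources in shared_credential_candidates(SAMPLE_LOG).items():
        print(f"{user}: {len(sources)} distinct sources within one hour -> {sources}")
```

Tune `min_sources` and `window` to the population: a mobile workforce behind carrier NAT or a VPN concentrator will legitimately show several addresses, so treat a hit as a lead for the account owner to confirm rather than as proof of sharing. The check complements, and does not replace, a policy that issues one credential per person.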
01/18/2010 Goodwill Industries of Grand Rapids
a Non-Governmental Organization (includes non-profits) in Kentwood, Michigan
10,000 non-financial accounts compromised
A man broke into a Goodwill store and stole a safe containing thousands of names, addresses, dates of birth, and Social Security numbers.
01/21/2010 University of Missouri System
an educational institution in Columbia, Missouri
75,000 non-financial accounts compromised
About 100 people responded to an e-mail notifying students that their Social Security numbers may have been visible in the envelope window of a tax form sent by the University of Missouri System. More than 75,000 Form 1098-Ts were mailed. The four-campus system has no way of assessing how many envelopes displayed the numbers. Form 1098-T is an Internal Revenue Service form that reports tuition billed and paid. Campus Mail Services committed the folding errors.
01/28/2010 PricewaterhouseCoopers
a business other than retail in New York, New York
77,000 non-financial accounts compromised
The names, birth dates and Social Security numbers of 77,000 people were lost from the firm’s Chicago office. Those at risk of identity theft were active or inactive employees or retirees in the PERS and TRS systems in 2003-04. PricewaterhouseCoopers agreed in a settlement to pay for credit monitoring and other security measures and to cover any losses to individuals caused by its mishandling of the information. A number of people associated with the State of Alaska also had their information exposed.
01/31/2010 Iowa State Racing and Gaming Commission
State Government in Des Moines, Iowa
80,000 non-financial accounts compromised
The Iowa Racing and Gaming Commission says someone gained access to a server holding more than 80,000 records of casino employee information. The intrusion was traced back to China and was carried out from a computer using an external account. The server contains records including names, birth dates and Social Security numbers.
02/04/2010 Ceridian Corporation
a Financial or Insurance Services firm in Bloomington, Minnesota
27,000 financial accounts compromised
A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide. In a Jan. 29 letter to an affected worker obtained by the Star Tribune, Ceridian said a hacker attacked its Internet payroll system Dec. 22 and 23.
UPDATE(6/1/2011): The Federal Trade Commission reached a settlement agreement with Ceridian. According to the FTC, Ceridian did not adequately protect its network from reasonably foreseeable attacks and failed to encrypt the sensitive personal information that was stored on its network. The settlement requires the company to establish a comprehensive information security program and to undergo 20 years of independent security audits. Ceridian provides payroll and HR services.
02/06/2010 AvMed Health Plans
a healthcare provider or servicer in Gainesville, Florida
1,220,000 non-financial accounts compromised
AvMed Health Plans announced that personal information of some current and former subscribers may have been compromised by the theft of two company laptops from its corporate offices in Gainesville. The information included names, addresses, phone numbers, Social Security numbers and protected health information. The theft was immediately reported to local authorities but attempts to locate the laptops have been unsuccessful. AvMed determined that the data on one of the laptops may not have been protected properly, and approximately 80,000 of AvMed’s current subscribers and their dependents may be affected. An additional approximate 128,000 former subscribers and their dependents, dating back to April 2003, may also have been affected.
UPDATE (06/03/2010): The theft of the laptops compromised the identity data of 860,000 more Avmed members than originally thought. The total now nears 1.1 million.
UPDATE (11/17/2010): Five AvMed Health Plans customers filed a class-action lawsuit against the health insurer on behalf of the 1.2 million people who were affected by the breach. At least two of them believe that their personal information was misused as a result of this particular breach.
UPDATE (09/24/2012): An appeals court ruled that the plaintiffs were “explicitly” able to prove a link between the breach and ID theft they incurred. The case had been thrown out by a lower court in August 2011, but the appeal ruling may allow victims of identity theft to make it easier to prove that the identity theft was caused by a data breach.
UPDATE(09/05/2013): AvMed Inc. agreed to settle with customers who were affected by the 2009 data breach on September 3, 2013.
UPDATE(10/29/2013): AvMed will pay $3 million.
UPDATE (3/6/2014): “Last week, a judge for the Southern District of Florida gave final approval to a settlement between health insurance provider AvMed and plaintiffs in a class action stemming from a 2009 data breach of 1.2 million sensitive records from unencrypted laptops. The settlement requires AvMed to implement increased security measures, such as mandatory security awareness training and encryption protocols on company laptops. More notably, AvMed agreed to create a $3 million settlement fund from which members can make claims for $10 for each year that they bought insurance, subject to a $30 cap (class members who experienced identity theft are eligible to make additional claims to recover their monetary losses)”.
02/06/2010 University of Texas, El Paso
an educational institution in El Paso, Texas
15,000 non-financial accounts compromised
University of Texas at El Paso is notifying students that their Social Security numbers were visible when their tax forms were sent out. The University notified 15,000 students but they don’t know exactly how many students were affected. UTEP blames a glitch in a machine used to fold letters when student forms were sent out. Some of the forms were folded in such a way that the document shifted on the envelope and allowed for the Social Security numbers to be visible through the mailing window on the envelope.
02/09/2010 California Department of Health Care Services
State Government in Sacramento, California
50,000 non-financial accounts compromised
The personal information of nearly 50,000 people may have been exposed by the California Department of Health Care Services. Social Security numbers were printed on the address labels of letters mailed by the department. State employees mistakenly included the numbers in a list of patient addresses, and the list was sent to an outside contractor that printed and mailed the envelopes.
02/19/2010 Valdosta State University
an educational institution in Valdosta, Georgia
170,000 non-financial accounts compromised
A Valdosta State server that was reported as being breached could have exposed the information of up to 170,000 students and faculty. Valdosta State officials reported the discovery of a breach on Dec. 11 and estimated it began on Nov. 11. The university said the grades and Social Security numbers of up to 170,000 students and faculty were exposed in the breach.
[ http://www.valdosta.edu/notify ]
02/24/2010 Citigroup
a Financial or Insurance Services firm in New York, New York
600,000 non-financial accounts compromised
About 600,000 Citigroup customers got a shock earlier this month when they received their annual tax documents with their Social Security numbers printed on the outside of the envelope. The digits were not identified as a Social Security number, and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a mail routing number.
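Both the DHCS and Citigroup mailings failed in the same place: a data file handed to a print process carried a Social Security number in a field that ends up on the outside of the envelope. A pre-flight check on the export catches that before the vendor runs the job. The check below is an added example (not code from the page or from either organization); the record layout, the field names and every record in it are constructed.

```python
"""Pre-flight check for a mailing file: refuse to release an address export to
a print vendor if any field that will be printed on the envelope contains a
value shaped like a Social Security number.

Added example; the column layout and all records are constructed.
"""
import csv
import io
import re

# Fields that land on the outside of the envelope in this constructed layout.
ENVELOPE_FIELDS = ("name", "address1", "address2", "city", "state", "zip", "routing_line")

# 9 digits, either unbroken or grouped 3-2-4 with consistent dashes, and not
# part of a longer digit run. The backreference means "95814-1234" (ZIP+4)
# does NOT match, while "123-45-6789" and "987654321" do.
SSN_RE = re.compile(r"(?<!\d)\d{3}(-?)\d{2}\1\d{4}(?!\d)")

# Constructed export: a clean record with a ZIP+4, a record with an SSN that
# leaked into address2, and a record with an SSN buried in a routing-style
# footer line of the kind that resembles a mail routing number.
SAMPLE_EXPORT = """\
member_id,name,address1,address2,city,state,zip,routing_line
1001,A. Example,100 Main St,,Sacramento,CA,95814-1234,BATCH 0142 SEQ 00031
1002,B. Example,200 Oak Ave,123-45-6789,Fresno,CA,93721,BATCH 0142 SEQ 00032
1003,C. Example,300 Pine Rd,,Chattanooga,TN,37402,0142 987654321 SEQ 00033
"""


def ssn_like_fields(record, fields=ENVELOPE_FIELDS):
    """Names of the envelope fields in `record` holding an SSN-shaped value."""
    return [f for f in fields if SSN_RE.search(record.get(f) or "")]


def check_mailing_file(csv_text, id_field="member_id"):
    """Scan every record; return [(record id, offending fields), ...].

    An empty list means the batch may be released. A 9-digit ZIP+4 written
    without its dash would be reported too; that is deliberate, since a human
    should confirm it is a postal code and not an SSN before the job runs.
    """
    findings = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        offending = ssn_like_fields(record)
        if offending:
            findings.append((record[id_field], offending))
    return findings


if __name__ == "__main__":
    problems = check_mailing_file(SAMPLE_EXPORT)
    if problems:
        print("HOLD batch: SSN-shaped values in envelope fields")
        for record_id, fields in problems:
            print(f"  record {record_id}: {fields}")
    else:
        print("Batch clear")
```

Run it as the last gate before the file leaves the organization, on the exact file the vendor receives, not on the source table: the DHCS leak happened in the step that built the address list, and the Citigroup digits were not labelled as an SSN at all, so only the rendered output tells you what will be visible.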
02/28/2010 Wyndham Hotels & Resorts
a business other than retail in Dallas, Texas
500,000 financial accounts compromised
International hotel group Wyndham Hotels and Resorts (WHR) has suffered another data breach after hackers broke into its computer systems, stealing customer names and payment card information. 37 hotels under Wyndham’s hotel group were affected. An open letter on 5/18/2010 from Wyndham to its customers [ http://www.wyndhamworldwide.com/customer_care/data-claim.cfm ].
UPDATE(06/26/2012): The FTC filed a complaint against Wyndham Hotels for failure to protect the personal information of consumers. Wyndham Hotels and three of its subsidiaries are accused of data security failures that led to three data breaches at Wyndham hotels between 2009 and 2011. The FTC says those failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud losses, and the export of hundreds of thousands of consumers’ payment card account numbers to an internet domain registered in Russia.
UPDATE(08/30/2012): Wyndham Hotel & Resorts LLC is contending that the FTC lacks the authority to regulate private companies’ data security practices. Wyndham motioned to dismiss the FTC’s Arizona federal court case with this assertion.
UPDATE (06/25/2014): On June 23, in an unpublished opinion, the U.S. District Court for the District of New Jersey held that the FTC had sufficiently alleged that several Wyndham Hotels entities operated as a common enterprise in its data security enforcement action. In a second unpublished opinion the same day, Judge Esther Salas allowed Wyndham Hotels and Resorts LLC an interlocutory review of portions of the court’s earlier April 7 opinion, which had denied the company’s separate motion to dismiss (FTC v. Wyndham Worldwide Corp., 2014 BL 174519, D.N.J., No. 2:13-cv-01887, unpublished opinion 6/23/14).
March 2010 Village View Escrow Inc
A real estate escrow firm in Redondo Beach, California
Just one account was breached, theirs.
It cost them over $450,000 and maybe the company.
Via an e-mail purporting to come from “UPS”, the crooks planted a malicious program that installed a password stealer. With the stolen online-banking credentials they eventually sent 26 wire transfers to 20 locations worldwide; none of the recipients had any existing business with Village View. More on the story from Brian Krebs.
Businesses may have little legal recourse when their credentials are compromised and used to make wire transfers. See Who Loses for more. Information at the top describes how to better guard other people’s money.
03/02/2010 Shands at UF
a healthcare provider or servicer in Gainesville, Florida
12,500 non-financial accounts compromised
Shands at UF sent notification letters to about 12,500 people Monday warning them that a laptop containing their personal and medical information was stolen. An employee had uploaded the information onto his home laptop for work-related purposes. The laptop held information about patients referred to the gastroenterology clinical services department. Included were names, addresses, medical record numbers, and in the case of 650 patients, Social Security numbers.
03/05/2010 Arkansas Army National Guard
Military in Camp Robinson, Arkansas
35,000 non-financial accounts compromised
An external hard drive has gone missing. Approximately 35,000 current and former members of the Arkansas Army National Guard are affected by the loss. The drive included names, Social Security numbers and other personal information which potentially places the affected soldiers at risk for identity theft. The drive was recovered and destroyed about two months later. A soldier had used the device as a personal backup of his work related information which included a copy of the Guard’s personnel database containing personal information on all soldiers who have served in the Arkansas Army National Guard since 1991, almost 20 years of data.
03/13/2010 Beer and Wine Hobby
a retail business in Woburn, Massachusetts
35,000 financial accounts compromised
Personal information may have been accessed during a breach of Beer and Wine Hobby’s computer system. The personal information included partial credit card numbers.
03/17/2010 Choice Escrow and Land Title LLC
a retail business in Springfield, Missouri
Just one account was compromised, their own
Hackers compromised the firm’s online banking credentials and made a single wire transfer of $440,000 to a bank account in the Republic of Cyprus. Choice Escrow sued its bank, BancorpSouth Inc. of Tupelo, Mississippi. Who is responsible for this cyber heist? See Who Loses? for more.
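The two escrow-firm heists above share a signature that neither firm nor bank acted on: a normally quiet account suddenly wiring money to beneficiaries it had never paid, mostly abroad, in a single session. The scoring below is an added example of the out-of-pattern check a bank or a business’s own treasury review could run before release (not code from the page, from either firm or from their banks); the 90-day history, the suspect batch and every beneficiary in them are constructed.

```python
"""Out-of-pattern check for outbound wires from a small-business account.

Added example; the history, the suspect batch and all names are constructed.
"""
from collections import Counter
from datetime import date

# Constructed 90-day history of outbound wires: (date, beneficiary, country, amount in USD).
HISTORY = [
    (date(2010, 1, 5), "Title Co A", "US", 182000),
    (date(2010, 1, 19), "Title Co B", "US", 96500),
    (date(2010, 2, 2), "Title Co A", "US", 210000),
    (date(2010, 2, 23), "Lender C", "US", 54000),
]

# Constructed batch submitted in one session after the credentials were stolen.
SUSPECT_BATCH = [
    (date(2010, 3, 9), "R. Mule", "US", 9800),
    (date(2010, 3, 9), "Import Co", "LV", 48000),
    (date(2010, 3, 9), "Title Co A", "US", 175000),
    (date(2010, 3, 9), "Export Ltd", "CY", 440000),
]


def known_beneficiaries(history):
    """Everyone this account has ever paid."""
    return {wire[1] for wire in history}


def score_wire(wire, known, home_country="US", prior_max=0):
    """Reasons one wire is out of pattern; an empty list means it looks routine."""
    _, beneficiary, country, amount = wire
    reasons = []
    if beneficiary not in known:
        reasons.append("new beneficiary")
    if country != home_country:
        reasons.append(f"foreign destination ({country})")
    if prior_max and amount > prior_max:
        reasons.append(f"amount {amount} exceeds prior max {prior_max}")
    return reasons


def review_batch(batch, history, max_new_per_day=1):
    """Flag each suspicious wire, plus the batch itself when one day introduces
    more new beneficiaries than the business tolerates (default: one)."""
    known = known_beneficiaries(history)
    prior_max = max(wire[3] for wire in history)
    flagged = {}
    for wire in batch:
        reasons = score_wire(wire, known, prior_max=prior_max)
        if reasons:
            flagged[wire[1]] = reasons
    new_per_day = Counter(wire[0] for wire in batch if wire[1] not in known)
    if new_per_day and max(new_per_day.values()) > max_new_per_day:
        flagged["_batch"] = [f"{max(new_per_day.values())} new beneficiaries in one day"]
    return flagged


if __name__ == "__main__":
    for target, reasons in review_batch(SUSPECT_BATCH, HISTORY).items():
        print(f"{target}: {'; '.join(reasons)}")
```

The point of the batch-level rule is that the individual mule payments are small and domestic on purpose; only the count of first-time recipients in one session gives them away. Hits should hold the wires for out-of-band confirmation with a known contact at the business, not an e-mail or a call-back to a number supplied in the same session.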
03/23/2010 Connecticut Office of Policy and Management
State Government in Hartford, Connecticut
11,000 non-financial accounts compromised
Police are investigating the theft of personal information including Social Security numbers, names and addresses from as many as 11,000 people who had applied for furnace rebate programs with the state. The investigation by Hartford and state police has led them to a woman who worked at the state Office of Policy and Management from May 2008 until May 2009. There have been no arrests. The state collected Social Security numbers because the refunds are federally taxable and the state was required to send a 1099 tax form to the recipients.
03/26/2010 Educational Credit Management Corporation
a Financial or Insurance Services firm in St. Paul, Minnesota
3,300,000 non-financial accounts compromised
ECMC, a guarantor of federal student loans, said that a theft has occurred from its headquarters involving portable media with personally identifiable information. The data was in two stolen safes and contained information on approximately 3.3 million individuals and included names, addresses, dates of birth and Social Security numbers. No bank account or other financial account information was included in the data.
UPDATE (4/16/2010): The information was recovered shortly after the theft and discovered weeks later in a police evidence room.
03/29/2010 University MRI Diagnostic Center, Holy Cross Hospital, North Ridge Medical Center, and Oncology and Hematology Associates of West Broward
a healthcare provider or servicer in Florida
40,000 financial accounts compromised
Two former employees of these organizations were involved in an identity theft scheme with at least three other partners. Thousands of victims have been confirmed. The employees had access to emergency room patient records such as names, dates of birth, Social Security numbers, Medicare numbers, and addresses. The stolen information was used by others to obtain Care Credit accounts and Chevron Visa credit cards. Victims lost a total of approximately $162,000. People in Fort Lauderdale, Aventura and Tamarac, Florida were affected. The hospital’s information hotline is (800) 388-4301.
04/12/2010 Kern County Employee’s Retirement Association
County Government in Bakersfield, California
37,000 non-financial accounts compromised
A former employee was convicted of using the Social Security number of a member to create a false identity. The county employee opened a line of credit and had committed felonies before being hired at KCERA in a position with access to retirees’ personal information.
04/16/2010 Blue Cross and Blue Shield of Rhode Island (BCBSRI)
a healthcare provider or servicer in Providence, Rhode Island
12,000 non-financial accounts compromised
A filing cabinet containing survey information from approximately 12,000 BlueCHIP for Medicare members was donated to a local nonprofit organization. The surveys were from 2001 to early 2004 and contained information such as names, Social Security numbers, telephone numbers, addresses and Medicare Identification numbers.
04/21/2010 US Army Reserve
Military in Fort Totten, New York
12,000 non-financial accounts compromised
The Army is warning about 12,000 military and civilian personnel once associated with a reserve command based at Fort Totten to check their credit records, after discovering that it cannot locate files containing information that could make them vulnerable to identity theft. The records cover reservists from Long Island, New York City and upstate who were assigned to the 77th Regional Readiness Command and its subordinate units from 2001 until the unit was absorbed by the 99th Regional Support Command in 2008. The files were discovered missing when the new command asked for an accounting of the old unit’s records. They could have been burned, shredded or stolen.
04/21/2010 Affinity Health Plan
a healthcare provider or servicer in Bronx, New York
409,262 non-financial accounts compromised
Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers and employees that their personal data might have been exposed through the loss of an unerased digital copier hard drive. Personal records were found on the hard drive of a copier located in a New Jersey warehouse; the copier had previously been leased by Affinity and then returned to the leasing company. Affinity Health Plan says it has not had a chance to review the data found on the copier. The 409,262 notifications cover former and current employees, providers, job applicants, members, and applicants for coverage.
UPDATE(08/15/2013): Affinity Health Plan will pay more than $1.2 million in HIPAA violations as a result of the breach.
04/29/2010 St. Jude Heritage Medical Group
a healthcare provider or servicer in Orange, California
20,000 non-financial accounts compromised
20,000 patients may have had their personal information stolen after a break-in at the St. Jude Heritage Healthcare Clinical Management Services building in Fullerton. The thieves stole five computers. The stolen patient data included Social Security numbers, dates of birth and, in some cases, health-related information. Information line: (800) 627-8106.
04/30/2010 Our Lady of Peace
a healthcare provider or servicer in Louisville, Kentucky
24,600 non-financial accounts compromised
A flash drive containing personal information on 24,600 patients is missing from Our Lady of Peace psychiatric hospital. The drive contained the following information on patients admitted since 2002: patient names, room numbers, insurance company names and admission and discharge dates. It didn’t include diagnoses or treatments, Social Security numbers, dates of birth, telephone numbers or addresses for these patients. The drive also included the following information on patients assessed since 2009 but never admitted: name, date of assessment, date of birth and the time they left the hospital. For these patients, the information on the drive didn’t include diagnoses or treatments, Social Security numbers, telephone numbers, addresses or insurance information.
05/04/2010 Millennium Medical Management Resources
a healthcare provider or servicer in Westmont, Illinois
180,111 non-financial accounts compromised
Health records belonging to patients were stolen in a break-in at the Westmont office of Millennium Medical Management Resources. The records were on a portable hard drive, which Millennium believes contained personally identifiable information about EHP patients, including name, address, phone number, date of birth and Social Security number, and in some cases diagnosis, procedure (and/or procedure codes), medical record number, account number, driver’s license number and health insurance information. The drive was NOT encrypted.
05/13/2010 Army Reserve / Serco Inc.
Military in Morrow, Georgia
207,000 non-financial accounts compromised
A laptop containing the names, addresses and Social Security numbers of more than 207,000 Army reservists was stolen from a government contractor in Georgia. A CD-ROM holding the personally identifiable information was in one of three laptops stolen from the Morrow, Ga., offices of Serco Inc., a government contractor based in Reston, Va. The other laptops did not contain sensitive personal information. Serco had a contract with the U.S. Army’s Family and Morale, Welfare and Recreation Division, so some of the stolen information could also belong to reservists’ family members.
05/17/2010 Silicon Valley Eyecare Optometry and Contact Lenses
a healthcare provider or servicer in Santa Clara, California
40,000 non-financial accounts compromised
A computer and a plasma TV were stolen from the office on Friday, April 2, 2010. The server contained patient names, addresses, phone numbers, e-mail addresses, birth dates, family member names, medical insurance information, medical records and, in some cases, Social Security numbers. The data were password protected, which, unless the disk was also encrypted, does not prevent the data being read from a stolen machine.
05/28/2010 Cincinnati Children’s Hospital Medical Center
a healthcare provider or servicer in Cincinnati, Ohio
61,000 non-financial accounts compromised
A laptop containing the names, medical record numbers, and medical services provided of patients was stolen from an employee’s car while it was parked at his or her home. As a precaution, no additional laptops will be allowed outside the hospital unless they are encrypted.
06/03/2010 Penn State
an educational institution in University Park, Pennsylvania
40,806 non-financial accounts compromised
The Pennsylvania State University sent data breach notification letters to 15,806 individuals who at one time had their personal information, including Social Security numbers, stored in a university database. Penn State issued a press release on Wednesday informing the university community that a computer in its Outreach Market Research and Data office had been found actively communicating with a botnet command-and-control server. According to the statement, the database used by the office had previously contained Social Security numbers. The university, which discontinued use of SSNs for identification in 2005, nevertheless found that an archived copy of the information had gone undetected in the computer’s cache.
UPDATE (6/8/2010): An additional 25,000 individuals may have been affected.
06/04/2010 Digital River Inc.
a Financial or Insurance Services firm in Eden Prairie, Minnesota
200,000 non-financial accounts compromised
A massive data theft from the e-commerce company Digital River Inc. has led investigators to hackers in India and a 19-year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars. The Eden Prairie company obtained a secret court order last month to block Eric Porat of Brooklyn from selling, destroying, altering or distributing purloined data on nearly 200,000 individuals. Digital River suspects that the information was stolen by hackers in New Delhi, India, possibly with help from a contractor working for Digital River.
06/09/2010 TennCare, New Mexico Human Services Department
a healthcare provider or servicer in Chicago, Illinois
21,000 non-financial accounts compromised
An employee of a subcontractor, West Monroe Partners, was robbed of a laptop containing information belonging to DentaQuest, a Medicaid dental benefits administrator for the New Mexico Human Services Department and TennCare. Around 21,000 people had their full names and Social Security numbers on the stolen laptop, and approximately 55,000 others had some other form of personal information on it. The theft affects people in Tennessee and New Mexico: around 9,600 from New Mexico and over 10,000 from Tennessee.
06/09/2010 Apple Inc., AT&T
a retail business in Cupertino, California
120,000 non-financial accounts compromised
A security breach has exposed iPad owner information. Dozens of CEOs, military officials, and top politicians may have been affected. They, and every other buyer of the cellular-enabled tablet, could be vulnerable to spam marketing and malicious hacking. The breach exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel’s information was compromised. It doesn’t stop there. According to the data given by the web security group that exploited vulnerabilities on the AT&T network, 114,000 user accounts have been compromised, although it’s possible that confidential information about every iPad 3G owner in the U.S. has been exposed.
The Hack: http://online.wsj.com/article/SB10001424052748704312104575299111189853840.html
UPDATE(01/18/2011): Chat logs of the accused iPad hackers were turned over to investigators. It appears that two men used an “account slurper” to conduct a “brute force” attack that lasted five days and extracted data on iPad users who accessed the Internet through AT&T’s 3G network. Each of the two men was charged with one count of conspiracy to access a computer without authorization and one count of fraud.
UPDATE(06/23/2011): One of the people responsible for writing the malicious code used to breach AT&T’s computer servers pleaded guilty to his part in the attack.
UPDATE(11/20/2012): The second person responsible for discovering and exploiting a security weakness was found guilty. AT&T iPad subscribers had their emails exposed because of the security issue.
UPDATE(03/19/2013): One of the conspirators was sentenced to 41 months in prison for identity theft and conspiracy to gain unauthorized access to computers.
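A brute-force “slurper” of the kind described above only works when two things hold: the identifier it guesses is dense and predictable, and the server treats possession of that identifier as proof of ownership, answering with the account’s e-mail address. The model below is an added example (not code from the page, from AT&T or from the people charged) that shows the enumeration loop against such a lookup and then the same lookup hardened; the 8-digit identifiers, the addresses and the endpoint shape are all constructed.

```python
"""Model of the account-slurper pattern: an endpoint mapping a guessable
sequential device identifier to an account e-mail, the brute-force loop
that harvests it, and a hardened version of the same lookup.

Added example; identifiers, addresses and endpoint shape are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed subscriber table keyed by sequential 8-digit device identifiers.
SUBSCRIBERS = {
    "89014100": "alpha@example.net",
    "89014101": "bravo@example.net",
    "89014103": "charlie@example.net",
}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


# --- vulnerable: knowing the identifier is treated as owning the account ------
def vulnerable_lookup(device_id):
    """Return the e-mail for a device identifier, no further proof required."""
    return SUBSCRIBERS.get(device_id)


def slurp(lookup, start, count):
    """The attacker's loop: walk a contiguous identifier range, keep every hit."""
    hits = {}
    for n in range(start, start + count):
        email = lookup(str(n))
        if email:
            hits[str(n)] = email
    return hits


# --- hardened ------------------------------------------------------------------
def device_token(device_id):
    """Unguessable per-device secret issued to the client at provisioning time.
    Derived here with HMAC so the example needs no token database."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


class HardenedLookup:
    """Requires the per-device token and stops answering a caller after repeated failures."""

    def __init__(self, max_failures=5):
        self.failures = {}  # caller -> count of failed lookups
        self.max_failures = max_failures

    def lookup(self, caller, device_id, token):
        if self.failures.get(caller, 0) >= self.max_failures:
            return None  # throttled: this caller gets nothing, valid or not
        expected = device_token(device_id)  # computed for unknown ids too (no timing tell)
        if device_id in SUBSCRIBERS and hmac.compare_digest(expected, token):
            return SUBSCRIBERS[device_id]
        self.failures[caller] = self.failures.get(caller, 0) + 1
        return None


def hardened_slurp(start, count, caller="attacker"):
    """Same enumeration loop against the hardened endpoint, without any token."""
    endpoint = HardenedLookup()
    hits = {}
    for n in range(start, start + count):
        email = endpoint.lookup(caller, str(n), "0" * 64)
        if email:
            hits[str(n)] = email
    return hits


if __name__ == "__main__":
    print("vulnerable:", slurp(vulnerable_lookup, 89014100, 10))
    print("hardened:  ", hardened_slurp(89014100, 10))
```

The throttle is the lesser half of the fix: an attacker with many source addresses spreads the guesses out, and the page notes the real attack ran for five days. What actually closes the hole is refusing to key a public lookup on an identifier that anyone can enumerate, so that knowing the number is worth nothing without the per-device secret.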
06/13/2010 Butler County Department of Job and Family Services
County Government in Middle, Ohio
10,600 non-financial accounts compromised
The Agency learned in 2008 that confidential records were being left in public dumpsters without being shredded. Documents from Medicaid, Food Stamps, Ohio Works First, and child care programs included information such as Social Security number, name, address, phone number and pay stub. The agency failed to notify those who were affected.
06/17/2010 Ocean Lakes High School
an educational institution in Virginia Beach, Virginia
11,388 non-financial accounts compromised
Because of an incorrect security setting, an Ocean Lakes High School student was able to access a temporary file on a server that contained the names, addresses and Social Security numbers of students at 22 schools. The breach was discovered when the student tried to print some of the information in the school library. In addition to names, addresses and Social Security numbers, the student files also contain parent names, phone numbers, class schedules, birth dates and student ID numbers. Schools whose records may have been accessed: Advanced Technology Center, Corporate Landing Middle School, Creeds Elementary School, Fairfield Elementary School, Indian Lakes Elementary School, Kellam High School, Kingston Elementary School, Landstown Middle School, Linkhorn Park Elementary School, Lynnhaven Middle School, New Castle Elementary School, Ocean Lakes Elementary School, Ocean Lakes High School, Red Mill Elementary School, Renaissance Academy, Rosemont Elementary School, Salem Elementary School, Technical & Career Education Center, Thalia Elementary School, Three Oaks Elementary School, Windsor Oaks Elementary School. The figure of 11,388 students is taken from the schools listed on the Virginia Beach City County Public Schools page of publicschoolreview.com.
06/23/2010 Florida International University
an educational institution in Miami, Florida
19,495 non-financial accounts compromised
Florida International University is in the process of sending notification letters to 19,407 students and 88 faculty members after the university’s IT Security Office discovered personal data may have been exposed over the internet via a database’s external search function. An announcement posted on the FIU website lists the personal data as GPAs, test scores, and Social Security numbers that were stored on the College of Education’s E-Folio software app. This database kept track of student data related to state mastery standards, grade tracking, assignments, and Social Security numbers for both students and faculty.
06/23/2010 Anthem Blue Cross, WellPoint
a healthcare provider or servicer in Pasadena, California
470,000 financial accounts compromised
More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information might have been accessed during a security breach of the company’s website. Only customers who had pending insurance applications in the system are being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed. Anthem Blue Cross merged with WellPoint in 2004.
UPDATE (6/29/2010): Around 470,000 customers in 10 states were notified of the breach. The original story states that only applicants were affected, but existing customers also received notification of a possible breach of their information.
UPDATE (7/12/2010): 20,000 Louisville, Kentucky residents received notification that a security mistake online resulted in the exposure of their Social Security numbers and financial information. It is unclear whether these residents are included in the original 470,000 customers. Only customers who were self insured were affected. WellPoint is claiming that this and other recent breaches were committed by an attorney or attorneys attempting to gain information for a lawsuit against WellPoint.
UPDATE (9/17/2010): An Anthem applicant whose information was exposed by the breach filed a lawsuit against Anthem at the Los Angeles County Superior Court. The lawsuit claims that the breach exposed applicants and clients to identity theft. An applicant behind the lawsuit is seeking class action status.
UPDATE (10/29/2010): The office of the Attorney General of Indiana is suing WellPoint Inc. because of the company’s delay in notifying customers of the breach. WellPoint is accused of violating an Indiana law that requires businesses to provide notification of breaches in a timely manner and faces $300,000 in fines. State officials believe WellPoint was aware of the exposure in late February, but waited until June to notify customers.
UPDATE(7/5/2011): WellPoint Inc. will pay Indiana a $100,000 settlement for violating a 2009 data breach notification law. Customer data was accessible between October 23, 2009 and March 8, 2010. One or more consumers informed WellPoint of the problem on February 22, 2010 and again on March 8, 2010. WellPoint began notifying consumers on June 18, 2010.
UPDATE(07/13/2013): About 612,000 individuals may have had their names, Social Security numbers, dates of birth, addresses, telephone numbers, health information, and other electronic protected health information exposed. WellPoint paid HHS $1.7 million in fines.
06/25/2010 University Hospital
a healthcare provider or servicer in Augusta, Georgia
13,000 non-financial accounts compromised
Two backup tapes containing personal information have gone missing. The hospital does not suspect theft and believes there is a very low probability that the personal information on the tapes can be misused; credit monitoring services are nonetheless being offered to those affected. The hospital gave up looking for the tapes on May 7 and began notifying patients in late June. Per a phone interview with University Hospital, Social Security numbers were involved, but the hospital is unaware of any financial data involved in this breach.
06/30/2010 Lincoln Medical and Mental Health Center
a healthcare provider or servicer in Bronx, New York
130,495 non-financial accounts compromised
Multiple CDs containing patient personal information were lost in transit by FedEx. Information included dates of birth, driver’s license numbers, descriptions of medical procedures, addresses, and Social Security numbers. Siemens Medical Solutions USA, the Hospital’s billing contractor, shipped the CDs around March 16th. They were never received.
07/04/2010 AMR Corporation
a business other than retail in Fort Worth, Texas
79,000 non-financial accounts compromised
American Airlines’ parent company said Friday that the personal information of about 79,000 retirees, former and current employees has been compromised after a hard drive was stolen from its Fort Worth headquarters. No customer data was affected. The data was held by the company’s pension department. The drive contained images of microfilm files, which included names, addresses, dates of birth, Social Security numbers and a “limited amount” of bank account information. Some health insurance information may also have been included, mostly enrollment forms, but also details about coverage, treatment and other administrative information. The data spans the period from 1960 to 1995. AMR also believes some of the employee files contained information on beneficiaries, dependents and other employees from 1960 to 1995.
07/06/2010 DentaQuest
a healthcare provider or servicer in Chicago, Illinois
76,000 non-financial accounts compromised
In a statement datelined Nashville, DentaQuest reported that the laptop theft occurred March 20 in Chicago and that it was informed of the incident in April. DentaQuest reported that the laptop contained a database holding the personal information of approximately 76,000 clients. The contractor advised that most of the data is not considered sensitive, but the device did contain the first names, last names and Social Security numbers of about 21,000 individuals. Some 10,500 are Tennessee residents.
07/07/2010 Massachusetts Secretary of State, Securities Division
State Government in Boston, Massachusetts
139,000 non-financial accounts compromised
The Massachusetts Secretary of State’s office accidentally released confidential personal information earlier this year on 139,000 investment advisers registered with the state. The data, including the advisers’ Social Security numbers, were on a CD-ROM sent to IA Week, an investment industry publication that had requested public information from the Securities Division. IA Week had asked for a list of registered investment companies; the Securities Division responded by sending a list of individual investment professionals. In addition to their names and Social Security numbers, this list included their dates and locations of birth, height, weight, hair color and eye color.
07/07/2010 University of Hawaii
an educational institution in Honolulu, Hawaii
53,000 non-financial accounts compromised
53,000 people may have had their personal information exposed after a breach of the University of Hawaii computer system was discovered. The university released a statement that more than 40,000 Social Security numbers and 200 credit card numbers were part of the exposed information, which was housed on a computer server used by the campus parking office.
07/09/2010 Emily Morgan Hotel
a business other than retail in San Antonio, Texas
17,000 financial accounts compromised
Identity thieves obtained stacks of credit card receipts from one of the hotel’s storage rooms in 2006. Hundreds of thousands of dollars in fraudulent charges were then made in three different states. Investigators first became aware of a large identity theft issue in the area during the beginning of 2009.
UPDATE(12/4/2010): The ringleader pleaded guilty to ID theft fraud conspiracy, access device fraud and conspiracy to launder money. Seven other co-conspirators have been identified.
UPDATE (4/7/2011): A former hotel worker faces up to 22 years in prison for stealing customer information and using it to go on a shopping spree. In 2006, the former employee used credit card receipts from the Emily Morgan hotel in downtown San Antonio to make fraudulent charges totaling $300,000. This appears to be one of the largest cases in Alamo City’s history. The accused former employee pleaded guilty to three charges and is scheduled to be sentenced in July.
07/12/2010 Marsh and Mercer
a Financial or Insurance Services firm in Washington, District Of Columbia
378,000 non-financial accounts compromised
The insurance broker and benefits consulting firm reported the loss of a backup tape during transport. The tape contained employee benefits information for companies that used Marsh and Mercer for consultation. Names, addresses, Social Security numbers, dates of birth, account information and driver’s license numbers were on the tape. Marsh and Mercer’s Seabury and Smith, Inc. and Mercer Health and Benefits LLC operations were involved. The list of known organizations with affected employees includes Idaho Power, Saint Luke’s Health System and Saint Alphonsus Regional Medical Center. The location is listed as Seabury and Smith’s office.
UPDATE (8/9/2010): Three hundred current and former Boise, Idaho city employees were also affected.
UPDATE (8/26/2010): The Idaho Power website revealed that around 5,000 employees were affected, and a total of 375,000 individuals from other organizations were affected.
07/12/2010 Connecticut Department of Education
State Teachers’ Retirement Board
State Government in Hartford, Connecticut
58,000 non-financial accounts compromised
An encrypted flash drive containing 2007-2008 Connecticut Teachers’ Retirement Board member annual statement data has been lost or stolen. Because the drive was encrypted, it is unlikely that outside parties could read the pension and employment credit data. The total number of retirees exposed to ID theft was reported as 58,000.
07/14/2010 Oregon State University
an educational institution in Corvallis, Oregon
34,000 non-financial accounts compromised
A University computer containing personal information of current and former employees was found to be infected by a virus. Employee records from 1999 to 2005 contained Social Security numbers.
07/14/2010 Blue Cross Blue Shield Association
a healthcare provider or servicer in Chicago, Illinois
15,000 non-financial accounts compromised
An error in the quarterly address update process resulted in the mailing of approximately 15,000 individuals’ protected health information to incorrect addresses. The information in the letters included demographic information, explanation of benefits, clinical information, and diagnoses. The returned mail was collected and the organization verified whether or not it had been delivered.
07/16/2010 Buena Vista University
an educational institution in Storm Lake, Iowa
93,000 non-financial accounts compromised
Someone gained unauthorized access to a BVU database. The database contained records of names, Social Security numbers, and driver’s license numbers of BVU applicants, current and former students, parents, current and former faculty and staff, alumni and donors. These records go back as far as 1987.
07/20/2010 South Shore Hospital, Active Data Solutions
a healthcare provider or servicer in South Weymouth, Massachusetts
800,000 financial accounts compromised
Computer files containing personal, health and financial information of volunteers, patients, vendors, business partners and employees from January 1996 through January 2010 may have been lost by a professional data management company. Depending on the person’s association with the hospital, the information exposed could be full name, address, phone number, date of birth, Social Security number, driver’s license number, medical record number, patient number, bank account information, credit card number, diagnoses and treatment.
UPDATE (9/10/2010): Archive Data Solutions (formerly Iron Mountain Data Products) was revealed to be the company responsible for disposing of South Shore Hospital’s records. Archive Data Solutions subcontracted the process to Graham Magnetics, who then lost the tapes in shipping. The tapes may also have held patient information from Harbor Medical Associates and patient and vendor information from South Shore Physician Hospital Organization. After investigating the incident, the hospital decided not to mail notices or offer credit monitoring and identity theft services to those who may have been affected by the loss. It determined that the risk of the data being accessed was extremely low and that notifications inside the hospital, on websites, via email and in newspapers would be enough. The Attorney General’s office of Massachusetts has spoken out against the hospital’s decision to skip these precautions.
UPDATE(5/24/2012): South Shore Hospital will pay $750,000 to settle HIPAA violation and state law charges. The breach involved the loss of two of three boxes containing 473 unencrypted back-up computer tapes with sensitive information sometime between February 2010 and June 2010. The settlement consists of a $250,000 civil penalty and a $225,000 payment to an education fund, to be used by the Attorney General’s Office to promote education on the protection of personal information and protected health information; South Shore Hospital was credited $275,000 to reflect the cost of security measures it had already taken after the breach.
[ http://www.southshorehospital.org/news/notice/news_statement.htm ]
07/21/2010 Lincoln National Life Insurance
a Financial or Insurance Services firm in Radnor, Pennsylvania
26,840 financial accounts compromised
A vendor printed a user name and password for agents and authorized brokers in a brochure. The brochure was also posted on an agent’s public website. The login information enabled access to a website containing medical records and other personal information from individuals seeking life insurance. Applicant names, Social Security numbers, addresses, policy numbers, driver’s license numbers and credit information were also on the website.
07/22/2010 Colorado Department of Health Care Policy and Financing
State Government in Denver, Colorado
105,470 non-financial accounts compromised
A hard drive containing personal information for clients enrolled in state-provided health insurance was stolen from the Colorado Office of Information Technology. The information included names, state ID number and the name of the client’s program. The Agency is certain that contact information, financial information and Social Security numbers were not involved.
07/23/2010 Thomas Jefferson University Hospitals
an educational institution in Philadelphia, Pennsylvania
21,000 non-financial accounts compromised
A password-protected laptop was stolen from the office of an employee on June 14. The computer should not have contained protected health information, but did. It also contained the name, birth date, gender, ethnicity, diagnosis, Social Security number, insurance information, and hospital account number of approximately 24,000 patients.
07/30/2010 First Advantage Tax Consulting Services (TCS)
a Financial or Insurance Services firm in Indianapolis, Indiana
32,842 non-financial accounts compromised
A laptop that contained personal information was lost or stolen during an airport layover. The Social Security numbers of people employed by companies that used TCS for tax help were on the laptop. The laptop was password protected, and its access to TCS’s network was blocked after it was lost; a login password alone does not protect data on an unencrypted drive, and the entry does not say whether the drive was encrypted.
07/31/2010 Montefiore Medical Center
a healthcare provider or servicer in Bronx, New York
39,000 non-financial accounts compromised
Two computers were stolen during the weekend of May 22nd. Names, medical record numbers, Social Security numbers, dates of birth, insurers, and hospital admission dates for an unknown number of patients were on the computers.
UPDATE (8/3/2010): One computer was from the Finance Department and had the information of 16,000 patients; the second computer theft affected the records of 23,000 students from the School Health Program and their families.
08/06/2010 United HealthGroup
a healthcare provider or servicer in Minneapolis, Minnesota
16,291 non-financial accounts compromised
United HealthGroup reported a breach of paper records to Health and Human Services in June. The breach occurred on January 26.
08/06/2010 WellPoint, Inc.
a healthcare provider or servicer in Indianapolis, Indiana
31,700 non-financial accounts compromised
A hacking or IT incident that occurred or was discovered around November 3, 2009 resulted in the possible exposure of protected health information on a network server. The incident was posted by HHS on August 6, 2010, almost a year later.
08/07/2010 Fort Worth Allergy and Asthma Associates
a healthcare provider or servicer in Fort Worth, Texas
25,000 non-financial accounts compromised
The June 29th theft of four computers resulted in patient records being exposed. The patient records contained addresses, Social Security numbers and dates of birth.
08/10/2010 College Center for Library Automation (CCLA)
Government in Tallahassee, Florida
126,000 non-financial accounts compromised
Personal data from students, faculty and staff from six colleges was accessible through an Internet search for five days. The information may have included full names, Social Security numbers, driver’s license numbers, and Florida identification card numbers. The institutions were Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College.
08/12/2010 Loma Linda University School of Dentistry
an educational institution in Loma Linda, California
10,100 non-financial accounts compromised
On the weekend of June 12, thieves stole three desktop computers with password protection. The computers did not contain patient treatment records, but did have Social Security numbers, dates of birth and other health information.
08/12/2010 Walsh Pharmacy
a healthcare provider or servicer in Fall River, Massachusetts
11,440 non-financial accounts compromised
A DVD with patient information was lost in transit. Information included patient names as well as some Social Security numbers, health insurance information, driver’s license numbers and prescription information. The DVD, with information on 11,440 patients, was not in the envelope when the recipient opened it.
08/13/2010 Holyoke Medical Center, Caritas Carney Hospital, Milton Hospital, Milford Hospital
a healthcare provider or servicer in Georgetown, Massachusetts
45,600 non-financial accounts compromised
A large pile of medical records was found at Georgetown Transfer Station public dump. The reports contained names, addresses, diagnosis, Social Security numbers, and insurance information. A medical billing company known as Goldthwait Associates is believed to be responsible. The medical records are mostly from pathology patients served at the hospitals between 2007 and March of 2010. At least 32,750 files were found at the Georgetown Transfer Station in Georgetown, MA. Holyoke Medical Center is located in Holyoke, MA. Carney Hospital is located in Dorchester, MA. Milton Hospital is located in Milton, MA. Milford Hospital is located in Milford, MA.
UPDATE (9/2/2010): Holyoke reported that 24,750 patients were affected. The exact number of patients affected from other medical centers is still unknown. Between 8,000 and 12,000 patients of Milton Hospital were affected.
UPDATE (10/11/2010): Milton Pathology Associates, P.C. reported that a prior owner of Goldthwait Associates improperly disposed of patient information. Eleven thousand patients were affected. Milford Regional Medical Center reports that the incident affected 19,750 patients.
UPDATE(01/07/2013): People associated with Goldthwait Associates, Chestnut Pathology Services, Milford Pathology Associates, Milton Pathology Associates, and Pioneer Valley Pathology Associates agreed to collectively pay $140,000 to settle allegations related to the breach.
08/16/2010 Aultman Health Foundation
a healthcare provider or servicer in Canton, Ohio
13,800 non-financial accounts compromised
On June 7, a laptop was stolen. Patient information from the Aultman Healthcare in Your Home program may have been exposed. This information included names, insurance identification numbers, health information, telephone numbers, addresses, dates of birth and Social Security numbers.
08/19/2010 University of Connecticut West Hartford
an educational institution in West Hartford, Connecticut
10,174 non-financial accounts compromised
The August 3 office theft of a laptop resulted in the exposure of 10,174 applicants’ names, contact information and Social Security numbers. Undergraduate application information from 2004 to July of 2010 could have been accessed through the laptop.
08/30/2010 Aon Consulting
a Financial or Insurance Services firm in Chicago, Illinois
22,000 non-financial accounts compromised
The Social Security numbers, genders and dates of birth of retirees in Delaware were accidentally posted online for four days as part of a Request for Proposal for the State of Delaware. Names were not included.
UPDATE (9/2/2010): A woman affected by Aon’s failure to remove personal information from the request has filed a class action lawsuit against Aon Consulting.
09/16/2010 Martin Luther King Jr. Multi-Service Ambulatory Care Center
in Los Angeles, California
33,000 non-financial accounts compromised
A janitor removed 14 boxes of patient records and sold them to a recycling center. The records had names, genders, dates of birth, addresses, medical record numbers and financial batch numbers. Patients who received services from the outpatient facility between January and October of 2008 were affected. The files were discovered missing on July 29 of 2010 and the custodial worker admitted to selling them. The custodian is being charged with one count of felony commercial burglary. Those affected will be mailed notifications during the week of September 20 of 2010.
09/19/2010 Albrecht Discount (ALDI)
a retail business in Chicago, Illinois
25,000 financial accounts compromised
Several ATMs inside or near grocery stores in the Chicago area were outfitted with skimming devices. ALDI checked machines nationwide and removed a number of debit card terminals after discovering the problem.
UPDATE (10/1/2010): A notice on the ALDI Inc. website reveals that customers in Hartford, Atlanta, Chicago, Indianapolis, Maryland, New Jersey, New York state, North Carolina, Pennsylvania, Charlotte (South Carolina), and Washington D.C. were affected by the breach. The terminals were in stores between June 1 and August 31 of 2010.
UPDATE(12/2/2010): Eight thousand Maryland residents and 17,000 New York residents were affected.
09/21/2010 Pediatric and Adult Allergy, PC
a healthcare provider or servicer in Des Moines, Iowa
19,222 non-financial accounts compromised
Patients of Dr. George Caudill (retired), Dr. Veljko Zivkovich (retired), Dr. Robert Colman and Dr. Whitney Molis were notified that a backup tape with their personal information was lost on or around July 11. The patient information included name, address, phone number, date of birth, Social Security number, dates of service, services and diagnoses. Medical records and financial information were not on the backup tape. It appears that all patients with accounts created before July 10, 2010 were affected.
09/29/2010 Morgan Keegan & Company
a Financial or Insurance Services firm in Memphis, Tennessee
18,500 non-financial accounts compromised
An attorney was able to collect a disk with client names and detailed financial information during an investigation. Clients were notified and their accounts are being monitored for unauthorized use. The breach was discovered on September 15 and the disk was later returned by the attorney.
10/11/2010 University of Oklahoma-Tulsa Neurology Clinic, Neurology Services of Oklahoma, LLC
a healthcare provider or servicer in Oklahoma City, Oklahoma
19,264 non-financial accounts compromised
Malware was discovered on a clinic computer on or around July 28. Patients who saw Dr. John Cattaneo at the clinic and at his former employer Neurology, LLC were notified of the breach. Patient names, Social Security numbers, phone numbers, addresses, dates of birth, medical record numbers, lab reports and dates of service were in documents that may have been exposed by the malware. Neurology Services of Oklahoma, LLC is located in Tulsa, OK.
10/14/2010 Accomack County Virginia residents
County Government in Accomac, Virginia
35,000 non-financial accounts compromised
A stolen laptop contained the names and Social Security numbers of Accomack County, Virginia residents; full addresses of some residents were also exposed. The laptop was county property and was stolen from an employee’s car in Las Vegas, NV, during a vacation. The theft happened on October 7; as of October 14, residents had not been notified. Citizens are advised to call one of the three credit bureaus at 888-397-3742, 888-766-0008 or 800-680-7289 to place a fraud alert on their credit report.
10/15/2010 University of North Florida
an educational institution in Jacksonville, Florida
52,853 non-financial accounts compromised
A hacker from outside of the country may have accessed applicant information sometime between September 24 and September 29. The information was mostly recruiting information and may have involved names, ACT and SAT scores, dates of birth and Social Security numbers.
10/27/2010 Houston Independent School District (HISD)
an educational institution in Houston, Texas
30,000 non-financial accounts compromised
The HISD may have experienced a hacking incident over the weekend of October 24. Employees and students were unable to access the Internet, online classes and email until late Tuesday afternoon. Payroll information of workers and academic information of students may have been compromised along with other personal information.
UPDATE (12/2/2010): HISD announced an overhaul of the computer system following the breach. Private employee, vendor and student data dating back 10 years could have been accessed by the hacker. Investigators have determined that the private data of one HISD student was viewed by the hacker. The investigation is ongoing.
10/28/2010 Emergency Medical Services Bureau
State Government in Baton Rouge, Louisiana
56,000 non-financial accounts compromised
The Louisiana Department of Health and Hospitals notified emergency medical technicians that a hacker may have had access to their names, Social Security numbers and other personal information. The incident occurred on September 17 and a lack of funding for letters and postage caused a delay in notification.
10/29/2010 University of Hawaii West O’ahu (UHWO)
an educational institution in Pearl City, Hawaii
40,101 non-financial accounts compromised
Unencrypted files that were placed on the faculty web server exposed student information. Student names, Social Security numbers, birth dates, addresses and academic information were placed on the server in December of 2009. Students who attended UHWO in Fall of 1994 or graduated between 1988 and 1993 were affected. A much larger number of students who attended the University of Hawaii between 1990 and 1998 were also affected. The files were removed on October 18 after a privacy group notified the University. The server was quickly removed from the network. The faculty member who accidentally placed the file on the server retired before the breach was discovered.
UPDATE(11/19/2010): A former student is filing a class-action lawsuit on behalf of students affected by the University of Hawaii’s multiple breaches. The man attended the campus between 1990 and 1998 and claims that he was affected by this breach and one that occurred in June of 2009. The names of four other people are attached to his Social Security number and his credit has been used in Georgia. Around 259,000 private records have been exposed by the University of Hawaii since 2005.
UPDATE(1/27/2012): The University of Hawaii will provide two years of credit protection services and credit restoration services to settle a class-action lawsuit involving data breaches that affected nearly 100,000 students, faculty, alumni, and staff between 2009 and 2011. The settlement is still subject to court approval.
11/06/2010 General Services Administration
Federal Government in Washington, District Of Columbia
12,000 non-financial accounts compromised
An employee sent an email with the names and Social Security numbers of the entire staff to a private, outside address. Though notification emails were sent at the end of September, many employees learned of the incident in November.
11/12/2010 Visiting Nurse Association of Southeastern Connecticut
a healthcare provider or servicer in Waterford, Connecticut
12,000 non-financial accounts compromised
Current and former patients received notification letters stating that their personal information was on a stolen laptop. The laptop was stolen from a nurse’s car while it was parked at her home on September 30. The laptop was used to store patient addresses, medical information and names. Patients in the area may call (860) 444-1111 or (855) 732-3107.
11/16/2010 Messiah College
an educational institution in Grantham, Pennsylvania
43,000 non-financial accounts compromised
An external hard drive was lost or stolen. Current, former and prospective students and their parents may have had their names, Social Security numbers, dates of birth and transcripts exposed. The information was from the financial aid department and spans from 1994 to 2010. Social Security numbers were not collected for all individuals involved, but the exact number of individuals who had their Social Security or financial information exposed was not given.
UPDATE(11/21/2010): The drive was found by the employee responsible for it. The likelihood that someone was able to access the information on the drive for a malicious purpose is very low or nonexistent.
12/03/2010 Mesa County, Western Colorado Drug Task Force
County Government in Grand Junction, Colorado
200,000 non-financial accounts compromised
A former employee accidentally posted sensitive information in a place that was publicly accessible on the Internet. The home addresses of sheriff’s deputies, names of confidential drug informants, confidential emails between officers and other sensitive information were accessible from April until the discovery in November. The FBI is investigating which computer users may have accessed the information. The breach was discovered on November 24 when an individual searched the Internet and found one of the files mentioning his or her name.
12/10/2010 University of Wisconsin – Madison
an educational institution in Madison, Wisconsin
60,000 non-financial accounts compromised
Records of people affiliated with UW Madison were accessed by hackers. The University discovered the breach on October 26 and sent notification to many former students, faculty and staff on November 30. One of the files had the photo ID of former students with their Social Security numbers embedded in the ID numbers and cardholder names. Only students enrolled prior to 2008 would have had their Social Security numbers exposed. It is unclear how far back the records date.
12/12/2010 Gawker
a business other than retail in New York, New York
1,300,000 non-financial accounts compromised
Hackers gained access to the site’s database. Staff and user emails and passwords, the site code and staff messages were made accessible to anyone. The group claiming responsibility calls themselves Gnosis. Gawker encouraged users to change their passwords after their information was exposed. This may also mean changing passwords for other sites where users have similar screen names and passwords. Gnosis claims they had access to the site for a long time and exposed Gawker’s information “because of their outright arrogance.”
12/15/2010 Ohio State University
an educational institution in Columbus, Ohio
750,000 non-financial accounts compromised
Students, professors and other University affiliates were notified that their information may have been accessed by a hacker. University officials discovered the breach in late October. Unauthorized individuals logged into an Ohio State server and had access to names, Social Security numbers, dates of birth and addresses of current and former students, faculty, staff, University consultants and University contractors.
UPDATE(1/14/2011): 517,729 former students and 65,663 current students were affected. Exact numbers for current and former faculty, staff, consultants and contractors were not given.
UPDATE(2/22/2011): As of February 22, OSU was still attempting to find and inform affected individuals of the breach. Around 226,000 notification letters were mailed to alumni in February.
[ www.osu.edu/creditsafety ]
12/15/2010 Social Security Administration
Office of Temporary Disability Assistance
State Government in New York, New York
15,000 non-financial accounts compromised
While performing upgrades, a subcontractor illegally downloaded around 15,000 Social Security numbers, dates of birth, addresses and phone numbers. People who had made Social Security disability claims may have been affected.
12/16/2010 Twin America LLC, CitySights NY
a business other than retail in New York, New York
110,000 financial accounts compromised
On or around October 25 a web programmer discovered that malicious script had been placed on the server. The script appears to have been uploaded on September 26 and had allowed access to the customer database multiple times between that date and October 19. Customer names, credit card numbers, credit card expiration dates, CVV2 data, addresses and email addresses may have been exposed.
12/17/2010 deviantART, Silverpop Systems Inc.
a business other than retail in Hollywood, California
13,000,000 non-financial accounts compromised
Mirroring the Gawker and McDonald’s breaches earlier this month, hackers exposed the email addresses, user names and birth dates of the entire deviantART user database. Hackers were able to breach deviantART’s marketing company Silverpop Systems Inc. Passwords and sensitive information were not exposed, but the breach is expected to increase spam for registered users.
12/19/2010 Stony Brook University
an educational institution in Stony Brook, New York
61,001 non-financial accounts compromised
Student and faculty network and student IDs were posted online on sbuchat.com. A file with all registered student and faculty ID numbers could be downloaded in a PDF or Excel format. A systems engineering undergraduate discovered a flaw in the SOLAR system that allowed him to change students’ NetID passwords without knowledge of the original password. The student then accessed the complete list of student and faculty IDs and posted the information.
12/20/2010 Centra
a healthcare provider or servicer in Alpharetta, Georgia
11,982 non-financial accounts compromised
A laptop was stolen from the trunk of an employee’s rental car overnight on November 11. Patient names and billing information were on the laptop. The delay in notification occurred because of the time it took to determine what information was on the stolen laptop.
UPDATE (1/14/2011): The total number of affected individuals was changed from 13,964 to 11,982.
12/27/2010 American Honda Motor Company
a retail business in Torrance, California
4,900,000 non-financial accounts compromised
A Honda vendor maintaining a customer mailing list for My Acura and Honda’s Owner Link websites was hacked. Names, email addresses, vehicle identification numbers and user IDs may have been exposed. There is speculation that this breach is connected to a hack of Silverpop that exposed the information of McDonald’s and deviantART subscribers.
UPDATE (1/24/2011): Around 2.2 million Honda customers had their information exposed. Around 2.7 million Acura customers had their email addresses exposed, but names and other information were not breached.
In addition to the sources cited above, the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended.
Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.