Compromises in 2012 affecting 10,000 or more

Compromises in 2012 affecting less than 10,000
Compromises in 2012 affecting an unknown, or undisclosed number

01/15/2012 Amazon and Zappos.com

a retail business in Las Vegas, Nevada
24,000,000 financial accounts compromised
24 million customers had stolen their names, addresses, credit card numbers, the three digit security codes on the back of those credit cards, despite efforts to “cryptographically scramble” the numbers.
Analysts say the futility of creating completely hacker-proof security systems has been dramatized by several incidents in the past few years. “There are a lot of companies out there that are highly [ security ] compliant and those that are completely compromised (at risk)”1 said Martin Roesch, the founder and chief technology officer of network security provider Sourcefire.

1 Quoted in Investor’s Business Daily –

Customers were informed that their customer account information on Zappos.com may have been illegally accessed by unauthorized parties. Customer names, email addresses, billing and shipping addresses, phone numbers, final four digits of credit card numbers, and/or cryptographically scrambled passwords were linked to customer accounts and could have been obtained. The secure database that stores detailed credit card and payment information was not affected by the breach or accessed. Since passwords may have been affected, customers should change their passwords and make sure that their old Zappos.com password is not used for any other sites. Customers with questions about their Zappos passwords may email passwordchange@zappos.com
UPDATE(1/21/2012): A resident of Texas is suing Zappos.com and Zappos’ parent company Amazon.com on behalf of millions of customers who were affected by the release of personal account information. The lawsuit is being filed Kentucky.

01/20/2012 Arizona State University (ASU)

an educational institution in Tempe, Arizona
300,000 non-financial accounts compromised
ASU shutdown its online computer system after discovering a breach. An encrypted file containing user names and passwords was downloaded on Wednesday, January 18 by an unauthorized party. All online services were suspended until the night of Thursday, January 19. Students and staff will be required to enter new passwords to access their accounts since there is a chance that some information could have been compromised. ASU online system users with questions about logging into their accounts may call (855) 278-5080.

01/24/2012 NYSEG, RG&E and Iberdrola USA

New York State Electric & Gas, Rochester Gas and Electric, and Iberdrola USA
State Government in Rochester, New York
1,245,000 non-financial accounts compromised
An employee at a software development consulting firm that was contracted by Iberdrola USA, the parent company of both NYSEG and RG&E, allowed the information systems of clients to be accessed by an unauthorized party. Customer Social Security numbers, birth dates, and in some cases, financial institution account numbers were exposed. A total of 878,000 NYSEG customers and 367,000 RG&E electricity customers were affected. An unknown number of additional customers from both companies who signed up for gas services, but not electricity services were also affected. Affected customers may call 1-877-736-4495. More information can be found on the websites of the companies www.nyseg.com and www.rge.com.

UPDATE(07/12/2012): The Department of Public Service reviewed the NYSEG/FG&E incident and concluded that there was no evidence that any confidential customer information was misused. In addition, the Department of Public Service recommended that both companies further refine their policies, processes, and procedures regarding confidentiality safeguards. The companies were ordered to send plans for handling the costs incurred in responding to the breach and progress reports about the implementation of recommendations.

01/27/2012 President’s Challenge

650,000 non-financial accounts compromised
A security breach caused the personal information of 650,000 President’s Challenge participants nationwide to be exposed. Hackers may have accessed participant names, email addresses, dates of birth, and nutritional data. No financial information was available to the hacker or hackers. A small percentage and unknown number of Social Security numbers may have been available through other organizations that participate in President’s Challenge programs. It is unclear how many other organizations were affected by the President’s Challenge hack.

01/30/2012 TryMedia (TM Acquisition)

a retail business in Seattle, Washington
12,456 financial accounts compromised
Try Media’s ActiveStore application was attacked by intruders who were able to intercept and obtain the credit card information of customers. Credit card numbers, expiration dates, security codes, addresses, email addresses, and passwords to user accounts for transactions that occurred between November 4, 2011 and December 2, 2011 were accessed. TryMedia is a division of RealNetwork. RealNetworks is located in Seattle, Washington.

02/06/2012 Molina Healthcare of California

a healthcare provider or servicer in Long Beach, California
11,081 non-financial accounts compromised
An unauthorized disclosure of paper documents occurred on January 31, 2011. The breach may have affected records that date from September 23, 2009 through October 18, 2011. No further details are available.

02/06/2012 Office of Robert S. Smith, M.D., Inc.

a healthcare provider or servicer in Atlanta, Georgia
17,000 non-financial accounts compromised
An October 17 office burglary resulted in the theft of a laptop. The laptop contained patient names, dates of birth, physicians, and diagnosis information. Those with questions may call the Lab Management at 1-888-263-0388.

02/08/2012 Chiefs of Police

including West Virginia Chiefs of Police Association, Alabama Department of Public Safety, Texas Department of Public Safety, City of Mobile Police Department, Texas Police Chiefs Association, and the Texas Police Association. 46,000 non-financial accounts were compromised in West Virginia
A hacker obtained and revealed 156 home addresses, phone numbers, cell phone numbers, email addresses, and usernames of police officers associated with the West Virginia Chiefs of Police Association. Retired police chiefs, and every current police chief in West Virginia had their information exposed. The hacker was associated with Anonymous.

UPDATE(08/24/2012): A hacker associated with the attack on West Virginia Chiefs of Police Association and several other law enforcement associations was caught and sentenced to 27 months in federal prison. He was also ordered to pay $14,062.17 in restitution. Alabama Department of Public Safety spreadsheets with information on sex crimes and a database listing descriptions of offenders’ cars were posted online. Over 46,000 citizens in the state of Alabama may have had their names, Social Security numbers, license plate numbers, dates of birth, phone numbers, addresses, and criminal records accessed by hackers who attacked the City of Mobile Police Department. A total of 787 police officer names, usernames, plain text passwords, addresses, and other agency information from The Texas Police Association was posted online. The Wisconsin Chiefs of Police Association, the Texas Department of Public Safety, the Dallas Police Department, and the Texas Police Chiefs Association also experienced hack attacks.

02/11/2012 Manwin Holding SARL (Brazzers)

a retail business in Waltham, Massachusetts
350,000 non-financial accounts compromised
A hacker or hackers were able to access user records from the inactive forum of a website run by Brazzers. A portion of the compromised emails, usernames, and encrypted passwords were posted online.

02/15/2012 University of North Carolina at Charlotte

an educational institution in Charlotte, North Carolina
350,000 non-financial accounts compromised
An online security breach occurred at the UNC-Charlotte campus and was discovered on January 31. It is unclear how much information could have been accessed. The number of people affected was not revealed. An email alert was sent to students and staff on February 15, 2012 informing them that a “potentially significant data exposure of its Information Systems” had occurred. The University also stated that it had corrected the known issues related to the breach. (855) 205-6937.

UPDATE(5/09/2012): Around 350,000 people had their Social Security numbers exposed. Financial information was also exposed. A system misconfiguration and incorrect access settings caused a large amount of electronic data hosted by the University to be accessible from the Internet. One exposure issue affected general University systems over a period of about three months. A second exposure issue affected the college of engineering systems for over a decade.

02/15/2012 St. Joseph Health System

a healthcare provider or servicer in Orange California
31,800 non-financial accounts compromised
Protected patient information may have been available on the internet for one year. A patient’s attorney contacted St. Jude officials to inform them that the information was available online. The patient health records included names, body mass index, blood pressure, lab results, smoking status, diagnoses lists, medication allergies, and demographic information such as gender, date of birth, language spoken, ethnicity, and race. The information was removed from online and co no longer be accessed by unauthorized parties. A total of 6,235 patients from Santa Rosa Memorial Hospital, two from Petaluma Valley Hospital, 4,263 from Queen of the Valley in Napa, and an unknown number of patients from St. Jude Medical Center in Fullerton, and Mission Hospitals in Laguna Beach and Mission Viejo were affected.

UPDATE(07/10/2012): The California Department of Public Health was still investigating Queen of the Valley Medical Center as of July 10, 2012. Additionally, two patients who were treated at Santa Rosa Memorial Hospital, filed a class action lawsuit on behalf of the 31,800 patients who were affected. They seek $31.8 million, or $1,000 per patient.

03/16/2016 Update  Four years later – suit results

Four years later a class action lawsuit settles in favor of the wronged and sounds a cautionary note for organizations to address their information security controls, before a similar breach naffects them.

The 31,800 affected will receive checks and be eligible for more up to $7.5 million dollars in total plus up to $25,000 reimbursement expenses and identity theft related losses incurred. The total settlement package is $28 million and includes ID theft protection. More at Health Care Info Security

02/16/2012 Central Connecticut State University (CCSU)

an educational institution in New Britain, Connecticut
18,763 non-financial accounts compromised
A computer breach in a CCSU Business Office exposed the information of current and former faculty, staff, and student workers. A Z-Bot virus designed to relay information was discovered on the computer on December 6, 2011. The computer had been exposed for eight days and only exposed the Social Security numbers of those who were affected. People associated with CCSU as far back as 1998 were affected.

02/21/2012 Trident University International

an educational institution in Cypress, California
81,000 non-financial accounts compromised
An unsuccessful attempt to access a database was detected by Trident University on November 29, 2011. It contained usernames and passwords of current and former students. The attempt appeared to be unsuccessful and no other information was contained in the database. Trident University offered credit monitoring services despite the belief that the attempt to access non-financial information had been unsuccessful.

02/22/2012 Coca-Cola Company Family Federal Credit Union

a retail business in Atlanta, Georgia
13,800 non-financial accounts compromised
The theft of two laptops resulted in the exposure of credit union member information. The laptops were stolen on December 21, 2011 and contained names and Social Security numbers, as well as credit card numbers in some cases.

02/25/2012 Piedmont Behavioral Healthcare (PBH), Alamance-Caswell LME (AC LME)

a healthcare provider or servicer in Concord, North Carolina
50,000 non-financial accounts compromised
A miscommunication caused AC LME to lose access to servers containing sensitive health information. An Alamance County employee mistakenly changed a lock on the facility that housed data servers for AC LME.It appears that AC LME forgot to inform the county that AC LME was extending a contract for server maintenance.Former consumers of AC LME, including those who became PBH consumers on October 1, 2011, may have had their personal health information stored on these servers. The servers are now in the possession of the county and could contain the names, Social Security numbers, medical record identification numbers, addresses, and diagnoses of AC LME consumers. LME officials have not had access to the server room without being monitored by a county employee or with the forensics team assigned to examine the servers.

03/05/2012 Digital Playground

a retail business in Van Nuys, California
44,663 financial accounts compromised
A group of hackers accessed customer details, credit card numbers, and administrator information. At least a) 28 administrator names, usernames, email addresses, and encrypted passwords, b) 85 affiliate usernames, plain-text passwords, c) 100 user email addresses, usernames, and plain-text passwords, and d) 82 .gov and .mil email addresses and plain-text passwords were posted. The hackers criticized the ease of obtaining the credit card numbers, expiration dates, cvvs, and customer billing addresses which were all in plain text. The hackers chose not to post customer credit card numbers.

03/12/2012 Impairment Resources, LLC

a healthcare provider or servicer in San Diego, California
14,000 non-financial accounts compromised
An office burglary on New Year’s Eve 2011 resulted in the loss of hardware that contained sensitive personal information. The full names, addresses, Social Security numbers, and medical information of clients were on the hardware. Impairment Resources notified patients in February and then filed for bankruptcy in March. The high cost of handling the breach led directly to the decision to file for bankruptcy.

03/16/2012 University of Tampa

an educational institution in Tampa, Florida
30,000 non-financial accounts compromised
A server management error caused files containing sensitive information to be made publicly accessible between July of 2011 and the breach’s discovery on March 13, 2012. A classroom exercise revealed that the information was compromised and the University of Tampa’s IT office was immediately informed of the discovery. The University of Tampa then notified Google and asked that the cached file be removed from the search engine. One file included 6,818 records of students who attended in Fall of 2011. Two other files contained the information of an additional 29,540 people and included University ID numbers, names, Social Security numbers, and photos. Some people also had their dates of birth exposed. The IT office at the University of Tampa concluded that the files had only been accessed by the people who reported the breach.

UPDATE(3/22/2012):Additionally, 22,722 current and former faculty, staff, and students who were associated with the University between January 29, 2000 and July 11, 2011 may have had their information exposed.The IT office confirmed that these files had only been accessed by University insiders as well. The University will not cover the cost of credit monitoring services for those who were affected.

03/19/2012 Kaiser Foundation Health Plan

a healthcare provider or servicer in Oakland, California
30,000 non-financial accounts compromised
Someone purchased a hard drive in September of 2011 and immediately notified law enforcement that it contained confidential information. The external hard drive did not come from a Kaiser Permanente office. It contained employee data back to 2009. Current and former employees may have had their names, Social Security numbers, dates of birth, addresses, phone numbers, pay stubs, COBRA Error, Trust Fund Paid Hours, or Fidelity Savings Plan Deduction reports may have been exposed.

Kaiser obtained the hard drive in December 2011 and within a week completed an initial forensic examination that revealed that over 30,000 Social Security numbers in addition to other “employee-related sensitive information” were loaded onto the drive, the complaint says.

Update 3/19/2012

The company started mailing out the letters to notify 20,539 California residents that their personal information may have been compromised. There is no evidence that the information from the hard drive was used for illegal purposes as of March of 2012.

Update 4/16/2012

At least one source lists the total number of affected current and former employees as 30,000.

Update 1/29/2013

California’s attorney general sued Kaiser Foundation Health Plan Inc. alleging the company took too long to notify more than 20,000 current and former employees that their personal information had been compromised in a 2011 security breach.

In the January 23, 2013 complaint it was alleged that the company failed to notify affected individuals of the breach until March 2012, which may have violated Kaiser’s duty under California law to disclose a security breach and issue a notification “in the most expedient time possible and without unreasonable delay.” per California Civil Code §1798.82. Kaiser may have also violated CCC §1798.85 by “publicly posting” or displaying the Social Security numbers of more than 20,000 California residents on the unencrypted hard drive wound up in the hands of the general public.

The California attorney general is seeking to stop Kaiser from committing any acts of unfair competition, a fine of $2,500 for each violation, and the recovery of the state’s costs for the suit and its investigation of the matter. If the number compromised was 30,000 that is a potential fine of $75 million. The case is The People of the State of California v. Kaiser Foundation Health Plan Inc., case number RG14711370, in the Superior Court of the State of California, County of Alameda. (source)

Update 2/04/2014

Attorney General Kamala Harris has agreed to drop a data breach lawsuit against the Oakland based managed care provider, Kaiser, if they agreed to a $150,000 fine paid to the state and improved their information handling practices. Originally the suit contended that the health care provider violated the three-month notification law. Kaiser learned of the violation in December 2011 but did not send letters to 20,539 affected Californians until mid-March 2012. The law requires data-holders disclose any breach “in the most expedient time possible and without unreasonable delay”.

03/19/2012 Adult Insider Network, Adultinsider.com

a business other than retail in Killeen, Texas
10,704 non-financial accounts compromised
A hacker or hackers accessed and posted information from the adultinsider.com database online. The leaked information included email addresses, passwords with associated salts, and usernames.

03/22/2012 Indiana Internal Medicine Consultants

a healthcare provider or servicer in Greenwood, Indiana
20,000 non-financial accounts compromised
The February 11, 2012 theft of a laptop resulted in the exposure of protected health information.

03/22/2012 Delta Dental

a healthcare provider or servicer in Sacramento, California
11,646 non-financial accounts compromised
The unauthorized disclosure of paper records sometime around December 22, 2011 may have resulted in the exposure of protected health information.

03/25/2012 MilitarySingles.com

a retail business in New York, New York
171,000 non-financial accounts compromised
Hackers affiliated with LulzSec (Reborn) claimed responsibility for revealing a database of militarysingles.com names, usernames, email addresses, IP addresses, and passwords on the Internet. People who used their same email and password combination for Militarysingles.com and other sites are encouraged to change their passwords. Militarysingles.com is owned by ESingles, Inc. An ESingles executive claimed that no evidence of an attack had been found as of March 28; however, a number of sources revealed that they could download and decrypt sensitive information by following a Twitter announcement.

UPDATE(3/28/2012): ESingles released a statement claiming that a thorough investigation revealed that the database had not been hacked. A discrepancy between the number of users in the militarysingles.com database, the use of encrypted user passwords, and the fact that the website was already scheduled to be down for maintenance during the time the hackers claimed to have taken it down led ESingles to this conclusion.

03/27/2012 Howard University Hospital

a healthcare provider or servicer in Washington, District Of Columbia
66,601 non-financial accounts compromised
The January 27 theft of a laptop from a former contractor’s vehicle resulted in the loss of patient information. The patient files included Social Security numbers, names, addresses, identification numbers, medical record numbers, dates of birth, admission dates, diagnosis-related information, and discharge dates. The majority of those affected were patients who were treated at the Hospital between December 2010 and October 2011. Some patients who received treatment as far back as 2007 were also affected. The patient files had been downloaded onto the contractor’s personal laptop in violation of the Hospital’s policy. The contractor stopped working for the hospital in December of 2011.

UPDATE(09/21/2012): The number of patients who were notified was revised from 34,503 to 66,601.

03/29/2012 Department of Child Support Services

also affected were International Business Machines (IBM) and Iron Mountain, Inc.
State Government in Boulder, Colorado
800,000 non-financial accounts compromised
On March 12, 2012, the Department of Child Support Services (DCSS) was notified that contractors International Business Machines (IBM) and Iron Mountain, Inc. could not locate several computer devices that had been shipped from Colorado to California. Californians who used state child support services were affected by the loss. Names, Social Security numbers, addresses, driver’s licenses, names of health insurance providers, health insurance plan membership identification numbers, and employer information may have been exposed.

03/30/2012 Global Payments Inc.

a Financial or Insurance Services firm in Atlanta, Georgia
7,000,000 financial accounts compromised
Global Payments’ security systems detected unusual activity and discovered a massive breach in early March 2012. Global Payments processes credit and debit cards for banks and merchants. Initially reported more than one million card numbers may have been compromised. Later reported over 7 million credit and debit cards from all major brands. Want more information on this huge breach of millions of charge cards? Here it is! More references are below.

[ www.thedailybeast.com/newsweek/2012/04/08/security-breaches-shake-confidence-in-credit-card-safety.html ]
7/25/2013 Five Charged

04/06/2012 Vote Sex!

a business other than retail
35,959 non-financial accounts compromised
A hacker or hackers posted 35,959 usernames, email addresses, and passwords online.

04/06/2012 Utah Department of Health

State Government in Salt Lake City, Utah
280,000 non-financial accounts compromised
Utah Medicaid clients have had their information exposed by a hack of an improperly protected Utah Department of Health computer server. The breach was discovered when an unusual amountof data was found to be streaming out of the server on April 2. Medicaid clients who had not had their Social Security numbers transitioned into the system had their Social Security numbers exposed. A majority of the affected individuals had medical claims, dates of birth, addresses, physicians’ names, and other forms of medical information exposed, but not Social Security numbers. Two out of three of those who were affected were children. The cost of working with the credit-reporting company Experian to contain the breach is estimated to be $460,000.

UPDATE(04/10/2012): Though the number of affected individuals was originally reported as 181,604 with 25,096 Social Security numbers exposed, Utah Department of Health reported that nearly 280,000 people had their Social Security numbers exposed by the breach. An additional 500,000 victims did not have their Social Security numbers exposed, but had some form of personal information such as date of birth, name, and address exposed. People who visited a health care provider in the past four months is likely to have been affected by the breach.

UPDATE(05/15/2012): The governor of Utah fired the Director of the Department of Technology Services and appointed a new employee, an ombudsman, to shepherd victims through the process of protecting their identities and credit. Two other members of the technology services department are under review. The vulnerability that caused the breach was partly, if not fully, due to failure to change a default password. Additionally, data will now be encrypted while it is on Utah servers as well as when it is in transit.

UPDATE(07/22/2012): Those who wish to learn more about the Utah Department of Health breach will be able to attend a series of statewide workshops running from July 26 until August 22. Information on Utah’s Data Breach Security Tour can be found here.

UPDATE(03/25/2013): The state of legislature of Utah added an second year of free credit monitoring to those who were affected by the breach. Additionally, a Utah health department official revealed that only 59,500 people had taken advantage of the first year of free credit monitoring service. Those who did not enroll in 2012 may call 801-538-6923 or email ombudsman@utah.gov to sign up for the 2013-2014 term.

04/12/2012 Housatonic Community College

an educational institution in Bridgeport, Connecticut
87,667 non-financial accounts compromised
Two campus computers were determined to have been infected by malware. The breach occurred when a faculty or staff member opened an email that contained a virus. The virus was immediately detected. Faculty, staff, and students affiliated with the school between the early 1990’s and the day of the breach may have had their names, Social Security numbers, dates of birth, and addresses exposed. Housatonic’s president acknowledged that the cost of handling the breach could be as much as $500,000.

04/18/2012 Emory Healthcare, Emory University Hospital

a healthcare provider or servicer in Atlanta, Georgia
228,000 non-financial accounts compromised
Emory Healthcare revealed that 10 backup discs that contained patient information are missing from a storage location at Emory University Hospital. The discs were determined to have been removed sometime between February 7, 2012, and February 20, 2012. The patient information was related to surgery and included names, Social Security numbers, diagnoses, dates of surgery, procedure codes or the name of the surgical procedures, surgeon names, anesthesiologist names, device implant information, and other protected health information. Patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and Emory Clinic Ambulatory Surgery Center between September of 1990 and April of 2007 were affected. Patients with questions may call the Emory Healthcare Support Center hotline at 1-855-205-6950.

UPDATE(6/09/2012): A suit seeking class action status was filed on June 4. The suit seeks unspecified damages over the loss of 10 computer disks containing the personal and health information of between 250,000 and 315,000 patients treated between 1999 and 2007.

04/19/2012 South Carolina Health and Human Services, South Carolina Medicaid

a healthcare provider or servicer in Columbia, South Carolina
228,435 non-financial accounts compromised
An employee was fired and arrested after he sent the names, addresses, phone numbers, and dates of birth of Medicaid patients to his private email. It was discovered that he had compiled and emailed the information of South Carolina Medicaid patients over a period of several months. He was charged with five misdemeanor counts of violating the confidentiality of medical indigents and one count of disclosing confidential information. At least 22,600 patients had their Medicaid ID numbers emailed. It is unclear how many of those patients had their Social Security number used in place of a Medicaid ID number. Patients were warned not to give any personal information to anyone contacting them and claiming to be from the Medicaid agency. Those with questions may call 888-829-6561 or visit www.myscmedicaid.org.

UPDATE (02/20/2013): A dishonest employee and another individual have been charged with criminal conspiracy. The employee was also charged with willful examination of private records by a public official, public member, or public employee.

UPDATE(10/09/2013): The former employee pleaded guilty to four counts of willfull examination of private records by a public employee and one count of criminal conspiracy. The dishonest former employee faces up to 25 years in prison.

04/20/2012 Office of Dr. Rex Smith

a healthcare provider or servicer in Eugene, Oregon
20,915 non-financial accounts compromised
An office burglary that occurred on or around February 19 resulted in the theft of medications and a computer. The computer contained patient names, Social Security numbers, and dates of birth. It is unclear if the computer was encrypted. The total number of patients affected and all types of information exposed are also unclear.

04/27/2012 Three Rivers Park District

Local Government in Maple Plain, Minnesota
82,000 non-financial accounts compromised
Hackers were able to access the user names and passwords located on the Three Rivers Park District database. Anyone who has ever made a reservation or registered for a program associated with with the districts 21 parks was affected. No financial information, names, or addresses was exposed. The breach was discovered on April 19 and immediately addressed.

04/27/2012 Office of the Texas Attorney General

State Government in Austin, Texas
6,500,000 non-financial accounts compromised
Lawyers responsible for challenging a voter ID law in Texas requested the Texas voter database for analysis. The Texas Attorney General’s office released encrypted discs with the personal records of 13 million Texas voters, but half still contained Social Security numbers. A state police officer was dispatched to New York, Washington D.C., and Boston to retrieve the encrypted discs when the opposing lawyers revealed that a mistake had occurred.

04/30/2012 Volunteer State Community College

an educational institution in Gallatin, Tennessee
14,000 non-financial accounts compromised
The University became aware of an unintended disclosure. Files with the information of current and former faculty and former students were placed on a web server that was not secure. The information could have been accessed anytime between 2008 and the discovery of the error. Names and Social Security numbers were exposed. (615) 230-3390.

May 2012 Tennessee Electric Company

an industrial and construction company in Kingsport, Tennessee
Just one account was compromised, their own payroll account.

Over $300,000 was removed from their account at TriSummit Bank. Eventually $135,000 was recovered by the bank leaving the company out almost $200,000. How the funds were removed is described in another excellent piece by security researcher Brian Krebs. What is important about this are the legal considerations as to who was responsible for the loss. Is the company (a/k/a TEC Industrial) going to suffer the loss or did the bank have liability? See Who Loses? for more.

05/02/2012 Florida Department of Children and Families

State Government in Tallahassee, Florida
100,000 non-financial accounts compromised
The information of Florida child care workers was placed on a state website. The information was not password protected and could have been found through an internet search. An unnamed vendor working for the state of Florida was responsible for placing the information online. Florida daycare workers may have had their dates of birth, names, and Social Security numbers exposed. It is not clear how long the information was exposed.

05/11/2012 First Data Corporation

a Financial or Insurance Services firm in Atlanta, Georgia
15,399 non-financial accounts compromised
On April 25, 2012, First Data learned that certain limited personal information about approximately 108,500 merchants who currently process with First Data or who applied for processing services had been shared outside of the company. The names, addresses, and Social Security numbers of merchants who submitted applications to First Data for merchant processing services were purposely disclosed to an outside party in January and February of 2012. First Data later discovered that this action was not clearly permitted in some merchant contracts.

UPDATE: (5/29/2012): Bank of America Merchant Services (BAMS), a joint venture between First Data Corporation and Bank of America, was also involved in the breach. The personal information of 15,399 California residents was involved. Of the 15,399 California residents affected, a total of 4,058 residents were merchant customers of BAMS.

05/12/2012 California Department of Social Services and Hewlett Packard

State Government in Riverside, California
701,000 non-financial accounts compromised
Around 700,000 caregivers and care recipients had their information lost or stolen during transit between Hewlett Packard and the State Compensation Insurance Fund in Riverside, California. A package that originally contained microfiche with payroll data entries and possibly other sensitive information arrived via U.S. Postal Service damaged and missing thousands of payroll data entries. Names, wages, Social Security numbers, and state identification numbers were exposed. A total of 375,000 In-Home Supportive Services workers were affected and 326,000 recipients of In-Home Supportive Services care were affected.

UPDATE(05/30/2013): A total of 748,902 elderly home care recipients and their caretakers were affected.

05/14/2012 York County, South Carolina

County Government in York, South Carolina
17,000 non-financial accounts compromised
Hackers gained access to York County’s web application server. It contained two databases with the information of 17,000 job applicants and vendors. The first database contained about 12,500 names from as far back as 15 years ago. The second database was newer and contained information that had been collected up until August 29, 2011. The intrusion was discovered by the county on August 29 and no new applicants or vendors were affected by the breach. Those who may have been affected were not notified until after a thorough investigation by York County’s IT department. No definitive evidence was found for a breach after the nine-month investigation.

05/18/2012 Lady of the Lake Regional Medical Center

a healthcare provider or servicer in Baton Rouge, Louisiana
17,130 non-financial accounts compromised
A laptop went missing from a physician’s office sometime between March 16 and March 20 of 2012. The laptop contained patient outcomes data from patients in the adult ICU from 2000 to 2008. Patient names, race, age, dates of admission and discharge from the Intensive Care Unit, and results of treatment may have been exposed.

05/18/2012 UnitedHealthcare (United Health Group Plan)

a healthcare provider or servicer in Minneapolis, Minnesota
19,100 non-financial accounts compromised
A dishonest employee used the names, Social Security numbers, addresses, phone numbers, dates of birth, and Medicare Health Insurance Claim Numbers to steal the identities of at least 24 Idaho customers enrolled in UnitedHealthcare Medicare plans. On January 30, 2012, it was discovered that the former employee may have accessed the information in the United Health Care database in a way that was inconsistent with his job duties and possibly for fraud purposes. The information was taken between June 28 and December 12 of 2011. Affected patients were notified on March 30.

05/25/2012 Serco, Inc., Federal Retirement Thrift Investment Board

a Financial or Insurance Services firm in Reston, Virginia
123,201 non-financial accounts compromised
One of the computers used by the contractor Serco to support the Federal Retirement Thrift Investment Board (FRTIB) was the target of a sophisticated cyber attack. Thrift Savings Plan participants and others who received TSP payments may have had their information exposed. However, there is no evidence that the entire TSP network of 4.5 million participants was breached. A total of 43,587 participants may have had their Social Security numbers, names, and addresses compromised. An additional 80,000 may have had their Social Security numbers and no other information compromised. The attack appears to have occurred in July of 2011 and was discovered through an FBI investigation in April of 2012.

05/25/2012 University of Nebraska, Nebraska Student Information System, Nebraska College System

an educational institution in Lincoln, Nebraska
654,000 non-financial accounts compromised
A University technical staff member discovered a breach on May 23. Staff took steps to limit the breach and there was no clear evidence that any information was downloaded. The Social Security numbers, addresses, grades, transcripts, housing and financial aid information for current and former University of Nebraska students may have been accessed. The database also included the information of people who applied to the University of Nebraska, but may have not been admitted, and alumni information as far back as Spring of 1985. The University of Nebraska was still investigating the extent of the breach as of May 25, 2012.

UPDATE(05/29/2012): The University of Nebraska created a webpage for information about the breach. Close to 21,000 people had bank account information that was linked to the student information system and exposed. The University of Nebraska’s computer database also held 654,000 Social Security numbers, though it is unclear if that number completely overlaps the number of individuals who had their bank account information exposed. Current and former students of the University of Nebraska campuses in Lincoln, Omaha, and Kearney were affected; as well as anyone who applied to the University since 1985.

UPDATE(06/01/2012): The Nebraska College System began using a shared student information system called NeSIS in 2009. This resulted in data from Chadron State, Peru State, and Wayne State colleges being exposed.

UPDATE (09/10/2012): Police seized computers and related equipment belonging to a University of Nebraska-Lincoln (UNL) undergraduate student who is believed to be involved in the incident.

UPDATE(12/11/2012): The former UNL student has been charged with intentionally accessing a protected computer system and causing damage of at least $5,000.

UPDATE (06/22/2013): The hacker now faces an additional nine charges of exceeding his authorized access to a computer and two charges of knowingly transmitting a program that damaged computers owned by the University of Nebraska and Nebraska State College Systems.

UPDATE(12/03/2013): The hacker and former UNL student pleaded guilty to one count of intentionally damaging a protected computer and causing loss in excess of $5,000. His sentencing was scheduled for March 21, 2014.

05/30/2012 American Pharmacist Association (APhA), Pharmacist.com

a Non-Governmental Organization (includes non-profits) in Washington, District Of Columbia
28,000 non-financial accounts compromised
Hackers associated with the group Anonymous posted donations, emails, personal account information, server information, and other information from APhA’s online database. The hackers also claim to have accessed the records of 16,000 patients by hacking the website, but did not post that information. Anonymous claims that the organization was targeted due to its connection to government officials.

UPDATE(6/09/2012): Some names and addresses were also posted. The data posted included information on over 28,000 visitors, donors, and members.

UPDATE(07/18/2012): The website was defaced on May 28. APhA immediately noticed and shut down the website and related computer servers. However, names, addresses, and credit card information (excluding security codes) stored on computer servers may have been accessed between April 23 and May 28.

06/06/2012 LinkedIn.com

a business other than retail in Mountain View, California
6,458,020 non-financial accounts compromised
A file containing 6,458,020 encrypted passwords was posted online by a group of hackers. It is unclear what other types of information were taken from Linkedin users. LinkedIn recommends that users change their passwords.

UPDATE(08/30/2012): Four potential class actions against LinkedInCorp. were consolidated. The consolidated suits allege that LinkedIn violated its user agreement and privacy policy by failing to properly safeguard digitally stored user data. LinkedIn is also accused of not publicizing the attack in a timely manner.

UPDATE(03/06/2013): A lawsuit that was filed in a federal court in San Jose, California in 2012 was dismissed. The lawsuit was based on negligence claims, California consumer protection statutes, and breach of contract. The judge dismissed the lawsuit (8 page PDF) because the plaintiffs failed to demonstrate that any alleged misrepresentation by Linkedin was connected to the harm the plaintiffs suffered.

UPDATE(06/17/2013): A second class-action lawsuit against LinkedIn is in the making. Linkedin is accused of of failing to use basic encryption techniques to secure personally identifiable information. LinkedIn is trying to stop the second lawsuit form proceeding in federal court because the lead plaintiff has been able to show that she suffered an injury.

5/18/2016 Update  Breach much bigger

The estimate of accounts exposed was about 6.5 million in June 2012. Almost four years later the company disclosed that over 100 million accounts were compromised. Other sources report the total now approaches 170 million. See Krebs on Security, Data Breach Today and The Hacker News.

[ This means that the password reset applied to the first 6.5 million provided no protection to the 160+ million in the second group. LinkedIn’s response to this latest, much larger breach, is the same: force a password reset for some, not all users. Please

a) change your password on LinkedIn

b) Was your password 123456? Congratulations! Over 750,000 people used the same password. Here are the top 20 passwords used. Use a strong password, or think of a pass-phrase.

c) One site – one password. Don’t re-use credentials.

Anyone betting against another multi-year lawsuit? -ed ]

06/09/2012 Franklin’s Budget Car Sales, Inc.

a retail business in Statesboro, Georgia
95,000 non-financial accounts compromised
The FTC fined Franklin’s Budget Car Sales for compromising consumers’ personal information by allowing peer-to-peer software to be installed on its network. Any computers that were connected to the peer-to-peer network could have accessed Franklin’s network of consumer names, Social Security numbers, addresses, dates of birth, and driver’s license numbers. The FTC claimed that Franklin’s failed to assess risks to the consumer information it collected and stored online and failed to adopt policies to prevent or limit unauthorized disclosure of information. Franklin’s also allegedly failed to prevent, detect and investigate unauthorized access to personal information on its networks, failed to adequately train employees and failed to employe reasonable measures to respond to unauthorized access to personal information. Franklin’s settlement agreement bars Franklin’s from misrepresentations about the privacy, security, confidentiality, and integrity of personal information it collected from consumers. Franklin’s must also establish and maintain a comprehensive information security program and undergo data security audits.

06/11/2012 Eugene School District 4J

an educational institution in Eugene, Oregon
16,000 non-financial accounts compromised
An unauthorized person accessed confidential files that contained current and former students’ personal information. Names, Social Security numbers, Dates of birth, student ID numbers, phone numbers, students’ free or reduced-price school lunch status, and addresses may have been exposed. Eugene School District 4J’s notification can be read here:http://www.4j.lane.edu/communications/story/2012/06/11/securitybreachinformation

UPDATE(07/12/2012): A minor was arrested for possible involvement in the breach. It appears that the teenager may have obtained the login credentials of an employee and used them to access the computer system. Records for approximately 16,000 current students, as well as free and reduced-price lunch records from 2007 were exposed.

UPDATE(08/25/2012): The student was released from custody and expelled by North Eugene High School. He also posted hundreds of students’ confidential information on a computer account to taunt district officials. He is on house arrest and his attorney entered not guilty pleas.

06/11/2012 University of North Florida (UNF)

an educational institution in Jacksonville, Florida
23,246 non-financial accounts compromised
UNF became aware of a server breach that exposed Social Security numbers and other sensitive information. Students who submitted housing contracts between 1997 and spring 2011 may have had their information exposed. Multiple servers were affected and secured upon discovery. The information may have been accessed as early as spring of 2011.

06/12/2012 Bethpage Federal Credit Union

a Financial or Insurance Services firm in Bethpage, New York
86,000 financial accounts compromised
An employee accidentally posted data onto a file transfer protocol site that was not secure on May 3. The data contained customer VISA debit card names, addresses, dates of birth, card expiration dates and checking and savings account numbers. The error was discovered on June 3. The data was accessed, but there was no evidence of identity theft or fraud as of June 12. New cards were issued to 25% of the affected members and the remaining members will have their affected cards deactivated on June 30.

06/15/2012 Atkinson & Company LLP Consultants and Certified Public Accountants, The Public Employees Retirement Association (PERA) of New Mexico

a Financial or Insurance Services firm in Albuquerque, New Mexico
100,000 financial accounts compromised
A computer containing PERA information was stolen from Atkinson & Company. The information was related to a PERA annual audit that Atkinson & Company were hired to perform. PERA current and former members, as well as retirees may have had their personal information on a file on the computer.

UPDATE(06/15/2012): Names, addresses, financial institution routing numbers, account types, account numbers, payment amounts, and PERA identification numbers may have been exposed. Family members of current and former PERA members may have also been affected.

06/25/2012 Towards Employment

a Non-Governmental Organization (includes non-profits) in Cleveland, Ohio
26,000 financial accounts compromised
The May theft of a laptop that contained Towards Employment client data may have exposed personal information. The laptop was password protected and contained the names, Social Security numbers, and addresses of clients. Towards Employment is altering its policy so that only the last four digits of clients’ Social Security numbers are tracked and used. Those with questions may call 216-297-4470 or go to the Towards Employment website: towardsemployment.org

06/25/2012 Paper presented

This is information, not reporting a breach.
Measuring the Cost of Cybercrime was presented at the Workshop on the Economics of Information Security in Berlin, June 25-26, 2012 by Professor Ross Anderson et. al.
(31 page PDF)

Abstract: In this paper we present what we believe to be the first systematic study of the costs of cybercrime. It was prepared in response to a request from the UK Ministry of Defence following skepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now `cyber’ because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/Euros/dollars a year; transitional frauds cost a few pounds/Euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around US$2.7m, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cybercrooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society. Some of the reasons for this are well-known: cybercrimes are global and have strong externalities, while traditional crimes such as burglary and car theft are local, and the associated equilibria have emerged after many years of optimisation. As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response – that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail. [ highlighting ours – ed]

07/04/2012 North Point Dental Care

a healthcare provider or servicer in Winston Salem, North Carolina
10,000 non-financial accounts compromised
The owner of North Point Dental accused a former colleague of stealing the information of about 10,000 current and former patients. The men worked together on a political campaign and the former colleague used the patient information to call patients for campaign support as part of his role as the campaign manager. The former campaign manager countered that he had received an email from the dentist encouraging him to take information from an office computer and use it to call the patients. Patients had their names, email addresses, treatment dates, and home addresses distributed to third parties. The information was also uploaded to an online data storage service.

07/11/2012 Formspring

a business other than retail in San Francisco, California
420,000 non-financial accounts compromised
A hacker or hackers accessed Formspring’s development server and posted the password hashes of 420,000 users online. Formspring immediately reset all 28 million user passwords and addressed the security issues upon confirming that a breach had occurred.

07/12/2012 Yahoo! Voices

a business other than retail in Sunnyvale, California
453,492 non-financial accounts compromised
A hacker or hackers used an SQL injection technique to access the plain-text passwords of over 450,000 Yahoo! Voices (formerly known as Associated Content) users. The information was then posted online. Yahoo! Voice users are encouraged to change their Yahoo! passwords immediately. Users from as far back as 2006 or earlier may have had their passwords exposed.

UPDATE(08/02/2012): A Yahoo! user is suing Yahoo! Inc. for negligence. The user claims that Yahoo!’s failure to adequately safeguard his personal information should result in compensation for himself and other users who experienced account fraud and had to take measures to protect accounts put at risk by the Yahoo! breach.

07/13/2012 Nvidia

a retail business in Santa Clara, California
400,000 non-financial accounts compromised
A security breach affected Nvidia’s developer forums. Hashed passwords and other sensitive information may have been obtained. Public information such as birthdays, gender, and location may have been exposed. People who used the forums were given temporary passwords and instructed to choose a new forum password.

UPDATE(07/13/2012): A Nvidia representative said that its forum has 290,000 registered accounts, its DevZone site has 100,000 accounts, and its research site has 1,200 accounts.

07/13/2012 American Express Travel Related Services Company, Inc. (AXP)

a Financial or Insurance Services firm in Los Angeles, California
27,257 financial accounts compromised
A man was arrested in his Los Angeles home for allegedly purchasing and using stolen payment card numbers. The credit and debit card numbers from American Express, Visa, MasterCard, and Discover were in the man’s possession between January 11, 2012 and February 26, 2012. The payment card numbers came from hacking the computer systems of a restaurant and a restaurant supply business in the Seattle area. Two people who were associated with the hacking incidents had already been arrested. The man who purchased the payment card numbers is charged with conspiracy to access protected computers to further fraud, to commit access device fraud, and to commit bank fraud; eight counts of bank fraud; six counts of access device fraud; five counts of aggravated identity theft; and two counts of accessing a protected computer without authorization.

UPDATE(07/20/2012): Customer names and payment card expiration dates were also compromised.

07/15/2012 High Tech Crime Solutions

a business other than retail in Atlanta, Georgia
32,000 non-financial accounts compromised
A hacker or hackers accessed and posted information from High Tech Crime Solutions Inc.’s website by using an SQL injection cyber attack. A total of 8,900 names and phone numbers were posted online. Over 32,000 private messages were also exposed.

07/17/2012 Safe Ride Services, Inc.

a healthcare provider or servicer in Phoenix, Arizona
42,000 non-financial accounts compromised
A former employee may have accessed computer systems without authorization and accessed service files. The incident or incidents occurred between August 31, 2011 and January 31, 2012. Employee personal information as well as patient demographic and insurance information were exposed. It is unclear if the former employee was currently employed at the time of the incidents. The incident was posted on the HHS website on June 8.

07/18/2012 ITWallStreet.ccom

a business other than retail in New York, New York
50,000 non-financial accounts compromised
A hacker may have accessed as many as 12 data files containing detailed information on IT professionals searching for work with Wall Street. First and last names, mailing addresses, email addresses, usernames, hashed passwords, and phone numbers were posted online. Many of the passwords were decrypted and displayed in plain-text. Past salaries, salary expectations, contact information for references, and other types of job search information were also exposed.

07/23/2012 Gamigo

a retail business in Hamburg,
8,243,802 non-financial accounts compromised
Hackers were able to access Gamigo’s server in February of 2012. Notification of the breach was sent on March 1. Gamigo warned users and advised that they change any passwords for emails associated with Gamigo. The hacked information was released on July 6. A total of 8,243,809 user email addresses and encrypted passwords were posted online.

07/24/2012 Wisconsin Department of Revenue

State Government in Madison, Wisconsin
110,795 non-financial accounts compromised
An annual sales report contained the Social Security and tax identification numbers of people and businesses who sold property in Wisconsin in 2011. The report was available online between April 5, 2012 and July 23, 2012 and meant for real estate professionals. The report was accessed a total of 138 times before being taken down. Sensitive seller information was in an an embedded file included in an Microsoft Access file which showed sales data. A total of 110,795 sales were made in Wisconsin in 2011, but not everyone who made a sale provided their Social Security or tax identification number for the paperwork.

07/25/2012 Oregon State University

an educational institution in Corvallis, Oregon
21,000 financial accounts compromised
An unnamed check printing vendor for the University copied data from the University’s cashier’s office during software upgrades. The information included 30,000 to 40,000 checks that contained student and employee names, University IDs, check numbers, and check amounts. Current and former student, faculty, and staff records older than 2004 may have included Social Security numbers. it does not appear that the vendor acted with malicious intent.

07/27/2012 Upper Valley Medical Center, Data Image

a healthcare provider or servicer in Troy, Ohio
15,000 non-financial accounts compromised
A data breach of Data Image’s online billing system may have exposed the private information of Upper Valley Medical Center patients. Names, addresses, hospital account numbers, and balances owed could have been obtained during an 18-month period. Current and former patients were notified that the breach was discovered on March 21, 2012, but could have occurred as early as October 1, 2010.

08/03/2012 Memorial Healthcare System (MHS)

a healthcare provider or servicer in ,
102,153 non-financial accounts compromised
MHS discovered a second breach during the process of investigating a dishonest employee’s misuse of patient data in January of 2012. Employees of affiliated physicians’ offices may have improperly accessed patient information through a web portal used by physicians who provide care and treatment at MHS. Patient names, Social security numbers, and dates of birth may have been accessed during the period between January 1, 2011 and July 5, 2012.

08/13/2012 Apria

a healthcare provider or servicer in Phoenix, Arizona
65,700 non-financial accounts compromised
An employee’s laptop was stolen on June 14, 2012 from a locked vehicle in June. The password-protected computer contained billing information about Apria patients in California, Arizona, New Mexico, and Nevada. 65,700 current and former patient names, Social Security numbers, dates of birth, and other personal or health information may have been exposed.

08/21/2012 Colorado State University – Pueblo

an educational institution in Pueblo, Colorado
19,000 non-financial accounts compromised
A few students accidentally gained access to sensitive student files. It is not clear if the files were physical or electronic. The students notified school authorities immediately and the problem was fixed. It is not clear what types of student information were exposed.

08/28/2012 Cancer Care Group

a healthcare provider or servicer in Indianapolis, Indiana
55,000 non-financial accounts compromised
An employee’s computer bag was stolen on July 19. The bag contained a computer server back-up that had patient and employee names, Social Security numbers, dates of birth, insurance information, medical record numbers, limited clinical information, and addresses.

09/04/2012 Apple

a retail business in Cupertino, California
1,000,000 non-financial accounts compromised
Hackers associating themselves with Anonymous claim to have obtained 12 million Apple Unique Device Identifiers (UDIDs) by hacking an FBI agent’s laptop. The hackers offered proof of the breach by posting over one million UDIDs. However, both Apple and the FBI are denying that an FBI agent would have access to that information and kept it on a laptop. The hack occurred in March. Apple replaced the types of identifiers the hackers appear to have obtained and will discontinue their use.

09/07/2012 University of Miami Health System

a healthcare provider or servicer in Miami, Florida
64,846 non-financial accounts compromised
Two University of Miami Hospital employees were using patient registration sheets to inappropriately access patient information. Anyone who was seen at University of Miami Hospital between October 2010 and July 2012 may have been affected. Patient names, addresses, dates of birth, insurance policy numbers, and reasons for visits were exposed. The last four digits of patients’ Social Security numbers, were exposed in many cases and full Social Security numbers were exposed in some cases. The dishonest employees were terminated immediately and may have sold some of the information to unauthorized parties.

09/14/2012 Feinstein Institute for Medical Research

a healthcare provider or servicer in Manhasset,
13,000 non-financial accounts compromised
A laptop stolen on or around September 2, 2012 contained current and former patient names, Social Security numbers, and other personal information. The laptop was taken from the car of a contractor or employee and may have also contained current and former patient mailing addresses, dates of birth, and medical information. Participants in about 50 different research studies that date back an unknown number of years were affected. Those with questions may call 888-591-3911.

09/19/2012 United States Navy, Smart Web Move

Military in Washington, District Of Columbia
200,000 non-financial accounts compromised
A hacker or hackers accessed sensitive information and posted it online. Former and current Navy personnel who used Smart Web Move to arrange household moves could have been affected. The compromised database stored 11 years of private information, but only 20 people had their information publicly posted. Usernames, email addresses, security questions and corresponding answers were exposed.

09/19/2012 Blue Cross Blue Shield of Massachusetts (BCBS)

a healthcare provider or servicer in Boston, Massachusetts
15,000 non-financial accounts compromised
A BCBS vendor misused BCBS employee information. The misuse appears to have been limited to one instance. Names, Social Security numbers, dates of birth, compensation information, and bank account information may have been exposed.

10/02/2012 Robeson County Board of Elections

County Government in Lumberton, North Carolina
71,000 non-financial accounts compromised
Five password-protected laptop computers that contained personal information of registered voters in Robeson County were discovered stolen in September. Voters had their names, addresses, dates of birth, and the last four digits of their Social Security numbers exposed. The computers went missing between July 18 and September 4. They were most likely taken while outside of their normally secured area and left with unsupervised community volunteers. Driver’s license numbers may have also been exposed. Those who were affected were mailed letters on September 12.

10/08/2012 TD Bank

a Financial or Insurance Services firm in Cherry Hill, New Jersey
260,000 financial accounts compromised
Two data backup tapes were lost during shipping in late March 2012. The tapes included customer names, Social Security numbers, addresses, account numbers, debit card numbers, and credit card numbers. 260,000 customers from Maine to Florida were notified.

10/10/2012 PlaySpan

a retail business in Foster City, California
100,000 non-financial accounts compromised
A hacker or hackers accessed PlaySpans computer system. User IDs, encrypted passwords, and email addresses of online players were exposed. Users are advised to immediately change their passwords and also any similar passwords for other logins associated with compromised email addresses. PlaySpan Marketplace may have also been affected and could be linked to user financial information.

10/10/2012 Northwest Florida State College

an educational institution in Niceville, Florida
200,050 non-financial accounts compromised
An internal review revealed a hack of Northwest College servers. One or more hackers accessed at least one folder in the server between May 21, 2012 and September 24, 2012. Over 3,000 employees, 76,000 Northwest College student records, and 200,000 students eligible for Bright Future scholarships in 2005-06 and 2006-07 were affected. Bright Future scholarship data included names, Social Security numbers, dates of birth, ethnicity, and genders. Current and former employees that have used direct deposit anytime since 2002 may have had some information exposed. At least 50 employees had enough information in the folder to be at risk for identity theft.

10/10/2012 Equifax

a Financial or Insurance Services firm in Atlanta, Georgia
17,000 non-financial accounts compromised
Equifax settled charges with the Federal Trade Commission after it was discovered that Equifax Information Services improperly sold lists of consumer data. People who were late on their mortgage payments had their information sold to firms that should not have received the information and subsequently resold it to other firms. Equifax agreed to pay nearly $1.6 million to resolve charges that it violated the FTC and Fair Credit Reporting Acts. The settlement prohibits Equifax from providing prescreened lists to unauthorized parties, having poor procedures for releasing prescreened lists, and selling prescreened lists in certain circumstances.

10/15/2012 District 202, Plainfield School District

an educational institution in Plainfield, Illinois
23,000 non-financial accounts compromised
People who applied online at www.applitrack.com for a job in District 202 may have had their information accessed by a hacker. The hacker sent messages to former and current job applicants and informed them that the Plainfield School District 202 website was breached. A few days later a 14-year-old Joliet West High School student was to a juvenile detention center for his alleged involvement in the breach.

10/22/2012 L.A. Care Health Plan

a healthcare provider or servicer in Los Angeles, California
18,000 non-financial accounts compromised
A mailing error caused ID cards to be mailed to the wrong members. The cards were mailed on September 17, 2012 and the problem was discovered on September 18, 2012. Names, member ID numbers, and dates of birth were exposed. In May of 2013 it was determined that 18,000 people had been affected.

10/26/2012 South Carolina Department of Revenue

State Government in Columbia, South Carolina
6,400,000 financial accounts compromised
South Carolina Department of Revenue’s website was hacked by a foreign hacker. The hack most likely began on August 27, was discovered on October 10, and was neutralized on October 20. Around 3.6 million Social Security numbers and 387,999 credit card and debit card numbers were exposed. A total of 16,000 payment card numbers were not encrypted. Citizens concerned about exposure may visit protectmyid.com/scdor and enter the code SCDOR123 or call 1-866-578-5422. Do you want to more information about this large financial breach? Here it is!

11/06/2012 Women & Infants Hospital

a healthcare provider or servicer in Providence, Rhode Island
14,004 non-financial accounts compromised
Backup tapes containing unencrypted ultrasound images from ambulatory sites were found to be missing on September 13, 2012. The information was from Providence, Rhode Island between 1993 and 1997 and New Bedford, Massachusetts between 2002 and 2007. 14,004 patient names, dates of birth, dates of exams, physicians’ names, and patient ultrasound images were exposed. A limited number of current and former patients also had their Social Security numbers exposed. 1-877-810-7928. A Patient Notice

11/10/2012 Alere Home Monitoring, Inc.

a healthcare provider or servicer in Livermore, California
100,000 non-financial accounts compromised
The September 23 theft of an employee’s unencrypted laptop resulted in the exposure of information of over 100,000 patients. The laptop was stolen from the employee’s home. Names, Social Security numbers, addresses, and diagnosis information of patients taking drugs to prevent blood clots were exposed. Alere became aware of the breach on October 1.

11/10/2012 Gulf Coast Health Care Services

a healthcare provider or servicer in Pensacola, Florida
13,000 non-financial accounts compromised
A network security incident resulted in the expose of patient information. The breach occurred on August 17.

UPDATE(11/26/2012): An employee accessed and downloaded patient information without authorization or a legitimate purpose on five occasions between June 29 and September 20 of 2012. Gulf Coast Health Care Services discovered the issue on September 26. Patients who were seen between 1992 and September 20, 2012 may have had their names, addresses, dates of birth, and phone numbers accessed. It appears that the employee was accessing the data for the purpose of helping outside practitioners recruit patients to their own practices. The incident was reported to the FBI, the Sarasota Police Department, and the Florida Department of Law Enforcement.This entry on the Privacy Rights Clearinghouse Chronology of Data Breaches was previously listed as a hack and was reclassified as an insider breach based on new information.

11/13/2012 National Aeronautics and Space Administration (NASA)

Federal Government in Washington, District Of Columbia
10,000 non-financial accounts compromised
An October 31 theft of a NASA laptop and sensitive NASA documents from an employee’s locked car resulted in the exposure of employee information. Contractors and other non-employees associated with NASA were also affected. Employees are encouraged to be suspicious of communication from individuals claiming to be from NASA. It may take up to 60 days to send official notifications to those who were affected.

UPDATE(12/14/2012): Up to 10,000 employees and people associated with NASA may have been affected.

11/16/2012 Nationwide Mutual Insurance Company and Allied Insurance

a Financial or Insurance Services firm in Columbus, Ohio
1,000,000 non-financial accounts compromised
A portion of the computer network used by Nationwide and Allied Insurance agents was breached by cyber criminals on October 3. The attack was discovered on the same day and contained. On October 16, it was determined that names, Social Security numbers, driver’s license numbers, dates of birth, marital status, gender, occupation, and employer information had been stolen. Affected parties were identified on November 2 and notifications were sent on November 16. Affected Georgia consumers may call 1-800-760-1125. Other consumers with questions may call 1-800-656-2298.

UPDATE(11/20/2012): At least 28,000 people in Georgia were affected. The total number of affected people is not known.

UPDATE(12/10/2012): A total of 28,468 people in Georgia, 534 in Oklahoma, 12,490 in South Carolina, 286 in Maryland, 5,050 in California, 91,000 in Iowa, 170 in Hawaii, 8,000 in New Mexico, and 98,191 in Minnesota were affected. This brings the known total to 244,188. Nationwide/Allied Group reported that the breach compromised the information of one million policyholders and non-policyholders nationwide.

11/28/2012 Advanced Data Processing, Inc. (ADPI), Grady EMS

a Financial or Insurance Services firm in Roseland, New Jersey
15,000 non-financial accounts compromised
Information from certain ambulance agencies was inappropriately accessed and disclosed. Patient account information such as names, Social Security numbers, dates of birth, and record identifiers were exposed by a dishonest ADPI employee. ADPI learned of the breach on October 1. The dishonest employee was fired and apprehended by authorities.

UPDATE(12/04/2012): The former ADPI employee stole information associated with Grady EMS ambulance service. About 900 Grady EMS patients had their information exposed between June 15, 2012 and October 12, 2012.

UPDATE(01/05/2013): A detailed list of the organizations and number of people who were affected is available on phiprivacy.net here:http://www.phiprivacy.net/?p=10825

UPDATE(03/08/2013): Osceola County EMS released a notification in March of 2013 here: http://tinyurl.com/a335kak

UPDATE(03/14/2013): The Yuma, Arizona Fire Department was also affected by the breach. ADP handles the billing for Yuma’s emergency medical services. Names, Social Security numbers, dates of birth, and record identifiers may have been accessed.

UPDATE(08/28/2013): ADPI learned of the tax scheme after being notified by Tampa, Florida police. The IRS confirmed that Valparaiso Fire Department information was compromised by the breach in July of 2013. Patients seen at Valparaiso Fire Department or by Valparaiso Fire Department ambulances between January 1 and June 21 of 2012 may have had their names, Social Security numbers, and dates of birth exposed.

11/30/2012 Western Connecticut State University

an educational institution in Danbury, Connecticut
235,000 non-financial accounts compromised
A computer vulnerability allowed the information of students, student families, and other people affiliated with the University to be exposed. The records covered a 13 year period and included Social Security numbers. High school students who had associations with the University may have had their SAT scores exposed as well. The issue existed between April 2009 and September 2012.

12/05/2012 California Department of Healthcare Services

a healthcare provider or servicer in Sacramento, California
14,000 non-financial accounts compromised
Names and Social Security numbers for nearly 14,000 people were discovered on the website of the Department of Health Care Services. People who sent their information in order to become a provider of In-Home Supportive Services (IHSS) may have had their information exposed online between November 5, 2012 and November 20. The issue was discovered on November 14 and was not fully addressed until November 20. The list should have only contained provider names, addresses, and provider types. It also contained Social Security numbers that were listed in the column for Provider Billing Numbers. The Social Security numbers were not easily recognizable in this format. Call1-855-297-5064 for assistance from DHCS.

12/28/2012 Gibson General Hospital

a healthcare provider or servicer in Princeton, Indiana
29,000 non-financial accounts compromised
The November 27 theft of a laptop may have resulted in the exposure of patient information. Names, Social Security numbers, addresses, and clinical information may have been exposed. Patients who have received services since 2007 may have been affected.

12/29/2012 US Army Fort Monmouth

Military in Oceanport, New Jersey
36,000 non-financial accounts compromised
Hackers were able to access database information from Command, Control, Communications, Intelligence, Surveillance and Reconnaissance as well as nongovernmental personnel and people who visited Fort Monmouth. The breach was discovered and addressed on December 6. Names, Social Security numbers, dates of birth, places of birth, home addresses, and salaries were exposed. (443) 861-6571.

47K 2012 incidents analyzed

INFORMATION: Verizon analyzed 47,000 incidents in 2012 and breaks them down in very interesting ways. The study was released in April 2013.



In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended.


View the 2012 summary
Return to References page
Return to Year links page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.