Compromises in 2014 affecting 10,000 or more


01/02/2014 Barry University (Foot and Ankle Institute)

136,000 financial accounts compromised
A school laptop was infected with malware. Exposed information included patient full name, birthdate, Social Security numbers, bank account numbers, charge card number(s), driver’s license numbers, medical record numbers, health insurance information, diagnoses and/or health information about treatments received at the institute.


01/07/2014 Department of Health and Human Services (Medicaid)

State Government headquartered in Raleigh, North Carolina
48,752 non-financial accounts compromised
The North Carolina Department of Health and Human Services mailed more than 48,000 Medicaid cards for children to the wrong addresses.


01/07/2014 New Mexico Oncology Hematology Consultants (NMOHC)

a healthcare provider or servicer in Albuquerque, New Mexico
12,354 non-financial accounts compromised
When: On November 13, 2013 NMOHC discovered that a laptop computer had been stolen; notification was made on 1/7/2014. Scope: The exposed protected health information (PHI) included names, dates of birth and, in some cases, addresses and diagnostic results. Scale: 12,354 individuals were affected.


01/10/2014 Department of Health

State Government headquartered in Cheyenne, Wyoming
11,935 non-financial accounts compromised
Who: Past and present clients of the Wyoming Department of Health (WDH) Special Supplemental Nutrition Program for Women, Infants and Children (WIC). How: An unsecured file was sent from an employee’s office to a WIC business partner. When: The file was sent 10/16/2013; notification went out in late December 2013 and the incident was publicized in early January 2014. Scope: Birth dates and some medical details were exposed.


01/10/2014 Methodist Dallas Medical Center

a healthcare provider or servicer in Dallas, Texas
44,000 non-financial accounts compromised
When: The exposure ran from September 2005 through August 1, 2013, nearly eight years. Who: Patients who received inpatient or outpatient surgery at Methodist Dallas Medical Center may have had their data exposed. How: Information concerning their surgery may have been transmitted or stored on an Internet-based email service. Scope: Data included patient name, patient hospital account number, date and time of scheduled surgery, birth date, surgeons’ names and a brief description of the operative procedure. Patients with questions or concerns may call toll-free 1-866-652-1022 M-F 7 am to 7 pm until February 28, 2014 or contact: Privacy Officer, Methodist Health System, 1441 N. Beckley Ave., Dallas TX 75203, privacyofficer@mhd.com


01/10/2014 Neiman Marcus

a retail business at 1618 Main Street Dallas, Texas
1,100,000 financial accounts compromised

According to security researcher Brian Krebs, the breach was uncovered in mid-December 2013, about the same time as the Target breach. In a statement issued January 10, 2014, Neiman Marcus confirmed that on January 1, 2014 it had identified a security problem that may have exposed an unknown number of customer cards.
Scale (number of compromises) and Scope (what was compromised) were determined later. The U.S. Secret Service, the company’s card processor and other specialists are investigating. Updates for scale, scope, and much more are linked here.

01/21/2014 Faux Card Shop Closed

INFORMATION: Investigators take over web shop that made fake cards to order, track customers, then make indictments.
Beginning around January 2013 the FBI and the U.S. Postal Inspection Service investigated a web site where people could order counterfeit charge cards and state identification cards, embossed or not, even with the appropriate holographic overlays. For an interesting narrative including links to the indictment and images of the fake store, see Faux Card Store Shut.

01/25/2014 Michaels Stores Inc. (2014)

a retail business at 8000 Bent Branch Drive Irving, Texas
2,600,000 financial accounts compromised

Michaels suffered another major breach. In April 2014 Michaels confirmed that the breach lasted from May 8, 2013 through January 27, 2014, and may have affected about 2.6 million accounts. More information is available on Michaels’ 2014 breach.

01/27/2014 Coca-Cola Company

A retail business headquartered in Atlanta, Georgia
74,000 non-financial accounts compromised
What: Multiple computers containing unencrypted confidential information were stolen. When: The company learned of the theft on 12/10/2013. Scope: Compromised information included names, Social Security numbers, driver’s license numbers, compensation, ethnicity and addresses; not every data element was exposed for every person affected. Scale: 74,000 were affected.


01/27/2014 Connecticut Department of Labor

State Government headquartered in Hartford, Connecticut
27,000 non-financial accounts compromised
What: Some 27,000 of the roughly 250,000 UC-1099G unemployment compensation tax forms for 2013 that were mailed to individuals contained a printing error: the top portion of the form carried the correct recipient’s information, but the bottom portion carried information for another individual. Scope: Social Security numbers were exposed. Scale: Approximately 27,000 individuals were affected.

01/31/2014 Unity Health Insurance -UW MSOP

Unity Health Insurance for the University of Wisconsin Madison School of Pharmacy
41,437 non-financial accounts compromised
What: A hard drive containing patient information went missing. Scope: Compromised information included the Unity member number, date of birth, city of residence, name of prescription drug, and dates of service. When: The loss was noted 12/12/2013 and made public about six weeks later. Scale: Information for more than 40,000 members was exposed.


01/31/2014 Walgreen Co. of Illinois

a healthcare provider or servicer in Illinois
17,350 non-financial accounts compromised
Walgreens reported a breach that occurred between September 18, 2013 and October 4, 2013. Although reported as required, the breach appears to have received no media coverage.


02/04/2014 Midland Independent Schools District

an educational institution in Texas
14,000 non-financial accounts compromised
How: A laptop and an unsecured external hard drive were stolen from a district administrator’s vehicle. Scale: Roughly 14,000 current and former students. Scope: Personal information, including Social Security numbers, was exposed. (source)

02/05/2014 St. Joseph Health System

a healthcare provider or servicer at P.O. Box 325 Suwanee, Georgia
405,000 non-financial accounts compromised
St. Joseph Health System in Texas reported a data breach of a server that stored information for several facilities. Attackers from China and other locations gained access through that single server. The server held employee and patient data for St. Joseph Regional Health Center in Bryan, Burleson St. Joseph Center, Madison St. Joseph Health Center, Grimes St. Joseph Health Center and St. Joseph Rehabilitation Center. It was taken offline once the breach was discovered. The breach reportedly occurred between December 16 and December 18, 2013. The data included patient names, birth dates, Social Security numbers and possibly addresses; patient medical information and bank information for current and former employees were also accessible. Both adult and minor information may have been compromised. Investigators have not yet determined whether any information was actually extracted or misused.

02/06/2014 The Home Depot

a retail business at 2455 Paces Ferry Road SE#20 Atlanta, Georgia
30,000 non-financial accounts compromised
Three Home Depot employees were arrested for allegedly stealing the personal information of some 300 fellow employees. The theft was first detected in the fall of 2013, and the employees whose files were accessed were notified of the breach at that time. One of the three was caught using her Home Depot email account to send the stolen information. Investigators fear the breach may have affected as many as 20,000 individuals. Stolen information included Social Security numbers and birthdates. The employees allegedly opened numerous fraudulent accounts with the stolen personal information.

UPDATE (5/30/2014): It was originally reported that up to 20,000 individuals may have been affected by this breach; that figure has now been raised to 30,000. The first report said three Home Depot employees were involved, but according to the disclosure document sent on behalf of The Home Depot Corporation, one individual was arrested and The Home Depot will seek prosecution of that individual to the fullest extent of the law.

02/10/2014 University of Miami Health System

a healthcare provider or servicer in Miami, Florida
13,000 non-financial accounts compromised
What: The University of Miami Health System (UHealth), one of the largest health providers in South Florida, notified patients of a data breach after an offsite storage vendor reported that their records could not be located. When: The loss was discovered on June 27, 2013; patient notification only recently began. Scope: The missing files included patient names, dates of birth, physician names, insurance company names, medical record names, facilities visited, procedures, diagnostic codes, and Social Security numbers. Scale: An estimated 13,000 accounts were compromised.

UPDATE (8/26/2014): UHealth agreed to a class-action settlement under which it will be required to conduct risk assessments, remediate any identified problems, and ensure that vendors have adequate security controls in place. The agreement states that the university will pay $100,000 in individual claims, $90,000 in attorneys’ fees, and $1,500 to the named plaintiff who initiated the lawsuit. Both parties have asked the federal district court to approve the recently filed proposed settlement agreement.

The proposed settlement [ http://www.phiprivacy.net/wp-content/uploads/Carsten_ProposedSettlement.pdf ]

2/13/2014 Gartner report on 2013 Smartphone Sales

Gartner reported that worldwide smartphone sales grew from 680.108 million units in 2012 to 967.776 million in 2013, when smartphones accounted for 53.6 percent of all mobile phone sales.

By operating system, Android grew from 66.4% of the market (461.621 million units) in 2012 to 78.4% (758.720 million units) in 2013. iOS’s share shrank from 19.1% (130.133 million units) in 2012 to 15.6% (150.786 million units) in 2013, even though its unit sales grew.

The Gartner summary http://www.gartner.com/newsroom/id/2665715
Also see http://bits.blogs.nytimes.com/2014/02/13/smartphone-sales-beat-feature-phones-in-2013

02/19/2014 University of Maryland

an educational institution in College Park, Maryland
309,079 non-financial accounts compromised
When: A University of Maryland database was hacked by an outside party at about 4:00 am on Tuesday, February 18, 2014. Scale: 309,079 records were compromised, covering faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who had been issued a University ID between 1998 and the present, including all current faculty, staff and students. Scope: The accessed records included name, Social Security number, date of birth, and University identification number. No financial, academic, contact, or health information was compromised.

The attackers did not alter anything in the database but apparently made a copy of the information. The university described the attack as sophisticated: the attacker or attackers must have had a “very significant understanding” of how the database was designed and maintained, including its level of encryption and protection. According to the university President, school officials are investigating the breach and taking steps to prevent further intrusions. The university issued the following statement:

“The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service. University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information. If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu”.

A letter from Wallace D. Loh, President, University of Maryland and the multiple updates to that letter. Article from UMD student newspaper

02/19/2014 VA Dept of Medical Assistance Services

State Government in Richmond, Virginia
25,513 non-financial accounts compromised
When: The breach occurred in November 2013. Who: Virginia Department of Medical Assistance Services. Scale: 25,513 clients of Virginia Premier Health Plan (VPHP). Scope: Details of what was exposed were not released.

02/19/2014 CCH&HS

a healthcare provider or servicer in northern Illinois
22,511 non-financial accounts compromised
Who: Cook County Health & Hospitals System in Illinois. When: Disclosed in February 2014; the breach itself occurred in November 2012. Scale: Some 22,511 individuals were affected. Scope: What was exposed was not revealed.

02/26/2014 The Variable Annuity Life Insurance Company

a Financial or Insurance Services firm at 1050 N. Western Street Amarillo, Texas
774,723 non-financial accounts compromised
The Variable Annuity Life Insurance Company has announced a breach that occurred in 2007 and was discovered only in November 2013. The investigation found that a former employee was in possession of information relating to some of the company’s customers, including customer names and partial or complete Social Security numbers. The company says it knows of no unusual activity involving the stolen files but has arranged one year of identity protection services for the affected parties. Call 1-713-831-6316 with questions.

02/26/2014 Indiana University

an educational institution at 107 South Indiana Avenue Bloomington, Indiana
146,000 non-financial accounts compromised
Indiana University announced that the personal data of 146,000 students and graduates was breached. The information included Social Security numbers and addresses and may have affected students and graduates from 2011 to 2014 at seven of its campuses. According to the university, “The information was not downloaded by an authorized individual looking for specific sensitive data, but rather was accessed by three automated computer data-mining applications, called webcrawlers, used to improve Web search capabilities.” The university also announced that the information had been stored in an insecure location for the past 11 months. The site has since been locked down. The university will be providing the Social Security numbers of those affected to the three major credit-reporting agencies. 1-866-254-1484 is a hotline for students and there is an FAQ.

03/03/2014 Louisiana Care Health Plan

18,000 non-financial accounts compromised
Some members who logged on to the plan’s medical portal were able to see another member’s information. Compromised information included name, address and member identification number.

03/05/2014 Sally Beauty Supply

a retail business in Denton, Texas
25,000 financial accounts compromised
Krebs on Security reported that some 282,000 stolen credit and debit cards were offered for sale on March 2nd, 2014. Note that the merchant didn’t “discover” the compromise until after the stolen cards were already for sale.

“… it appears that Sally Beauty Supply may be one of the latest victims of a string of credit card data breaches affecting their payment systems. … Three different banks contacted by KrebsOnSecurity made targeted purchases from this store, buying back cards they had previously issued to customers.” The banks then looked for a “common point of purchase” (CPP), a merchant at which all of the bought-back cards had been used during the same period. “Each bank independently reported that all of the cards (15 in total) had been used within the last ten days at Sally Beauty Supply locations across the United States.” The company had also detected some kind of intrusion into its network at or around the same time as the CPP dates the banks associated with Sally Beauty Supply. The company’s initial investigation did not show any evidence that data was compromised at the store level. The company hired Verizon Enterprise Solutions to conduct the initial and continuing investigation.

UPDATE (3-17-2014): Sally Beauty has confirmed that the breach it suffered was due to hackers breaking into its network and stealing credit card data from stores. Originally the retailer would not confirm a breach because it had no evidence that any credit card data had been stolen. The company confirmed that “fewer than 25,000 records containing card present (track 2) payment card data have been illegally accessed on our systems and we believe have been removed.” The company also states, “As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation. As a result, we will not speculate as to the scope or nature of the data security breach.” Statement from Sally Beauty Holdings, Inc. [ http://investor.sallybeautyholdings.com/phoenix.zhtml?c=203305&p=irol-newsArticle&ID=1909226&highlight ] See also their FAQ [ http://sallybeautyholdings.com/questions-and-answers.aspx ].

UPDATE (3/25/2014) As to how many accounts were compromised: Sally said “fewer than 25,000” (see above). A ZIP code analysis of the stolen cards being offered for sale, done by security researcher Brian Krebs, indicates that almost all of Sally’s 2,600+ locations were affected, which would make the true scale far larger. “Sally Beauty declined to provide a list of its various store ZIP codes, but with the assistance of several researchers … there are nearly the exact same number of U.S. ZIP codes represented in the batch of cards for sale … as there are unique U.S. ZIP codes of Sally Beauty stores (~2,600). More importantly, there was a 99.99 percent overlap in the ZIP codes. That strongly suggests that virtually all Sally Beauty stores were compromised by this breach.”
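The two techniques described in this entry, the issuers’ common-point-of-purchase analysis and the ZIP code overlap check, as an added worked example in Python. This is not code from KrebsOnSecurity, the banks or Sally Beauty; the transaction log, card IDs, merchant names and ZIP codes below are constructed for illustration.

```python
"""Common-point-of-purchase (CPP) analysis and ZIP code overlap.

Added example; not code from the original page, the banks or Sally Beauty.
Every transaction, card, merchant and ZIP code below is constructed.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed issuer transaction log: (card_id, merchant, store_zip, date).
# Cards C1..C4 were bought back from a card shop; C5 is a control card that
# was never offered for sale.
TRANSACTIONS = [
    ("C1", "Sally Beauty",  "76201", date(2014, 2, 20)),
    ("C1", "Grocery Mart",  "76201", date(2014, 2, 21)),
    ("C2", "Sally Beauty",  "75001", date(2014, 2, 22)),
    ("C2", "Gas Stop",      "75001", date(2014, 2, 23)),
    ("C3", "Sally Beauty",  "30301", date(2014, 2, 25)),
    ("C3", "Grocery Mart",  "30301", date(2014, 2, 26)),
    ("C4", "Sally Beauty",  "60601", date(2014, 2, 27)),
    ("C4", "Coffee Corner", "60601", date(2014, 2, 27)),
    ("C5", "Grocery Mart",  "76201", date(2014, 2, 21)),
    ("C5", "Gas Stop",      "76201", date(2014, 2, 24)),
    # old purchase outside any plausible exposure window; must be ignored
    ("C2", "Sally Beauty",  "75001", date(2013, 11, 2)),
]


def common_points_of_purchase(transactions, compromised_cards, window_start, window_end):
    """Rank merchants by how many of the compromised cards transacted there
    inside [window_start, window_end]. Returns a list of
    (merchant, card_count, fraction_of_compromised_cards), highest first.
    A merchant present on (nearly) every card is the CPP candidate."""
    merchants_per_card = defaultdict(set)
    for card, merchant, _zip, when in transactions:
        if card in compromised_cards and window_start <= when <= window_end:
            merchants_per_card[card].add(merchant)
    counts = Counter()
    for merchants in merchants_per_card.values():
        counts.update(merchants)  # a card counts a merchant once, not per visit
    total = len(compromised_cards)
    return [(m, n, n / total) for m, n in counts.most_common()]


def cpp_candidates(ranked, min_fraction=0.9):
    """Merchants seen on at least min_fraction of the compromised cards."""
    return [m for m, _n, frac in ranked if frac >= min_fraction]


def zip_overlap(batch_zips, store_zips):
    """Compare the ZIPs attached to cards in a carder-shop batch with a
    retailer's store ZIPs. A batch whose ZIP set is almost exactly the
    retailer's footprint suggests a chain-wide compromise."""
    batch, stores = set(batch_zips), set(store_zips)
    shared = batch & stores
    return {
        "batch_unique": len(batch),
        "store_unique": len(stores),
        "shared": len(shared),
        "batch_covered": len(shared) / len(batch) if batch else 0.0,
    }


if __name__ == "__main__":
    bought_back = {"C1", "C2", "C3", "C4"}
    ranked = common_points_of_purchase(
        TRANSACTIONS, bought_back, date(2014, 2, 17), date(2014, 2, 27))
    print(ranked)                  # Sally Beauty on 4 of 4 cards
    print(cpp_candidates(ranked))  # ['Sally Beauty']
    print(zip_overlap(["76201", "75001", "30301", "60601", "60601"],
                      ["76201", "75001", "30301", "60601", "90210"]))
```

The window matters: narrowing it to February 17–24 drops two of the four Sally Beauty visits and the merchant no longer clears the threshold, which is why issuers anchor the window on the earliest date the stolen batch appeared for sale. Note also that CPP identifies where the cards were used, not how they were stolen; Sally Beauty’s own network alerts were the corroborating evidence.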

03/05/2014 Assisted Living Concepts, LLC

in Chicago, Illinois
43,600 non-financial accounts compromised
Who: Assisted Living Concepts, LLC (“ALC”) and its subsidiaries own and/or operate approximately two hundred assisted living communities in twenty different states. ALC utilizes an outside payroll service vendor. When: On February 14, 2014, that vendor notified ALC that an unauthorized third party improperly obtained access to user credentials and hacked the vendor’s systems. Scope: Exposed information included names, addresses, birth dates, Social Security numbers and other pay information. Scale: Current and former employee information was exposed. (source)

03/06/2014 North Dakota University

an educational institution at 600 East Boulevard Avenue, 10th Floor Bismarck, North Dakota
291,465 non-financial accounts compromised
North Dakota University System has notified individuals of a security breach of a computer server that stores personal information on students, staff and faculty. When: On February 7, 2014 the server was hacked. Scale: More than 290,000 current and former students and 780 faculty and staff had personal information stored on that server. Scope: Data included names and Social Security numbers according to Larry Skogen, the Interim Chancellor.

Authorities have announced that “an entity operating outside the United States apparently used the server as a launching pad to attack other computers, possibly accessing outside accounts to send phishing emails.” The university has notified officials and is organizing a call center for questions. Information can be found in the university’s notice, with updates through 3/14/2014.

03/06/2014 Sutherland Healthcare Solutions / LA County DOH

SHS is a healthcare provider or servicer in Los Angeles, California, providing patient billing and collection services for the Los Angeles County Department of Health
168,000 non-financial accounts compromised (original 3/06/2014)
342,197 non-financial accounts compromised (update 5/22/2014)
On February 5, 2014 the offices of Sutherland Healthcare Solutions (SHS), which provides patient billing and collection services for Los Angeles County, were broken into and computers were stolen. Information stored on these computers included first and last names, Social Security numbers, billing information, dates of birth, addresses, diagnoses and other medical information. The breach is being investigated by authorities, and SHS is offering 12 months of credit monitoring through ID Experts at no charge. To enroll, call 1-877-868-9284 or go to www.myidcare.com/securityandprotection.

UPDATE (3/7/2014): The Los Angeles County Department of Health and Human Services (DHS) announced recently that they will be notifying 168,000 patients of a data breach at Sutherland Healthcare Solutions. When originally reported the number of patients was not divulged.

UPDATE (5/22/2014): The Scale has increased to over 342,000 but the Scope of what was taken remains names, addresses and billing information for those patients whose data may have been taken from eight computers stolen from the Torrance office of SHS. (source)

UPDATE (5/27/2014): The Los Angeles County Board of Supervisors voted on Tuesday to tighten encryption requirements for county computers and hard drives. Until now only laptops were required to be encrypted; the vote extends that requirement to the workstation hard drives of all county departments. The Board also voted to make encryption a contract requirement for “all County-contracted agencies that exchange personally identifiable information and protected health information data with the County”.

03/10/2014 St. Joseph Home Care Network

11,800 non-financial accounts compromised
Private information of home health patients was included in an unencrypted Excel file, with no password protection, that was sent to an investment firm working on a business proposal for the health system. Exposed information included name, medical codes, referral source, referral type, admission date, admission status description, admission disposition description and the medical unit where the patient was treated.


03/10/2014 Statista

a business other than retail at 45 Broadway, Suite 710 New York, New York
50,000 non-financial accounts compromised
The online statistics portal Statista notified customers of a data breach of its system. The breach was noticed when the company itself began receiving spam emails. The company investigated and found that approximately 50,000 of its customers’ username and password combinations had been compromised. The company has not said whether the breach went beyond usernames and passwords, but at present that seems to be all that was affected. The company notified users almost immediately and assured them that the compromised passwords “cannot be used by third parties due to masking procedures”; it did not encourage customers to change their passwords. Experts question how secure the passwords are for accounts created before December 2013, noting that “the passwords of those who signed up before this date were stored in the Statista database as MD5 hashes. As many experts will tell you, MD5 passwords can be easily cracked.” The main risk for those affected is a higher incidence of spam and phishing emails, potentially impersonating Statista.
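Why “stored as MD5 hashes” undercuts the “masking procedures” reassurance, as an added example in Python. This is not Statista’s code; the leaked table, the passwords behind it and the wordlist are constructed. It runs a dictionary attack over unsalted MD5 hashes and contrasts it with a salted, iterated PBKDF2 record that has to be attacked one account at a time.

```python
"""Unsalted MD5 password hashes versus a salted, slow KDF.

Added example, not Statista's code. The "leaked" table and wordlist are
constructed; the hashes are computed here from constructed passwords.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed leaked table: account -> unsalted MD5 hex digest, the scheme
# the pre-December-2013 Statista accounts reportedly used.
LEAKED_MD5: Dict[str, str] = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com":   hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
    "dave@example.com":  hashlib.md5(b"letmein").hexdigest(),  # same as bob
}

WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def crack_md5_table(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted MD5. One MD5 per candidate word tests it
    against every account at once: without a salt, identical passwords give
    identical hashes, so the table is cracked in O(wordlist), not O(accounts)."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The record carries its own
    parameters so the cost can be raised later without re-hashing everyone."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and parameters and
    compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False  # refuse legacy or unknown records instead of guessing
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print(crack_md5_table(LEAKED_MD5, WORDLIST))  # alice, bob and dave fall
    rec1, rec2 = hash_password("letmein"), hash_password("letmein")
    print(rec1 != rec2)                     # True: per-user salt
    print(verify_password("letmein", rec1)) # True
    print(verify_password("wrong", rec1))   # False
```

With a salt, bob and dave no longer share a hash, so every guess must be recomputed per account, and 600,000 iterations make each guess roughly a million times more expensive than a single MD5. That does not rescue weak passwords, which is why the sensible advice to affected users is still to change them.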

03/11/2014 Archdiocese of Seattle

90,000 non-financial accounts compromised
On 3/10/2014 the church reported that more than a dozen people had found their tax returns compromised. Criminals stole personal information from an Archdiocese database containing personal information on thousands of employees and volunteers at churches, schools, and agencies, then filed fake tax returns and directed the refunds to themselves. The FBI and IRS are investigating. (source) and [ www.kirotv.com/news/news/archdiocese-seattle-hacked-warns-90000-employees-a/nd9Xs ]

03/11/2014 Banner Health

in Phoenix, Arizona
55,207 non-financial accounts compromised
How: Magazine address labels showed Social Security or Medicare ID. Scale: More than 50,000 people were affected. (source)

03/11/2014 J.M. Smucker Company

in Ohio
23,000 financial accounts compromised
Hackers compromised the company’s online store and stole payment card data and other personal information.

03/17/2014 Maryland Department of Health and Mental Hygiene

State Government at 201 West Preston Street Baltimore, Maryland
14,000 non-financial accounts compromised
Who: Service Coordination Incorporated (SCI) of Frederick, Maryland, which provides case management services to DHMH. When: SCI was hacked between October 20 and October 30, 2013. Scope: Potentially compromised information includes names, Social Security numbers, medical assistance numbers, and other vital information that may have been shared with the Maryland Developmental Disabilities Administration. Scale: SCI supports nearly 14,000 Maryland residents on behalf of DHMH.

03/18/2014 IRS

Federal Government in Pennsylvania
20,000 non-financial accounts compromised
A former IRS employee took home a thumb drive containing personal information on 20,000 current and former employees and contractors, including Social Security numbers, names and addresses. The thumb drive was plugged into the employee’s unsecured home network, which could have left the information vulnerable. The incident dates back to 2007, before the IRS started using automatic encryption. The IRS will not comment on why the breach was not discovered until now, or on whether the employee who used the thumb drive still works at the IRS.

03/21/2014 Auburn University College of Business

in Alabama
13,698 non-financial accounts compromised
On November 20, 2013, Auburn University became aware of a compromised server on the College of Business network. The incident was reported more than four months later, once it was clear that names and Social Security numbers may have been accessed.


03/21/2014 Department of Finance and Administration / Health

State Government in Arkansas
10,713 non-financial accounts compromised
A breach involving Health Advantage occurred in October 2012 and was reported more than a year later. The incident involved paper records and affected several entities. Details of exactly what was exposed were not found.


03/21/2014 Health Advantage

in Arkansas
10,713 non-financial accounts compromised
A breach at the Arkansas Department of Finance and Administration, Employee Benefits Division, exposed information on employees. The breach occurred in October 2012, more than a year before it was reported.

03/21/2014 Missouri Consolidated Health Care Plan (StayWell)

in Missouri
10,024 non-financial accounts compromised
Persons who participated in the 2012 Eat for the Health of It or Stress Quest programs had their information accessible via Internet search because the spreadsheets were inadvertently stored in a publicly accessible folder on StayWell’s system. The spreadsheets were accessible from March 23, 2012 to January 22, 2014, almost two years. Exposed information included participant name, email address, internal identification number, the then-current week of the program, election regarding email notifications, and whether a participant had taken two short program surveys.


03/21/2014 Patient Care Services at Saint Francis, Inc.

in Broken Arrow, Oklahoma
84,000 non-financial accounts compromised
What: From a secured room a burglar took a computer containing personally identifiable information. When: The burglary was in January 2011 and it was entered into the HHS database March 2014, more than three years later. Scope: Exposed were names, Social Security numbers, addresses and diagnostic information on patients treated prior to 2004. According to St. Francis the computer was not used after 2004. Scale: Information on an estimated 84,000 was exposed. (source)

03/21/2014 Spectrum Health Systems

in Worcester, Massachusetts
14,750 non-financial accounts compromised
What: A desktop computer, laptop computer and non-portable hard drive were stolen. When: The breach occurred on August 24, 2011 and was entered into the HHS database in March 2014, almost three years later. Scope: The hard drive contained full names, addresses, telephone numbers, dates of birth, Social Security numbers, diagnostic codes and medical insurance numbers for inpatients and outpatients. Scale: Affected were 14,750 patients who visited Spectrum Health Systems in the Worcester, Massachusetts, area including Westborough, Worcester, Milford, Framingham, Southbridge, Fitchburg and Weymouth between 2002 and March 2011. (source)

03/21/2014 Terrell County Health Department

State or Local Government in Georgia
18,000 non-financial accounts compromised
There was an incident exposing information between January 9, 2012 and April 17, 2012 which was reported in March 2014, almost two years later. Details on what happened and what information was exposed were not found.

03/21/2014 Wyatt Dental Group

in Louisiana
10,271 non-financial accounts compromised
The breach occurred between November 4, 2011 and April 15, 2012. It was publicly reported almost two years later. It appears an insider improperly obtained information including name, address and Social Security numbers.

[ http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-224477.pdf ]

03/27/2014 The University of Wisconsin-Parkside

an educational institution in Kenosha, Wisconsin
15,000 non-financial accounts compromised
Officials at the University of Wisconsin-Parkside notified students of a data breach in which hackers installed malware on one university server. The information at risk includes names, addresses, telephone numbers, email addresses and Social Security numbers of students who were admitted or enrolled at the university since the fall of 2010. The server was shut down and the intrusion was reported to local authorities. The investigation indicates that the malware was searching for credit card information, and there is no evidence that any Social Security numbers were compromised. The university has set up a web page with information for those who may have been affected: http://www.uwp.edu/explore/contactus/index.cfm

04/02/2014 Boxee

a business other than retail in Ridgefield Park, New Jersey
158,128 non-financial accounts compromised
The personal data of over 158,000 Boxee.tv forum accounts was hacked and leaked online to a Tor site and to at least one researcher. The information included email addresses, birth dates, IP addresses, message histories and past password changes. The company was purchased by Samsung in July 2013.

04/02/2014 Spec’s

in Texas
550,000 financial accounts compromised
Spec’s is a Texas superstore selling wines, spirits, and finer foods. It announced that customer data at 34 of its locations may have been hacked. The hack reportedly began October 31, 2012 and continued for more than a year and a half, until March 20, 2014. The reference has information on what stores were affected, no-charge credit monitoring and more.


04/06/2014 BigMoneyJobs.com

a business other than retail, location unknown
36,802 non-financial accounts compromised
What: The recruiting site BigMoneyJobs.com has apparently been breached by a hacker who goes by the name of ProbablyOnion and who exploited an SQL injection vulnerability. Scope: The information included names, home addresses, phone numbers, emails and passwords and was published in an Excel file. Scale: Information on 36,802 people looking for a job and companies looking for talent was exposed.

04/07/2014 Deltek Inc.

in Herndon, Virginia
25,000 financial accounts compromised
55,000 non-financial accounts compromised

Software developer Deltek Inc. informed approximately 80,000 employees of a breach that occurred in Deltek’s GovWin IQ system. The company confirmed that on March 13, 2014 they suffered a cyberattack exposing usernames, passwords and credit card information for individuals who use the GovWin IQ system. 25,000 of those affected may have had credit card information breached. The company is offering membership to TransUnion Monitoring services at no charge for those who had charge card information exposed. Questions? protect@deltek.com

04/08/2014 Kmart Corporation

16,446 non-financial accounts compromised
Medical information was compromised.

04/08/2014 Macon-Bibb County

County Government in Georgia
12,378 non-financial accounts compromised
A county website exposed personal information, including Social Security numbers, driver’s licenses, and birth certificates.

04/11/2014 Veterans Of Foreign Wars Of The United States

a Non-Governmental Organization (includes non-profits) at 406 West 34th Street Kansas City, Missouri
55,000 non-financial accounts compromised
The office of The Veterans Of Foreign Wars Of The United States notified members that an unauthorized party accessed VFW’s webserver through the use of a trojan and malicious code. The hacker, thought to be in China, was able to download tables containing the names, addresses and Social Security numbers of approximately 55,000 VFW members. The motivation of the hacker, according to IT experts, was to gain access to information regarding military plans or contracts and not identity theft, although they have not ruled that out. VFW is providing 12 months of AllClearID free of charge. Members can call 1-855-398-6437 with any questions. A security code must be provided; it was included in the letter sent to those affected.

04/17/2014 Aaron Brothers

a retail business at 1221 South Beltline Road, Suite 500 Coppell, Texas
400,000 financial accounts compromised
Aaron Brothers (a division of Michaels Stores Inc.) appears to have been a part of the data breach of Michaels Stores Inc. The company confirmed on Thursday April 17, 2014 that the payment system breach also affected its Aaron Brothers chain. Approximately 400,000 charge cards were potentially breached from June 26, 2013 through February 27, 2014.

04/18/2014 University Pittsburgh Medical Center

a healthcare provider or servicer in Pittsburgh, Pennsylvania
27,000 non-financial accounts compromised (original from 4/18/2014)
62,000 non-financial accounts compromised (updated from 5/30/2014)
The University Pittsburgh Medical Center (UPMC) informed employees of a data breach that compromised employees’ personal data, including their Social Security numbers, with the potential for fraudulent tax returns being filed in their names. The number of employees affected was approximately 800. The full extent of the information exposed has not been communicated; however, due to the tax fraud, information such as names, addresses and Social Security numbers is assumed to be involved. UPMC was aware of the breach in February and thought that the breach included only 27 individuals. An investigation is currently being conducted.

UPDATE (4/21/2014): The extent of the data breach was expanded to around 27,000 employees affected. UPMC is offering Lifelock for 12 months for those affected. A letter went out to those individuals with the information. UPMC hotline (1-855-306-8274) or email JohnHouston@upmc.edu. A class action lawsuit has been filed against UPMC.

UPDATE (5/14/2014): On Friday May 9, 2014 the law firm of Kraemer, Manes & Associates sued University Pittsburgh Medical Center (UPMC) and Ultimate Software Group of Weston, Florida, over the loss of employee data and subsequent identity thefts. They are seeking class-action status in U.S. District Court, and would represent current and former UPMC employees who have been affected by the breach.

UPDATE (5/30/2014) The Scale has more than doubled to 62,000 employees. UPMC declined to say what led investigators to increase the number. The Scope remained the same and included names, Social Security numbers, addresses, salary information, and bank account information. (source)

04/22/2014 Iowa State University

an educational institution at 100 Enrollment Services Center Ames, Iowa
29,780 non-financial accounts compromised (original from 4/22/2014)
48,729 non-financial accounts compromised (update from 4/23/2014)
Iowa State University has reported a data breach of one of its systems that exposed a large amount of data on individuals who were enrolled at the university over the past 17 years. Social Security numbers of approximately 30,000 people who enrolled in certain classes between 1995 and 2012 were exposed, along with university ID numbers for nearly 19,000 additional people. Authorities believe that the person or persons responsible were apparently motivated by generating enough computing power to create the virtual currency bitcoin. The university is offering AllClear ID for 12 months free for those whose Social Security numbers were affected. AllClear representatives can be reached at 1-877-403-0281. Those who suspect fraud or question whether a request they receive is legitimate should contact the ISU Foundation at 515-294-4607, the ISU Alumni Association at 515-294-6525, or Iowa State’s computer security team at serverbreach@iastate.edu. ISU information website. Update 4/23/2014: Scale raised to 48,729 (source)

04/29/2014 Boston Medical Center

in Massachusetts
15,265 non-financial accounts compromised
A transcription service placed medical records of about 15,000 patients on the service website. They were posted without password protection exposing medical information.

04/29/2014 Centura Health

in Colorado
12,286 non-financial accounts compromised
Scope: Compromised information includes name, Social Security number, Medicare beneficiary number, address, date of birth and phone number, clinical information, diagnosis, date(s) of service, treating physician and medical-record numbers. According to a news release circulated by Centura Health, the hackers may have breached patients’ private information through a sophisticated “phishing” email attack that targeted Centura health employees. Scale: over 12,000 accounts were exposed.


04/29/2014 University of Miami Health System

in Florida
13,074 non-financial accounts compromised
Almost a year after paper medical records were exposed, UMHS reported the breach, which dated from June 2013.

05/01/2014 Grand Valley State University

in Michigan
10,000 non-financial accounts compromised
A university vendor accidentally exposed names, addresses and internal ID numbers of more than 10,000 students by putting them on a web site.

05/06/2014 Central City Concern

in Oregon
17,914 non-financial accounts compromised
CCC was informed on 4/3/2014 that a former employee had been accused of improperly copying information about clients of its Employment Access Center program with the intent of filing fraudulent tax returns. A follow-up investigation found more potential exposures.

05/12/2014 Gingerbread Shed Corporation

in Arizona
50,000 financial accounts compromised
What: An unauthorized third party may have obtained access to the personal information of customers. Scope: names, addresses, telephone numbers, email addresses, credit card information, and the user names and passwords for their website. When: Between late November 2012 and mid-February 2014; the breach was discovered about April 2014, more than a year after the compromise started. Scale: About 50,000 customers were affected.

05/14/2014 Paytime

a Financial or Insurance Services firm at 5053 Ritter Rd Suite 100 Mechanicsburg, Pennsylvania
233,000 financial accounts compromised
Paytime issued notices to its customers about a data breach that it discovered on April 30. According to recent reports, the breach has affected approximately 233,000 individuals in every state, although the majority were in Pennsylvania. The information could have included “employees’ names, Social Security Numbers, direct deposit bank account information (if provided), dates of birth, hire dates, wage information, home and cell phone numbers, other payroll related information and home addresses”. The investigation so far has uncovered that the “intruders were skilled hackers working from foreign IP addresses.”

05/19/2014 Entercom Portland

in Oregon
13,000 non-financial accounts compromised
Storage devices were stolen from an employee’s vehicle. This exposed personal information about 13,000 people.

05/19/2014 Safety First

a business other than retail at 1055 Parsippany Blvd. Parsippany, New Jersey
35,000 non-financial accounts compromised
SafetyFirst has come forward to announce a data breach of its E-DriverFile service. The company is connected to the announcement that Lowe’s current and former employees were involved in a data loss. “A new filing with the California Attorney General’s Office obtained today indicates that a server containing a wealth of information about client vehicle operators was unprotected and accessible via the Internet for a period that exceeded six months. SafetyFirst reported that the breach dated back to September 27, 2013. It was not discovered until April 2, 2014 according to those records”. SafetyFirst unintentionally backed up data to an unsecured computer server that was accessible from the Internet. The information breached included Social Security numbers and driver license numbers.

05/21/2014 Ebay

a business other than retail at 2065 Hamilton Avenue San Jose, California
145,000,000 non-financial accounts compromised
Who: Ebay, the online auction site. When: Hacked between late February and early March 2014. How: Hackers used login credentials from employees. Scale: Hackers accessed a database containing records of approximately 145 million users which they appeared to have copied. Scope: The information included email addresses, encrypted passwords, birth dates, mailing addresses. The company reports that no financial data or PayPal databases were compromised. The company is encouraging all who were affected to change their passwords. For additional information from Ebay

Hackers quietly broke into eBay two months ago and stole a database full of user information, the online auction site revealed Wednesday. Criminals now have possession of eBay (EBAY) customer names, account passwords, email addresses, physical addresses, phone numbers and birth dates. … It wasn’t until two weeks ago that eBay discovered employee credentials had been stolen, the company said. The company then conducted a forensic investigation of its computers and found the extent of the theft. The real danger here is in the fallout of such a major data breach. Hackers now know where you live. They can call you. Expect to receive fake deals and offers. Beware of getting duped into revealing even more sensitive information, like your bank details or Social Security number. CNN article [highlighting ours – ed]

05/22/2014 Lowes Corporation

a retail business at 1000 Lowes Boulevard Mooresville, North Carolina
35,000 non-financial accounts compromised
Lowes Corporation had to issue a data breach notice to current and former drivers for the company due to a security breach at one of the third-party vendors it uses. Information breached included names, addresses, birthdays, Social Security numbers, driver’s license numbers, and other driving record information held in E-DriverFile, an online database provided by SafetyFirst, a driver safety firm headquartered in New Jersey. The third-party vendor unintentionally backed up the data to an unsecured server that was accessible via the Internet. The information may have been exposed from July 2014 through April 2014 before it was discovered. Lowes is offering its current and former employees one year of AllClearID free of charge. Those affected can call 1-877-322-8228.

05/30/2014 Arkansas State University College of Education and Behavioral Science’s Department of Childhood Services

an educational institution in Jonesboro, Arkansas
50,000 non-financial accounts compromised
Arkansas State University was notified by the Arkansas Department of Human Services of a data breach in its College of Education and Behavioral Science’s Department of Childhood Services database, potentially exposing personally identifiable information. According to A-State’s Chief Information Officer Henry Torres, “We have confirmed unauthorized access to data, but we have no reports regarding illegal use of the information in these files”, Torres said. “We took immediate measures to address this issue after being notified by DHS. We are cooperating with DHS and working with programmers to assess and resolve the situation.” The breach involved a database related to the “Traveling Arkansas Professional Pathways (TAPP) Registry, which is a professional development system designed to track and facilitate training and continuing education for early childhood practitioners in Arkansas.” To date, the university has stated that Social Security numbers were compromised in the database; no other information as to the specific data was provided by the university.

06/03/2014 Department of Public Health and Human Services

State Government in Montana
1,062,509 non-financial accounts compromised
Hackers breached a server containing names, addresses, birth dates, Social Security numbers, dates of service and clinical information.

06/03/2014 Essex Valley Cardiology / M.D. Manage

in New Jersey
35,357 non-financial accounts compromised
CBS discovered the online data breach at M.D. Manage, which failed to secure confidential information online. Data was “completely unprotected and available to anyone on the Internet.” CBS 2 found tax documents from doctors, a confidential psychological history of an Essex County woman, and hundreds of patients’ names, addresses, Social Security numbers, and dates of birth.


06/03/2014 Home Depot

in Georgia
30,000 financial accounts compromised
What: An authorized employee in the tool rental area took charge card information for improper use. When: May 7, 2014 to May 21, 2014.

06/03/2014 Union Labor Life Insurance Company

in Maryland
46,771 non-financial accounts compromised
A laptop computer was stolen from the company offices in Silver Spring, MD. This exposed personal information.

06/04/2014 American Express

in New York
76,608 financial accounts compromised
Law enforcement informed AMEX that several large files containing personal information were posted on internet sites by claimed members of “Anonymous”, a worldwide hacking collective. AMEX had not detected a breach. Account numbers were exposed along with personal information.

06/10/2014 Craftsman Book Company

11,000 financial accounts compromised
It appears that customer information, including charge card information, was hacked from the company web site.

06/11/2014 Stanford Federal Credit Union

a Financial or Insurance Services firm in Palo Alto, California
18,000 non-financial accounts compromised
Stanford Federal Credit Union informed 18,000 members that their personal information was accidentally sent to another member. According to the letter sent to the members, credit union employees recognized the error immediately and the data was destroyed without being read by the recipient. The data sent was a list of members who were pre-approved for loans. The credit union employee who sent the list inadvertently sent it to a member who had the same first name as the staff member it was meant for. According to the credit union, the member had not yet read the mail and worked with the staff of the credit union to properly destroy it.

06/12/2014 Redwood Regional Medical Group

a healthcare provider or servicer at 121 Sotoyome Drive Santa Rosa, California
33,702 financial accounts compromised
A thumb drive containing 33,702 patient records was stolen from the Redwood Regional Medical Group in Santa Rosa, California. An employee placed the thumb drive in a “zipped container in an unlocked locker”, where the drive was stolen. The information contained on the device included patients’ first and last names, gender, medical record numbers, date of birth, date and time of service, area of body X-rayed, the X-ray technologist’s name and the radiation level required to produce the X-ray. No other images such as MRIs or mammograms were stored on the device. The medical center was taken over by St. Joseph Health on April 1st. The records were backed up to the drive as a precaution while they were being moved to Santa Rosa Memorial Hospital’s electronic medical records system.

06/16/2014 Riverside Community College

an educational institution in Riverside, California
35,212 non-financial accounts compromised
Riverside Community College has suffered a data breach affecting 35,212 students. On May 30th, a district employee emailed a file containing information about all students who were enrolled in the spring term to a colleague working at home due to illness, for a research report that was on a deadline. The district employee used a personal email account to send the data because the file was too large for the district’s secure email to send. The employee then typed in the incorrect email address. The information contained in the file included names, addresses, birth dates, Social Security numbers, email addresses, student ID numbers, and telephone numbers. The district has set up a Call Assistance Center at 1-888-266-9438 for affected students. The center will be open from 6 a.m to 6 p.m Monday through Friday for 90 days.

06/16/2014 Community Health Center

in Connecticut
130,000 non-financial accounts compromised
The company fired an employee then shipped to him a hard drive as a “personal effect”. That drive contained medical information on clients of the Center. The former employee returned the hard drive promptly.

06/16/2014 Jimmy John’s

A national franchised sandwich restaurant chain founded in 1983 by Jimmy John Liautaud in Charleston, Illinois and now headquartered in Champaign, Illinois.

The initial investigation started after Jimmy John’s was found to be a nexus (common point) for compromised card information that was used to create physical cards with the same information, i.e. counterfeit. source

The breaches mostly occurred between June 16, 2014 and September 5, 2014 which means JJ didn’t notice until the stolen credentials appeared and were analyzed by providers.

While franchisees are independent operations the franchiser often makes recommendations for construction, layout, policies and equipment. Jimmy John’s recommended Signature Systems Inc. PDQ QSR point-of-sale product. See the upper left corner of this 1 page PDF.

Update (09/24/2014) Jimmy John’s confirms breach. In a statement Jimmy John’s reported that 216 of their 1,900+/- stores were compromised. A list and dates exposed (some exposures were ongoing as of 9/24) were provided by the company. If your card information was exposed the company is offering no-charge identity protection and assistance via AllClear ID. Source

Company officials confirmed that the point-of-sale (POS) equipment compromised was from Signature Systems. It remains unclear if companies, other than Jimmy John’s, using its point-of-sale solutions were similarly impacted. Source

9/25/2014 Chicago Channel 7 (ABC), video segment and story

Update (09/26/2014) Signature Systems posted a notice and FAQ [ http://www.pdqpos.com/notice.html ] which better defined the Scope to include cardholder’s name, card number, expiration date, and verification code, and increased the Scale to include 108 other restaurants (listed in no discernible order on the notice) in addition to the 216 Jimmy John’s restaurants. The number of affected consumers is still unknown.

Signature Systems stated that an unauthorized person gained access to a user name and password that Signature Systems used to remotely access POS systems. The hacker then installed malware which captured payment card data from cards swiped through terminals in certain restaurants.

According to PCI, Signature Systems’ PDQ POS was not approved for new installations after October 28, 2013, meaning installations after that date could be facing fines and penalties. More than a dozen Jimmy John’s locations were opened after that date.

Potentially even more troublesome, the company that performed the security audit on PDQ was Chief Security Officers (CSO), which is now out of business and had its certification authority revoked (4 page PDF) by the PCI Security Standards Council in August of 2011. See more at Krebs on Security

06/19/2014 Rady Children’s Hospital

a healthcare provider or servicer in San Diego, California
14,100 non-financial accounts compromised
Rady Children’s Hospital suffered a data breach when an employee inadvertently sent an email with a file attached to 6 potential job applicants. The applicants were meant to receive approved information for an internal evaluation; instead they received the original file with the information of 14,100 patients. The information included names, dates of birth, primary diagnoses, medical records and insurance carrier claim information. According to the hospital, no Social Security numbers, credit card information, addresses or parent/guardian information were included in this file. The file contained information on patients admitted to the hospital between July 1, 2012 and June 30, 2013.

06/24/2014 NRAD Medical Associates, P.C.

in New York
97,000 financial accounts compromised
An employee radiologist took information from a billing system without authorization. Scope: Included were patient names and addresses, dates of birth, Social Security numbers and health insurance, diagnosis codes and procedure codes. No monitoring was offered, nor was an explanation of how a radiologist accessed the billing system.


06/26/2014 Splash Car Wash

a retail business at 625 West Putnam Avenue Greenwich, Connecticut
120,000 financial accounts compromised
Splash Car Wash has notified approximately 30,000 customers of a data breach after malware was found on the point-of-sale systems at several of its locations, potentially exposing credit card data. The car wash operates 13 locations in New York and Connecticut and was alerted to the breach by American Express. As soon as customers swiped their cards, the information was stolen, before the company’s system had time to encrypt the data. The breach is being investigated by authorities.

06/30/2014 Butler University

an educational institution at 4600 Sunset Avenue Indianapolis, Indiana
163,000 financial accounts compromised
Butler University in Indianapolis, Indiana informed students, staff and alumni of a data breach to its system. Over 160,000 individuals may have been affected when hackers may have accessed their personal information. The university was contacted by California officials to “inform them that they had arrested an identity theft suspect who had a flash drive with Butler employee’s personal information on it”. In a letter sent to those affected, the university has said that “someone hacked the school’s network sometime between November 2013 and May 2014”. School officials have discovered that the information exposed included birthdates, Social Security numbers and bank account information of approximately 163,000 students, faculty and staff, alumni, and prospective students who never enrolled in classes at Butler. The university is offering a year of free credit monitoring.

07/02/2014 Stanford Federal Credit Union

18,000 non-financial accounts compromised
A staffer inadvertently included members’ personal information in an email that was sent to another member.

RSA uncovers Boleto fraud/Bolware

496,000+/- compromised Boleto financial transactions
192,000+ computers infected by malware
83,000+ compromised non-financial accounts
3.75+ billion USD, an estimated financial loss

During the FIFA World Cup 2014 the German National team took first place during the month-long event from Thursday, June 12, 2014 to Sunday, July 13, 2014.

In Brazil some people are paid, or pay, with a Boleto Bancário or Boleto (“ticket” in English), a regulated financial instrument under the supervision of the Brazilian Federation of Banks (FEBRABAN) and the Brazilian Payment System (SPB). A Boleto has many aspects of a check plus a “good until” date. Consumers can also obtain Boletos from an authorized vendor to pay their own bills.

A boleto can be converted to cash (paid in the Brazilian Real, shown as R$) or purchased at banks, branches of banks, automated teller machines of banks, internet access of banks, the post office, lottery agents and some supermarkets. An expired Boleto (having passed its “good until” date) is not valueless, but it can only be paid at a facility of the bank that issued it.

In addition to manually manufactured fraudulent Boletos there is Boleto malware which uses a variant of the man-in-the-middle attack that the RSA calls Man-in-the-browser (MITB)

“… that attacks online operations and is based on transaction modification on the client side. The malware infects web browsers to intercept and modify Boletos by two different methods. In both cases, the Boleto information is modified so that the payment is redirected either to a fraudster’s account or a mule account. Since the malware is MITB, all malware activities will be invisible to both the user and the web application.” [ highlighting theirs -ed ]

source: July 2014 RSA white paper, page 6 of a 31 page PDF

In addition to being invisible (per above), what makes this fraud hard to detect is that the printed Boleto contains little consumer-readable information other than the amount and use-by date. The identification field is a long number without anything readable such as the name of the organization. Even before the Boleto is printed, the entry screen echoes the information as it was entered, not what will be printed.

The Boleto malware is clever and identifies many of the browser security plug-ins provided by banks. It then modifies (patches) the plug-ins and their shared libraries (if they have any) with version-specific modifications that bypass the security functions provided. The plug-ins look like they are working, but that is a false sense of security, as those functions have been bypassed.

According to the RSA white paper (page 25 of the 31 page PDF), 95.5% of the operating systems infected with the Boleto malware were either Windows 7 (a whopping 78.3%) or Windows XP (17.2%). Two browsers accounted for 82.7% of the infections: Internet Explorer at 48.7% and Google Chrome at 34%. These statistics don’t necessarily indicate that those pieces of software are more vulnerable; the incidents of infection are understandably concentrated in the most widely used software, just as they are in the highly populated areas.

Over 8,000 fraudulent ID numbers have been discovered. Most have been for between 1,000 and 6,000 Real, about $420 to $2,500 US dollars. There were several large ones for between 75,000,000 and 100,000,000 Real, between $31,430,728 and $41,907,638 US dollars.

In addition to the financial compromises the malware also collected over 83,000 user credentials, mostly user names, email accounts, passwords to email accounts, and access credentials to other online services. 94% of these compromised credentials were from the HotMail.com domain. Again, this does not mean that HotMail is more vulnerable, just that it is more popular.

According to the RSA white paper (page 28 of the 31 page PDF)

“According to the number of affected unique IP addresses observed, the estimated number of Bolware operation victims is 192,227. The total value of all Boletos that were modified by the malware and are currently stored in the C&C [ command and control ] server is estimated to be up to R$8,572,513,355.59 ($3,753,946,994.04 USD or 2,760,517,477.32 Euro). However, it is important to note that this may not represent the actual amount fraudsters were able to redirect into their accounts as it is not known which Boletos were actually paid by the victims.” [ highlighting theirs, text in square brackets ours – ed ]

7/02/2014 RSA published an article which reported 495,753 compromised Boleto transactions.

See also Krebs on Security

Brazil has been the leader in South America in adopting technology. This unfortunately also puts it in the lead for being victimized by technology crime. See Brazil: Cybersecurity Challenges Faced by a Fast-Growing Market Economy, a 2013 Trend Micro Research Paper (35 page PDF), and the accompanying 8/26/2013 article

07/03/2014 Blue Shield of California/Department of Managed Healthcare

a Financial or Insurance Services firm in San Francisco, California
18,000 non-financial accounts compromised
The Department of Managed Health Care informed individuals of a breach concerning their personal information. Health plans regulated by the Department of Managed Health Care (DMHC) are required to provide the DMHC periodically with current rosters of the medical providers the health plans contract with. These plans are not supposed to include confidential or personal information in the rosters because the rosters are generally public documents. “The DMHC discovered that Blue Shield of California had inadvertently included provider Social Security numbers in the rosters Blue Shield provided to the DMHC in February, March and April, 2013″. Blue Shield neglected to inform the DMHC that the information was confidential or alert the DMHC that a mistake had been made on the documentation. The information included Social Security numbers, providers’ names, business addresses, business telephone numbers, medical groups, and practice areas. For those affected, Blue Shield is offering a free one-year membership in Experian’s ProtectMyID Alert. Those with questions can call 1-877-371-7902.

07/04/2014 St. Vincent Breast Center

a healthcare provider or servicer in Indianapolis, Indiana
63,000 non-financial accounts compromised
St. Vincent Breast Center has announced that patients’ health information may have been breached after the center sent around 63,000 letters to the wrong patients. The letters included patient names, addresses and, in certain cases, references to scheduled appointments. Reportedly no Social Security numbers, financial information or clinical information were included. St. Vincent Breast Center entered into an agreement with Indianapolis Breast Center P.C. and Solis Women’s Health Breast Imaging Specialists of Indiana P.C. after they both closed last year. On May 5, St. Vincent Breast Center mailed letters intended for prior patients of the Indianapolis Breast Center and Solis Women’s Health to inform them that St. Vincent was available to provide care. Some letters also welcomed patients who had previously scheduled healthcare services. Officials said that on May 15, people who had accidentally received another person’s letter began calling St. Vincent. Affected? Call 1-877-216-3862 Monday through Friday 9:00 a.m. to 7:00 p.m.

07/04/2014 LIFX

LIFX is a wireless, multi-color, energy efficient LED light bulb that can be controlled with an iPhone or Android smartphone. The company has shipped over 100,000 of them around the world.

6/23/2014 LIFX raised $12 million USD in a round led by Sequoia Capital.

7/04/2014 Less than three weeks later, a consulting company found that these wirelessly connected smart light bulbs were exposing the owner’s WiFi credentials. With those credentials an attacker could join the home network, copy files from networked computers, print documents on networked printers, control the LIFX bulbs, and more.

Consumers need to download updates for their light bulbs. Because the bulbs are updated over their 802.15.4 6LoWPAN (IPv6 over Low power Wireless Personal Area Network) wireless mesh network, updates are slow. “In an ideal scenario, the expected update time for a single bulb can take between 45 minutes to an hour. As more bulbs are added or radio signal drops, this expected time will increase.” (source) The light bulb’s own update message says 1 to 3 hours.

07/08/2014 Department of Managed Health Care (DMHC) / Blue Shield

18,000 non-financial accounts compromised
18,000 doctors had their Social Security numbers included in rosters Blue Shield provided to the DMHC in February, March and April, 2013. Those rosters also included names, business addresses, business telephone numbers, medical groups, and practice areas. (See the DMHC entry above for details.)

07/08/2014 Park Hill School District

in Missouri
10,210 non-financial accounts compromised
Just before leaving the district, a departing employee downloaded all the files from their work computer onto a hard drive without consent. When the hard drive was connected to a home network, all the files became accessible from the Internet.

07/14/2014 Orangeburg-Calhoun Technical College

an educational institution at 3250 St. South Matthews Road Orangeburg, South Carolina
20,000 non-financial accounts compromised
Orangeburg-Calhoun Technical College is notifying 20,000 former and current students and faculty members that, during July 2014, an unencrypted laptop computer was stolen from a staff member’s office. The information included names, birth dates and Social Security numbers for the past six or seven years. O-C believes the thief wanted the hardware, not the data. The college did not comment on whether or not they are providing credit monitoring services for those affected.

07/15/2014 Houstonian Hotel, Club & Spa

in Texas
10,000 financial accounts compromised
The hotel’s payment card data was exposed during an attack on its payment processing systems that lasted about six months.

07/17/2014 Total Bank

a Financial or Insurance Services firm at 100 S.E Second Street Miami, Florida
72,500 financial accounts compromised
Total Bank, a subsidiary of Banco Popular with 21 locations in South Florida, is notifying 72,500 customers that their account information was potentially exposed after an unauthorized third party gained access to the bank’s computer network. Information obtained by this unauthorized third party included names, addresses, account numbers, account balances, Social Security numbers and driver’s license numbers. The bank is offering 12 months of free credit monitoring services to those affected.

07/22/2014 Goodwill

in Maryland
868,000 financial accounts compromised
A third-party vendor’s systems were compromised, exposing the charge card information used at about 330 Goodwill stores in 20 states between February 10, 2013 and August 14, 2014.


07/24/2014 TFA w/OTP defeated – Operation Emmental

As of mid 2014 this attack is targeting users in Austria, Switzerland, Sweden, and Japan defeating their Two Factor Authentication with One Time Passwords. More detail ….

07/28/2014 Self Regional Healthcare

in South Carolina
38,906 financial accounts compromised
Two unauthorized individuals broke in and stole an SRH laptop. Both intruders were arrested, but the laptop had been dropped into a lake, where divers were unable to recover it. Scope: Exposed information included patient names, Social Security numbers, driver’s license numbers, treating physician names, insurance policy numbers, patient account numbers, service dates, diagnosis/procedure information, payment card information, financial account information, and possibly addresses.

07/29/2014 Symbius Medical, LLC (PRN Medical Services)

in Arizona
13,877 non-financial accounts compromised
Shortly before they resigned from the company, five former sales representatives improperly downloaded patient information including names, addresses, phone numbers, birth dates, Social Security numbers, diagnoses, and treatments.

07/30/2014 Indian Health Service – Maryland

in Maryland
214,000 non-financial accounts compromised
Indian Health Service (IHS, headquartered in Rockville Maryland) determined that a contract physician in the Bemidji Minnesota area had improperly accessed protected health information from three IHS facilities. They are Fort Yates Service Unit in the IHS Great Plains Area, the Cass Lake Service Unit in the IHS Bemidji Area, and the Crow Service Unit in the IHS Billings Area. Scope: Exposed information included patient names, Social Security numbers, diagnoses, prescribed medications, and laboratory results.

07/31/2014 US-CERT re Backoff

The United States Computer Emergency Readiness Team issued an alert on the Backoff point-of-sale malware. More details

07/31/2014 Paddy Power Bookmakers

A gambling company in Ireland was breached exposing 649,055 non-financial accounts.

When: The breach was detected in October 2010 and compromised records from then and earlier. Customers who opened accounts after 2010 were not affected. Notification of customers started in July 2014, a delay of three and a half years. Scale: The information for more than 649,000 customers was exposed. Scope: Complete names, addresses and dates of birth were exposed. The company assured customers that financial information, such as charge card information, was not compromised. (source)

08/04/2014 Northern Trust

10,172 financial accounts compromised
Northern Trust transmitted an encrypted file containing information to a record-keeping company that was not responsible for the employee health benefits plan described in that information. Scope: Exposed information included name, address, Social Security number, plan or program account number, payment/deduction amounts, and bank routing and account numbers used for direct deposits.


08/05/2014 Russian Hackers

1,000,000,000+ non-financial accounts compromised
A gang of Russian hackers has amassed over 1 billion username and password combinations and more than 500 million email addresses, a security firm reported late Tuesday, calling it the largest-ever haul of stolen Internet credentials. The massive trove, stolen from hundreds of thousands of websites, was discovered by Hold Security of Milwaukee, Wisconsin. Hold took over seven months to identify the gang, dubbed CyberVor, or cyber-thief in Russian. It appears that no payment card information or Social Security numbers were exposed. Hold Security News Page

“There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. … Yet for all the new security mousetraps, data security breaches have only gotten larger, more frequent and more costly. The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.

“The ability to attack is certainly outpacing the ability to defend,” said Lillian Ablon, a security researcher at the RAND Corporation. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.”

NYTimes article [ highlighting ours – ed]

08/12/2014 Orthopaedic Specialty Institute Medical Group

a healthcare provider or servicer in Orange, California
49,000 non-financial accounts compromised
Orthopaedic Specialty Institute Medical Group has reported a data breach after it was discovered that 742 boxes of patient X-rays were stolen from an Iron Mountain Record Management storage facility. An investigation by the authorities found that two Iron Mountain Record Management employees stole the files and melted them down for the silver. The records, which are 10 to 15 years old, could have included patient names, birth dates and medical record numbers. Were you affected? Call the medical group at 1-714-937-4825


08/12/2014 Jersey City Medical Center (JCMC)

in New Jersey
36,400 non-financial accounts compromised
Patient information may have been compromised after an unencrypted CD went missing after being mailed.

08/12/2014 Virginia Wesleyan College

in Virginia
59,000 financial accounts compromised
A former student employee accessed a school database, stole identities from it and opened charge card accounts in the victims’ names.

08/12/2014 Western Regional Center for Brain & Spine Surgery

in Nevada
12,000 financial accounts compromised
Between November 28, 2011 and June 29, 2012 (more than two years prior to public notice) an employee stole data. The organization did not discover the breach itself; law enforcement told them. A letter to patients on 7/9/2014 gave notification of the breach of personal health information from their billing files. Scope: Disclosed exposed information included names, Social Security numbers, dates of birth, home addresses and billing account numbers. Exposure of payment information was not disclosed. No credit monitoring services were offered.


08/18/2014 Community Health Systems

a healthcare provider or servicer in Franklin, Tennessee
4,500,000 non-financial accounts compromised
What: Community Health Systems of Franklin, Tennessee has announced a large data breach of its medical system after hackers infiltrated the health system’s servers. The company operates over 200 hospitals in 29 states, mostly in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas. Scope: Compromised were Social Security numbers, names, addresses, birth dates and telephone numbers. Scale: An estimated 4.5 million patients are affected: anyone who received treatment from a physician’s office tied to a network-owned hospital in the last five years, or who was merely referred there by an outside doctor. This breach increases the risk of identity fraud and could allow criminals to open bank accounts, get credit cards and take out loans in the name of those exposed, potentially damaging their personal credit history.

Authorities believe that the hackers were based out of China and the attacks happened from April 2014 through June 2014. CHS is currently doing further investigations regarding the attack. See CNN article

UPDATE (8/26/2014): Five Alabama residents have filed a class-action lawsuit against Community Health Systems following last week’s announcement of the data breach of 4.5 million patients.


08/19/2014 IRS

in Washington DC
1,400,000 non-financial accounts compromised
The IRS requires contractor personnel to have a background investigation for access to Sensitive But Unclassified (SBU) information. Taxpayer information is SBU. As part of an audit, five contracts were found where the requirement was not being followed. For one printing services contract the contractor received a CD containing 1.4 million taxpayer names, addresses, and Social Security numbers. No person at this contractor who worked on this contract had a background investigation. There were other examples of non-adherence to data security requirements.


08/21/2014 United Parcel Service (UPS)

in Georgia
105,000 financial accounts compromised
Hackers may have stolen customers’ charge card data between January and August 2014. UPS (headquartered in Georgia) did not discover the breach itself. An external security company was subsequently engaged and found malware embedded in the cash register (point-of-sale) systems of 51 branches in more than 20 states.


08/22/2014 US Investigations Services (USIS)

a background-investigation contractor in Falls Church, Virginia
25,000 non-financial accounts compromised
US Investigations Services (USIS), a firm that performs background checks for U.S. government employees, had a breach of its database. Cyber criminals were able to hack its system and gain personal information on employees of the Department of Homeland Security, U.S. Immigration and Customs Enforcement and U.S. Customs and Border Protection. The information breached included Social Security numbers, education and criminal history, birth dates, and information on spouses, other relatives and friends including names and addresses. Officials say the number may increase as the investigation continues. (source: Reuters)

8/29/2014 DHS confirms

WASHINGTON (AP) – A Homeland Security Department official says a recent computer breach at a major government security clearance contracting firm may have affected the internal files of as many as 25,000 of the agency’s workers.

The official says the estimate of Homeland Security workers affected by the breach at USIS may rise further. The official spoke on condition of anonymity in order to discuss details of an incident that is under active federal criminal investigation. Homeland Security will soon begin notifying employees whose files were compromised and urge them to monitor their financial accounts, the official said.

A USIS spokeswoman declined to comment. The company said earlier in a statement on its website that the cyberattack appeared to “have the markings of a state-sponsored attack.”

The FBI is investigating. [Source: AP highlighting ours -ed]

08/25/2014 Cedars-Sinai Medical Center

33,136 non-financial accounts compromised
A password-protected laptop was stolen from an employee’s home. The data was not encrypted and may have held medical record numbers, patient identification numbers, lab testing information, treatment information and diagnostic information, and Social Security numbers.

08/26/2014 Long Beach Internal Medical Group

10,000 financial accounts compromised
LBIMG stored data with Iron Mountain Information Management at its Riverside, CA facility. The data went missing. Exposed information included name, gender, address, birth date, telephone number, account number, office charges, insurance information, diagnosis information, and Social Security number. X-ray files may also have been compromised.


08/26/2014 Onsite Health Diagnostics / Healthways

in Texas
60,582 non-financial accounts compromised
Healthways (of Franklin, TN) has a contract to do Tennessee state employee health screenings and uses the services of Onsite Health Diagnostics (of Texas). OHD discovered a breach on April 11 and determined that data may have been exposed as early as January 4, 2014. OHD reported the breach to Healthways two months after discovery. Exposed information included name, date of birth, address, email address, phone number and gender. The number exposed was about one in five state workers.


08/26/2014 Orthopaedic Specialty Institute

a healthcare provider or servicer in Orange, California (the 08/12/2014 entry above reports the same incident)
49,714 non-financial accounts compromised
OSIMG discovered that 742 boxes of 10 to 15 year old patient X-rays were stolen from an Iron Mountain Record Management storage facility. An investigation found that two Iron Mountain employees stole the files and melted them down for the silver. The records could have included patient names, birth dates and medical record numbers.

08/26/2014 The Hand Care Center/Shoulder and Elbow Institute

a healthcare provider or servicer in Orange, California
10,000 non-financial accounts compromised
The Hand Care Center/Shoulder and Elbow Institute in Orange, California notified patients of a data breach after it was told by Iron Mountain Record Management, the facility where the medical practice stores old files, that 25 boxes of X-rays had been stolen by two employees of the storage company. The employees sold the X-rays to recyclers who melted them down to recover the silver. The X-ray files included patient names, dates of birth, gender, treating physician, medical record numbers and the image on the X-ray itself. Affected? Call the center at 1-877-615-3762. The center reports that X-rays taken after 2002 were likely unaffected.

08/28/2014 JPMorgan Chase

a Financial or Insurance Services firm in New York, New York
1,000,000 non-financial accounts compromised per initial reports on 8/28/2014
10/2/2014 Update (see below) 83,000,000 non-financial accounts compromised

The FBI is investigating a sophisticated hacking attack on JPMorgan Chase and potentially four other large American banks. The hackers, who are reportedly Russian, gained enough personal information to completely wipe out bank accounts. The sophisticated and coordinated attacks go beyond the typical criminal hacker(s), according to authorities. Investigators are looking into the reasons behind the coordinated attack. More information from FoxNews, Bloomberg and the New York Times.

9/13/2014 Update: The hackers were able to review information about a million customer accounts … A fourth person with knowledge of the matter, also speaking on condition of anonymity, said hackers had not gained access to account holders’ financial information or Social Security numbers, and may have reviewed only names, addresses and phone numbers.

The hack began in June and was not detected until late July. JPMorgan briefed financial regulators on the extent of the damage last week. Investigators say they believe that at least four other banks or financial institutions were also affected. source [ highlighting ours -ed ]

[because of the contradiction between first reports that indicated a financial compromise and JPMorgan’s later statement, this is classified as a non-financial breach as of 9/13/2014 -ed]

Update 10/02/2014

JP Morgan filed a form 8-K with the Securities and Exchange Commission (SEC). The substantive contents were

Item 7.01 Regulation FD Disclosure.

On October 2, 2014, JPMorgan Chase & Co. (“JPMorgan Chase” or the “Firm”) updated information for its customers, on its Chase.com and JPMorganOnline websites and on the Chase and J.P. Morgan mobile applications, about the previously disclosed cyberattack against the Firm. The Firm disclosed that:

• User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.

• The compromised data impacts approximately 76 million households and 7 million small businesses.

• However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.

• As of such date, the Firm continues not to have seen any unusual customer fraud related to this incident.

• JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the Firm to.

The Firm continues to vigilantly monitor the situation and is continuing to investigate the matter. In addition, the Firm is fully cooperating with government agencies in connection with their investigations. (Source: SEC) [ Highlighting ours. When searching SEC database use CIK#:0000019617 for JPMORGAN CHASE & CO -ed ]

Part of the story

Hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. As they analyze the contours of the breach, investigators in law enforcement remain puzzled, partly because there is no evidence that the attackers looted any money from customer accounts.

That lack of any apparent profit motive has generated speculation among the law enforcement officials and security experts that the hackers, which some thought to be from Southern Europe, may have been sponsored by elements of the Russian government, the people with knowledge of the investigation said.

By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access. (source)

Update 10/03/2014

More banks were hit “… about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter.” (source)

The public might not have been informed at all. Unless there is financial loss to customers, banks are not required to report data breaches or online intrusions. There is no uniform standard, and breach notification laws differ between states. Many require that companies disclose a breach only if customer names were stolen together with credit card data or Social Security numbers. Timing is also undefined. Home Depot was breached in April or May 2014, and the first the public heard about it was when security researcher Brian Krebs reported that the ZIP codes on stolen card information recently offered for sale correlated strongly with Home Depot store locations.

Update 10/15/2014

Annually JPMorgan Chase holds a series of charitable races in big cities across the world. The “Corporate Challenge” website is run by a small company in Ann Arbor, Michigan and was one of several avenues the hackers tested for access to JPMorgan’s internal systems. The race web site was not the path that was used; it appears a human resources system was. The web site has now been reduced to a simple list. The bank said it discovered the Corporate Challenge breach on August 7, about a week after it learned of the broader intrusion. The Challenge website exposed passwords and contact information for participants. JPMorgan Chase has invested “hundreds of millions of dollars into its digital defenses” and spends $250 million a year on digital security. (source)

Update 10/20/2014

FBI Cyber Division Assistant Director Joseph M. Demarest said “There’s no indication that [ the hack of JPMorgan Chase and other US banks came ] as a result of the sanctions.” Secret Service Special Agent in Charge Edward W. Lowery said this was a criminal investigation. According to Agent Lowery “this was not the biggest intrusion” and noted the Heartland Payment Systems breach had exposed 130 million credit card numbers. (source)

Update 12/22/2014

It appears that the point of entry into JPMorgan was a single computer server that had not been set up for the two-factor authentication common for access to large bank systems. The compromise of a single person’s credentials opened the door to this large intrusion. This was not an attack with high technology, and given the quarter billion spent on information protection this appears to be an embarrassing lapse.
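The lapse described above is a single remote-access server on which two-factor authentication had never been enforced. The script below is an added example, not JPMorgan’s code and not a description of its systems; it assumes the remote service is OpenSSH and treats “two factors” as: every alternative listed in the sshd `AuthenticationMethods` directive must require at least two distinct factor classes. The host inventory and config fragments are constructed for the example. Run against a real fleet it would be fed the collected `sshd_config` of each host.

```python
"""Audit OpenSSH server configs for enforced multi-factor authentication.

Added example; not JPMorgan's code. Assumes OpenSSH is the remote service and
that "two factors" means every AuthenticationMethods alternative needs at least
two distinct factor classes. The inventory below is constructed.
"""
from typing import Dict, List

# Factor class each sshd method name belongs to. A method not listed here is
# treated as unknown and does not count toward the factor total.
FACTOR_CLASS = {
    "publickey": "possession",
    "hostbased": "possession",
    "gssapi-with-mic": "possession",
    "password": "knowledge",
    "keyboard-interactive": "challenge",   # where PAM/OTP prompts usually live
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global directives: first occurrence wins, as in sshd itself.
    Lines after the first Match block are conditional and are not read."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break
        directives.setdefault(key, value.strip())
    return directives


def requires_two_factors(directives: Dict[str, str]) -> bool:
    """True only if EVERY alternative in AuthenticationMethods needs >= 2 classes.
    A missing directive, or the value 'any', means one factor is enough."""
    methods = directives.get("authenticationmethods")
    if not methods or methods.lower() == "any":
        return False
    for alternative in methods.split():             # space-separated alternatives
        classes = set()
        for method in alternative.split(","):       # comma-separated required list
            name = method.split(":", 1)[0].lower()  # drop a qualifier such as ":pam"
            if name in FACTOR_CLASS:
                classes.add(FACTOR_CLASS[name])
        if len(classes) < 2:
            return False
    return True


def hosts_without_mfa(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose config does not enforce two factors, sorted by name."""
    return sorted(host for host, cfg in inventory.items()
                  if not requires_two_factors(parse_sshd_config(cfg)))


# Constructed inventory: a hardened host, a host whose two alternatives both
# need two factors, a forgotten server with no directive, and an either/or config.
SAMPLE_INVENTORY = {
    "bastion-1": "PasswordAuthentication no\n"
                 "AuthenticationMethods publickey,keyboard-interactive:pam\n",
    "jump-2": "AuthenticationMethods publickey,password publickey,keyboard-interactive\n",
    "legacy-rs-7": "# set up years ago, never revisited\nPasswordAuthentication yes\n",
    "dev-5": "AuthenticationMethods publickey password\n",  # either one alone suffices
}

if __name__ == "__main__":
    for host in hosts_without_mfa(SAMPLE_INVENTORY):
        print(f"{host}: single-factor access possible")
```

The point of counting factor classes rather than method names is that `publickey,publickey` (two keys) is still one factor, and `publickey password` (space-separated) lets either one alone through, which is exactly the kind of server the update above describes.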

Update 7/22/2015 4 Arrested

“Federal investigators were onto some of the names of the hackers at JPMorgan early on because the attack was not very sophisticated. It succeeded largely because the bank failed to properly put updates on a remote server that was part of its vast digital network.” Those arrested were charged with a pump-and-dump stock scheme, a plan involving ransomware on computers, a small New Jersey credit union and operations regarding a BitCoin exchange. Why no charges regarding the JPM breach that exposed 83 million consumer records? Read more at the source.

09/02/2014 Bartell Hotels

55,000 financial accounts compromised
Guest payment card information was stolen in the hack of five of the company’s San Diego area hotels.


09/02/2014 Bulloch Pediatrics Group

in Georgia
10,000 financial accounts compromised
A storage unit burglary compromised personal information, insurance and payment records.

09/02/2014 Care All Management, LLC

in Tennessee
28,300 non-financial accounts compromised
Improper disposal was all the information provided about this breach.

09/02/2014 Duke University Health System

a healthcare provider or servicer in North Carolina
10,993 non-financial accounts compromised
An unencrypted thumb drive containing patient information was stolen. Compromised information included patient names, medical record numbers, physicians’ names and other information.

09/02/2014 Memorial Hermann Health System

in Texas
10,604 non-financial accounts compromised
An employee inappropriately accessed confidential information over more than six years. The exposed information included medical records, health insurance information and, in some cases, social security numbers.

09/02/2014 Home Depot

56 million charge cards compromised (see 9/08/2014 update)
53 million email addresses compromised (see 11/06/2014 update)

As first reported by security researcher Brian Krebs multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity. Much more …

6/01/2016 Update  Home Depot

Almost two years ago Home Depot was breached exposing about 56 million charge card holders. Community banks, credit unions, the Credit Union National Association and 16 state credit union associations and leagues, filed a consolidated class-action suit in Atlanta, the corporate headquarters of Home Depot, claiming offers by charge card providers are considered insufficient by the plaintiffs to offset their costs for Home Depot’s potentially inadequate security.

In September 2014 Home Depot disclosed that malware had been found in its point-of-sale network, exposing charge card information between April 2014 and September 2014. It was later disclosed that cybersecurity weaknesses were made known to Home Depot by its own I/T staff as early as 2008 and repeatedly thereafter. On at least one occasion the employee who sounded the warning was fired. The warnings were ignored. “[ Home Depot] IT management took affirmative steps to stop employees from fixing security deficiencies and made it known that they would not spend the money to make necessary improvements.” [source judge’s ruling (8 page PDF) on page 1, lower right column]

Home Depot made a motion to have the case dismissed on multiple grounds. On May 17, 2016 the judge agreed in part, disagreed in (a larger) part and refused to dismiss the case. U.S. District Judge Thomas W. Thrash wrote dismissing the case would suggest that retailers are not responsible for ensuring their own cybersecurity, which is far from the reality of today’s marketplace. “The court declines the defendant’s invitation to hold that it had no legal duty to safeguard information, even though it had warnings that its data security was inadequate and failed to heed them” “To hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyberattacks, leaving consumers with no recourse to recover damages, even though the retailer was in a superior position to safeguard the public from such a risk.” More at Data Breach Today.

[ It is the demonstrated history of repeated warnings and actively avoiding solutions that demonstrates Home Depot’s intent to risk exposure of the information with which they were entrusted. That may be the cornerstone of the case. An acquittal would “send a message” that there is no “duty of protection” and that could lead to even less security than we have now. -ed ]

09/08/2014 Yandy.com

in Arizona
44,724 financial accounts compromised
An unauthorized, external cyber-attack on Yandy.com permitted access to customer payment card data. Compromised data included names, addresses, charge card number, expiration dates, CVV numbers, and email addresses.

09/12/2014 Gmail.com Yandex.ru Mail.ru

Credentials for electronic mail sites in multiple countries were offered for sale
10.8 million email names and passwords were exposed, maybe.

A Russian Bitcoin forum revealed that large files with email addresses and plain text passwords were compromised as follows:
  4,929,090 accounts and passwords at Gmail.com
  4,664,477 accounts and passwords at Mail.ru
  1,261,809 accounts and passwords at Yandex.ru
10,855,376 in total Source

Google replied that they had not been hacked and that less than 2% of those credentials would have actually worked. It may be that this was more of an attempt to cash in on the rise in exposed credentials. See eWeek and DarkNet.Org in the UK

[ this exposure is not included in the total for non-financial accounts -ed ]

09/17/2014 MITRE CVE Format Change

The number of Common Vulnerabilities and Exposures, abbreviated CVE®, has grown. The MITRE Corporation of McLean, Virginia changed the identifier format from CVE-YYYY-NNNN (year plus a four-digit sequence number from 0001 to 9999) to CVE-YYYY-NNNN…, where the sequence number still starts at four digits (0001) but can expand to as many digits as necessary without limit. See the Press Release and details. The change will occur no later than 1/13/2015 but could occur in 2014 if the four-digit limit is reached first. As of 9/17/2014 the CVE dictionary contains more than 63,000 unique entries, which are used by products, services and organizations around the world to enhance the sharing of security information worldwide. Anything that parses CVE IDs and assumes exactly four digits after the year will mis-read the new identifiers.
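The following parser is an added example, not MITRE’s code, written to show what the format change means for anything that handles CVE IDs: the sequence part must be matched as four or more digits and compared numerically, and a parser that still assumes exactly four digits silently truncates a longer ID into a different one. The identifiers in the code are syntax test strings constructed for the example, not statements about real vulnerabilities.

```python
"""Parse, validate and order CVE identifiers under the variable-length syntax.

Added example, not MITRE's code. Implements the rule described above:
CVE-YYYY-NNNN where the sequence part has AT LEAST four digits and may grow
without limit. IDs used in the code are constructed syntax test strings.
"""
import re
from typing import List, NamedTuple, Optional

# Anchored: year is exactly four digits, sequence is four OR MORE digits.
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


class CveId(NamedTuple):
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form keeps leading zeros up to width four ("CVE-2014-0160")
        # and prints longer sequence numbers as they are.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve(text: str) -> Optional[CveId]:
    """Return (year, sequence), or None when the string is not a well-formed ID."""
    m = _CVE_RE.match(text.strip())
    if not m:
        return None
    return CveId(int(m.group(1)), int(m.group(2)))


def legacy_parse(text: str) -> Optional[CveId]:
    """A pre-change parse that assumes exactly four digits and has no end anchor.
    Kept only to show the failure mode: an ID with five or more digits is
    silently truncated to a different four-digit ID."""
    m = re.match(r"CVE-(\d{4})-(\d{4})", text.strip())
    return CveId(int(m.group(1)), int(m.group(2))) if m else None


def extract_cves(text: str) -> List[CveId]:
    """Pull every well-formed ID out of free text (advisories, commit messages)."""
    return [CveId(int(y), int(s))
            for y, s in re.findall(r"\bCVE-(\d{4})-(\d{4,})\b", text)]


def sort_ids(ids: List[str]) -> List[str]:
    """Order by (year, sequence) numerically. Plain string order gets this wrong
    once sequence numbers pass four digits ("...-10000" sorts before "...-9999")."""
    parsed = [p for p in map(parse_cve, ids) if p is not None]
    return [str(p) for p in sorted(parsed)]


if __name__ == "__main__":
    sample = "CVE-2014-123456"
    print("new parser :", parse_cve(sample))
    print("old parser :", legacy_parse(sample))  # truncated to a different ID
```

The `legacy_parse` function is the bug to look for in existing tooling: a regular expression with `\d{4}` and no trailing anchor accepts the new IDs and returns the wrong one.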

09/16/2014 24 On Physicians – PST Services (IN Compass Health)

in Georgia
10,104 non-financial accounts compromised
24 On Physicians of Georgia uses PST Services, a subsidiary of McKesson, to provide medical billing services. The breach appears to have occurred on December 1, 2013, almost nine months before it was reported. Records containing patient information had been made accessible on the Internet and could be found with very specific Google search terms. Exposed information included patient names, insurance information, diagnosis codes, and, in some instances, Social Security numbers.


09/16/2014 Aventura Hospital and Medical Center

in Florida
82,601 non-financial accounts compromised
The latest reported data breach involving the theft of personal information impacts 82,601 people. The breach ran from September 13, 2012 to June 9, 2014, almost two years. Exposed information included Social Security numbers that were subsequently used in tax refund fraud.


09/16/2014 Central Utah Clinic

a healthcare provider or servicer in Utah
31,677 non-financial accounts compromised
On June 9, 2014 the clinic’s IT staff discovered that an attacker had compromised a server containing radiology reports dating back to 2010. The server also contained some names, dates of birth, Social Security numbers, addresses and phone numbers.

09/19/2014 Viator Travel Site

a tours and activities website headquartered in San Francisco, California
880,000 charge card accounts may have been compromised in addition to
560,000 non-financial web site accounts

Who: Viator.com is a tours and activities website now owned by TripAdvisor. When: Viator was notified (it did not discover the breach itself) by its payment card service provider about 9/2/2014, more than two weeks ago, after unauthorized charges appeared on customers’ credit cards. Scope: Charge card number (encrypted), card expiration date, name, billing address and email address. Also possibly exposed is information related to the Viator web site: email address, password (encrypted) and Viator “nickname”. The CVV code is not believed to have been compromised. Debit PINs are not collected by Viator and thus were not compromised. Scale: Initial estimates are 880,000 financial exposures and 560,000 non-financial exposures. Source: press release from Viator.

09/22/2014 Recorder of Deeds – St. Louis

in Missouri
19,000 non-financial accounts compromised
A security lapse allowed 19,000 unauthorized copies of death certificates to be produced. Employees were logging into Missouri’s vital records system with the passcode of an employee who had retired two years earlier; the credential had never been revoked.
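The control that failed here is account deprovisioning: a credential outlived its owner’s employment by two years. The script below is an added example, not the Recorder’s or the State of Missouri’s code. It cross-references an HR separation list against an application audit log and flags every action taken with a departed user’s account after that user’s last day, and separately lists accounts that should already have been disabled. The separation list and the log lines are constructed, and the log layout (`timestamp user action`) is an assumption.

```python
"""Detect use of credentials belonging to people who have already left.

Added example; not the Recorder's or the State of Missouri's code. The HR
separation list and log lines are constructed; the log layout
("timestamp user action ...") is an assumption.
"""
from collections import Counter
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: username -> last day of employment.
SEPARATIONS: Dict[str, date] = {
    "jdoe": date(2012, 9, 14),
    "rlee": date(2014, 6, 30),
}

# Constructed audit log from a records system. The malformed line is deliberate.
LOG_LINES = """\
2014-09-19T08:02:11 jdoe LOGIN_OK
2014-09-19T08:05:40 jdoe PRINT death_certificate
2014-09-19T08:06:02 amart LOGIN_OK
2014-06-30T16:59:00 rlee LOGIN_OK
2014-07-01T07:30:00 rlee LOGIN_OK
this line is not parseable
"""

Event = Tuple[datetime, str, str]


def parse_line(line: str) -> Optional[Event]:
    """Return (timestamp, user, action) or None for a line that does not fit."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2]
    except ValueError:
        return None


def post_separation_events(log: str, separations: Dict[str, date]) -> List[Event]:
    """Every event by a separated user dated AFTER that user's last day.
    Activity on the last day itself is still legitimate and is not flagged."""
    flagged: List[Event] = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, _ = ev
        last_day = separations.get(user)
        if last_day is not None and ts.date() > last_day:
            flagged.append(ev)
    return flagged


def stale_credential_report(log: str, separations: Dict[str, date]) -> Dict[str, int]:
    """Count of post-separation events per user: the accounts to disable today."""
    return dict(Counter(user for _, user, _ in post_separation_events(log, separations)))


def overdue_accounts(separations: Dict[str, date], active_accounts: List[str],
                     today: date) -> Dict[str, int]:
    """Accounts still enabled for separated users, with days elapsed since the
    last day. This is the preventive check: run it before a login ever happens."""
    return {u: (today - separations[u]).days for u in active_accounts if u in separations}


if __name__ == "__main__":
    for user, count in stale_credential_report(LOG_LINES, SEPARATIONS).items():
        print(f"{user}: {count} event(s) after separation")
    print(overdue_accounts(SEPARATIONS, ["jdoe", "amart"], date(2014, 9, 22)))
```

The detective check (`stale_credential_report`) is what would have surfaced this breach from the application’s own logs; the preventive one (`overdue_accounts`) is what would have stopped it, and is the cheaper of the two to run daily.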

09/23/2014 Community Action Partnership of Natrona County

in Wyoming
15,000 non-financial accounts compromised
A virus infected a computer and exported data. Did it really? See the URL for a discussion of the abject state of inconsistent reporting requirements and standards.


09/23/2014 Kaiser Foundation Health Plan of Colorado

in Colorado
11,551 non-financial accounts compromised
Unauthorized disclosure was the cited cause. Other details are …

09/23/2014 Office of Dennis Flynn, MD

in Illinois
13,646 non-financial accounts compromised
A laptop stolen on July 19, 2014 had patient information. No details on what information was compromised were available.

10/01/2014 National Cyber Awareness Month

October 2014 is the eleventh anniversary of National Cyber Security Awareness Month, sponsored by the Department of Homeland Security, in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.

“The Internet is part of everyone’s life, every day. We use the Internet at work, home, for enjoyment, and to connect with those close to us. However, being constantly connected brings increased risk of theft, fraud, and abuse. No country, industry, community, or individual is immune to cyber risks. As a nation, we face constant cyber threats against our critical infrastructure and economy. … cybersecurity is one of our country’s most important national security priorities, and we each have a role to play—cybersecurity is a shared responsibility.” (more & source [http://www.dhs.gov/national-cyber-security-awareness-month ])

10/01/2014 HK protesters phished big time

Social engineering tricked Hong Kong protesters into downloading malware onto their cell phones. A conservative estimate is that over 100,000 phones have been compromised.

Users get a note: “Check this app designed by Code4HK for the coordination of OCCUPY CENTRAL!” The app did not come from Code4HK (Code For Hong Kong). The app’s origin is uncertain and its contents are malware. Once the malware has been enabled it can access passwords and bank information, listen to calls, read messages and track the phone’s physical location. (source)

Because internet access can be centrally suppressed, the protesters have been using the FireChat (for Apple) (for Android) application, which does not require the internet to communicate with other nearby phones. It uses radio and Bluetooth communications to create a peer-to-peer network of phones within about 250 feet.

Hong Kong benefits greatly from cell phones as it has a land mass of 426 square miles (source) and supports GSM 900/1800/2100, PCS 1800, CDMA, and WCDMA (source). Hong Kong’s population is just over seven million as of 2013 year end (source).

As of June 2014 Hong Kong has just over 17.1 million mobile subscribers, implying a penetration rate of 227%. Or, the average person in Hong Kong has 2.2 cell phone subscriptions. (source)

Hong Kong leads the list of mobile phones measured in users per 100 citizens. The world average is 6.8 billion+ phones for just over 7 billion people, or about 97%. (source)

According to Michael Shaulov (chief executive of Lacoon Mobile Security) the success rate of similar phishing expeditions is about 10%. So if just 6% of the phones got the message (just over a million) and 10% got infected that is 100,000 infected phones. [ we think it was more than 6% -ed ]

10/10/2014 Oregon Employment Department

The state government of Oregon is headquartered in the capital, Salem.
851,000 non-financial accounts compromised

What: The WorkSource Oregon Management Information System is a state program used to provide job search information. The breach wasn’t discovered internally; it took an email from an anonymous tipster, sent on Monday 10/6/2014. Security was restored by Tuesday 10/7/2014 and the public was told Friday 10/10/2014.

Scope: The system stores personal information often used in job applications, including full names, addresses and Social Security numbers. Scale: The number of compromised records was determined about a week later as just over 851,000.

The Oregon Employment Department’s information technology division expended “millions of dollars on failed computer software projects that launched in the aftermath of the recession. The problems escalated as managers feuded, and a state review found an agency so dysfunctional that it couldn’t properly do its job.” [ for the quote source – see 10/13/2014 update reference below -ed ]

10/10/2014 Initial report and the 10/13/2014 Update. The Oregon Secretary of State web site was improperly accessed back in February 2014.

10/14/2014 Department of Health Care Policy and Financing

in Colorado
15,380 non-financial accounts compromised
A postcard mailing on July 30, 2014 and September 3, 2014 contained health related information. Postcards are not considered secure mailers.


10/14/2014 North Dakota State College of Science

in North Dakota
15,000 non-financial accounts compromised
Employees, current and former students may have had personal information, including Social Security numbers, exposed when malware was found on multiple computers containing that personal information.

10/17/2014 Executive Order

The headline paragraph of the Order is excellent. In paragraph three …


Given that identity crimes, including credit, debit, and other payment card fraud, continue to be a risk to U.S. economic activity, and given the economic consequences of data breaches, the United States must take further action to enhance the security of data in the financial marketplace. While the U.S. Government’s credit, debit, and other payment card programs already include protections against fraud, the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system.

By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to improve the security of consumer financial transactions in both the private and public sectors, it is hereby ordered as follows:

Section 1. Secure Government Payments. In order to strengthen data security and thereby better protect citizens doing business with the Government, executive departments and agencies (agencies) shall, as soon as possible, transition payment processing terminals and credit, debit, and other payment cards to employ enhanced security features, including chip-and-PIN technology.

[ Full text from WhiteHouse.Gov and eventually this will be shown in the Archives highlighting ours -ed ]

While this has a binding effect only on the departments of the executive branch, it imposes some rigorous requirements, such that no later than January 1, 2015, all new payment processing terminals acquired in these ways shall include hardware necessary to support such enhanced security features. With the same aggressive deadline, other agencies with payment card programs shall provide plans for ensuring that their other payment cards have enhanced security features. In a welcome move the President directed the Attorney General to issue guidance promoting regular submissions of compromised credentials. This might reduce the number of undisclosed, or under-reported, compromises. The apparent recommendation of Chip & Pin (EMV) would be promoting a technology that is known to be less than effective and certainly less efficient.

10/21/2014 Touchstone Medical Imaging

Medical service provider headquartered in Brentwood, Tennessee
307,000+ non-financial accounts compromised

What: TMI, a nationwide provider of medical diagnostic imaging services, learned on May 9, 2014 that a computer folder was accessible via the internet. Scope: The folder contained patient billing information. Scale: 307,000+ exposed [ http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html ; you have to search the database for the breach ]. Date Range: The folder contained information for patients treated August 2012 and earlier. Company Statement 10/21/2014. Article from HealthCareInfoSecurity.

10/21/2014 NeedMyTranscript.com

An internet-based transcript company serving 18,000+ high schools in all 50 states
Over 98,000 student files containing non-financial information were exposed.

What: No hacker attack; this appears to be a web site design flaw which exposed one directory to the world. Scale: Exposed were 98,818 “Student Records Requests” and 20,183 “Education Verification Release Authorizations” dating back to November 2012. Scope: A veritable treasure for identity thieves, the information included full names, dates of birth, last four digits of Social Security numbers, addresses, email addresses, mothers’ maiden names and more. According to the Washington Post: “Also exposed were corresponding signatures from individuals requesting the records.” [ first time we’ve seen that -ed ] How: A web site visitor received an error message and was able to view the unsecured directory. The vulnerability may date back to February 2012 when the site was started.

Concerned? On the NeedMyTranscript web site, in the upper right, is a link for “Notice to Our Customers” which shows Privacy@NeedMyTranscript.com as the way to contact them if you think your data has been “improperly accessed”.

Denial, not just a river

According to The Washington Post article, the Post notified the company of the problem. NMT’s response indicated that personal information was not publicly accessible. Later they admitted to fixing the flaw with help from its web hosting company and engaged a cyber security firm to investigate. The NMT privacy policy states they have “appropriate physical, electronic and managerial procedure to safeguard and secure the information we collect online.” Given that statement, and that the information was exposed anyway, the NMT notice which says that they don’t store the actual transcripts, charge card numbers or full Social Security numbers could use some additional confirmation.

10/25/2014 NC3.mobi joins a sad club

Our web site joins the sad club of sites that have attracted attention from bad people. Today, between one and three seconds apart during 9:15:02 to 12:13:18 Eastern time, thousands of requests from a single IP address generated predominantly errors. The traffic generated was quite large and we are deploying two solutions to reduce the load on the servers and block that IP source.

10/27/2014 Office of Dr. Nisar Quraishi

in New York
20,000 non-financial accounts compromised
Dr. Quraishi kept old records in a locked shed behind the Chopin Court address, which no longer houses his practice. The doctor reported to police that someone had broken into the shed and made off with thousands of patients’ medical records, which included Social Security numbers, addresses and medical histories.


10/28/2014 Arizona State Retirement System

in Arizona
44,000 non-financial accounts compromised
Retirees enrolled in the ASRS dental plans are at risk from exposed data because the system sent two unencrypted computer discs containing the first and last names and Social Security numbers of members enrolled in ASRS dental plans to a benefits company.


10/28/2014 Cape May-Lewes Ferry

in Delaware
60,000 financial accounts compromised
Charge card information of ferry travelers may have been compromised from September 2013 for over a year.

10/28/2014 Public Safety Personnel Retirement System

in Arizona
52,000 non-financial accounts compromised
Managers of the 7.7 billion dollar trust have known about the exposure since the fall of 2013 and informed police officers, firefighters, politicians and corrections officers about the problem about a year later. An employee had concerns that senior management was not properly reporting the values of real estate assets. Higher values generated bonus payments to managers. Before resigning in protest in 2013, he downloaded files from an internal computer. He said he was unaware that what he took included the names, e-mail addresses, Social Security numbers and addresses of members. He took the data to protect it from a cover-up. The US Attorney and the FBI are investigating.


11/10/2014 Texas Health and Human Services (Xerox)

in Texas
2,000,000 non-financial accounts compromised
Xerox, which worked on the Texas Medicaid program, may still have files that contain information about 2 million current and former Medicaid clients. Xerox, which is being sued by Texas, has refused to return the files. The retained files may include information such as a client’s name, birthdate, Medicaid number, and medical and billing records related to care provided through Medicaid, such as reports, diagnosis codes, and photographs.

11/10/2014 Visionworks

in Maryland
74,944 non-financial accounts compromised
Customers at the Jennifer Square, Annapolis, Maryland location of Visionworks, Inc. (based in Texas) may have had data exposed. A database server was replaced on June 2, 2014 as part of a scheduled upgrade. The server potentially held partially encrypted protected health information. The old server cannot be located. Although charge card information was housed on the server, that information was encrypted and should not be at risk.

11/10/2014 USPS

2.9 million customers and 800,000 current or retired employees had non-financial information exposed

Scale: 800,000 current and retired employees of the United States Postal Service have had personal information compromised. Also exposed was data from 2.9 million consumers who contacted the Postal Service Customer Care Center via telephone or via e-mail between January 1, 2014 and August 16, 2014. Scope: Exposed employee information included full names, birthdays, Social Security numbers, addresses, dates of employment and other information. Exposed consumer data included names, e-mail addresses and phone numbers, may have included addresses, but did not include SSNs. When: The breach was discovered in mid-September 2014 by the FBI and other federal agencies. Actual remediation didn’t take place until the weekend of 8-9 November 2014. As of 11/10/2014 1130 Central time no information was found on the USPS web site.

10/20/2014 Staples

A nationwide retailer of office supplies headquartered in Framingham, Massachusetts
Several banks have reported a pattern of charge card fraud with a common nexus indicating that several locations of Staples office supplies may have been compromised. First reported at 7:28pm 10/20/2014 Eastern Time on Krebs on Security. “The office supply retailer disclosed the investigation after security reporter Brian Krebs reported” [ Reuters 0005 10/21/2014 highlighting ours -ed ]

Once again it appears the merchant didn’t know they’d been breached until after crooks started using the cards. Number of compromised accounts has not yet been disclosed.

Update: Friday 12/19/2014

Moved from unknown when Staples issued a statement which acknowledged a compromise at over 110 stores between April and September 2014 that may have exposed as many as 1,160,000 consumer credit and debit cards. The exposure dates vary depending on the source used. A 5 page PDF [ http://staples.newshq.businesswire.com/sites/staples.newshq.businesswire.com/themes/staplesREDESIGN_newshq_businesswire_com_theme/pdf/List%20of%20Impacted%20Stores.pdf ] shows by state the affected stores and their dates of exposure. Affected consumers can sign up for no-charge credit monitoring. More at KrebsOnSecurity.

11/12/2014 Central Dermatology

in North Carolina
76,258 non-financial accounts compromised
Patients in 11 countries and all 50 states may have had personal information (including Social Security numbers) compromised by malware on a computer server. Patient bank account and payment card information were not compromised and electronic medical records were not on the server.


11/12/2014 Mount Sinai Beth Israel Hospital

in New York
10,793 non-financial accounts compromised
A password-protected, personal laptop computer was stolen from a staff room on the premises of Mount Sinai Beth Israel in August 2014. Contents were not encrypted. The laptop contained emails with information on patients, including names, dates of birth, medical record numbers, dates of service, procedure codes and descriptions of procedures, as well as clinical information about the care the patients received. Social Security numbers, insurance information, addresses or telephone numbers were not stored on the laptop.

11/12/2014 New York City Health & Hospitals Corporation

in New York
10,058 non-financial accounts compromised
In July 2011 New York City Health & Hospitals Corporation, NY, discovered a breach which it reported more than three years later. Records were improperly stored in boxes in an enclosed employee parking garage at the East New York Diagnostic and Treatment Center. Affected were patients of the Howard Houses Child Health Center, the Brevoort Houses Child Health Clinic, the Fifth Avenue Child Health Clinic and the Brownsville Child Health Clinic. As of November 2014 all four clinics were closed.


11/18/2014 Bayview Solutions

in Florida
28,000 financial accounts compromised
Bayview is a debt seller and (allegedly) posted consumers’ bank account numbers, charge card numbers, birth dates, contact information, employers’ names, and information about debts the consumers allegedly owed on a public website.

11/18/2014 Cornerstone and Company

in Florida
40,600 financial accounts compromised
Consumer names, dates of birth, addresses, phone numbers, bank account numbers, charge card details, and personal information regarding debts and employment were contained in an unencrypted spreadsheet posted to a publicly accessible website.

11/24/2014 Prince George’s County Public School System

in Maryland
10,400 non-financial accounts compromised
On 11/14/2014 a report generated by Human Resources inadvertently included Social Security numbers, dates of birth and employee IDs. PGCPS suspended the e-mail accounts of all recipients to delete the file. Some recipients had already forwarded the report outside of the PGCPS e-mail domain. Notification was made in less than two weeks!

11/24/2014 Sentara Healthcare

in Virginia
56,820 non-financial accounts compromised
An electronic medication dispensing device was stolen from the locked car of an Omnicell employee. Omnicell is a business associate of Sentara. The exposed information included patient names, birth dates, patient numbers, medical record numbers, and other clinical information.

11/24/2014 Sony

What: A high-powered hack of the Sony Pictures network exposed information, including digital versions of unreleased films and emails, and then deleted some files. The access appears to have been, at least in part, enabled by malware that was digitally signed by Sony itself. That certificate started as part of a joke and that joke was revoked 12/7/2014, but the Sony certificates were valid as of at least 12/10/2014. It appears the company was unaware of the attack until it was reported by others, including the hackers.

When: 11/24/2014 appears to be the date the exploit was made public. The date of infiltration is unknown as of 12/10/2014.

Scope: Social Security numbers, birthdays, salaries, home addresses, passwords, deal information on major movie releases, pseudonyms of celebrities, and a wide range of emails.

Scale: 47,400+ Social Security numbers have been exposed. According to Identity Finder, they discovered 601 files containing SSNs. Those files were 75 Acrobat PDFs, 523 Excel spreadsheets and 3 Word documents. All in all there were 47,426 unique SSNs, of which 15,232 SSNs belonged to current or former Sony employees; 3,253 SSNs appeared more than 100 times, and 18 files contained between 10,860 and 22,533 SSNs each.

Update: 12/10/2014

A lengthy summary is online at Engadget.

Update: Friday 12/19/2014

A press release from the Federal Bureau of Investigation cited North Korea (Democratic People’s Republic of Korea; PRK, DPRK or DPROK) as the source of the Sony systems compromise.

Update: Saturday 12/20/2014

North Korea proclaims it is being framed.

Update: Tuesday 12/23/2014

Security researcher Brian Krebs makes multiple points supporting DPROK as the source of the Sony hack.

Update: Thursday 1/08/2015

Still conflicted: FBI director James B. Comey cited evidence that ROK was “sloppy” in at least one instance and that evidence points to their complicity. The evidence was not released. Marc Rogers, security researcher at CloudFlare, is quoted as saying “If the government had laid out its attribution in the beginning, that may have quelled the criticism, but the evidence that’s been put before me and many of my colleagues is flimsy.” Source

Update: Wednesday 9/02/2015 Sony settles, some

A federal lawsuit that was seeking class-action status on behalf of nearly 50,000 Sony employees whose information was posted online has been settled. The terms, or how many people were included in the settlement, were not disclosed. The lawsuit claimed Sony knew from prior breaches that the company computer systems were not secure enough to protect confidential employee information.
(Source: CNET, Reuters)

12/02/2014 American Residuals and Talent, Inc. (ART Payroll)

16,000 financial accounts compromised
This is a payroll company that serves SAG-AFTRA, Hollywood’s largest union. An unauthorized login to the company’s Web application was detected, giving the intruders access to the database for less than two hours. Compromised information included Social Security numbers, private accounts and addresses. 16,000 is the reported number of compromised accounts, but there are 160,000 members of SAG-AFTRA.


12/02/2014 Visionworks#2

in Texas
47,683 non-financial accounts compromised
Data, or the whole server, was discovered 10/17/2014. There is a question (unanswered as of 2/1/2015) if this is indeed a second compromise or a clarification of the breach reported 11/10/2014.

12/09/2014 Highlands-Cashiers Hospital

in North Carolina
25,000 non-financial accounts compromised
Patient personal information was accessible via the internet for longer than two years. Compromised information included Social Security numbers.

12/16/2014 Coordinated Health

in Florida
13,907 non-financial accounts compromised
A laptop computer was stolen.

12/16/2014 MetroPlus Health Plan, Inc.

in New York
31,980 non-financial accounts compromised
A MetroPlus employee, while attempting to work off site, sent an e-mail with protected information to their personal e-mail account instead of their MetroPlus assigned e-mail account. The compromised information included name, member identification number, date of birth and social security number.

12/16/2014 Office of Dr. Loi Luu

13,177 non-financial accounts compromised
In September 2014 thieves stole equipment including a server with patient names, dates of birth, phone numbers, Social Security numbers, health insurance information, addresses, and the names of medical providers.

12/16/2014 Reeve-Woods Eye Center

30,000 non-financial accounts compromised
Unknown persons had installed malware which compromised the following information: name; Social Security number; date of birth; home address; phone numbers; dates of service; Medi-Cal ID number, Medicare ID number, and/or other insurance information; information regarding Medi-Cal appeals; diagnosis codes; treatment information; and medical history.

12/23/2014 Clay County Hospital

in Illinois
12,621 non-financial accounts compromised
The hospital received a letter threatening the release of compromised data from patients who visited a Clay County Hospital clinic on or before February 2012, which includes patient names, addresses, Social Security numbers and birth dates. The question of whether or not the data was actually compromised was unresolved.


12/30/2014 Independence Blue Cross

in Pennsylvania
12,500 non-financial accounts compromised
Four boxes containing reports with sensitive information went missing when they were moved from one floor to another. The boxes never arrived at their intended destination. Compromised information included name, address, home phone number, physician name, healthcare plan and group number. Some had their member identification number which is their Social Security number plus a two-digit suffix.


12/31/2014 Office of Personnel Management / KeyPoint Government

in District of Columbia
48,439 non-financial accounts compromised
A computer breach exposed data on federal workers.


12/31/2014 Sitesearch Corp., LeapLab LLC; Leads Company LLC

in Arizona
2,200,000 financial accounts compromised
A consumer data broker sold payday loan application data to scammers who used the information to pull money out of consumer bank accounts.


12/31/2014 Sony PlayStation / Microsoft Xbox / Amazon, and more

in New York
13,000 financial accounts compromised
Hackers compromised information containing user names, passwords and charge card information on multiple platforms from multiple providers.

12/31/2014 Walgreen Co.

in Alabama
160,000 non-financial accounts compromised
Details are sparse, but it appears paper records were lost.




Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.