Order Code RL33199

Data Security Breaches: Context and Incident Summaries

Updated May 7, 2007

Rita Tehan
Information Research Specialist
Knowledge Services Group

Summary

Personal data security breaches are being reported with increasing regularity. Within the past few years, numerous examples of data such as Social Security, bank account, credit card, and driver’s license numbers, as well as medical and student records have been compromised. A major reason for the increased awareness of these security breaches is a California law that requires notice of security breaches to the affected individuals. This law, implemented in July 2003, was the first of its kind in the nation.

State data security breach notification laws require companies and other entities that have lost data to notify affected consumers. As of January 2007, 35 states have enacted legislation requiring companies or state agencies to disclose security breaches involving personal information.

Congress is considering legislation to address personal data security breaches, following a series of high-profile data security breaches at major financial services firms, data brokers (including ChoicePoint and LexisNexis), and universities. In the past three years, multiple measures have been introduced, but to date, none have been enacted.

This report will be updated regularly.

Contents

Introduction
Statistics
Data Security Breaches in Federal Agencies
Data Security Breaches: Highlights
For Additional Reading

List of Tables

Table 1. Data Security Breaches in Businesses (2000-2007)
Table 2. Data Security Breaches in Education (2000-2007)
Table 3. Data Security Breaches in Financial Institutions (2001-2007)
Table 4. Data Security Breaches in Local, State, and Federal Government (2003-2007)
Table 5. Data Security Breaches in Health Care (2003-2007)

Introduction

Personal data security breaches are being reported with increasing regularity. During the past few years, there have been numerous examples of hackers breaking into corporate, government, academic, and personal computers and compromising computer systems or stealing personal data such as Social Security, bank account, credit card, and driver’s license numbers, as well as medical and student records. These breaches occur not only because of illegal or fraudulent attacks by computer hackers, but often because of careless business practices, such as lost or stolen laptop computers, or the inadvertent posting of personal data on public websites.

A recent infamous example occurred in May 2006, when 26.5 million veterans and their spouses were in danger of identity theft because a Veterans Affairs data analyst took home a laptop computer containing personal data (including names, Social Security numbers, and dates of birth), which was later stolen in a burglary.[1]

Depending on the definition, the most common type of identity theft is credit card fraud, and there is evidence that the extent of credit card fraud has increased due to opportunities provided by the Internet.[2] Although some aspects of identity theft have been known for many years, it is viewed now primarily as a product of the information age.
[1] For additional information on legislative proposals introduced after the VA data theft (and in light of several ongoing information security and information technology management issues at the VA), see CRS Report RL33612, Department of Veterans Affairs: Information Security and Information Technology Management Reorganization, by Sidath Viranga Panangala.
[2] Graeme Newman and Megan McNally, Identity Theft Literature Review, National Criminal Justice Reference Service (NCJRS), 2005, at [http://www.ncjrs.gov/pdffiles1/nij/grants/210459.pdf].

A particular crime of identity theft may include one or all of these stages:

Stage 1: Acquisition of the identity through theft, computer hacking, fraud, trickery, force, re-directing or intercepting mail, or even by legal means (e.g., purchase information on the Internet).

Stage 2: Use of the identity for financial gain (the most common motivation) or to avoid arrest or otherwise hide one’s identity from law enforcement or other authorities (such as bill collectors). Crimes in this stage may include account takeover, opening of new accounts, extensive use of debit or credit cards, sale of the identity information on the street or black market, acquisition (“breeding”) of additional identity related documents such as driver’s licenses, passports, visas, health cards, etc., filing tax returns for large refunds, insurance fraud, stealing rental cars, and many more.

Stage 3: Discovery of the theft. While many misuses of credit cards are discovered quickly, the “classic” identity theft involves a long period of time to discovery, typically from six months to as long as several years.
Evidence suggests that the time it takes to discovery is related to the amount of loss incurred by the victim.[3]

Identity theft is rarely one crime, but is composed of the commission of a wide variety of other crimes, such as check and card fraud, financial crimes of various sorts, various telemarketing and Internet scams, auto theft, counterfeiting and forgery, etc. The difficulty in studying identity theft is investigating what portion of the long list of identity theft related crimes is related to the “classic” type of identity theft that results in repeat victimization. For example, a common type of credit card fraud is to steal an individual’s credit card. The offender makes a quick purchase of an expensive item then discards the card. Has the victim’s identity truly been stolen? The event clearly fits within the definition above, but it is not the wholesale theft of the victim’s identity. However, should the offender be working with an accomplice, the card could be turned over several times and even sold on the street. Finally, should the victim’s driver’s license and other identifying documents such as a health card with a Social Security number on it also be stolen, the basic elements for stealing an individual’s identity are present.[4]

A January 2007 white paper by the computer security research company McAfee Avert Labs reports a dramatic increase in global identity theft trends.[5] One key finding was that “[p]ersonal data for tens of millions of people disappears each year. It’s either been stolen or misplaced. Despite this disturbing trend, the number of complaints is surprisingly low, which leads us to believe the losses are not fully acknowledged.”[6]

A California law that requires notice of security breaches to the affected individuals is the major reason for the increased awareness of these breaches.[7] This law, which was implemented in July 2003, was the first of its kind in the nation. State security breach notification requires companies and other entities that have lost personal data to notify affected consumers. Thirty-five states have enacted legislation requiring companies or state agencies to disclose security breaches involving personal information.[8] State security freeze[9] laws allow a customer to block unauthorized third parties from obtaining one’s credit report.

Statistics

Identity theft victims spend almost 300 million hours a year trying to clear their names and re-establish good credit ratings.[10] For additional information on this topic, see CRS Report RL31919, Remedies Available to Victims of Identity Theft, by Gina Marie Stevens.

In December 2006, a senior editor for Wired News noted a milestone: “... the total number of lost or exposed personal records since February, 2005, [has passed] the 100 million mark.”[11] The New York Times wrote an article discussing this landmark and questioned the usefulness of computing such data breaches.

[T]he bigger picture here may be that we are now slicing and dicing the niceties of data breaches against a running tally so large, that it has lost nearly any meaning at all... ‘The threat of identity theft from data losses is being greatly exaggerated,’ Fred H. Cate, the director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington, told this newspaper not long ago. ‘And that’s because a lot of people have fallen into the trap of equating data loss with identity theft.’ Whether or not that is true is open to debate, but what all this data loss does represent, however, is the potential for identity theft — one that will never go away. Sure, it’s a game of odds. There is only so much a crook can do with a few hundred thousand names and Social Security numbers. But once they are out there, they are out there for good. Names don’t change. Neither do Social Security numbers or dates of birth. And as long as it remains easy enough to fashion that trifecta into a car loan, a home, a credit card, work papers, that would seem to be a bit of a long-term problem.[12]

The Identity Theft and Assumption Deterrence Act of 1998[13] established the Federal Trade Commission (FTC) as the government entity charged with developing “procedures to ... log and acknowledge the receipt of complaints by individuals,” as well as educate and assist potential victims.[14] The FTC compiles annual reports and charts of aggregated statistics on these events, but does not identify which corporations, organizations, or other entities have been victims of security breaches.

In February 2007, FTC issued its annual report on fraud complaints consumers have filed with the agency. For the seventh year in a row, identity theft topped the list, accounting for 36% of the 674,354 complaints received between January 1 and December 31, 2006.[15] Credit card fraud was the most common form of reported identity theft, followed by phone or utilities fraud, bank fraud, and employment fraud.

A number of federal agencies (e.g., the FTC, Department of Justice, Secret Service, U.S. Postal Service, and Social Security Administration), state attorneys general, and nonprofit organizations (such as the Electronic Privacy Information Center) are involved with data privacy investigations or related consumer assistance. None of them maintain a comprehensive itemized list of data security breaches.[16] However, the Privacy Rights Clearinghouse maintains a frequently updated chronology of data breaches from February 2005 to the present.[17]

The United States Computer Emergency Readiness Team (US-CERT) interacts with federal agencies, industry, the research community, state and local governments, and others to collect reasoned and actionable cybersecurity information and to identify emerging cybersecurity threats. US-CERT has recently begun monitoring trends involving the acquisition of personally identifiable information (PII) by unauthorized, malicious users.

[3] Ibid., p. v.
[4] Ibid., p. 14.
[5] Francois Paget. Identity Theft, McAfee Avert Labs, January 2007, at [http://www.mcafee.com/us/local_content/white_papers/wp_id_theft_en.pdf]. This report discusses recent high-profile examples of identity theft and how several countries define this type of fraud and its scope; examines both the criminals and their techniques to better understand how identity theft has evolved in recent years; and focuses on the victims and consequences of identity theft.
[6] Ibid., p. 3.
[7] California Department of Consumer Affairs, Office of Privacy Protection, Notice of Security Breach - Civil Code Sections 1798.29 and 1798.82 - 1798.84, updated June 24, 2003, at [http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29], [http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84], and Recommended Practices on Notification of Security Breach Involving Personal Information, October 10, 2003, at [http://www.privacy.ca.gov/recommendations/secbreach.pdf].
[8] See State Security Breach Notification Laws, National Conference of State Legislatures at [http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm]. As of January 9, 2007, the following states have enacted security breach notification laws: Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin. See also: State PIRG Summary of State Security Freeze and Security Breach Notification Laws, U.S. Public Interest Research Group (USPIRG) at [http://www.pirg.org/consumer/credit/statelaws.htm#breach]. See also CRS Report RS22374, Data Security: Federal and State Laws, by Gina Marie Stevens.
[9] A security freeze law allows a customer to block unauthorized third parties from obtaining his or her credit report or score. A consumer who places a security freeze on his or her credit report or score receives a personal identification number to gain access to credit information or to authorize the dissemination of credit information. See CRS Report RS22484, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, by Tara Alexandra Rainson.
[10] Peter Katel, “Identity Theft: Can Congress Give Americans Better Protection?,” CQ Researcher, June 10, 2005.
[11] Kevin Poulsen, “Data Spills: 100 Million Served,” 27B Stroke 6, December 14, 2006, at [http://blog.wired.com/27bstroke6/2006/12/data_spills_100.html].
[12] Tom Zeller, “An Ominous Milestone: 100 Million Data Leaks,” New York Times, December 18, 2006, p. C3.
[13] Identity Theft and Assumption Deterrence Act, as amended by P.L. 105-318, 112 Stat. 3007 (October 30, 1998), at [http://www.ftc.gov/os/statutes/itada/itadact.htm].
[14] For an overview of the federal laws that could assist victims of identity theft with purging inaccurate information from their credit records and removing unauthorized charges from credit accounts, as well as federal laws that impose criminal penalties on those who assume another person’s identity through the use of fraudulent identification documents, see CRS Report RL31919, Remedies Available to Victims of Identity Theft, by Gina Marie Stevens. (Relevant state laws are also discussed.)
[15] Federal Trade Commission press release, “FTC Issues Annual List of Top Consumer Complaints,” February 7, 2007, at [http://www.ftc.gov/opa/2007/02/topcomplaints.htm].
Based on the information reported in the first quarter of FY2007, US-CERT identified the following cybersecurity trends: phishing[18] made up the bulk of security threats reported to US-CERT, accounting for almost 75% of all incidents handled. The number of reports grew by more than 500%, with just over 16,000 reports in FY2006 Q1, compared with over 103,000 in FY2007 Q1. The second highest category was “others,” the bulk of which generally fell into two main areas: investigations, which were incidents found by US-CERT analysts combing through data, and incidents involving PII, both cyber and non-cyber in nature. The remaining 8% of incidents were spread across malware, equipment theft/loss, policy violations, and suspicious network activity.[19]

Data Security Breaches in Federal Agencies

In reports to Congress since 1997, GAO has identified information security as a government-wide high-risk issue.[20] In their FY2006 financial statement audit reports, 21 out of 24 agencies indicated that they had significant weaknesses in information security controls. As shown in reports by GAO and agency inspectors general (IG), the weaknesses persist in major categories of controls — including, for example, access controls, which ensure that only authorized individuals can read, alter, or delete data; and configuration management controls, which provide assurance that only authorized software programs are implemented. “Organizations can reduce the risks associated with intrusions and misuse if they take steps to detect and respond to incidents before significant damage occurs, analyze the causes and effects of incidents, and apply the lessons learned.”[21]

In February 2007, the Federal Bureau of Investigation (FBI) reported that 160 laptop computers were lost or stolen in less than four years (February 2002 to September 2005), including at least 10 that contained sensitive or classified information — one of which held “personal identifying information on FBI personnel.”[22] According to the report, the FBI failed to report 76% of the missing laptops to the Justice Department as required.[23]

A number of data security breaches by federal agencies revealed many agencies do not have adequate security controls in place[24] (see Table 3, below).

[16] For a brief discussion of federal and state data security laws, see CRS Report RS22374, Data Security: Federal and State Laws, by Gina Marie Stevens.
[17] Privacy Rights Clearinghouse, A Chronology of Data Breaches at [http://www.privacyrights.org/ar/ChronDataBreaches.htm]. The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization which seeks to raise consumers’ awareness of how technology affects personal privacy, and to document privacy complaints. The chronology “begins with ChoicePoint’s 2/15/05 announcement of its data breaches because it was a watershed event in terms of disclosure to the affected individuals.”
[18] Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites. Websites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. (Source: SearchSecurity.com (powered by whatis.com), at [http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci916037,00.html].)
[19] US-CERT, Quarterly Trends and Analysis Report, March 1, 2007, at [http://www.us-cert.gov/press_room/trendsandanalysisQ107.pdf]. This report summarizes and provides analysis of incident reports submitted to US-CERT during the first quarter of FY2007 (October 1, 2006, to December 31, 2006).
[20] Government Accountability Office, Information Security: Persistent Weaknesses Highlight Need for Further Improvement, GAO-07-751T, April 19, 2007, at [http://www.gao.gov/new.items/d07751t.pdf].
In 2006, the list of agencies with incidents of potentially compromised data included the Departments of Agriculture, Defense, Energy, Veterans Affairs, and Transportation, the Federal Trade Commission, the Internal Revenue Service, the Government Accountability Office, the National Institutes of Health, and the Department of the Navy. The State Department also suffered a series of hacking attacks. In FY2006, 5,146 incidents were reported to the Department of Homeland Security’s incident response center for six categories of incidents, a substantial increase in the number of incidents (3,600) reported the prior year, including 706 instances of unauthorized access and 1,465 cases of malicious computer code, according to a yearly OMB report.[25]

[E]xperts say the federal government faces special challenges because of the variety of sensitive information it keeps, the increasingly mobile nature of the federal workforce and the pervasive use of contractors, which allow thousands of individuals with varying levels of security clearance to access government databases from remote sites. A 2004 government survey on the work practices of 1.8 million federal workers found that more than 140,000 had clearance to connect with government computer systems from home. The IRS says 50,000 of its employees have laptops allowing them to access personal and business tax information from anywhere. And 133 Education Department personnel can access more than 10,000 records containing student loan recipients’ personal information.[26]

In a report released in October 2006, the House Government Reform Committee[27] summarized information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected.[28]

In June 2006, the Office of Management and Budget issued new security guidelines requiring federal civilian agencies to implement new measures to protect sensitive personal information held by federal agencies.[29] To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as “non-sensitive” by an agency’s deputy director. Agency employees also would need two-factor authentication — a password plus a physical device such as a key card — to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity.[30]

The President’s Identity Theft Task Force,[31] which was established by Executive Order on May 10, 2006,[32] is now composed of 18 federal agencies and departments. After a year of study, the Identity Theft Task Force released its final recommendations in April 2007.[33] The recommendations include the following:

• Reduce the unnecessary use of Social Security numbers by federal agencies,
• Establish national standards that require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft,
• Implement a broad, sustained awareness campaign by federal agencies to educate consumers, the private sector, and the public sector on methods to deter, detect, and defend against identity theft, and
• Create a National Identity Theft Law Enforcement Center to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.[34]

In June 2006, a group of government agencies, corporations, and universities launched a research center dedicated to the study of identity fraud. The Center for Identity Management and Information Protection is dedicated to furthering a national research agenda on identity management, information sharing, and data protection.[35]

Congress considered legislation in the 109th Congress to address data security following a series of high-profile data security breaches at major financial services firms and data brokers, including ChoicePoint and LexisNexis. Multiple measures were introduced in 2005 and 2006, and several were reported out of committee, but none were brought to the floor. For information on proposed data security legislation in the 110th Congress, see CRS Report RL33273, Data Security: Federal Legislative Approaches, by Gina Marie Stevens.

For a discussion of legislative and other issues on this topic, see

• CRS Report RS22374, Data Security: Federal and State Laws, by Gina Marie Stevens;
• CRS Report RL33273, Data Security: Federal Legislative Approaches, by Gina Marie Stevens;
• CRS Report RS22484, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, by Tara Alexandra Rainson;
• CRS Report RL33005, Information Brokers: Federal and State Laws, by Angie A. Welborn;
• CRS Report RL33612, Department of Veterans Affairs: Information Security and Information Technology Management Reorganization, by Sidath Viranga Panangala;
• CRS Report RL31919, Remedies Available to Victims of Identity Theft by Gina Marie Stevens; and
• CRS Report RS22082, Identity Theft: The Internet Connection, by Marcia S. Smith.

Data Security Breaches: Highlights

Tables 1 through 5 summarize selected data security or identity theft breaches reported in the press since 2000. A few highlights compiled from the report include the following.

• More than half of the security breaches occurred at institutions of higher education. (A Chronicle of Higher Education article examines why this is so, noting that while colleges have become better at detecting electronic break-ins, security practices, particularly password protections, are lax.[36] In addition, academic culture embraces the open exchange of information and provides a target-rich environment for data breaches — an abundance of computer equipment filled with sensitive data and a pool of financially naive students.[37]) In September 2006, Louisiana State University (LSU), under a year-long agreement with Equifax Inc., provided students, faculty and staff members with free daily monitoring of their credit reports and $2,500 in identity-theft insurance. LSU claims this is the first agreement of its kind between a credit agency and a higher-education institution. The university will pay Equifax, Inc. $150,000.[38]
• Other prevalent targets for identity theft are financial institutions (banks, credit card companies, securities companies, etc.), and government agencies (international, federal, state, and local).
• The AARP analyzed 244 publicly disclosed security breaches from January 1, 2005 through May 26, 2006, identified by the Identity Theft Resource Center (ITRC).[39] An examination of the most frequent cause of reported security breaches reveals that a third of all breaches were caused by hackers who broke into computer systems to gain access to sensitive personal information. The analysis finds that educational institutions are more likely than any other type of entity to report having had a security breach. In fact, educational institutions were more than twice as likely to report suffering a breach as any other type of entity. Physical theft of computers, computer equipment, or paper files is the next most common cause of security breaches, followed by improper display (allowing sensitive personal information to be viewed by those who should not have access (for example, printing of Social Security numbers on address labels, inadvertently making sensitive personal information accessible on Internet sites viewable by the general public, or not properly disposing of files containing sensitive personal information)).

[21] Ibid., p. 2.
[22] U.S. Department of Justice, Office of the Inspector General, Audit Division, The Federal Bureau of Investigation’s Control over Weapons and Laptop Computers Follow-up Audit, Audit Report 07-18, February 2007, at [http://www.usdoj.gov/oig/reports/FBI/a0718/final.pdf].
[23] Ibid., p. 6.
[24] Rebecca Adams, “Data Drip: How the Feds Handle Personal Data,” CQ Weekly, July 10, 2006, p. 1846.
[25] Office of Management and Budget, FY 2006 Report to Congress on Implementation of The Federal Information Security Management Act of 2002, March 1, 2007 at [http://www.whitehouse.gov/omb/inforeg/reports/2006_fisma_report.pdf].
[26] Zachary Goldfarb, “To Agency Insiders, Cyber Thefts And Slow Response Are No Surprise,” Washington Post, July 18, 2006, at [http://www.washingtonpost.com/wp-dyn/content/article/2006/07/17/AR2006071701170.html].
[27] In the 110th Congress, the House Government Reform Committee was renamed the House Committee on Oversight and Government Reform.
[28] U.S. House of Representatives. Committee on Government Reform, Staff Report Agency Data Breaches since January 1, 2003 at [http://oversight.house.gov/story.asp?ID=1127]. See also Agency response letters at House Committee on Government Reform website at [http://oversight.house.gov/story.asp?ID=1127].
[29] Office of Management and Budget Memorandum for the Heads of Departments and Agencies, Protection of Sensitive Agency Information, June 23, 2006, at [http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf].
[30] Ibid.
[31] Identity Theft Task Force website at [http://www.usdoj.gov/ittf/].
[32] Executive Order 13402, “Strengthening Federal Efforts to Protect Against Identity Theft,” May 10, 2006, at [http://www.whitehouse.gov/news/releases/2006/05/20060510-3.html].
[33] The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 2007 at [http://www.identitytheft.gov/reports/StrategicPlan.pdf].
[34] Ibid.
[35] Center for Identity Management and Information Protection, at [http://www.utica.edu/academic/institutes/cimip/].
[36] Dan Carnevale, “Why Can’t Colleges Hold On to Their Data?,” Chronicle of Higher Education, May 6, 2005, p. A35.
[37] Reuters, “U.S. Colleges Struggle to Combat Identity Theft,” eWeek, August 17, 2005, at [http://www.findarticles.com/p/articles/mi_zdewk/is_200508/ai_n14906864].
[38] Andrea L. Foster, “Louisiana State U. Signs Deal to Protect Students and Employees in Case of Data Breach,” Chronicle of Higher Education, September 13, 2006, at [http://chronicle.com/daily/2006/09/2006091301t.htm].
[39] AARP, “Into the Breach: Security Breaches and Identity Theft,” July 2006, at [http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html].

Table 1.
Data Security Breaches in Businesses (2000-2007) Business Incidents Date Publicized Who Was Affected customers Number Affected 11,500 Type of Data Released/Compromised credit card information Source(s) Johnny’s Selected Seeds (Winslow, ME) - hacker broke into website March 2007 “Security Log,” ComputerWorld, March 8, 2007. TJ Maxx date breach (see below) worse than previously thought. while the company previously believed that the intrusion took place from May 2006 to January 2007, TJX now believes its computer system was hacked in July 2005 and on various subsequent dates in 2005. February 2007 customers undisclosed drivers’ license numbers, names, addresses were compromised for the last four months of 2003 and May and June 2004 Greenemeir, Larry, “ T.J. Maxx Probe Reveals Data Breach Worse Than Originally Thought,” Information Week, February 21, 2007 at [http://www.informationweek.com/sto ry/showArticle.jhtml?articleID=19700 7754&cid=RSSfeed_IWK_News]. KB Home - stolen computer January 2007 customers 2,700 names, SSNs of people who had visited the sales office for Foxbank Plantation, a new home community in Berkeley County Rupon, Kristy, “KB Home warns of ID theft risk: Home builder issues alert to customers after computer is stolen from company’s Charleston sales,” The State (Columbia, SC), January 18, 2007. Note: 20 stolen card numbers have been used fraudulently CRS-12 Business Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) Nationwide Mutual Insurance stolen lockbox containing customer information backup tapes stored at subcontractor Concenta Preferred Systems (Waymouth, MA) office January 2007 customers of health insurance unit, Nationwide Health Plans 28,279 names, SSNs, hospital stay information. 
To find the information on the tapes requires “a very specific high-tech tape reader with matching software,” that police concluded was unlikely to be accessible to the thieves Babcock, Charles, “ Data On 28,279 Nationwide Customers Stolen, Information Week, January 25, 2007, at [http://www.informationweek.com/sto ry/showArticle.jhtml?articleID=19700 0630&cid=RSSfeed_IWK_News]. T.J. Maxx, Marshalls, HomeGoods, A.J. Wright, and possibly Bob’s Stores in U.S. & Puerto Rico — Winners and HomeSense stores in Canada — and possibly T.K. Maxx stores in UK and Ireland - TJX Companies Inc. experienced an “unauthorized intrusion” into its computer systems that process and store customer transactions January 2007 customers undisclosed credit card, debit card, check, and merchandise return transactions Vijayan, Jaikumar, “Breach at TJX Puts Card Info at Risk; Network intrusion shows IT security still not up to snuff at some retailers, despite push for stronger protections,” Computerworld, January 17, 2007. Altria (parent company of Phillp Morris/Kraft Foods) via consultant Towers Perrin (New York, NY) - five stolen laptops January 2007 past and present employees 18,000 names, SSNs, salaries, dates of birth Jones, Chip. “Altria employees’ data missing / Personal information was on laptop taken from firm in New York, police say,” Richmond TimesDispatch, January 12, 2007, p. B1. note: employee was arrested and charged with theft CRS-13 Business Incidents Boeing (Seattle, WA) - laptop stolen from employee’s car Date Publicized December 2006 Who Was Affected current and former employees Number Affected 400,000 Type of Data Released/Compromised names, addresses, SSNs, phone numbers, dates of birth, salary information note: Boeing fired employee whose laptop was stolen and some managers will be disciplined Source(s) Wallace, James, “Worker Fired over Lost Laptop; Boeing Managers to Be Reprimanded for Leaving Employees Vulnerable,” Seattle PostIntelligencer, December 15, 2006. 

| Business Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Starbucks (Seattle, WA) - four laptops misplaced from headquarters | November 2006 | current and former employees | 60,000 | names, addresses, SSNs | Harris, Craig, “Starbucks Data Missing; Company Says Laptops with Employees’ Records Are Lost,” Seattle Post-Intelligencer, November 4, 2006, p. E1. |
| Gymboree (San Francisco, CA) - twice in one week, three laptops stolen from headquarters | October 2006 | employees | 20,000 | names, SSNs | “Gymboree gumshoe hunts thief,” San Francisco Chronicle, October 27, 2006, p. D1. |
| T-Mobile USA (Bellevue, WA) - laptop disappeared from employee’s checked luggage (laptop was protected by password) | October 2006 | current and former employees | 43,000 | names, addresses, SSNs, home phone numbers, dates of birth, salary information | Rogoway, Mike, “T-Mobile reports ID-theft risk,” The Oregonian (Portland), October 20, 2006. |
| General Electric (Fairfield, CT) - laptop stolen from locked hotel room (computer was password protected) | September 2006 | current and former employees | 50,000 | names, SSNs | Anderson, Eric and Rick Clemenson, “50,000 among missing at GE; Names in stolen laptop have retiree questioning company’s need for sensitive lists,” Times-Union (Albany), September 27, 2006, p. A1. |
| AT&T - hackers broke into computer system | August 2006 | customers who purchased DSL equipment from AT&T online store | 19,000 | credit card data | Associated Press, “Hackers Gain Data on AT&T Shoppers,” New YorkTimes.com, August 30, 2006. |
| Automated Data Processing (ADP) (Roseland, NJ) - “an unauthorized party impersonated officers” to obtain information on investors | July 2006 | individual investors with 60 companies including Fidelity, UBS, Morgan Stanley, Bear Stearns, Citigroup, Merrill Lynch | hundreds of thousands | names, addresses, number of shares held of investors | Spangler, Todd, “ADP Duped into Disclosing Data,” BaselineMag.com, July 10, 2006, at [http://www.baselinemag.com/article2/0,1540,1986655,00.asp]. |
| Kaiser HMO - stolen laptop | July 2006 | HMO subscribers to Kaiser health plan | 160,000 | names, phone numbers, Kaiser numbers | Singel, Ryan, “Kaiser Joins Lost Laptop Crowd,” InfoSecurity, July 30, 2006, at [http://infosecurity.us/mambo//content/view/90/49/]. |
| C.S. Stars (insurance contractor) - lost computer containing workers’ records | July 2006 | injured New York state workers (claiming compensation funds) | 540,000 | SSNs, names, addresses | Hines, Matt, “Insurance Company Loses 540,000 N.Y Employee Records,” eWeek, July 26, 2006, at [http://www.eweek.com/article2/0,1895,1994416,00.asp]. |
| National Association of Securities Dealers (NASD) (Boca Raton, FL) - 10 stolen laptops | July 2006 | securities dealers who were the subject of investigations involving possible misconduct. | 73 | SSNs of securities dealers, plus inactive account numbers of about 1,000 consumers | Jamieson, Dan, “Rule Likely on Notification of Data Breaches, Some Say; Theft of NASD Laptops Raises Questions about Regulators’ security,” Investment News, July 10, 2006, p. 2. |
| American Red Cross, Farmers Branch (Dallas, TX) - 3 stolen laptops | July 2006 | regional blood donors | 8,000 | names, SSNs, birth dates, medical information | Schreier, Laura, “Donor Data Stolen at Local Red Cross Exclusive: 3 Laptops from Farmers Branch Office Held Encrypted Records,” Dallas Morning News, July 1, 2006, p. 1A. |

| Business Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Bisys Group Inc. (Roseland, NJ) - employee’s truck carrying backup tapes was stolen | July 2006 | hedge fund donors | 61,000 | SSNs of 35,000 individuals | Clair, Chris, “Bisys Discloses Data Theft,” HedgeWorld Daily News, July 6, 2006 (no page given). |
| American International Group (AIG) - burglary of a file server | June 2006 | employees of various companies whose insurance information was submitted to AIG | 970,000 | names, addresses, SSNs, medical information | Smith, Elliot Blair, “AIG: Personal Data on 970,000 Lost in Burglary; Insurer Has Yet to Alert Those Affected by March 31 Break-in,” USA Today, June 19, 2006, p. 5B. |
| Ernst & Young - stolen laptop | June 2006 | Hotels.com customers | 243,000 | names, credit card numbers | Reilly, David, “Hotels.com Credit-Card Data Lost in Stolen Laptop Computer,” Wall Street Journal, June 2, 2006, p. A14. |
| Union Pacific - stolen laptop | June 2006 | employees of the railroad company | 30,000 | personal data | Vijayan, Jaikumar and Todd Weiss, “Flurry of New Data Breaches Disclosed,” Computerworld, June 19, 2006, at [http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001282]. |
| Ross-Simons - data breach | April 2006 | customers | undisclosed | credit card numbers, financial information, other personal information | “Ross-Simons Says Security Breach Exposes Customers,” Computerworld, April 12, 2006, at [http://www.computerworld.com/securitytopics/security/story/0,10801,110425,00.html?source=x3888]. |
| eBay - hackers harvesting and selling user information | March 2006 | customers | undisclosed | account information | Niccolai, James, “Russian Web Site Offered eBay Account Info for $5,” Computerworld, March 24, 2006, at [http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,109881,00.html]. |
| Deloitte & Touche - unencrypted CD left on a plane | February 2006 | all U.S. and Canadian employees of McAfee Software hired before April 2005 | 9,200 | names, SSNs, McAfee stock holdings | Kuruvila, Matthai C., “Security Giant’s Data Lost,” Silicon Valley, February 24, 2006. |
| Atlantis Resort - theft from the hotel’s database | January 2006 | customers | 55,000 | names, addresses, credit card details, SSNs, driver’s license numbers, bank account data | “IDs of 50,000 Bahamas Resort Guests Stolen,” CNet News, January 10, 2006. |
| Guidance Software - hacker | December 2005 | security researchers and law enforcement agencies worldwide | 3,800 | credit card numbers | Krebs, Brian, “Hackers Break Into Computer-Security Firm’s Customer Database,” Washington Post, December 19, 2005, p. D5. |
| Sam’s Club - “card-skimming” devices | December 2005 | customers who bought fuel at its gas stations between September 21 and October 2. | 600 | credit card information | Vijayan, Jaikumar, “Card Skimmers Eyed in Sam’s Club Data Theft,” Computerworld, December 14, 2005, at [http://www.computerworld.com/databasetopics/data/story/0,10801,107067,00.html]. |
| Marriott Vacation Club International - missing data tapes | December 2005 | customers and employees | 206,000 | addresses and credit card information | “Marriott Vacation Club reports missing data tapes,” Computerworld, December 26, 2005, at [http://computerworld.com/securitytopics/security/story/0,10801,107366,00.html?SKC=security-107366]. |
| Ford Motor Company - stolen computer | December 2005 | current and former Ford employees | 70,000 | names and SSNs | “Tech Crime Gets Personal at Ford,” CNN Money, December 22, 2005, at [http://money.cnn.com/2005/12/22/news/fortune500/ford_theft/]. |

| Business Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Safeway - company laptop stolen from manager’s home | November 2005 | employees | 1,200 | names, SSNs, hire dates and work locations | Akkad, Dania, “Safeway Discloses Security Breach,” Monterey County Herald, November 5, 2005 (no page given). |
| Boeing - theft of company computer | November 2005 | current and former Boeing workers | 161,000 | names, Social Security numbers (SSNs), some birth dates and banking information for employees who elected to use direct deposit of payroll | Bowermaster, David and Dominic Gates and Melissa Allison, “161,000 Workers’ Personal Data on PC Stolen from Boeing,” Seattle Times, November 19, 2005, p. A1. |
| Eastman Kodak - laptop stolen from a consultant’s locked car trunk. | June 2005 | former Eastman Kodak workers | 5,800 | names, Social Security numbers, birth dates and benefits information | Davia, Joy, “Kodak Warns of Data Theft,” Rochester Democrat and Chronicle (New York), June 22, 2005, p. 8D. |
| Time Warner - loss of 40 computer backup tapes containing sensitive data while being shipped by Iron Mountain to an offsite storage center | May 2005 | current and former employees, some of their dependents and beneficiaries, and individuals who provided services for the company | 600,000 | names, SSNs | Zeller, Tom, “Time Warner Says Data on Employees Is Lost,” New York Times, May 3, 2005, p. C4. |
| MCI - laptop stolen from a car that was parked in the garage at the home of a MCI financial analyst | May 2005 | current and former employees | 16,500 | names and SSNs | Young, Shawn, “MCI Reports Loss Of Employee Data On Stolen Laptop,” Wall Street Journal, May 23, 2005, p. A2. |
| LEXIS/NEXIS - intruders used passwords of legitimate customers to get access to a Seisint database called Accurint, which sells reports to law-enforcement agencies and businesses. Later analysis determined that its databases had been fraudulently breached 59 times using stolen passwords. | March 2005 | customers | 32,000 (subsequent investigation reveals the actual number is 310,000) | names, addresses, passwords, SSNs, drivers license | El-Rashidi, Yasmine, “LexisNexis Reports Data Breach; Personal Records Are Hacked as Concerns About Security and Identity Theft Intensify,” Wall Street Journal, March 10, 2005, p. A3; and Krim, Jonathan, “LexisNexis Data Breach Bigger Than Estimated: 310,000 Consumers May Be Affected, Firm Says,” Washington Post, April 13, 2005, p. E1. |
| DSW Shoe Warehouse store information stolen from computer database over 3-month period | March 2005 | customers of 103 of the chain’s 175 stores | initially “hundreds of thousands,” then raised to 1.4 million | credit card information | Associated Press, “DSW ID Theft May Affect Over 100,000,” Chicago Tribune, March 11, 2005, p. 4; and “Firm Raises Data Theft Count,” Washington Post, April 19, 2005, p. E2. |
| T-Mobile - hacker intrusion into company database | February 2005 | T-Mobile customers | 400 | customer records, passwords, SSNs, private e-mail and candid celebrity photos; note: data offered for sale via online forum | Poulsen, Kevin, “Known Hole Aided T-Mobile Breach,” Wired News, February 28, 2005, at [http://www.wired.com/news/privacy/0,1848,66735,00.html]. |
| Motorola - Thieves broke into the offices of Affiliated Computer Services (ACS), a provider of human resources services, and stole two computers | June 2005 | Motorola employees | 34,000 in U.S. | SSNs and personal information | “Two Computers Stolen with Motorola Staff Data,” Reuters, June 10, 2005. |

| Business Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| ChoicePoint - criminals used fake documentation to open 50 fraudulent accounts to access consumer data | February 2005 | consumers | 30,000-35,000 in California; 145,000 nationwide | names, addresses, SSNs, credit reports | Perez, Evan, “ChoicePoint Is Pressed to Explain Database Breach,” Wall Street Journal, February 5, 2005, p. A6. |
| Affiliated Computer Services - inmate hacked into county database | October 2004 | county employees | 900 | names, birth dates, SSNs, bank account routing numbers and checking account numbers | Whaley, Monte, “FBI on Weld ID-Theft Case Feds to Analyze Data from Cell of Inmate Who Hacked Computer,” Denver Post, November 11, 2004, p. B1. |
| Lowe’s (home improvement store) - hacker used vulnerable wireless network to attempt to steal credit card info | June 2004 | customers | unknown | skimmed credit account information for every transaction processed at a particular Lowe’s store | Roberts, Paul, “Wireless Hacker Pleads Guilty: Man Admits Using Store’s Wireless Network to Steal Credit Card Info,” PC World, June 7, 2004, at [http://msn.pcworld.com/news/article/0,aid,116411,00.asp]. |
| eBay - hackers tricked online merchants who used the PayPal payment processing system into disclosing their user names and passwords, then logged onto the merchants’ accounts | March 2004 | several eBay merchants | company did not disclose | customer names, e-mail addresses, home addresses and transactions | Kirby, Carrie, “New Scam Threat at eBay / Hackers Obtained Information on Some Customers,” San Francisco Chronicle, March 16, 2004, p. C1. |
| Kinko’s - hacker installed a key logger to record every character typed on 13 Kinko’s computers | November 2003 | Customers at Internet terminals at 13 Kinko’s copy shops in Manhattan | 450 | SSNs, names, passwords, credit cards, bank account data; note: data was sold | Napoli, Lisa, “A Hacker Masters Keystroke Theft: Personal Data Stolen from 450 Victims,” International Herald Tribune, August 9, 2003, p. 1. |
| Acxiom (marketing company) - hacker downloaded data | August 2003 | clients include 14 of the top 15 credit card companies, 5 of the top 6 retail banks, IBM, Microsoft, and federal government | 10% of clientele (no total number given) | passwords, personal, financial, and company information | Lee, W.A. “Hacker Breaches Acxiom Data,” American Banker, August 11, 2003, p. 5. |
| DirecTV - hacker stole trade secrets for access card | April 2003 | DirecTV subscribers | 50,000 customers used counterfeit access cards to watch programming without paying | details about the design and architecture of DirecTV’s “Period 4” cards; note: data was sold | “U. of C. Student Pleads Guilty to Theft of Direc TV Card Data; Trade Secrets Ended up on Hacker Site, Enabling Free Access,” Chicago Sun-Times, April 30, 2003, p. 16. |
| TCI help-desk worker sold client access codes to two others, who then used the codes to obtain more than 15,000 customer credit records | November 2002 | credit reporting bureau customers | 15,000 (Wired News); 30,000 (Seattle Times) | names, addresses, SSNs, credit card; note: data sold, for $60 per record | Delio, Michelle, “Cops Bust Massive ID Theft Ring,” Wired News, November 25, 2002, at [http://www.wired.com/news/privacy/0,1848,56567,00.html]; and Masters, Brooke, “Huge ID-Theft Ring Broken; 30,000 Consumers at Risk; Men Charged with Stealing Personal, Financial Data,” Seattle Times, November 26, 2002, p. A1. |

| Business Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Midwest Express Airlines and Federal Aviation Administration - hackers posted list of customer names to website and posted a list of airport security screening results taken from the FAA’s system | April 2002 | Midwest Express Airlines customers; FAA (two separate incidents) | unknown | passenger names and airport security screening results | Larson, Virgil, “Computer Hackers Breach Midwest Express Systems,” Omaha World-Herald, April 22, 2002, p. 1D. |
| ChoicePoint - Nigerian-born brother and sister posed as legitimate businesses to set up ChoicePoint accounts | 2002 | unknown | 7,000-10,000 inquiries on names and SSNs, then used identities to commit fraud | names and SSNs; note: data was sold | Associated Press, “ChoicePoint Suffered Previous Breach: Two ID Thieves Arrested in 2002 for Tapping into Data,” MSNBC, February 3, 2005, at [http://www.msnbc.msn.com/id/7065902/]. |
| New York City restaurant busboy duped credit reporting companies into providing detailed credit reports | March 2001 | chief executives, celebrities and tycoons from Forbes list of richest Americans | 200 | SSNs, home addresses and birth dates, credit card numbers | Hays, Tom, “Busboy Hacks Only the Richest, Used Forbes’ List in Plot to Steal Identity, Credit Info, Big Bucks,” Pittsburgh Post-Gazette, March 21, 2001, p. A11. |
| World Economic Forum - hackers broke into computer | February 2001 | attendees | 3,200 | passport numbers, cell phone numbers, credit card numbers, exact arrival and departure times, hotel names, room numbers, number of overnights, sessions attended, plus information on 27,000 people who have attended the global forum in recent years | Higgins, Alexander, “Hackers Steal World Leaders’ Personal Data,” Chicago Sun-Times, February 6, 2001, p. 20. |

| Business Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| International credit card ring adds fraudulent charges of 277 Russian rubles ($5-10) to credit cards | January 2001 | Internet shopping sites | unknown | credit card numbers; note: data was sold | James, Michael, “Small-time Thefts Reap Big Net Gain Tens of Thousands of Phony $5-$10 Credit-Card Charges Rake in Millions for Hackers,” Orlando Sentinel, January 27, 2001, p. E5. |
| Egghead - hacker attacked computer system | December 2000 | customers | 3.5 million credit card accounts; 7500 of which showed “suspected fraudulent activity” | credit card info | Sayer, Peter, “Egghead Says Customer Data Safe After Hack Attack,” PC World, January 8, 2001, at [http://msn.pcworld.com/news/article/0,aid,37781,00.asp]. |
| Western Union - hackers made electronic copies of the credit and debit card information | September 2000 | customers who transferred money on a company website | 15,700 | credit and debit card information | Cobb, Alan, “Hackers Steal Credit Card Info from Western Union Site,” Chicago Sun-Times, September 11, 2000, p. 22. |
| America Online - AOL customer-service representatives mistakenly downloaded an e-mail attachment sent by hackers | June 2000 | customers | 500 records were viewed | names, addresses, and credit card numbers | “Hackers Breach Security At America Online Inc,” Wall Street Journal, June 19, 2000, p. A34. |
| Two British teens intruded into 9 e-commerce websites in the United States, Canada, Thailand, Japan and Britain | March 2000 | customers | 26,000 credit card accounts | credit card data; note: some data was posted on the Web | Sniffen, Michael, “2 Teens Accused of Hacking Charged in $3 Million Credit Card Theft,” Chicago Sun-Times, March 25, 2000, p. 9. |
| CD Universe (online music store) - hacker stole credit card numbers and released thousands of them on a website when the company refused to pay a $100,000 ransom | January 2000 | customers | 300,000 | credit card numbers; note: Maxus Credit Card Pipeline Website posted up to 25,000 stolen numbers | Associated Press, “Hacker Said to Steal 300,000 Card Numbers,” Arizona Republic, January 11, 2000, p. A3. |
| Pacific Bell - 16-year-old teenager hacked into server and stole passwords | January 2000 | subscribers | 63,000 accounts | passwords were decrypted; 330,000 customers told to change passwords | Gettleman, Jeffrey, “Passwords of PacBell Net Accounts Stolen; Computers: Authorities Say 16-year-old Hacker Took the Data for Fun. Theft Affects 63,000 Customers,” Los Angeles Times, January 12, 2000, p. 2. |

Table 2. Data Security Breaches in Education (2000-2007)

| Education Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| New Mexico State Univ. (Las Cruces, NM) - personal information posted to school’s website | April 2007 | students | 5,600 | names, SSNs | Associated Press, “Personal data of NMSU students posted online,” April 19, 2007. |
| University of California, San Francisco - computer file server stolen from locked office | April 2007 | research subjects in clinical studies | 3,000 | names, SSNs, and for some individuals, personal health information | Rauber, Chris, “UCSF research data on at least 3,000 people missing in server theft,” San Francisco Business Times, April 18, 2007. |

| Education Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Ohio State University (Columbus, OH) - two laptops stolen from professor’s house in February 2007 | April 2007 | chemistry students | 3,500 | names, SSNs, employee ID numbers, birth dates, grades | Bush, Bill, “Hacker, thieves get OSU ID data: About 14,000 faculty and staff and 3,500 students affected,” Columbus Dispatch, April 17, 2007. |
| Ohio State University (Columbus, OH) - hacker using foreign Internet address broke through computer firewall | April 2007 | current and former staff members | 17,500 | names, SSNs, employee ID numbers, birth dates | Bush, Bill, “Hacker, thieves get OSU ID data: About 14,000 faculty and staff and 3,500 students affected,” Columbus Dispatch, April 17, 2007. |
| Chicago Public Schools - two stolen laptops | April 2007 | current and former employees | 40,000 | names, SSNs | Walberg, Matthew, “Laptops with teacher data stolen,” Chicago Tribune, April 7, 2007. |
| University of California, San Francisco - campus server compromised | April 2007 | students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years | 46,000 | names, SSNs, bank accounts | Lazarus, David, “Security Breached at UCSF,” San Francisco Chronicle, April 15, 2007, p. D1. |
| University of Missouri, Research Board Grant Application System (Columbia, MO) - a hacker broke into computer server | February 2007 | researchers, faculty members, computer users | 3,799 | names, SSNs | “Hacker hits MU database: Personal info stored in computer system,” Columbia Daily Tribune (Missouri), February 2, 2007. |
| Georgia Institute of Technology (Atlanta, GA) - unauthorized access to computer account | February 2007 | current and former employees of School of Electrical and Computer Engineering | 3,000 | names, addresses, SSNs, other sensitive information | “Hackers hit Georgia Tech and steal personal info,” Atlanta Business Chronicle, February 21, 2007. |

| Education Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Vanguard University (Costa Mesa, CA) - two computers stolen from financial aid office | January 2007 | financial aid applicants for 2005-2006 and 2006-2007 school years | 5,105 | names, SSNs, dates of birth, phone numbers, driver’s license numbers, lists of assets | Edds, Kimberly, “Computer theft puts financial data at risk for 5,105 students; Costa Mesa police officer says stolen equipment holds extensive information on aid applicants at Vanguard,” Orange County Register (CA), January 27, 2007. |
| Eastern Illinois University (Charleston, IL) - stolen desktop | January 2007 | membership rosters of the University’s 23 fraternities and sororities | 1,400 | SSNs, birthdates, addresses | U.S. State News, “Computer Theft Results in Security Breach; Students Notified,” January 26, 2007. |
| University of Idaho (Moscow, ID) - theft of three desktop computers | January 2007 | university alumni, donors, students and employees | 70,000 | names, addresses, SSNs | Prince, Brian, “University of Idaho Reports Computer Thefts,” eWeek.com, January 12, 2007, at [http://www.eweek.com/article2/0,1759,2082796,00.asp?kc=EWRSS03129TX1K0000614]. |
| Montana State University (Bozeman, MT) - student working in loan office mistakenly sent personal information to other students | December 2006 | students who had paid off their student loans | 259 | names, SSNs | Associated Press, “University apologizes for mistakenly sharing student information,” December 27, 2006. |
| Mississippi State University (Jackson, MS) - information inadvertently published on website | December 2006 | students and employees | 2,400 | names, SSNs, some dates of birth | Lake, Richard, “MSU Data Put Online in Mishap,” Clarion-Ledger (Jackson, Mississippi), December 20, 2006, p. 1A. |
| University of Colorado (Boulder) - server hacked | December 2006 | individuals who attended orientation sessions from 2002 to 2004 | 17,500 | names, SSNs | Danna, Nicole, “U. Colorado security breach not used for nefarious purposes,” University Wire, December 19, 2006. |
| Riverside High School (Durham, NC) - two students accused of hacking into databases | December 2006 | employees | “thousands” (unspecified) | names, SSNs | Dopart, Brianne, “Students accused of hacking DPS; Two told teacher about security breach found during computer class,” Herald-Sun (Durham, NC), December 15, 2006, p. B1. |
| Virginia Commonwealth University (Richmond, VA) - personal information inadvertently included in two e-mail attachments | December 2006 | students | 561 students in the College of Humanities and Sciences | names, SSNs, addresses, grade point averages | Robertson, Gary, “E-mail includes data on students,” Richmond Times-Dispatch (Virginia), December 9, 2006. |
| University of Texas (Dallas) - computer network intrusion | December 2006 | current and former students, faculty, staff, and others | 5,000 - 6,000 | names, SSNs, and in some cases, addresses, e-mail addresses and telephone numbers | Hacker, Holly, “UTD computer attack worse than first thought: Campus officials now say 6,000 at risk of identity theft,” Dallas Morning News, December 14, 2006. |
| Nassau Community College (Garden City, NY) - theft of computer printout | December 2006 | all registered students | 21,000 | names, addresses, SSNs, phone numbers | Winslow, Olivia, “College loses data; Printed list with personal information of Nassau Community College students gone missing, officials say,” Newsday, December 6, 2006, p. A9. |
| California State University (Los Angeles) - stolen USB drive containing unencrypted personal data | November 2006 | students, applicants, faculty supervisors | 2,534 | names, SSNs, campus identification numbers (CIN), phone numbers, e-mail addresses | US States News, “Education College Alerts Teacher Credential Applicants of Information Security Incident,” November 28, 2006. |

| Education Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Greenville County School District (Greenville, SC) - computers containing personal information inadvertently sold at auctions | November 2006 | students and employees | 101,000 | names, SSNs, dates of birth, addresses, phone numbers, contact information | Barnett, Ron, “Student Data Left on Sold Computers,” Greenville News (South Carolina), November 27, 2006, p. 1A. |
| Chicago Public School District - contractor mistakenly mailed personal information as part of an insurance-information package | November 2006 | former school employees | 1,740 | names, SSNs, home addresses | Flynn, Courtney, “Teachers’ IDs mailed by mistake: 1,740 Social Security numbers included in city schools’ packets,” Chicago Tribune, November 27, 2006. |
| Adams State College (Alamosa, CO) - stolen laptop | October 2006 | high school Outward Bound students | 184 | unspecified personal data | Smith, Erin, “Stolen ASC laptop holds student data,” Pueblo Chieftain, October 10, 2006. |
| Connors State College (Warner, OK) - stolen laptop | November 2006 | students who receive Oklahoma Higher Learning Access Program scholarships | 22,500 | SSNs and other (unspecified) identifying information | Simpson, Susan, “Stolen computer contained student data,” Daily Oklahoman, November 15, 2006. |
| University of Minnesota (Spain) - laptop stolen from a faculty member on a trip to Spain | October 2006 | students | 200 | names, university IDs, grades | Tosto, Paul, “Second laptop with student data was stolen: No Social Security numbers compromised,” Pioneer Press (St. Paul, Minnesota), October 20, 2006. |
| University of Texas (Arlington) - stolen computers | October 2006 | students | 2,500 | names, SSNs, university IDs, grades, emails | “U. Texas-Arlington student info on stolen computers,” University Wire, October 12, 2006. |
| San Juan Capistrano Unified School District (CA) - theft of 5 computers | October 2006 | employees | unknown | unknown | McDonald, John, “Computers stolen from offices of Capistrano school district; the five machines, valued at $5,000, may have contained confidential information on employees, a spokeswoman says,” Orange County Register (California), October 6, 2006, p. South_B. |
| Troy Athens High School (Troy, MI) - stolen hard drive | October 2006 | alumni | 4,400 | names, addresses, SSNs | Lewis, Shawn, “Alumni will get credit watch; In wake of lost data, Troy district offers 14 months of free identity theft protection,” Detroit News, October 23, 2006. |
| University of Iowa Department of Psychology (Iowa City, IA) - computer attack | September 2006 | subjects who participated in research studies on maternal and child health from 1995 until the present. | 14,500 | SSNs | “University of Iowa Contacts Research Subjects about Computer Intrusion,” US Fed News, September 29, 2006. |
| Western Illinois University - hacker accessed several electronic student services systems | July 2006 | students, customers of the university’s online bookstore, guests of the university hotel | 180,000 | SSNs, personal data, credit card information | Maguire, John, “Alums Just Told of Computer Breach: Data on 180,000 with Ties to WIU Hacked a Month Ago,” Chicago Sun-Times, July 5, 2006, p. 8. |
| University of Tennessee - hacker broke into UT computer | July 2006 | past and current employees | 36,000 | SSNs, names, addresses | Herrington, Angie, “UT Notifies Workers of Computer Hacking,” Chattanooga Times Free Press, July 7, 2006, p. O. |

| Education Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Northwestern University (Chicago) - hackers broke into nine desktop computers in the Office of Admissions and Financial Aid | July 2006 | students and applicants to the school | 17,000 | names, addresses, SSNs | “Hackers break into NU Admissions, Financial Aid Computers,” Chicago Sun Times, July 15, 2006, at [http://www.suntimes.com/cgi-bin/print.cgi?getReferrer=[http://www.suntimes.com/output/news/cst-nwshack15.html]. |
| Moraine Park Technical College (Beaver Dam, Fond du Lac, & West Bend, WI) - missing computer disk | July 2006 | apprenticeship students back to 1993 | 1,500 | names, addresses, phone numbers, SSNs | “News Summaries Ozaukee and Washington Counties,” Milwaukee Journal Sentinel, July 16, 2006, p. Z3. |
| Catawba County Schools (Newton, NC) - website exposed personal data | June 2006 | students who had taken keyboarding and computer applications placement test during the 2001-02 school year | 619 | names, SSNs, test scores | Shain, Andrew, and Hannah Mitchell, “619 Students’ Secure Data Revealed Online: Google Page Showed Social Security Numbers, Test Scores,” Charlotte Observer, June 24, 2006, p. 1B. |
| San Francisco State University - faculty member’s laptop stolen | June 2006 | current and former students | 3,000 | names, SSNs, phone numbers and grade point averages. | Asimov, Nanette, “SFSU students’ information stolen; School alerts 3,000 affected by theft of faculty laptop,” San Francisco Chronicle, June 23, 2006, p. B5. |
| University of Kentucky - stolen thumb drive | June 2006 | current and former students | 6,500 | SSNs | Kiernan, Vincent, “Incidents at Two Universities Put More Than 200,000 Students at Risk of Data Theft,” The Chronicle of Higher Education, June 19, 2006, p. A21. |
| Ohio University (Athens, OH) - hackers breach servers in two separate incidents | May 2006 | individuals and organizations listed in the alumni database, owners of patents and other intellectual property | 300,00 | SSNs, personal information, biographical information, patent data, intellectual property files | Vijayan, Jaikumar, “Ohio University Reports Two Separate Security Breaches,” Computerworld, May 3, 2006, at [http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=111113&intsrc=article_pots_bot]. |
| Sacred Heart University - hackers intrude system | May 2006 | students and some individuals not associated with the university | 135,000 | personal information, SSNs | Sandoval, Greg, “Sacred Heart is Latest University to be Hacked,” CNet News, May 26, 2006, at [http://news.com.com/2100-7349_3-6077212.html]. |
| University of Texas, Austin - data breach | April 2006 | students, alumni, faculty, and staff of the business school | 200,000 | SSNs, biographical materials | Associated Press, “University of Texas Probes Computer Breach,” MSNBC, April 24, 2006, at [http://www.msnbc.msn.com/id/12459840/]. |
| University of Arizona - hackers break into journalism department’s computer system | February 2006 | journalism students | undisclosed | none so far | Grossman, Djamila, “Romanian Hacker Breaks into UA Journalism Computers,” Arizona Daily Star, February 14, 2006, p. B2. |
| Notre Dame - hackers attack server | January 2006 | alumni and other donors to the university | undisclosed | SSNs, credit card numbers, check images | Roberts, Paul F., “Hackers Target Notre Dame Donors,” eWeek, January 24, 2006, at [http://www.eweek.com/article2/0,1895,1915087,00.asp]. |
Indiana University - malicious software programs installed on business instructor’s computer
Date publicized: November 2005
Who was affected: Kelley School of Business students enrolled in introductory business course between 2001-2005
Number affected: 5,300
Type of data released/compromised: personal student information
Source(s): Associated Press, “IU Finds ‘Malicious’ Software,” FortWayne.com, November 18, 2005, at [http://www.fortwayne.com/mld/fortwayne/news/local/13202338.htm].

University of Tennessee Medical Center - laptop computer stolen
Date publicized: November 2005
Who was affected: patients who received treatment in 2003
Number affected: 3,800
Type of data released/compromised: names and SSNs
Source(s): “UT Patients Warned of Stolen Computer,” Chattanooga Times Free-Press, November 2, 2005, p. B2.

Georgia Institute of Technology Office of Enrollment Services - computer theft
Date publicized: November 2005
Who was affected: past, present, and prospective students
Number affected: 13,000
Type of data released/compromised: SSNs, birth dates, names, addresses
Source(s): Kantor, Arcadiy, “Georgia Tech Computer Theft Compromises Student Data,” The Technique (via University Wire), November 11, 2005, at [http://www.nique.net/issues/2005-11-11/news/3].

University of Tennessee - inadvertent posting of names and Social Security numbers to Internet lists
Date publicized: October 2005
Who was affected: students and employees
Number affected: 1,900
Type of data released/compromised: names and SSNs
Source(s): “State Briefs: UT Students’ Private Data Posted on the ‘Net,” The Tennessean.com, October 29, 2005, at [http://tennessean.com/apps/pbcs.dll/article?AID=/20051029/NEWS01/510290327/1006/NEWS01].

University of Georgia - hacker hits employee records server
Date publicized: September 2005
Who was affected: current and former employees of university’s College of Agricultural and Environmental Sciences
Number affected: 1,600
Type of data released/compromised: SSNs
Source(s): Simmons, Kelly, “Hackers Breach Database at UGA,” The Atlanta Journal-Constitution, September 29, 2005, p. C2.
Miami University (Ohio) - report containing SSNs and grades of more than 20,000 students has been accessible via the Internet since 2002
Date publicized: September 2005
Who was affected: students
Number affected: 21,762
Type of data released/compromised: SSNs, grades
Source(s): Giordano, Joe, “Miami University, Ohio, Finds Huge Online Security Breach,” Journal-News (Hamilton, OH), September 16, 2005 (no page given).

Kent State University - five desktop computers stolen from campus
Date publicized: September 2005
Who was affected: students and professors
Number affected: 100,000
Type of data released/compromised: names, SSNs, grades
Source(s): Gonzalez, Jennifer, “Student, Faculty Data on Stolen Computers,” Plain Dealer (Cleveland), September 10, 2005, p. B1.

Sonoma State University - hacking
Date publicized: August 2005
Who was affected: people who either attended, applied, graduated or worked at the school from 1995 to 2002
Number affected: 61,709
Type of data released/compromised: names, SSNs
Source(s): Park, Rohnert, “Hackers Hit College Computer System: Identity Theft Fears at Sonoma State,” San Francisco Chronicle, August 9, 2005, p. B2.

California State University Office of the Chancellor - may have experienced unauthorized access to one of its computers
Date publicized: August 2005
Who was affected: students who receive financial aid and two financial aid administrators
Number affected: 154
Type of data released/compromised: names, SSNs
Source(s): “California State University Chancellor’s Office Experiences Potential Computer Security Breach,” U.S. States News, August 29, 2005 (no page given).

University of Florida Health Sciences Center/ChartOne - stolen laptop
Date publicized: August 2005
Who was affected: patients and physicians
Number affected: 3,851
Type of data released/compromised: names, SSNs, dates of birth, medical records
Source(s): Chun, Diane, “3,851 Patients at Risk of ID Theft,” Gainesville.com, August 27, 2005, at [http://www.gainesville.com/apps/pbcs.dll/article?AID=/20050827/LOCAL/208270336/1078/news].

University of Colorado - hacking into campus Card Office (creates IDs for staff and students)
Date publicized: August 2005
Who was affected: students and faculty
Number affected: 36,000
Type of data released/compromised: university accounts and personal information
Source(s): Uhls, Anna, “U. Colorado students getting (re)carded,” University Wire/Colorado Daily, August 4, 2005 (no page given).
University of North Texas - hacking
Date publicized: August 2005
Who was affected: current, former and prospective students
Number affected: 38,607
Type of data released/compromised: names, addresses, telephone numbers, SSNs, student identification numbers, student ID passwords, student classification information and possibly 524 credit card numbers
Source(s): Tessyman, Neal, “Hackers Steal Student Info from U. North Texas,” University Wire, August 11, 2005 (no page given).

University of Colorado - hackers tapped into a database in the registrar’s office
Date publicized: August 2005
Who was affected: student records from June 1999 to May 2001 and from fall 2003 to summer 2005.
Number affected: 49,000
Type of data released/compromised: names, SSNs, addresses, phone numbers
Source(s): Mccrimmon, Katie Kerwin, “Hackers Tap CU Registrar’s Database; Privacy of 49,000 Students Potentially Invaded in Breach,” Rocky Mountain News (Denver), August 20, 2005, p. 20A.

California State University, Stanislaus - hacking
Date publicized: August 2005
Who was affected: student workers
Number affected: 900
Type of data released/compromised: names, SSNs
Source(s): Togneri, Chris, “Hacker Breaks into Stan State Computer,” Modesto Bee, August 16, 2005, p. B1.

University of Southern California - individual hacked into USC’s online application system
Date publicized: July 2005
Who was affected: applicants
Number affected: 270,000
Type of data released/compromised: name, address, SSNs, e-mail address, phone number, date of birth, login information
Source(s): Hawkins, Stephanie, “Hacker Hits Application System at USC,” University Wire/Daily Trojan, August 18, 2005 (no page given).

California Polytechnic, Pomona - two computers hacked
Date publicized: July 2005
Who was affected: university applicants and current and former faculty, staff and students
Number affected: 31,077
Type of data released/compromised: names, SSNs
Source(s): Ruiz, Kenneth, “Hackers Infiltrate Cal Poly,” Whittier Daily News (CA), August 5, 2005 (no page given).
University of Colorado, Boulder - hackers broke into a computer server containing information used to issue identification cards
Date publicized: July 2005
Who was affected: students and professors
Number affected: 29,000 students and 7,000 professors
Type of data released/compromised: SSNs, names, photographs
Source(s): Associated Press, “Hackers Break into CU Computers Containing 36k Records,” August 1, 2005.

Michigan State University - breach of a server in the College of Education
Date publicized: July 2005
Who was affected: students
Number affected: 27,000
Type of data released/compromised: names, addresses, SSNs, course information, personal identification numbers
Source(s): Associated Press, “Students Informed Social Security Numbers Possibly Compromised,” July 7, 2005.

University of California, San Diego - hackers broke into university server
Date publicized: July 2005
Who was affected: students, staff, faculty who had attended or worked at UCSD Extension in the past five years
Number affected: 3,300
Type of data released/compromised: SSNs, driver license and credit card numbers
Source(s): “SD UCSD Hackers,” City News Service, July 1, 2005 (no page given).

California State University Dominguez Hills - hacking
Date publicized: July 2005
Who was affected: students
Number affected: 9613
Type of data released/compromised: names, SSNs
Source(s): Associated Press, “Hackers crack computers, access private student information,” July 29, 2005.

University of Connecticut - hacking - rootkit (collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network) placed on server on October 26, 2003, but not detected until July 20, 2005
Date publicized: June 2005
Who was affected: students, staff, and faculty
Number affected: 72,000
Type of data released/compromised: names, SSNs, dates of birth, phone numbers and addresses
Source(s): Naraine, Ryan, “UConn Finds Rootkit in Hacked Server,” eWeek, June 27, 2005, at [http://www.eweek.com/article2/0,1759,1831892,00.asp].

Kent State University - laptop stolen from employee’s car
Date publicized: June 2005
Who was affected: full-time faculty members since 2001
Number affected: 1,400
Type of data released/compromised: names, SSNs
Source(s): Hampp, David, “Kent State U. Faculty Affected by Stolen Computer,” Daily Kent Stater (via University Wire), June 22, 2005 (no page given).
Ohio State University Medical Center - two stolen laptops
Date publicized: June 2005
Who was affected: patients
Number affected: 15,000
Type of data released/compromised: patient names, admission and discharge dates, whether the patient had insurance, total charges and adjustments to the account.
Source(s): Crane, Misti, “Laptop Containing Patients’ Billing Information Stolen; Birth Dates, Social Security Numbers Not in Data Taken from Consultant, Osu Says,” Columbus Dispatch (OH), June 30, 2005, p. 4C.

University of Hawaii - dishonest library worker indicted on federal charges of bank fraud related to identity theft
Date publicized: June 2005
Who was affected: students, faculty, staff and library patrons at any of the 10 campuses between 1999 and 2003
Number affected: 150,000
Type of data released/compromised: SSNs, addresses and phone numbers
Source(s): Associated Press, “UH Warns of Possible Identity Theft,” June 19, 2005.

Jackson Community College (MI) - hacker breaks into computer system
Date publicized: May 2005
Who was affected: employees and students of the college
Number affected: 8,000
Type of data released/compromised: SSNs
Source(s): “Computer Crime: Hacker May Have Stolen Social Security Numbers From Jackson Community College,” Computer Crime Research Center, May 29, 2005 (no page given).

Carnegie Mellon University - security breach of school’s computer network
Date publicized: May 2005
Who was affected: graduates of the Tepper School of Business from 1997 to 2004; current graduate students; applicants to the doctoral program from 2003 to 2005; applicants to the MBA program from 2002 to 2004; and administrative employees
Number affected: 5,000
Type of data released/compromised: SSNs and personal information
Source(s): Associated Press, “Carnegie Mellon Reports Computer Breach,” MSNBC, April 21, 2005, at [http://msnbc.msn.com/id/7590506/].

Stanford University - computer system breach
Date publicized: May 2005
Who was affected: students and recruiters of the university
Number affected: 9,600
Type of data released/compromised: SSNs, resumes, financial data, government information
Source(s): Musil, Steven, “FBI Probes Network Breach at Stanford,” CNet News, May 25, 2005.
Florida International University (FIU) - a hacker acquired user names and passwords for 165 computers on campus
Date publicized: May 2005
Who was affected: faculty and students
Number affected: unknown
Type of data released/compromised: SSNs, credit card numbers
Source(s): Leyden, John, “Florida Univ on Brown Alert after Hack Attack,” The Register, April 29, 2005, at [http://www.theregister.com/2005/04/29/fiu_id_fraud_alert/].

Northwestern University (Kellogg School of Management) - computer network breach
Date publicized: May 2005
Who was affected: faculty, students, and alumni
Number affected: 17,500
Type of data released/compromised: user IDs and passwords
Source(s): Meglio, Francesca Di, “Hacker Break-In,” Computer Crime Research Center, May 23, 2005 (no page given).

University of California, San Francisco - hacker gained access to server used by accounting and personnel department
Date publicized: April 2005
Who was affected: students, faculty and staff
Number affected: 7,000
Type of data released/compromised: names and SSNs
Source(s): Lazarus, David, “Another Incident for UC,” San Francisco Chronicle, April 6, 2005, p. C1.

Tufts University - possible security breach in an alumni and donor database after abnormal activity on the server in October and December, 2004
Date publicized: April 2005
Who was affected: alumni
Number affected: 106,000
Type of data released/compromised: SSNs and other unspecified personal information
Source(s): Roberts, Paul, “Tufts Warns 106,000 Alumni, Donors of Security Breach: Personal Data on a Server Used for Fund Raising May Have Been Exposed,” Computerworld, April 13, 2005, at [http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,101043,00.html?source=x10].
University of Nevada, Las Vegas - hackers accessed school’s Student and Exchange Visitor Information System (SEVIS) database
Date publicized: March 2005
Who was affected: current and former students and faculty
Number affected: 5,000
Type of data released/compromised: personal records, including birth dates, countries of origin, passport numbers, and SSNs
Source(s): Lipka, Sara, “Hacker Breaks Into Database for Tracking International Students at UNLV,” Chronicle of Higher Education, March 21, 2005, p. A43.

California State University, Chico - hackers broke into servers
Date publicized: March 2005
Who was affected: students, former students, prospective students, and faculty
Number affected: 59,000
Type of data released/compromised: SSNs
Source(s): Associated Press, “Hackers Gain Personal Information of 59,000 People Affiliated with California University,” Grand Rapids Press, March 22, 2005, p. A2.

University of California, Berkeley - laptop stolen from restricted area of campus office
Date publicized: March 2005
Who was affected: alumni, graduate students, and past applicants
Number affected: 100,000
Type of data released/compromised: SSNs, names; addresses, and birth dates for 1/3 of affected people
Source(s): Liedtke, Michael, “Laptop Theft Causes Identity Fraud Worry,” Daily Breeze (Torrance, CA), March 28, 2005, p. A10.

George Mason University - hackers gained access to information
Date publicized: January 2005
Who was affected: faculty, staff, and students
Number affected: 30,000
Type of data released/compromised: names, photos, SSNs, and campus ID numbers
Source(s): McCullagh, Declan, “Hackers Steal ID Info from Virginia University,” Wired News, January 10, 2005, at [http://news.com.com/2100-7349_3-5519592.html].

University of California, San Diego (UCSD) - hacker breached computer system
Date publicized: January 2005
Who was affected: students and alumni of UCSD Extension
Number affected: 3,500
Type of data released/compromised: names, SSNs
Source(s): Yang, Eleanor, “Hacker Breaches Computers That Store UCSD Extension Student, Alumni Data,” San Diego Union Tribune, January 18, 2005, p. B3.
University of California, Berkeley - hacker compromised the university’s computer system
Date publicized: October 2004
Who was affected: Californians participating in California’s In-Home Supportive Services program since 2001
Number affected: 1.4 million individuals
Type of data released/compromised: SSNs, names, addresses, phone numbers, and dates of birth
Source(s): Reuters, “Hacker Strikes University Computer System,” CNET News, October 19, 2004, at [http://news.com.com/2100-7349_3-5418388.html].

California State - auditor from chancellor’s office lost hard drive containing personal information
Date publicized: August 2004
Who was affected: 380,000 current and former students, applicants, staff, faculty and alumni at UC San Diego and 178,000 at San Diego State
Number affected: 23,500
Type of data released/compromised: name, address, SSNs
Source(s): Connell, Sally Ann, “Security Lapses, Lost Equipment Expose Students to Possible ID Theft; in the Latest Incident, a Cal State Hard Drive with Data on 23,500 Individuals Is Missing,” Los Angeles Times, August 29, 2004, p. B4.

University of California, Los Angeles - stolen laptop w/ blood donor info
Date publicized: June 2004
Who was affected: blood donors
Number affected: 145,000
Type of data released/compromised: names, birth dates and SSNs
Source(s): Becker, David, “UCLA Laptop Theft Exposes ID Info,” CNET News, October 6, 2004, at [http://news.com.com/UCLA+laptop+theft+exposes+ID+info/2100-1029_3-5230662.html?tag=nl].

University of California, San Diego (UCSD) - hackers breached security at the San Diego Supercomputer Center and the University’s Business and Financial Services Department
Date publicized: April 2004
Who was affected: UCSD students, alumni, faculty, employees and applicants
Number affected: 380,000
Type of data released/compromised: SSNs, and driver license numbers
Source(s): Sidener, Jonathan, “SD Supercomputer Center Among Victims of Intrusion,” San Diego Union Tribune, April 15, 2004, p. B3.
Georgia Institute of Technology
Date publicized: March 2003
Who was affected: patrons of art and theatre program
Number affected: 57,000
Type of data released/compromised: credit card numbers
Source(s): Lemos, Robert, “Data Thieves Strike Georgia Tech,” Wired News, March 31, 2003, at [http://news.com.com/Data+thieves+strike+Georgia+Tech/2100-1002_3-994821.html?tag=nl].

University of Texas, Austin - computer hackers broke into database on multiple occasions
Date publicized: March 2003
Who was affected: current and former student, faculty and staff members, as well as job applicants
Number affected: 55,200
Type of data released/compromised: names, addresses, SSNs, email addresses, office phone numbers
Source(s): Read, Brock, “Hackers Steal Data From U. of Texas Database,” Chronicle of Higher Education, March 21, 2003, p. 35.

University of Kansas - hacker break-in to Student and Exchange Visitor Information System (SEVIS)
Date publicized: January 2003
Who was affected: foreign students
Number affected: 1,400
Note: perpetrator claimed he did not distribute the numbers and had not used them “to anyone’s detriment”
Type of data released/compromised: SSNs, passport numbers, countries of origin, and birth dates.
Source(s): Arnone, Michael, “Hacker Steals Personal Data on Foreign Students at U. of Kansas,” Chronicle of Higher Education, January 24, 2003 (no page given).

College of the Canyons (California) - computer hard drive containing personal student information stolen
Date publicized: October 2001
Who was affected: current and former students
Number affected: 36,000
Type of data released/compromised: names, SSNs, and photographs
Source(s): Mistry, Bhavna, “Identity Theft Alert Issued at College,” Los Angeles Daily News, October 21, 2001, p. N7.

University of Washington Medical Center - hacker broke into computer system
Date publicized: December 2000
Who was affected: cardiology and rehabilitation patients
Number affected: 5,000
Type of data released/compromised: names, addresses, birth dates, heights and weights, SSNs, and the medical procedure undergone
Source(s): “Hacker Steals Patient Records,” San Diego Union-Tribune, December 9, 2000, p. A3.

Table 3.
Data Security Breaches in Financial Institutions (2001-2007)

New Horizons Community Credit Union (Denver, CO) - stolen laptop.
Note: computer was protected by two layers of security, a unique user-identifier, and a multiple-character, alpha-numeric password.
Date publicized: April 2007
Who was affected: credit union members
Number affected: 9,000
Type of data released/compromised: loan account information
Source(s): States News Service, “New Horizons Community CU Takes Action after Potential Data Breach; Members Informed of Protections,” April 11, 2007.

MoneyGram International - server unlawfully accessed
Date publicized: January 2007
Who was affected: customers
Number affected: 79,000
Type of data released/compromised: names, addresses, phone numbers, and in some cases, bank accounts
Source(s): Onaran, Yalman and Elizabeth Hester, “Breach affects 79,000 MoneyGram accounts; Money-transfer and bill-paying service doesn’t know if hackers stole personal data,” Saint Paul Pioneer Press (Minnesota), January 13, 2007, p. 1C.

Premier Bank - report stolen from truck
Date publicized: December 2006
Who was affected: customers
Number affected: 1,8000
Type of data released/compromised: names, account numbers of customers who opened accounts in October, 2006
Source(s): Sorkin, Michael, “Bank data stolen out of exec’s vehicle: Names with account numbers were in truck outside award ceremony,” St. Louis Post-Dispatch, December 6, 2006, p. C1.
TD Ameritrade - criminals, using stolen customer accounts acquired from a hacked computer, drove up the prices of low-priced stocks through high-volume purchases and then sold those shares at a profit
Date publicized: December 2006
Who was affected: customers
Number affected: unknown; company has 6 million clients
Note: TD Ameritrade had to cover $4 million in fraudulent transactions for its most recent quarter
Type of data released/compromised: names, addresses, birth dates, SSNs
Source(s): Greenemeier, Larry, “Cybercrooks Get Smarter; E-Trade and TD Ameritrade were victims of an online brokerage pump-and-dump scheme,” Wall Street & Technology, December 1, 2006, p. 14.

ING Financial Services - stolen laptop
Date publicized: June 2006
Who was affected: District of Columbia government workers and retirees
Number affected: 13,000
Type of data released/compromised: SSNs, personal data
Source(s): Dwyer, Timothy, “ING Financial to Notify Potential Identity Theft Victims,” Washington Post, June 19, 2006, p. B4.

Equifax Inc. - stolen laptop
Date publicized: June 2006
Who was affected: nearly all the U.S. employees of the credit reporting bureau
Number affected: 2,500
Type of data released/compromised: names, SSNs
Source(s): Stempel, Jonathan, “Equifax Says Laptop With Employee Data Was Stolen,” eWeek, June 20, 2006, at [http://www.eweek.com/article2/0,1759,1979296,00.asp?kc=EWRSS03129TX1K0000614].

Fidelity Investments - stolen laptop
Date publicized: March 2006
Who was affected: Hewlett-Packard employees
Number affected: 196,000
Type of data released/compromised: personal data
Source(s): Hines, Matt, “Stolen Fidelity Laptop Exposes HP Workers,” eWeek, March 23, 2006, at [http://www.eweek.com/article2/0,1895,1942049,00.asp].
Bank of America, Washington Mutual - debit cards cancelled
Date publicized: February 2006
Who was affected: customers using debit cards issued by the two banks at Sam’s Club gas stations and Office Max
Number affected: 200,000
Type of data released/compromised: debit card information which was used to accrue fraudulent charges
Source(s): Sandoval, Greg, “Web of Intrigue Widens in Debit-Card Theft Case,” CNet News, February 13, 2006, at [http://news.com.com/Web+of+intrigue+widens+in+debit-card+theft+case/2100-1029_3-6038405.html].

Ameriprise Financial - laptop theft
Date publicized: January 2006
Who was affected: customers and advisers with the financial firm
Number affected: 230,000
Type of data released/compromised: names, SSNs, internal account numbers
Source(s): Dash, Eric, “Ameriprise Loses Data on 230,000 Customers and Advisers,” New York Times, January 25, 2006.

H&R Block - Social Security numbers printed on unsolicited packages containing free software
Date publicized: January 2006
Who was affected: recipients of the company’s tax preparation software
Number affected: undisclosed
Type of data released/compromised: SSNs
Source(s): Gilbert, Alorie, “H&R Block Blunder Exposes Consumer Data,” CNet News, January 3, 2006, at [http://news.com.com/H38R+Block+blunder+exposes+consumer+data/2100-1029_3-6016720.html].

Visa USA
Date publicized: December 2005
Who was affected: customers with Visa cards from various financial institutions using a mutual merchant
Number affected: undisclosed
Type of data released/compromised: credit card information
Source(s): Weinstein, Natalie, “Visa Deals With Possible Data Breach,” CNet News, December 24, 2005, at [http://news.com.com/2100-1029_3-6007759.html].

Scottrade Inc. - internet hacker
Date publicized: December 2005
Who was affected: customers of the stock brokerage firm
Number affected: 140,000
Type of data released/compromised: names, birth dates, drivers license numbers, phone numbers, bank names, bank routing numbers, bank account numbers, and Scottrade account numbers
Source(s): “Hackers Reveal 140,000 Customer ID’s,” Computer Crime Research Center, December 2, 2005 (no page given).
TransUnion (credit reporting bureau) - stolen desktop computer
Date publicized: November 2005
Who was affected: customers
Number affected: 3,600
Type of data released/compromised: SSNs and personal credit information
Source(s): Paul, Peralte, “Credit Bureau Burglary Leaves 3,600 Vulnerable,” Atlanta Journal and Constitution, November 11, 2005, p. 5G.

Choicepoint - Miami-Dade County Police Department may have misused the department’s account to illegally access consumer records
Date publicized: September 2005
Who was affected: consumers
Number affected: 5,103
Type of data released/compromised: SSNs, driver’s license information
Source(s): Husted, Bill, “Another Breach of Records Feared; Choicepoint Tells 5,103 Customers about Incident,” Atlanta Journal-Constitution, September 17, 2005, p. 1H.

Bank of America - stolen laptop
Date publicized: September 2005
Who was affected: Visa Buxx card users
Number affected: undisclosed
Type of data released/compromised: names, credit card numbers, bank account numbers, routing transit numbers
Source(s): McMillan, Robert, “Bank of America Notifying Customers After Laptop Theft,” Computerworld, October 7, 2005, at [http://www.computerworld.com/securitytopics/security/story/0,10801,105246,00.html].

J.P. Morgan (Dallas) - stolen laptop
Date publicized: August 2005
Who was affected: clients
Number affected: unknown
Type of data released/compromised: personal and financial information
Source(s): “Security Breach at J.P. Morgan Private Bank,” AFX International Focus, August 30, 2005 (no page given).

Citigroup - a box of computer tapes with account information for 3.9 million customers was lost in shipment by CitiFinancial, a unit of Citigroup
Date publicized: June 2005
Who was affected: personal and home equity loan customers
Number affected: 3.9 million
Type of data released/compromised: names, addresses, SSNs and loan-account data
Source(s): Krim, Jonathan, “Customer Data Lost, Citigroup Unit Says: 3.9 Million Affected As Firms’ Security Lapses Add Up,” Washington Post, June 7, 2005, p. A1.

Japanese credit cardholders - hackers behind U.S. data theft may have compromised the data of Japanese cardholders, according to the government. Fraudulent transactions have now emerged in Japan.
Date publicized: June 2005
Who was affected: customers of 26 domestic Japanese credit card firms
Number affected: unknown
Type of data released/compromised: unknown
Source(s): “Japan Cardholders ‘Hit’ by Theft,” BBC News, June 21, 2005, at [http://news.bbc.co.uk/2/hi/business/4114252.stm].

MasterCard - breach occurred in 2004 at a processing center in Tucson operated by CardSystems Solutions, one of several companies that handle transfers of payment between the bank of a credit card-using consumer and the bank of the merchant where a purchase was made. CardSystems’ computers were breached by malicious code that allowed access to customer data.
Date publicized: June 2005
Who was affected: MasterCard credit card and some debit card customers
Number affected: 40 million
Type of data released/compromised: names, account numbers, security codes, expiration dates
Source(s): Krim, Jonathan and Michael Barbaro, “40 Million Credit Card Numbers Hacked: Data Breached at Processing Center,” Washington Post, June 18, 2005, p. A1; Zeller, Tom and Eric Dash, “MasterCard Says 40 Million Files Put at Risk,” New York Times, June 18, 2005, p. A1; and Evers, Joris, “Credit Card Suit Now Seeks Damages,” CNET News.com, July 7, 2005, at [http://news.com.com/Credit+card+suit+now+seeks+damages/2100-7350_3-5777818.html].

Bank of America - laptop stolen from car in Walnut Creek, CA
Date publicized: June 2005
Who was affected: California customers
Number affected: 18,000
Type of data released/compromised: names, addresses, SSNs
Source(s): Lazarus, David, “Breaches in Security Require New Laws,” San Francisco Chronicle, June 29, 2005, p. C1.

New Jersey cybercrime ring stole financial records from bank accounts
Date publicized: May 2005
Who was affected: customers of four banks (Charlotte, North Carolina-based Bank of America and Wachovia, Cherry Hill, New Jersey-based Commerce Bank, and PNC Bank of Pittsburgh)
Number affected: 700,000
Type of data released/compromised: names, SSNs, bank account information
Note: bank employees sold financial records to collection agencies and law firms.
Source(s): Weiss, Todd, “Scope of Bank Data Theft Grows to 676,000 Customers: Bank Employees Used Computer Screen Captures to Snag Customer Data,” Computerworld, May 20, 2005, at [http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,101903,00.html].

Ameritrade (securities broker) - loses tapes with back-up information on customer accounts
Date publicized: April 2005
Who was affected: Ameritrade current and former customers
Number affected: 200,000
Type of data released/compromised: account information
Source(s): “Ameritrade Loses Customer Account Info,” CNN Money, April 19, 2005, at [http://money.cnn.com/2005/04/19/technology/ameritrade/index.htm].

HSBC (global bank) - sent out warning letters notifying customers that criminals may have gained access to credit card info
Date publicized: April 2005
Who was affected: holders of General Motors MasterCard who had shopped at Polo Ralph Lauren stores
Number affected: 180,000
Type of data released/compromised: credit card information
Source(s): “Security Scare Hits HSBC’s Cards,” BBC News, April 14, 2005, at [http://news.bbc.co.uk/2/hi/business/4444477.stm]; and Vijayan, Jaikumar, “Update: Scope of Credit Card Security Breach Expands,” Computerworld, April 15, 2005, at [http://www.computerworld.com/securitytopics/security/story/0,10801,101101,00.html].

Bank of America - computer data tapes lost during shipment
Date publicized: February 2005
Who was affected: GSA charge card program (Visa cards issued to federal employees)
Number affected: 1.2 million
Type of data released/compromised: customer and account information
Source(s): Carrns, Ann, “Bank of America Is Missing Tapes With Card Data,” Wall Street Journal, February 28, 2005, p. B2.

Wells Fargo - computers stolen from Wells Fargo vendor
Date publicized: November 2004
Who was affected: mortgage and student-loan customers
Number affected: company would not disclose
Type of data released/compromised: customers’ names, addresses, and SSNs, and account numbers
Source(s): Breyer, R. Michelle, “Wells Fargo Customer Data Stolen in Computer Theft,” Austin-American Statesman, November 3, 2004, p. D1.
Wells Fargo - hacker arrested with stolen computers and laptop
Date publicized: November 2003
Who was affected: customers with personal lines of credit used for consumer loans and overdraft protection
Number affected: company would not disclose
Type of data released/compromised: names, addresses, account and SSNs
Source(s): “Suspect Is Arrested in Theft of Bank Data,” Los Angeles Times, November 27, 2003, p. C2.

Weichert Financial Services - credit profiles were unlawfully accessed from internal computer system
Date publicized: May 2003
Who was affected: clients
Number affected: 3,774
Type of data released/compromised: credit reports, driver’s license info
Source(s): Associated Press, “Pair Accused of Fraud in Credit Reports’ Theft: Allegedly Used Data to Buy Goods over the Internet,” The Record (Bergen County, NJ), May 2, 2003, p. A10.

Visa, MasterCard, American Express and Discover account numbers - hacker stole 8 million
Date publicized: February 2003
Who was affected: credit card customers
Number affected: PNC Bank cancelled 16,000 cards; Citizens Bank cancelled 8,000-10,000 cards
Type of data released/compromised: ATM/debit/check cards
Source(s): Sabatini, Patricia, “PNC Cancels 16,000 Cards After Hacking Theft Incident,” Pittsburgh Post-Gazette, February 20, 2003, p. C1.

Fullerton, California - bogus credit card ring opened bank accounts, credit lines, auto and home loans
Date publicized: June 2001
Who was affected: impersonated more than 1,500 people nationwide and defrauded 76 financial institutions
Number affected: 1,500
Type of data released/compromised: birth dates, SSNs, mothers’ maiden names, credit cards, driver’s licenses, and receipts for car and home purchases.
Source(s): Brown, Aldrin and Jeff Collins, “Suspicious Mail Triggered Probe of Identity Theft Crime Losses from the Alleged Ring, Which Used Data Stolen as Far Back as the Early ‘90s, May Hit $10 Million,” Orange County Register, June 21, 2001 (no page given).

Table 4.
Data Security Breaches in Local, State, and Federal Government (2003-2007)

Transportation Security Administration - missing external hard drive
Date publicized: May 2007
Who was affected: individuals employed by the agency from January 2002 until August 2005
Number affected: 100,000
Type of data released/compromised: name, SSN, date of birth, payroll information, bank account and routing information
Source(s): Hu, Spencer, “TSA Hard Drive With Employee Data Is Reported Stolen,” Washington Post, May 5, 2007, p. A9.

U.S. Department of Agriculture - public information disclosed for more than a decade on public website
Date publicized: April 2007
Who was affected: recipients of loans or other financial assistance
Number affected: 63,000 (first estimate), then 38,700 (after USDA investigation)
Type of data released/compromised: SSNs
Source(s): Nakashima, Ellen, “U.S. Exposed Personal Data; Census Bureau Posted 63,000 Social Security Numbers Online,” Washington Post, April 2, 2007, p. A5; and Prince, Brian, “USDA Cuts Number Affected by Data Exposure,” eWeek, April 23, 2007.

Georgia Secretary of State (Atlanta, GA) - 30 boxes of voter registration records found in trash
Date publicized: April 2007
Who was affected: Fulton County voters
Number affected: 75,000
Type of data released/compromised: name, address, SSNs
Source(s): Associated Press, “75,000 voter registration cards found in trash bin in Atlanta,” April 12, 2007.

ChildNet (non-profit that runs Broward County’s child welfare program) (Fort Lauderdale, FL) - former employee allegedly stole laptop
Date publicized: April 2007
Who was affected: adoptive and foster-care parents
Number affected: 12,000
Type of data released/compromised: SSNs, financial and credit data, driver’s license data, passport numbers
Source(s): Haas, Brian, and Bill Hirschman, “Stolen ChildNet laptop puts 12,000 at risk of ID theft,” South Florida Sun-Sentinel (Fort Lauderdale), April 12, 2007.
Los Angeles County Child Support Services (Los Angeles, CA) - three missing laptops
Date publicized: March 2007
Who was affected: child support clients
Number affected: 243,000
Type of data released/compromised: 130,500 SSNs (most without names attached), about 12,000 individuals’ names and addresses, and more than 101,000 child support case numbers
Source(s): Rosenblatt, Susannah, “Child support data may be at risk; L.A. County agency tells 243,000 clients that three missing laptops may contain personal info,” Los Angeles Times, March 30, 2007, p. B4.

Fort Monroe (Fort Monroe, VA) - stolen Army laptop
Date publicized: March 2007
Who was affected: civilian employees
Number affected: 16,000
Type of data released/compromised: names, SSNs, payroll information
Source(s): Howe, Kevin, “Army warns of data theft: laptop with information of 16,000 civilian employees stolen in Virginia,” Monterey County Herald (California), March 29, 2007.

California National Guard (Sacramento, CA) - stolen computer hard drive
Date publicized: March 2007
Who was affected: California National Guard troops deployed to the U.S.-Mexico border
Number affected: 1,300
Type of data released/compromised: names, addresses, SSNs, dates of birth
Source(s): Associated Press, “Stolen hard drive contains data for California Guard troops,” March 10, 2007.

U.S. Department of Veterans Affairs, VA Medical Center (Birmingham, AL) - missing hard drive
Date publicized: February 2007
Who was affected: veterans
Number affected: 535,000. Hard drive also may have included data, not all of it sensitive, on about 1.3 million non-VA physicians, both living and dead
Type of data released/compromised: names, SSNs, some Medicare billing record information and billing codes for 1.3 million doctors
Source(s): Thornton, William, “535,000 on lost VA drive: Agency to notify those possibly affected,” Birmingham News (Alabama), February 12, 2007.
Connecticut - personal information inadvertently posted to state Administrative Services Department’s website
Date publicized: February 2007
Who was affected: state employees
Number affected: 1,700
Type of data released/compromised: names, SSNs
Source(s): Greenemeier, Larry, “Stop & Shop PIN Pads Breached; Connecticut Removes Worker Data From Site,” Information Week, February 20, 2007, at [http://www.informationweek.com/story/showArticle.jhtml?articleID=197007473&cid=RSSfeed_IWK_News].

Massachusetts Department of Industrial Accidents (Boston, MA) - contractor accessed a workers’ compensation data file and stole the identities of at least three people, opened credit card accounts in their names, and charged thousands of dollars for jewelry and other purchases
Date publicized: February 2007
Who was affected: accident victims
Number affected: 1,200
Type of data released/compromised: names, SSNs
Source(s): Murphy, Sean, “Worker charged with identity theft,” Boston Globe, February 2, 2007.

Chicago Board of Elections - computer disks mistakenly distributed to aldermen and ward committeemen
Note: class-action lawsuit was filed against the Board of Elections in Cook County Circuit Court
Date publicized: January 2007
Who was affected: Chicago voters
Number affected: 1.3 million
Type of data released/compromised: names, SSNs, dates of birth, addresses
Source(s): Associated Press, “Social Security numbers distributed on computer discs,” January 23, 2007.

Internal Revenue Service, Kansas City, KS - 26 computer tapes missing
Note: tapes require special equipment to read and software that is not commonly used
Date publicized: January 2007
Who was affected: taxpayers
Number affected: unknown
Type of data released/compromised: unknown (potentially contain taxpayers’ names, SSNs, bank account numbers, or employer information)
Source(s): Horsley, Lynne, “26 IRS tapes missing from City Hall: Records were delivered in August. Trail of where taxpayer data went is under investigation,” Kansas City Star, January 19, 2007, p. A1.

Indiana State Department of Health via Family Health Center of Clark County (Jeffersonville, IN) - two stolen computers
Date publicized: November 2006
Who was affected: women in the state’s Breast and Cervical Cancer Program
Number affected: 7,700
Type of data released/compromised: name, address, SSN, medical information
Source(s): Associated Press, “Women alerted to possible identity theft,” November 26, 2006.

Bowling Green Police Dept. (Bowling Green, OH) - inadvertent publishing of personal data to website
Date publicized: November 2006
Who was affected: victims or suspects on the daily blotter
Number affected: 200
Type of data released/compromised: names, SSNs, phone numbers
Source(s): Feehan, Jennifer, “Bowling Green police mistakenly put private data online,” Blade (Toledo, Ohio), November 14, 2006.

Administration for Children’s Services (New York, NY) - unshredded files found on the street in clear plastic garbage bag
Date publicized: November 2006
Who was affected: families, social workers and police
Number affected: 200 case files
Type of data released/compromised: unspecified confidential information
Source(s): Schapiro, Rich and Nicole Bode, “Secret Shame for All to See. Confidential Acs Files Found Dumped on Street,” New York Daily News, November 20, 2006, p. 3.

City of Lubbock (TX) - hackers broke into city job application website
Date publicized: November 2006
Who was affected: job applicants
Number affected: 5,800
Type of data released/compromised: names, addresses, SSNs, drivers license numbers
Source(s): Roberts, Paul, “Texas Tech-are police discover security breach in city database” (sic), University Wire, November 9, 2006.

Manhattan Veterans Affairs Medical Center, New York Harbor Health Care System (New York, NY) - unencrypted stolen laptop
Date publicized: November 2006
Who was affected: veterans who receive pulmonary care at the facility
Number affected: 1,600
Type of data released/compromised: names, SSNs, medical diagnoses
Source(s): Hutchinson, Bill, “Your Identity May Be Stolen, Vets Are Warned,” New York Daily News, November 2, 2006, p. 19.
Veterans Affairs Hospital and McAlester Clinic - missing computer disks (Muskogee, OK) November 2006 veterans 1,400 names, SSNs, billing information Thornton, Tony, “VA hospital loses data on patients; No indication of misuse, agency says,” The Oklahoman, November 2, 2006, p. 1A. CRS-61 Government (Local, State and Federal) Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) U.S. Army Cadet Command (Fort Monroe, VA) - stolen laptop November 2006 high school students who applied for Army ROTC scholarships. 4,600 names, addresses, W-2 tax forms, SSNs Petkofsy, Andrew, “ROTC applicants’ data on stolen computer,” Richmond Times Dispatch (Virginia), November 2, 2006, p. B6. Colorado Dept. of Human Services via private contractor Affiliated Computer Services (Dallas, TX) - stolen computer November 2006 recently hired employees up to 1.4 million names, SSNs, birth dates Migoya, David, “Stolen state database puts 1.4 million at ID-theft risk,” Denver Post, November 2, 2006, p. B1. Port of Seattle (Seattle, WA) missing CD-ROMS October 2006 individuals who applied for airport security badges 6,943 unspecified personal information “Port of Seattle Hires Id Protection Service,” Pacific Shipper, October 27, 2006. Camp Pendleton Marine Corps base, via Lincoln BP Management (near Oceanside, CA) - missing laptop October 2006 Marines who live on the base 2,400 unspecified personal information Hoellworth, John, “Lost laptop contains 2,400 Pendleton Marines’ info,” Marine Corps Times, October 23, 2006, p. 13. City of Visalia, Recreation Division (Visalia, CA) - city documents were found scattered on a city street. October 2006 current and former employees 200 names, SSNs Castellon, David, “Tossed records are still a mystery,” Visalia Times-Delta (California), October 17, 2006, p. 1C. 
CRS-62 Government (Local, State and Federal) Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) Poulsbo Department of Licensing (Poulsbo, WA) missing data backup device October 2006 citizens processed at one workstation 2,200 names, addresses, drivers license photos US States News, “Small Department of Licensing Data Backup Device Missing,” October 10, 2006. Congressional Budget Office mailing list hacked and phishing email that appeared to come from CBO was sent October 2006 subscribers to CBO’s mailing list unknown unknown “Hackers Breach Budget Office’s Mailing List,” National Journal, Technology Daily, October 13, 2006. Cleveland Air Route Traffic Control Center (Oberlin, OH) computer hard drive stolen October 2006 air traffic controllers 400 names, SSNs Sangiacomo, Michael, “FAA data in Oberlin computer lost Drives had names, Social Security numbers,” Cleveland Plain Dealer, October 6, 2006, p. B3. Florida Department of Labor personal information inadvertently posted on test server October 2006 individuals enrolled for services with regional workforce boards 4,624 names, SSNs, Samples, Eve, “More than 4,600 Floridians’ personal data accidentally posted,”Palm Beach Post, October 11, 2006. Cumberland County, PA SSNs in meeting minutes posted on website October 2006 employees 1,200 names, SSNs Miller, Matt, “Employee numbers removed from Web,” Patriot-News, October 3, 2006, p. B1. 
CRS-63 Government (Local, State and Federal) Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) Kentucky Personnel Cabinet (Frankfort, KY) - letters sent to employees displayed their SSNs on front September 2006 employees in state agencies, community and technical colleges, school districts, health departments and other offices covered by the state’s insurance program 146,000 SSNs Alford, Roger, “State sends out letters with Social Security numbers visible,” Associated Press, September 29, 2006. North Carolina Department of Motor Vehicles (Louisburg, NC) - stolen computer September 2006 drivers 16,000 names, SSNs, driver’s license numbers, dates of birth “Thieves take N.C. DMV computer with personal info,” Associated Press, September 28, 2006. U.S. Department of Commerce - 1,137 stolen, lost, or missing laptops September 2006 Census Bureau and National Oceanic and Atmospheric Administration 6,200 households (estimated) unknown Sipress, Alan, “1,100 Laptops Missing from Commerce Dept.,” Washington Post, September 22, 2006, p. A3. U. S. Department of Veterans Affairs - missing computer from contractor’s office August 2006 patients at VA hospitals in Pennsylvnia 38,000 SSNs, names, addresses, birth dates, insurance carriers, billing information, details of service Rash, Wayne, “Another VA Computer Goes Missing,” eWeek, August 7, 2006, at [http://www.eweek.com/article2/0,1895,200026 8,00.asp]. CRS-64 Government (Local, State and Federal) Incidents Date Publicized Who Was Affected U.S. Department of Transportation - stolen laptop August 2006 drivers license records of Florida residents 133,000 SSNs, names, addresses Rash, Wayne, “DOT is the Latest Victim of Computer Theft,” eWeek, August 10, 2006, at [http://www.eweek.com/article2/0,1895,200214 8,00.asp?kc=EWNAVEMNL081106EOAD]. U.S. 
Department of Education - exposed loan data August 2006 students who borrowed money under the Federal Direct Student Loan program 21,000 names, birth dates, SSNs, addresses, phone numbers and in some cases account information for holders of federal direct student loans Yen, Hope, “Ed. Dept. offers free credit monitoring,” Houston Chronicle, August 24, 2006 (no page given). Naval Safety Center - personal data exposed on website and on 1,100 computer discs mailed to naval commands July 2006 Naval and Marine Corps aviators and air crew, both active and reserve “more than 100,000” SSNs, personal information “Naval Safety Center Finds Personal Data on Website,” U.S. Department of Defense press release, July 8, 2006, at [http://www.news.navy.mil/search/display.asp?s tory_id=24568]. U.S. State Department hackers July 2006 Washington headquarters, and the Bureau of East Asian and Pacific Affairs unknown access to data and passwords “State Department Releases Details Of Computer System Attacks,” COMMWEB, July 13, 2006 (no page given), and Greenemeier, Larry, “State Department Hack Escalates Federal Data Insecurity,” Information Week, July 12, 2006, at [http://www.informationweek.com/news/showA rticle.jhtml?articleID=190302905]. Number Affected Type of Data Released/Compromised Source(s) CRS-65 Government (Local, State and Federal) Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) Federal Trade Commission June 2006 subjects of law enforcement investigations 110 names, addresses, SSNs, financial account numbers Reuters, “FTC Laptops Stolen, 110 People at Risk of ID Theft,” Baseline.com, June 23, 2006 (no page given). U.S. Navy - an open website contained five spreadsheet files with personal information June 2006 Navy members and dependents 30,000 names, birth dates and SSNs “Navy Personal Data on Web Is Katrina-related,” States News Service, June 26, 2006 (no page given). 
Texas Guaranteed Student Loan- computer equipment lost June 2006 college students borrowing money from the loan company 1.3 million names, SSNs Evers, Joris, “Loan Company Reports Loss of Data on 1.3 Million,” CNet News, June 1, 2006, at [http://news.com.com/Loan+company+reports+ loss+of+data+on+1.3+million/2100-1029_3-60 79261.html]. National Institutes of Health Federal Credit Union (Rockville, MD) June 2006 credit union members “small number” unidentified personal information Trejos, Nancy, “Identity Thieves Hit NIH Credit Union; Scheme Is Latest in Spate of Breaches Affecting Millions,” Washington Post, June 29, 2006, p. B3. U.S. Department of Agriculture- external security breach of a workstation and two servers June 2006 current and retired employees of the department 26,000 names, SSNs, employee photos, internal building locations Azaroff, Rachel, “Hacker Might Have Breached Personal Data at USDA,” FCW, June 22, 2006, at [http://www.fcw.com/article94991-06-22-06-W eb]. CRS-66 Government (Local, State and Federal) Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) Minnesota Department of Revenue (St. Paul, MN) - missing data tape June 2006 individuals and businesses (taxpayers) 2,400 individuals and 48,000 businesses names, addresses, SSNs, employment data MN Department of Revenue, “Department of Revenue to Assist Taxpayers Whose Private Information Was Included in a Package Lost in the Mail,” June 28, 2006, at [http://www.taxes.state.mn.us/taxes/publications /press_releases/content/taxpayer_information.sh tml] Department of Energy- file stolen by hacker June 2006 employees of the Energy Department’s nuclear weapons agency 1,500 names, SSNs, birth datess, codes showing where the employees worked, codes showing their security clearance Associated Press, “DOE Computers Hacked; Info on 1,500 Taken,” June 11, 2006. 
Government Accountability Office (GAO) -website exposed data from audit reports on Defense Department travel vouchers from the 1970s June 2006 DoD employees “fewer than 1,000” service members’ names, SSNs, addresses Thormeyer, Rob, “GAO Removes Archived Personal Data from Web Site,” WashingtonTechnology.com, June 27, 2006 at [http://www.washingtontechnology.com/news/1 _1/daily_news/28845-1.html]. King County Records, Elections, and Licensing Services Division (Seattle, WA) - website exposed personal data June 2006 current and former county residents unknown (potentially thousands) SSNs Associated Press, “Councilman Irked by Data Postings on Web,” June 27, 2006. CRS-67 Government (Local, State and Federal) Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) Internal Revenue Service - lost laptop June 2006 IRS employees and job applicants 291 names, birth dates, SSNs, fingerprints Lee, Christopher, “IRS Laptop Lost with Data on 291 People,” Washington Post, June 8, 2006, p. A4. Nebraska Treasurer’s Office (Lincoln, NE) - hacker broke into a child-support computer system June 2006 individuals and employers who pay and receive child support payments 300,000 individuals and 9,000 employers names, SSNs, tax identification numbers for businesses Nebraska State Treasurer, “Hacker Virus Stopped by Treasurer’s Office,” June 29, 2006, at [http://www.treasurer.state.ne.us/ie/server.asp] Pentagon, Tricare Management Activity- hackers break into server May 2006 Defense Department conference attendees 14,000 names, SSNs, credit card numbers, employer identification, other personal information Barr, Stephen, “Conference Attendees’ Personal Data May Be at Risk,” Washington Post, May 12, 2006, p. D4. 
Department of Veterans Affairs- laptop and external hard drive stolen May 2006 military veterans 26.5 million names, birth dates, SSNs Lee, Christopher and Steve Vogel, “Personal Data on Veterans is Stolen,” Washington Post, May 23, 2006, p. A1. National Institutes of Health (NIH)- posting of confidential grant applications October 2005 applicants to the NIH undisclosed grant proposals and other grant review materials Pulley, John L., “NIH Accidentally Posts Confidential Grant Applications on the Web,” The Chronicle of Higher Education, October 31, 2005 (no page given). U.S. Air Force - records stolen from the Air Force Personnel Center’s online Assignment Management System August 2005 officers and 19 NCOs 33,300 SSNs, birth dates, and other sensitive information Dorsett, Amy, “Identity theft Threat Hangs over AF Officers,” San Antonio Express-News, August 24, 2005, p. 1A. CRS-68 Government (Local, State and Federal) Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) San Diego County Employees Retirement Association hackers broke into two computers July 2005 current and retired county government employees 33,000 workers’ names, Social Security numbers, addresses and dates of birth Chacon, Daniel, “Hackers Breach County’s Personal Records; 33,000 People at Risk in Retirement Association,” San Diego Union-Tribune, July 30, 2005, p. B1. Federal Deposit Insurance Corporation - computer breach in early 2004. The agency wrote to employees that it learned of the breach only “recently”, but did not explain how the breach occurred, aside from stating that it was not the result of a computer security failure. June 2005 FDIC current and former employees or anyone employed at the agency as of July 2002. 6,000 names, birth dates, SSNs, and salary information Krim, Jonathan, “FDIC Alerts Employees of Data Breach”, Washington Post, June 16 2005, p. D1. 
Lucas County (OH) Children Services - information from the agency’s personnel database was compiled and e-mailed to an outside computer June 2005 agency’s 400 current employees and about 500 others who have worked there since 1991 900 names, telephone numbers, SSNs Patch, David, “Lucas County Children Services Data Stolen,” Toledo Blade, June 28, 2005, p. B1. hackers breached Illinois Employment Development Department server February 2004 people who work as domestic employees and those who employ them 90,000 SSNs, wages “Hackers Breach State Files on 90,000,” Chicago Tribune, February 15, 2004, p. 12. CRS-69 Government (Local, State and Federal) Incidents Date Publicized Who Was Affected U.S. Department of Defense hackers downloaded Navy credit cards August 2003 Navy’s purchase card program, used to order routine office supplies 13,000 credit card numbers Reddy, Anitha, “Hackers Steal 13,000 Credit Card Numbers; Navy Says No Fraud Has Been Noticed,” Washington Post, November 23, 2003, p. E1. Bronx identity theft ring filed thousands of fraudulent income tax returns February 2003 income tax filers not specified SSNs Weiser, Benjamin, “19 Charged in Identity Theft That Netted $7 Million in Tax Refunds,” New York Times, February 5, 2003, p. B3. Number Affected Type of Data Released/Compromised note: ID theft ring obtained $7million in tax refunds Source(s) CRS-70 Table 5. Data Security Breaches in Health Care (2003-2007) Healthcare Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) Georgia Dept. 
of Community Health (Atlanta, GA) and private contractor Affiliated Computer Services (ACS) missing computer disk April 2007 state health care recipients 2,900,000 SSNs, addresses, birthdates, dates of eligibility, full names, Medicaid or children’s health care recipient identification numbers Miller, Andy, and Bill Hendrick, “Georgians’ personal data lost; Medicaid, PeachCare clients: A computer disk including Social Security numbers on 2.9 million people was lost in transit,” Atlanta Journal and Constitution, April 11, 2007, p. 1A. DCH Health Systems (Tuscaloosa, AL) - lost computer disk and documents April 2007 employees and retirees 6,000 retirement benefit information, SSNs, other uspecified personal information Associated Press State & Local Wire, “Tuscaloosa-based DCH loses personal data on employees,” April 5, 2007. Group Health Cooperative Health Care System (Seattle, WA) - two laptops missing March 2007 patients and employees 31,000 names, addresses, SSNs, group health numbers “Pacific Northwest,” Seattle Times, March 27, 2007, p. B3. Westerly Hospital (Westerly, RI) - patients’ confidential information posted on public website March 2007 patients 2,242 names, SSNs, insurance information Armental, Maria, “ Data breach at Westerly Hospital,” Providence Journal (Rhode Island), March 2, 2007. CRS-71 Healthcare Incidents Wellpoint, Inc (IN-based health insurer) - lost compact disk Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) March 2007 members of its Empire Blue Cross and Blue Shield unit in New York 75,000 names, SSNs, health plan identification numbers, descriptions of medical services back to 2003 Freudenheim, Milt, “Medical Data on Empire Blue Cross Members May Be Lost,” New York Times, March 14, 2007. 
and Gaudin, Sharon, “ WellPoint Finds Missing CD With Data On 75,000 People,” Information Week, March 15, 2007, at [http://www.informationweek.com/story /showArticle.jhtml?articleID=19800110 5&cid=RSSfeed_IWK_News]. Seton Family of Hospitals (Austin, TX) - stolen laptop February 2007 patients who sought care as part of an outpatient or clinic visit since July 1, 2005 7,800 SSNs, dates of birth, insurance program numbers Gaudin, Sharon, “ Hospital Laptop Stolen; Info On 7,800 Patients At Risk,” Information Week, February 26, 2007, at [http://www.informationweek.com/story /showArticle.jhtml?articleID=19700871 1&cid=RSSfeed_IWK_News]. Johns Hopkins University (JHU) and Johns Hopkins Hospital (Baltimore, MD) eight backup tapes containing personal information on JHU employees lost; one backup tape containing information on JH hospital patients lost February 2007 new Johns Hopkins Hospital patients first seen between July 4 and Dec. 18, 2006 52,000 university employees and 83,000 hospital patients information on the university payroll tapes included Social Security numbers and, in some cases, bank account information for present and former employees; information on hospital patients included names and dates of birth Johns Hopkins Institutions press release, “Identity Alert: A Joint Statement from The Johns Hopkins University and The Johns Hopkins Hospital, “ February 7, 2007, at [http://www.jhu.edu/identityalert/release s/statement.html]. Note: Company found the CD less than a week later. WellPoint did not release any information on where the disk was found. 
CRS-72 Healthcare Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) Gulf Coast Medical Center (Nashville, TN & Tallahassee, FL) - two computers missing in two separate incidents February 2007 patients, employees and former employees 1,900 individuals were affected by a theft in Nashville, TN in November and 8,000 when another computer was stolen in Tallahassee names, SSNs Vavala, Donna, “Laptop thefts cause alarm: Devices contained hospital patient, employee information; no ID thefts reported,” News Herald (Panama City, Florida), March 1, 2007. St. Mary’s Hospital (Leonardtown, MD) - stolen laptop February 2007 former and current hospital patients 130,000 names, SSNs, dates of birth O’Brien, Dennis, “ Second Hospital Reports Lost Data. St. Mary’s Notifies 130,000, Days after Hopkins’ Notice; Second Md. Hospital Reports Loss of Patients’ Data,” Baltimore Sun, February 13, 2007, p. A1. Wellpoint/Anthem Blue Cross Blue Shield - cassette tapes stolen from a lock box held by vendor Concentra Preferred Systems February 2007 Anthem members in Kentucky, Indiana, Ohio and Virginia 196,000 names, SSNs Howington, Patrick, “Cassette tapes containing customer information were stolen from a lock box held by one of its vendors,”Courier-Journal (Louisville, Kentucky), February 15, 2007. Ohio Board of Nursing website posted names and SSNs of nurses twice in one month January 2007 newly licensed nurses 3,031 names, SSNs Hoholik, Suzanne, “Error puts nurses’ personal data online,” Columbus Dispatch (OH), January 25, 2007. 
CRS-73 Healthcare Incidents Date Publicized Who Was Affected Number Affected Type of Data Released/Compromised Source(s) Swedish Medical Center, Ballard Campus (Seattle, WA) - employee used patients’ personal information to open credit card accounts October 2006 patients 1,100 names, dates of birth, SSNs Song, Kyung, “3 Swedish patients say IDs stolen at Ballard campus; worker fired; Employee allegedly opened credit cards; Hospital warns patients to watch for activity on their credit reports,” Seattle Times, October 25, 2006, p. B4. Sisters of St. Francis Health Services via Advanced Receivables Strategy (Indianapolis, IN) - contractor inadvertently left CDs containing confidential billing information in a new computer bag she purchased but later returned to a store October 2006 patients, employees, physicians and Board members 260,000 patients and 6,200 employees names, SSNs Lee, Daniel, “Lost and found: info on 260,000 patients,” Indianopolis Star, October 25, 2006. Erlanger Health System (Chattanooga, TN) - missing data device September 2006 current and former employees 4,150 names, SSNs Berry, Emily, “Erlanger loses computer device, personnel data,” Chattanooga Times/Free Press, September 24, 2006. Medco Health Solutionsstolen laptop March 2006 Ohio state employees and their dependents 4,600 SSNs, birth dates Weiss, Todd R., “Vendor Waited Six Weeks to Notify Ohio Officials of Data Breach,” Computerworld, March 1, 2006, at [http://www.computerworld.com/printth is/2006/0,4814,109116,00.htm]. 
CRS-74 Healthcare Incidents Date Publicized Who Was Affected Type of Data Released/Compromised Number Affected Source(s) Children’s Health Council, San Jose, California - stolen backup tape September 2005 patients, employees, and parents of patients 5,000-6,000 psychiatric records, evaluations and SSNs; also payroll data on hundreds of current and former employees and credit card information from parents of patients Walsh, Diana, “Data Stolen from Children’s Psychiatric Center,” San Francisco Chronicle, September 20, 2005, p. B8. San Jose Medical Group Management - desktop computers stolen from locked administrative office April 2005 former patients from last seven years 185,000 names, addresses, SSNs, confidential medical information Weiss, Todd, “Update: Stolen Computers Contain Data on 185,000 Patients,” Computerworld, April 8, 2005, at [http://www.computerworld.com/databa setopics/data/story/0,10801,100961,00.h tml]. TriWest Healthcare Alliance theft of a database containing names and SSNs December 2002 military personnel and their dependents 500,000 names, addresses, SSNs Gorman, Tom, “Reward Offered in Huge Theft of Identity Data; Stolen Computers Had Names, Social Security Numbers of 500,000 Military Families,”Los Angeles Times, January 1, 2003, p. 14. Source: The tables were prepared by CRS from publicly available and news media sources. Note: URLs are listed for exclusively online sources; other publications are identified by name and date. CRS-75 For Additional Reading CRS Report RS22374. Data Security: Federal and State Laws, by Gina Marie Stevens. CRS Report RL33273. Data Security: Federal Legislative Approaches, by Gina Marie Stevens. CRS Report RS22484. Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, by Tara Alexandra Rainson. CRS Report RL33005. Information Brokers: Federal and State Laws, by Angie A. Welborn. CRS Report RL33612. 
Department of Veterans Affairs: Information Security and Information Technology Management Reorganization, by Sidath Viranga Panangala. CRS Report RL31919. Remedies Available to Victims of Identity Theft, by Gina Marie Stevens. CRS Report RS22082. Identity Theft: The Internet Connection (archived), by Marcia S. Smith.