For other versions of this document, see http://wikileaks.org/wiki/CRS-RL33199
------------------------------------------------------------------------------

Order Code RL33199

Data Security Breaches: Context and Incident Summaries

Updated May 7, 2007

Rita Tehan
Information Research Specialist
Knowledge Services Group

Summary

Personal data security breaches are being reported with increasing regularity. Within the past few years, numerous examples of data such as Social Security, bank account, credit card, and driver's license numbers, as well as medical and student records have been compromised.

A major reason for the increased awareness of these security breaches is a California law that requires notice of security breaches to the affected individuals. This law, implemented in July 2003, was the first of its kind in the nation. State data security breach notification laws require companies and other entities that have lost data to notify affected consumers. As of January 2007, 35 states have enacted legislation requiring companies or state agencies to disclose security breaches involving personal information.

Congress is considering legislation to address personal data security breaches, following a series of high-profile data security breaches at major financial services firms, data brokers (including ChoicePoint and LexisNexis), and universities. In the past three years, multiple measures have been introduced, but to date, none have been enacted.

This report will be updated regularly.

Contents

Introduction
Statistics
Data Security Breaches in Federal Agencies
Data Security Breaches: Highlights
For Additional Reading

List of Tables

Table 1. Data Security Breaches in Businesses (2000-2007)
Table 2. Data Security Breaches in Education (2000-2007)
Table 3. Data Security Breaches in Financial Institutions (2001-2007)
Table 4. Data Security Breaches in Local, State, and Federal Government (2003-2007)
Table 5. Data Security Breaches in Health Care (2003-2007)

Introduction

Personal data security breaches are being reported with increasing regularity. During the past few years, there have been numerous examples of hackers breaking into corporate, government, academic, and personal computers and compromising computer systems or stealing personal data such as Social Security, bank account, credit card, and driver's license numbers, as well as medical and student records. These breaches occur not only because of illegal or fraudulent attacks by computer hackers, but often because of careless business practices, such as lost or stolen laptop computers, or the inadvertent posting of personal data on public websites.
A recent infamous example occurred in May 2006, when 26.5 million veterans and their spouses were in danger of identity theft because a Veterans Affairs data analyst took home a laptop computer containing personal data (including names, Social Security numbers, and dates of birth), which was later stolen in a burglary.[1]

Depending on the definition, the most common type of identity theft is credit card fraud, and there is evidence that the extent of credit card fraud has increased due to opportunities provided by the Internet.[2] Although some aspects of identity theft have been known for many years, it is viewed now primarily as a product of the information age. A particular crime of identity theft may include one or all of these stages:

  Stage 1: Acquisition of the identity through theft, computer hacking, fraud, trickery, force, re-directing or intercepting mail, or even by legal means (e.g., purchase information on the Internet).

  Stage 2: Use of the identity for financial gain (the most common motivation) or to avoid arrest or otherwise hide one's identity from law enforcement or other authorities (such as bill collectors). Crimes in this stage may include account takeover, opening of new accounts, extensive use of debit or credit cards, sale of the identity information on the street or black market, acquisition ("breeding") of additional identity related documents such as driver's licenses, passports, visas, health cards, etc., filing tax returns for large refunds, insurance fraud, stealing rental cars, and many more.

  Stage 3: Discovery of the theft. While many misuses of credit cards are discovered quickly, the "classic" identity theft involves a long period of time to discovery, typically from six months to as long as several years. Evidence suggests that the time it takes to discovery is related to the amount of loss incurred by the victim.[3]

  Identity theft is rarely one crime, but is composed of the commission of a wide variety of other crimes, such as check and card fraud, financial crimes of various sorts, various telemarketing and Internet scams, auto theft, counterfeiting and forgery, etc. The difficulty in studying identity theft is investigating what portion of the long list of identity theft related crimes is related to the "classic" type of identity theft that results in repeat victimization. For example, a common type of credit card fraud is to steal an individual's credit card. The offender makes a quick purchase of an expensive item then discards the card. Has the victim's identity truly been stolen? The event clearly fits within the definition above, but it is not the wholesale theft of the victim's identity. However, should the offender be working with an accomplice, the card could be turned over several times and even sold on the street. Finally, should the victim's driver's license and other identifying documents such as a health card with a Social Security number on it also be stolen, the basic elements for stealing an individual's identity are present.[4]

A January 2007 white paper by the computer security research company McAfee Avert Labs reports a dramatic increase in global identity theft trends.[5] One key finding was that "[p]ersonal data for tens of millions of people disappears each year. It's either been stolen or misplaced. Despite this disturbing trend, the number of complaints is surprisingly low, which leads us to believe the losses are not fully acknowledged."[6]

[1] For additional information on legislative proposals introduced after the VA data theft (and in light of several ongoing information security and information technology management issues at the VA), see CRS Report RL33612, Department of Veterans Affairs: Information Security and Information Technology Management Reorganization, by Sidath Viranga Panangala.
[2] Graeme Newman and Megan McNally, Identity Theft Literature Review, National Criminal Justice Reference Service (NCJRS), 2005, at [http://www.ncjrs.gov/pdffiles1/nij/grants/210459.pdf].
[3] Ibid., p. v.
[4] Ibid., p. 14.
[5] Francois Paget. Identity Theft, McAfee Avert Labs, January 2007, at [http://www.mcafee.com/us/local_content/white_papers/wp_id_theft_en.pdf]. This report discusses recent high-profile examples of identity theft and how several countries define this type of fraud and its scope; examines both the criminals and their techniques to better understand how identity theft has evolved in recent years; and focuses on the victims and consequences of identity theft.
[6] Ibid., p. 3.

A California law that requires notice of security breaches to the affected individuals is the major reason for the increased awareness of these breaches.[7] This law, which was implemented in July 2003, was the first of its kind in the nation. State security breach notification requires companies and other entities that have lost personal data to notify affected consumers. Thirty-five states have enacted legislation requiring companies or state agencies to disclose security breaches involving personal information.[8] State security freeze[9] laws allow a customer to block unauthorized third parties from obtaining one's credit report.

Statistics

Identity theft victims spend almost 300 million hours a year trying to clear their names and re-establish good credit ratings.[10] For additional information on this topic, see CRS Report RL31919, Remedies Available to Victims of Identity Theft, by Gina Marie Stevens.

In December 2006, a senior editor for Wired News noted a milestone: "... the total number of lost or exposed personal records since February, 2005, [has passed] the 100 million mark."[11] The New York Times wrote an article discussing this landmark and questioned the usefulness of computing such data breaches.

  [T]he bigger picture here may be that we are now slicing and dicing the niceties of data breaches against a running tally so large, that it has lost nearly any meaning at all... 'The threat of identity theft from data losses is being greatly exaggerated,' Fred H. Cate, the director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington, told this newspaper not long ago. 'And that's because a lot of people have fallen into the trap of equating data loss with identity theft.'

  Whether or not that is true is open to debate, but what all this data loss does represent, however, is the potential for identity theft -- one that will never go away. Sure, it's a game of odds. There is only so much a crook can do with a few hundred thousand names and Social Security numbers. But once they are out there, they are out there for good. Names don't change. Neither do Social Security numbers or dates of birth. And as long as it remains easy enough to fashion that trifecta into a car loan, a home, a credit card, work papers, that would seem to be a bit of a long-term problem.[12]

[7] California Department of Consumer Affairs, Office of Privacy Protection, Notice of Security Breach - Civil Code Sections 1798.29 and 1798.82 - 1798.84, updated June 24, 2003, at [http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29], [http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84], and Recommended Practices on Notification of Security Breach Involving Personal Information, October 10, 2003, at [http://www.privacy.ca.gov/recommendations/secbreach.pdf].
[8] See State Security Breach Notification Laws, National Conference of State Legislatures at [http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm]. As of January 9, 2007, the following states have enacted security breach notification laws: Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin. See also: State PIRG Summary of State Security Freeze and Security Breach Notification Laws, U.S. Public Interest Research Group (USPIRG) at [http://www.pirg.org/consumer/credit/statelaws.htm#breach]. See also CRS Report RS22374, Data Security: Federal and State Laws, by Gina Marie Stevens.
[9] A security freeze law allows a customer to block unauthorized third parties from obtaining his or her credit report or score. A consumer who places a security freeze on his or her credit report or score receives a personal identification number to gain access to credit information or to authorize the dissemination of credit information. See CRS Report RS22484, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, by Tara Alexandra Rainson.
[10] Peter Katel, "Identity Theft: Can Congress Give Americans Better Protection?," CQ Researcher, June 10, 2005.

The Identity Theft and Assumption Deterrence Act of 1998[13] established the Federal Trade Commission (FTC) as the government entity charged with developing "procedures to ... log and acknowledge the receipt of complaints by individuals," as well as educate and assist potential victims.[14] The FTC compiles annual reports and charts of aggregated statistics on these events, but does not identify which corporations, organizations, or other entities have been victims of security breaches.
In February 2007, FTC issued its annual report on fraud complaints consumers have filed with the agency. For the seventh year in a row, identity theft topped the list, accounting for 36% of the 674,354 complaints received between January 1 and December 31, 2006.[15] Credit card fraud was the most common form of reported identity theft, followed by phone or utilities fraud, bank fraud, and employment fraud.

A number of federal agencies (e.g., the FTC, Department of Justice, Secret Service, U.S. Postal Service, and Social Security Administration), state attorneys general, and nonprofit organizations (such as the Electronic Privacy Information Center) are involved with data privacy investigations or related consumer assistance. None of them maintain a comprehensive itemized list of data security breaches.[16] However, the Privacy Rights Clearinghouse maintains a frequently updated chronology of data breaches from February 2005 to the present.[17]

[11] Kevin Poulsen, "Data Spills: 100 Million Served," 27B Stroke 6, December 14, 2006, at [http://blog.wired.com/27bstroke6/2006/12/data_spills_100.html].
[12] Tom Zeller, "An Ominous Milestone: 100 Million Data Leaks," New York Times, December 18, 2006, p. C3.
[13] Identity Theft and Assumption Deterrence Act, as amended by P.L. 105-318, 112 Stat. 3007 (October 30, 1998), at [http://www.ftc.gov/os/statutes/itada/itadact.htm].
[14] For an overview of the federal laws that could assist victims of identity theft with purging inaccurate information from their credit records and removing unauthorized charges from credit accounts, as well as federal laws that impose criminal penalties on those who assume another person's identity through the use of fraudulent identification documents, see CRS Report RL31919, Remedies Available to Victims of Identity Theft, by Gina Marie Stevens. (Relevant state laws are also discussed.)
[15] Federal Trade Commission press release, "FTC Issues Annual List of Top Consumer Complaints," February 7, 2007, at [http://www.ftc.gov/opa/2007/02/topcomplaints.htm].

The United States Computer Emergency Readiness Team (US-CERT) interacts with federal agencies, industry, the research community, state and local governments, and others to collect reasoned and actionable cybersecurity information and to identify emerging cybersecurity threats. US-CERT has recently begun monitoring trends involving the acquisition of personally identifiable information (PII) by unauthorized, malicious users.

Based on the information reported in the first quarter of FY2007, US-CERT identified the following cybersecurity trends: phishing[18] made up the bulk of security threats reported to US-CERT, accounting for almost 75% of all incidents handled. The number of reports grew by more than 500%, with just over 16,000 reports in FY2006 Q1, compared with over 103,000 in FY2007 Q1. The second highest category was "others," the bulk of which generally fell into two main areas: investigations, which were incidents found by US-CERT analysts combing through data, and incidents involving PII, both cyber and non-cyber in nature. The remaining 8% of incidents were spread across malware, equipment theft/loss, policy violations, and suspicious network activity.[19]

Data Security Breaches in Federal Agencies

In reports to Congress since 1997, GAO has identified information security as a government-wide high-risk issue.[20] In their FY2006 financial statement audit reports, 21 out of 24 agencies indicated that they had significant weaknesses in information security controls. As shown in reports by GAO and agency inspectors general (IG), the weaknesses persist in major categories of controls -- including, for example, access controls, which ensure that only authorized individuals can read, alter, or delete data; and configuration management controls, which provide assurance that only authorized software programs are implemented. "Organizations can reduce the risks associated with intrusions and misuse if they take steps to detect and respond to incidents before significant damage occurs, analyze the causes and effects of incidents, and apply the lessons learned."[21]

[16] For a brief discussion of federal and state data security laws, see CRS Report RS22374, Data Security: Federal and State Laws, by Gina Marie Stevens.
[17] Privacy Rights Clearinghouse, A Chronology of Data Breaches at [http://www.privacyrights.org/ar/ChronDataBreaches.htm]. The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization which seeks to raise consumers' awareness of how technology affects personal privacy, and to document privacy complaints. The chronology "begins with ChoicePoint's 2/15/05 announcement of its data breaches because it was a watershed event in terms of disclosure to the affected individuals."
[18] Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites. Websites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. (Source: SearchSecurity.com (powered by whatis.com), at [http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci916037,00.html].)
[19] US-CERT, Quarterly Trends and Analysis Report, March 1, 2007, at [http://www.us-cert.gov/press_room/trendsandanalysisQ107.pdf]. This report summarizes and provides analysis of incident reports submitted to US-CERT during the first quarter of FY2007 (October 1, 2006, to December 31, 2006).
[20] Government Accountability Office, Information Security: Persistent Weaknesses Highlight Need for Further Improvement, GAO-07-751T, April 19, 2007, at [http://www.gao.gov/new.items/d07751t.pdf].

In February 2007, the Federal Bureau of Investigation (FBI) reported that 160 laptop computers were lost or stolen in less than four years (February 2002 to September 2005), including at least 10 that contained sensitive or classified information -- one of which held "personal identifying information on FBI personnel."[22] According to the report, the FBI failed to report 76% of the missing laptops to the Justice Department as required.[23]

A number of data security breaches by federal agencies revealed many agencies do not have adequate security controls in place[24] (see Table 3, below). In 2006, the list of agencies with incidents of potentially compromised data included the Departments of Agriculture, Defense, Energy, Veterans Affairs, and Transportation, the Federal Trade Commission, the Internal Revenue Service, the Government Accountability Office, the National Institutes of Health, and the Department of the Navy. The State Department also suffered a series of hacking attacks.

In FY2006, 5,146 incidents were reported to the Department of Homeland Security's incident response center for six categories of incidents, a substantial increase in the number of incidents (3,600) reported the prior year, including 706 instances of unauthorized access and 1,465 cases of malicious computer code, according to a yearly OMB report.[25]

  [E]xperts say the federal government faces special challenges because of the variety of sensitive information it keeps, the increasingly mobile nature of the federal workforce and the pervasive use of contractors, which allow thousands of individuals with varying levels of security clearance to access government databases from remote sites. A 2004 government survey on the work practices of 1.8 million federal workers found that more than 140,000 had clearance to connect with government computer systems from home. The IRS says 50,000 of its employees have laptops allowing them to access personal and business tax information from anywhere. And 133 Education Department personnel can access more than 10,000 records containing student loan recipients' personal information.[26]

[21] Ibid., p. 2.
[22] U.S. Department of Justice, Office of the Inspector General, Audit Division, The Federal Bureau of Investigation's Control over Weapons and Laptop Computers Follow-up Audit, Audit Report 07-18, February 2007, at [http://www.usdoj.gov/oig/reports/FBI/a0718/final.pdf].
[23] Ibid., p. 6.
[24] Rebecca Adams, "Data Drip: How the Feds Handle Personal Data," CQ Weekly, July 10, 2006, p. 1846.
[25] Office of Management and Budget, FY 2006 Report to Congress on Implementation of The Federal Information Security Management Act of 2002, March 1, 2007 at [http://www.whitehouse.gov/omb/inforeg/reports/2006_fisma_report.pdf].

In a report released in October 2006, the House Government Reform Committee[27] summarized information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected.[28]

In June 2006, the Office of Management and Budget issued new security guidelines requiring federal civilian agencies to implement new measures to protect sensitive personal information held by federal agencies.[29] To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director.
Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity.[30]

The President's Identity Theft Task Force,[31] which was established by Executive Order on May 10, 2006,[32] is now composed of 18 federal agencies and departments. After a year of study, the Identity Theft Task Force released its final recommendations in April 2007.[33] The recommendations include the following:

- Reduce the unnecessary use of Social Security numbers by federal agencies,
- Establish national standards that require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft,
- Implement a broad, sustained awareness campaign by federal agencies to educate consumers, the private sector, and the public sector on methods to deter, detect, and defend against identity theft, and
- Create a National Identity Theft Law Enforcement Center to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.[34]

[26] Zachary Goldfarb, "To Agency Insiders, Cyber Thefts And Slow Response Are No Surprise," Washington Post, July 18, 2006, at [http://www.washingtonpost.com/wp-dyn/content/article/2006/07/17/AR2006071701170.html].
[27] In the 110th Congress, the House Government Reform Committee was renamed the House Committee on Oversight and Government Reform.
[28] U.S. House of Representatives. Committee on Government Reform, Staff Report Agency Data Breaches since January 1, 2003 at [http://oversight.house.gov/story.asp?ID=1127]. See also Agency response letters at House Committee on Government Reform website at [http://oversight.house.gov/story.asp?ID=1127].
[29] Office of Management and Budget Memorandum for the Heads of Departments and Agencies, Protection of Sensitive Agency Information, June 23, 2006, at [http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf].
[30] Ibid.
[31] Identity Theft Task Force website at [http://www.usdoj.gov/ittf/].
[32] Executive Order 13402, "Strengthening Federal Efforts to Protect Against Identity Theft," May 10, 2006, at [http://www.whitehouse.gov/news/releases/2006/05/20060510-3.html].
[33] The President's Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 2007 at [http://www.identitytheft.gov/reports/StrategicPlan.pdf].

In June 2006, a group of government agencies, corporations, and universities launched a research center dedicated to the study of identity fraud. The Center for Identity Management and Information Protection is dedicated to furthering a national research agenda on identity management, information sharing, and data protection.[35]

Congress considered legislation in the 109th Congress to address data security following a series of high-profile data security breaches at major financial services firms and data brokers, including ChoicePoint and LexisNexis. Multiple measures were introduced in 2005 and 2006, and several were reported out of committee, but none were brought to the floor. For information on proposed data security legislation in the 110th Congress, see CRS Report RL33273, Data Security: Federal Legislative Approaches, by Gina Marie Stevens.

For a discussion of legislative and other issues on this topic, see

- CRS Report RS22374, Data Security: Federal and State Laws, by Gina Marie Stevens;
- CRS Report RL33273, Data Security: Federal Legislative Approaches, by Gina Marie Stevens;
- CRS Report RS22484, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, by Tara Alexandra Rainson;
- CRS Report RL33005, Information Brokers: Federal and State Laws, by Angie A. Welborn;
- CRS Report RL33612, Department of Veterans Affairs: Information Security and Information Technology Management Reorganization, by Sidath Viranga Panangala;
- CRS Report RL31919, Remedies Available to Victims of Identity Theft, by Gina Marie Stevens; and
- CRS Report RS22082, Identity Theft: The Internet Connection, by Marcia S. Smith.

[34] Ibid.
[35] Center for Identity Management and Information Protection, at [http://www.utica.edu/academic/institutes/cimip/].

Data Security Breaches: Highlights

Tables 1 through 5 summarize selected data security or identity theft breaches reported in the press since 2000. A few highlights compiled from the report include the following.

- More than half of the security breaches occurred at institutions of higher education. (A Chronicle of Higher Education article examines why this is so, noting that while colleges have become better at detecting electronic break-ins, security practices, particularly password protections, are lax.[36] In addition, academic culture embraces the open exchange of information and provides a target-rich environment for data breaches -- an abundance of computer equipment filled with sensitive data and a pool of financially naive students.[37]) In September 2006, Louisiana State University (LSU), under a year-long agreement with Equifax Inc., provided students, faculty and staff members with free daily monitoring of their credit reports and $2,500 in identity-theft insurance. LSU claims this is the first agreement of its kind between a credit agency and a higher-education institution. The university will pay Equifax, Inc. $150,000.[38]
- Other prevalent targets for identity theft are financial institutions (banks, credit card companies, securities companies, etc.), and government agencies (international, federal, state, and local).
- The AARP analyzed 244 publicly disclosed security breaches from January 1, 2005 through May 26, 2006, identified by the Identity Theft Resource Center (ITRC).[39] An examination of the most frequent cause of reported security breaches reveals that a third of all breaches were caused by hackers who broke into computer systems to gain access to sensitive personal information. The analysis finds that educational institutions are more likely than any other type of entity to report having had a security breach. In fact, educational institutions were more than twice as likely to report suffering a breach as any other type of entity. Physical theft of computers, computer equipment, or paper files is the next most common cause of security breaches, followed by improper display (allowing sensitive personal information to be viewed by those who should not have access (for example, printing of Social Security numbers on address labels, inadvertently making sensitive personal information accessible on Internet sites viewable by the general public, or not properly disposing of files containing sensitive personal information)).

[36] Dan Carnevale, "Why Can't Colleges Hold On to Their Data?," Chronicle of Higher Education, May 6, 2005, p. A35.
[37] Reuters, "U.S. Colleges Struggle to Combat Identity Theft," eWeek, August 17, 2005, at [http://www.findarticles.com/p/articles/mi_zdewk/is_200508/ai_n14906864].
[38] Andrea L. Foster, "Louisiana State U. Signs Deal to Protect Students and Employees in Case of Data Breach," Chronicle of Higher Education, September 13, 2006, at [http://chronicle.com/daily/2006/09/2006091301t.htm].
[39] AARP, "Into the Breach: Security Breaches and Identity Theft," July 2006, at [http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html].

Table 1.
Data Security Breaches in Businesses (2000-2007) Date Number Type of Data Business Incidents Who Was Affected Source(s) Publicized Affected Released/Compromised Johnny's Selected Seeds March 2007 customers 11,500 credit card information "Security Log," ComputerWorld, (Winslow, ME) - hacker broke March 8, 2007. into website Note: 20 stolen card numbers have been used fraudulently TJ Maxx date breach (see below) February 2007 customers undisclosed drivers' license numbers, Greenemeir, Larry, " T.J. Maxx Probe worse than previously thought. names, addresses were Reveals Data Breach Worse Than while the company previously compromised for the last four Originally Thought," Information believed that the intrusion took months of 2003 and May and Week, February 21, 2007 at place from May 2006 to January June 2004 [http://www.informationweek.com/sto 2007, TJX now believes its ry/showArticle.jhtml?articleID=19700 computer system was hacked in 7754&cid=RSSfeed_IWK_News]. July 2005 and on various subsequent dates in 2005. KB Home - stolen computer January 2007 customers 2,700 names, SSNs of people who Rupon, Kristy, "KB Home warns of had visited the sales office for ID theft risk: Home builder issues Foxbank Plantation, a new alert to customers after computer is home community in Berkeley stolen from company's Charleston County sales," The State (Columbia, SC), January 18, 2007. CRS-12 Date Number Type of Data Business Incidents Who Was Affected Source(s) Publicized Affected Released/Compromised Nationwide Mutual Insurance - January 2007 customers of health 28,279 names, SSNs, hospital stay Babcock, Charles, " Data On 28,279 stolen lockbox containing insurance unit, Nationwide information. 
To find the Nationwide Customers Stolen, customer information backup Health Plans information on the tapes Information Week, January 25, 2007, tapes stored at subcontractor requires "a very specific at Concenta Preferred Systems high-tech tape reader with [http://www.informationweek.com/sto (Waymouth, MA) office matching software," that police ry/showArticle.jhtml?articleID=19700 concluded was unlikely to be 0630&cid=RSSfeed_IWK_News]. accessible to the thieves T.J. Maxx, Marshalls, January 2007 customers undisclosed credit card, debit card, check, Vijayan, Jaikumar, "Breach at TJX HomeGoods, A.J. Wright, and and merchandise return Puts Card Info at Risk; Network possibly Bob's Stores in U.S. & transactions intrusion shows IT security still not Puerto Rico -- Winners and up to snuff at some retailers, despite HomeSense stores in Canada -- push for stronger protections," and possibly T.K. Maxx stores in Computerworld, January 17, 2007. UK and Ireland - TJX Companies Inc. experienced an "unauthorized intrusion" into its computer systems that process and store customer transactions Altria (parent company of Phillp January 2007 past and present 18,000 names, SSNs, salaries, dates of Jones, Chip. "Altria employees' data Morris/Kraft Foods) via employees birth missing / Personal information was on consultant Towers Perrin (New laptop taken from firm in New York, York, NY) - five stolen laptops note: employee was arrested police say," Richmond Times- and charged with theft Dispatch, January 12, 2007, p. B1. 

Business Incident: Boeing (Seattle, WA) - laptop stolen from employee's car
Date Publicized: December 2006
Who Was Affected: current and former employees
Number Affected: 400,000
Type of Data Released/Compromised: names, addresses, SSNs, phone numbers, dates of birth, salary information
Note: Boeing fired employee whose laptop was stolen and some managers will be disciplined
Source(s): Wallace, James, "Worker Fired over Lost Laptop; Boeing Managers to Be Reprimanded for Leaving Employees Vulnerable," Seattle Post-Intelligencer, December 15, 2006.

Business Incident: Starbucks (Seattle, WA) - four laptops misplaced from headquarters
Date Publicized: November 2006
Who Was Affected: current and former employees
Number Affected: 60,000
Type of Data Released/Compromised: names, addresses, SSNs
Source(s): Harris, Craig, "Starbucks Data Missing; Company Says Laptops with Employees' Records Are Lost," Seattle Post-Intelligencer, November 4, 2006, p. E1.

Business Incident: Gymboree (San Francisco, CA) - twice in one week, three laptops stolen from headquarters
Date Publicized: October 2006
Who Was Affected: employees
Number Affected: 20,000
Type of Data Released/Compromised: names, SSNs
Source(s): "Gymboree gumshoe hunts thief," San Francisco Chronicle, October 27, 2006, p. D1.

Business Incident: T-Mobile USA (Bellevue, WA) - laptop disappeared from employee's checked luggage (laptop was protected by password)
Date Publicized: October 2006
Who Was Affected: current and former employees
Number Affected: 43,000
Type of Data Released/Compromised: names, addresses, SSNs, home phone numbers, dates of birth, salary information
Source(s): Rogoway, Mike, "T-Mobile reports ID-theft risk," The Oregonian (Portland), October 20, 2006.

Business Incident: General Electric (Fairfield, CT) - laptop stolen from locked hotel room (computer was password protected)
Date Publicized: September 2006
Who Was Affected: current and former employees
Number Affected: 50,000
Type of Data Released/Compromised: names, SSNs
Source(s): Anderson, Eric and Rick Clemenson, "50,000 among missing at GE; Names in stolen laptop have retiree questioning company's need for sensitive lists," Times-Union (Albany), September 27, 2006, p. A1.

Business Incident: AT&T - hackers broke into computer system
Date Publicized: August 2006
Who Was Affected: customers who purchased DSL equipment from AT&T online store
Number Affected: 19,000
Type of Data Released/Compromised: credit card data
Source(s): Associated Press, "Hackers Gain Data on AT&T Shoppers," New YorkTimes.com, August 30, 2006.

Business Incident: Automated Data Processing (ADP) (Roseland, NJ) - "an unauthorized party impersonated officers" to obtain information on investors
Date Publicized: July 2006
Who Was Affected: individual investors with 60 companies including Fidelity, UBS, Morgan Stanley, Bear Stearns, Citigroup, Merrill Lynch
Number Affected: hundreds of thousands
Type of Data Released/Compromised: names, addresses, number of shares held of investors
Source(s): Spangler, Todd, "ADP Duped into Disclosing Data," BaselineMag.com, July 10, 2006, at [http://www.baselinemag.com/article2/0,1540,1986655,00.asp].

Business Incident: Kaiser HMO - stolen laptop
Date Publicized: July 2006
Who Was Affected: HMO subscribers to Kaiser health plan
Number Affected: 160,000
Type of Data Released/Compromised: names, phone numbers, Kaiser numbers
Source(s): Singel, Ryan, "Kaiser Joins Lost Laptop Crowd," InfoSecurity, July 30, 2006, at [http://infosecurity.us/mambo//content/view/90/49/].

Business Incident: C.S. Stars (insurance contractor) - lost computer containing workers' records
Date Publicized: July 2006
Who Was Affected: injured New York state workers (claiming compensation funds)
Number Affected: 540,000
Type of Data Released/Compromised: SSNs, names, addresses
Source(s): Hines, Matt, "Insurance Company Loses 540,000 N.Y Employee Records," eWeek, July 26, 2006, at [http://www.eweek.com/article2/0,1895,1994416,00.asp].

Business Incident: National Association of Securities Dealers (NASD) (Boca Raton, FL) - 10 stolen laptops
Date Publicized: July 2006
Who Was Affected: securities dealers who were the subject of investigations involving possible misconduct
Number Affected: 73
Type of Data Released/Compromised: SSNs of securities dealers, plus inactive account numbers of about 1,000 consumers
Source(s): Jamieson, Dan, "Rule Likely on Notification of Data Breaches, Some Say; Theft of NASD Laptops Raises Questions about Regulators' security," Investment News, July 10, 2006, p. 2.

Business Incident: American Red Cross, Farmers Branch (Dallas, TX) - 3 stolen laptops
Date Publicized: July 2006
Who Was Affected: regional blood donors
Number Affected: 8,000
Type of Data Released/Compromised: names, SSNs, birth dates, medical information
Source(s): Schreier, Laura, "Donor Data Stolen at Local Red Cross Exclusive: 3 Laptops from Farmers Branch Office Held Encrypted Records," Dallas Morning News, July 1, 2006, p. 1A.

Business Incident: Bisys Group Inc. (Roseland, NJ) - employee's truck carrying backup tapes was stolen
Date Publicized: July 2006
Who Was Affected: hedge fund donors
Number Affected: 61,000
Type of Data Released/Compromised: SSNs of 35,000 individuals
Source(s): Clair, Chris, "Bisys Discloses Data Theft," HedgeWorld Daily News, July 6, 2006 (no page given).

Business Incident: American International Group (AIG) - burglary of a file server
Date Publicized: June 2006
Who Was Affected: employees of various companies whose insurance information was submitted to AIG
Number Affected: 970,000
Type of Data Released/Compromised: names, addresses, SSNs, medical information
Source(s): Smith, Elliot Blair, "AIG: Personal Data on 970,000 Lost in Burglary; Insurer Has Yet to Alert Those Affected by March 31 Break-in," USA Today, June 19, 2006, p. 5B.

Business Incident: Ernst & Young - stolen laptop
Date Publicized: June 2006
Who Was Affected: Hotels.com customers
Number Affected: 243,000
Type of Data Released/Compromised: names, credit card numbers
Source(s): Reilly, David, "Hotels.com Credit-Card Data Lost in Stolen Laptop Computer," Wall Street Journal, June 2, 2006, p. A14.

Business Incident: Union Pacific - stolen laptop
Date Publicized: June 2006
Who Was Affected: employees of the railroad company
Number Affected: 30,000
Type of Data Released/Compromised: personal data
Source(s): Vijayan, Jaikumar and Todd Weiss, "Flurry of New Data Breaches Disclosed," Computerworld, June 19, 2006 at [http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001282].

Business Incident: Ross-Simons - data breach
Date Publicized: April 2006
Who Was Affected: customers
Number Affected: undisclosed
Type of Data Released/Compromised: credit card numbers, financial information, other personal information
Source(s): "Ross-Simons Says Security Breach Exposes Customers," Computerworld, April 12, 2006, at [http://www.computerworld.com/securitytopics/security/story/0,10801,110425,00.html?source=x3888].

Business Incident: eBay - hackers harvesting and selling user information
Date Publicized: March 2006
Who Was Affected: customers
Number Affected: undisclosed
Type of Data Released/Compromised: account information
Source(s): Niccolai, James, "Russian Web Site Offered eBay Account Info for $5," Computerworld, March 24, 2006, at [http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,109881,00.html].

Business Incident: Deloitte & Touche - unencrypted CD left on a plane
Date Publicized: February 2006
Who Was Affected: all U.S. and Canadian employees of McAfee Software hired before April 2005
Number Affected: 9,200
Type of Data Released/Compromised: names, SSNs, McAfee stock holdings
Source(s): Kuruvila, Matthai C., "Security Giant's Data Lost," Silicon Valley, February 24, 2006.

Business Incident: Atlantis Resort - theft from the hotel's database
Date Publicized: January 2006
Who Was Affected: customers
Number Affected: 55,000
Type of Data Released/Compromised: names, addresses, credit card details, SSNs, driver's license numbers, bank account data
Source(s): "IDs of 50,000 Bahamas Resort Guests Stolen," CNet News, January 10, 2006.

Business Incident: Guidance Software - hacker
Date Publicized: December 2005
Who Was Affected: security researchers and law enforcement agencies worldwide
Number Affected: 3,800
Type of Data Released/Compromised: credit card numbers
Source(s): Krebs, Brian, "Hackers Break Into Computer-Security Firm's Customer Database," Washington Post, December 19, 2005, p. D5.

Business Incident: Sam's Club - "card-skimming" devices
Date Publicized: December 2005
Who Was Affected: customers who bought fuel at its gas stations between September 21 and October 2
Number Affected: 600
Type of Data Released/Compromised: credit card information
Source(s): Vijayan, Jaikumar, "Card Skimmers Eyed in Sam's Club Data Theft," Computerworld, December 14, 2005, at [http://www.computerworld.com/databasetopics/data/story/0,10801,107067,00.html].

Business Incident: Marriott Vacation Club International - missing data tapes
Date Publicized: December 2005
Who Was Affected: customers and employees
Number Affected: 206,000
Type of Data Released/Compromised: addresses and credit card information
Source(s): "Marriott Vacation Club reports missing data tapes," Computerworld, December 26, 2005, at [http://computerworld.com/securitytopics/security/story/0,10801,107366,00.html?SKC=security-107366].

Business Incident: Ford Motor Company - stolen computer
Date Publicized: December 2005
Who Was Affected: current and former Ford employees
Number Affected: 70,000
Type of Data Released/Compromised: names and SSNs
Source(s): "Tech Crime Gets Personal at Ford," CNN Money, December 22, 2005, at [http://money.cnn.com/2005/12/22/news/fortune500/ford_theft/].

Business Incident: Safeway - company laptop stolen from manager's home
Date Publicized: November 2005
Who Was Affected: employees
Number Affected: 1,200
Type of Data Released/Compromised: names, SSNs, hire dates and work locations
Source(s): Akkad, Dania, "Safeway Discloses Security Breach," Monterey County Herald, November 5, 2005 (no page given).

Business Incident: Boeing - theft of company computer
Date Publicized: November 2005
Who Was Affected: current and former Boeing workers
Number Affected: 161,000
Type of Data Released/Compromised: names, Social Security numbers (SSNs), some birth dates and banking information for employees who elected to use direct deposit of payroll
Source(s): Bowermaster, David and Dominic Gates and Melissa Allison, "161,000 Workers' Personal Data on PC Stolen from Boeing," Seattle Times, November 19, 2005, p. A1.

Business Incident: Eastman Kodak - laptop stolen from a consultant's locked car trunk
Date Publicized: June 2005
Who Was Affected: former Eastman Kodak workers
Number Affected: 5,800
Type of Data Released/Compromised: names, Social Security numbers, birth dates and benefits information
Source(s): Davia, Joy, "Kodak Warns of Data Theft," Rochester Democrat and Chronicle (New York), June 22, 2005, p. 8D.

Business Incident: Time Warner - loss of 40 computer backup tapes containing sensitive data while being shipped by Iron Mountain to an offsite storage center
Date Publicized: May 2005
Who Was Affected: current and former employees, some of their dependents and beneficiaries, and individuals who provided services for the company
Number Affected: 600,000
Type of Data Released/Compromised: names, SSNs
Source(s): Zeller, Tom, "Time Warner Says Data on Employees Is Lost," New York Times, May 3, 2005, p. C4.

Business Incident: MCI - laptop stolen from a car that was parked in the garage at the home of a MCI financial analyst
Date Publicized: May 2005
Who Was Affected: current and former employees
Number Affected: 16,500
Type of Data Released/Compromised: names and SSNs
Source(s): Young, Shawn, "MCI Reports Loss Of Employee Data On Stolen Laptop," Wall Street Journal, May 23, 2005, p. A2.

Business Incident: LEXIS/NEXIS - intruders used passwords of legitimate customers to get access to a Seisint database called Accurint, which sells reports to law-enforcement agencies and businesses. Later analysis determined that its databases had been fraudulently breached 59 times using stolen passwords.
Date Publicized: March 2005
Who Was Affected: customers
Number Affected: 32,000 (subsequent investigation reveals the actual number is 310,000)
Type of Data Released/Compromised: names, addresses, passwords, SSNs, drivers license
Source(s): El-Rashidi, Yasmine, "LexisNexis Reports Data Breach; Personal Records Are Hacked as Concerns About Security and Identity Theft Intensify," Wall Street Journal, March 10, 2005, p. A3; and Krim, Jonathan, "LexisNexis Data Breach Bigger Than Estimated: 310,000 Consumers May Be Affected, Firm Says," Washington Post, April 13, 2005, p. E1.

Business Incident: DSW Shoe Warehouse store - information stolen from computer database over 3-month period
Date Publicized: March 2005
Who Was Affected: customers of 103 of the chain's 175 stores
Number Affected: initially "hundreds of thousands," then raised to 1.4 million
Type of Data Released/Compromised: credit card information
Source(s): Associated Press, "DSW ID Theft May Affect Over 100,000," Chicago Tribune, March 11, 2005, p. 4; and "Firm Raises Data Theft Count," Washington Post, April 19, 2005, p. E2.

Business Incident: T-Mobile - hacker intrusion into company database
Date Publicized: February 2005
Who Was Affected: T-Mobile customers
Number Affected: 400
Type of Data Released/Compromised: customer records, passwords, SSNs, private e-mail and candid celebrity photos
Note: data offered for sale via online forum
Source(s): Poulsen, Kevin, "Known Hole Aided T-Mobile Breach," Wired News, February 28, 2005, at [http://www.wired.com/news/privacy/0,1848,66735,00.html].

Business Incident: Motorola - Thieves broke into the offices of Affiliated Computer Services (ACS), a provider of human resources services, and stole two computers
Date Publicized: June 2005
Who Was Affected: Motorola employees
Number Affected: 34,000 in U.S.
Type of Data Released/Compromised: SSNs and personal information
Source(s): "Two Computers Stolen with Motorola Staff Data," Reuters, June 10, 2005.

Business Incident: ChoicePoint - criminals used fake documentation to open 50 fraudulent accounts to access consumer data
Date Publicized: February 2005
Who Was Affected: consumers
Number Affected: 30,000-35,000 in California; 145,000 nationwide
Type of Data Released/Compromised: names, addresses, SSNs, credit reports
Source(s): Perez, Evan, "ChoicePoint Is Pressed to Explain Database Breach," Wall Street Journal, February 5, 2005, p. A6.

Business Incident: Affiliated Computer Services - inmate hacked into county database
Date Publicized: October 2004
Who Was Affected: county employees
Number Affected: 900
Type of Data Released/Compromised: names, birth dates, SSNs, bank account routing numbers and checking account numbers
Source(s): Whaley, Monte, "FBI on Weld ID-Theft Case Feds to Analyze Data from Cell of Inmate Who Hacked Computer," Denver Post, November 11, 2004, p. B1.

Business Incident: Lowe's (home improvement store) - hacker used vulnerable wireless network to attempt to steal credit card info
Date Publicized: June 2004
Who Was Affected: customers
Number Affected: unknown
Type of Data Released/Compromised: skimmed credit account information for every transaction processed at a particular Lowe's store
Source(s): Roberts, Paul, "Wireless Hacker Pleads Guilty: Man Admits Using Store's Wireless Network to Steal Credit Card Info," PC World, June 7, 2004, at [http://msn.pcworld.com/news/article/0,aid,116411,00.asp].

Business Incident: eBay - hackers tricked online merchants who used the PayPal payment processing system into disclosing their user names and passwords, then logged onto the merchants' accounts
Date Publicized: March 2004
Who Was Affected: several eBay merchants
Number Affected: company did not disclose
Type of Data Released/Compromised: customer names, e-mail addresses, home addresses and transactions
Source(s): Kirby, Carrie, "New Scam Threat at eBay / Hackers Obtained Information on Some Customers," San Francisco Chronicle, March 16, 2004, p. C1.

Business Incident: Kinko's - hacker installed a key logger to record every character typed on 13 Kinko's computers
Date Publicized: November 2003
Who Was Affected: Customers at Internet terminals at 13 Kinko's copy shops in Manhattan
Number Affected: 450
Type of Data Released/Compromised: SSNs, names, passwords, credit cards, bank account data
Note: data was sold
Source(s): Napoli, Lisa, "A Hacker Masters Keystroke Theft: Personal Data Stolen from 450 Victims," International Herald Tribune, August 9, 2003, p. 1.

Business Incident: Acxiom (marketing company) - hacker downloaded data
Date Publicized: August 2003
Who Was Affected: clients include 14 of the top 15 credit card companies, 5 of the top 6 retail banks, IBM, Microsoft, and federal government
Number Affected: 10% of clientele (no total number given)
Type of Data Released/Compromised: passwords, personal, financial, and company information
Source(s): Lee, W.A. "Hacker Breaches Acxiom Data," American Banker, August 11, 2003, p. 5.

Business Incident: DirecTV - hacker stole trade secrets for access card
Date Publicized: April 2003
Who Was Affected: DirecTV subscribers
Number Affected: 50,000 customers used counterfeit access cards to watch programming without paying
Type of Data Released/Compromised: details about the design and architecture of DirecTV's "Period 4" cards
Note: data was sold
Source(s): "U. of C. Student Pleads Guilty to Theft of Direc TV Card Data; Trade Secrets Ended up on Hacker Site, Enabling Free Access," Chicago Sun-Times, April 30, 2003, p. 16.

Business Incident: TCI help-desk worker sold client access codes to two others, who then used the codes to obtain more than 15,000 customer credit records
Date Publicized: November 2002
Who Was Affected: credit reporting bureau customers
Number Affected: 15,000 (Wired News); 30,000 (Seattle Times)
Type of Data Released/Compromised: names, addresses, SSNs, credit card
Note: data sold, for $60 per record
Source(s): Delio, Michelle, "Cops Bust Massive ID Theft Ring," Wired News, November 25, 2002, at [http://www.wired.com/news/privacy/0,1848,56567,00.html]; and Masters, Brooke, "Huge ID-Theft Ring Broken; 30,000 Consumers at Risk; Men Charged with Stealing Personal, Financial Data," Seattle Times, November 26, 2002, p. A1.

Business Incident: Midwest Express Airlines and Federal Aviation Administration - hackers posted list of customer names to website and posted a list of airport security screening results taken from the FAA's system
Date Publicized: April 2002
Who Was Affected: Midwest Express Airlines customers; FAA
Number Affected: unknown (two separate incidents)
Type of Data Released/Compromised: passenger names and airport security screening results
Source(s): Larson, Virgil, "Computer Hackers Breach Midwest Express Systems," Omaha World-Herald, April 22, 2002, p. 1D.

Business Incident: ChoicePoint - Nigerian-born brother and sister posed as legitimate businesses to set up ChoicePoint accounts
Date Publicized: 2002
Who Was Affected: unknown
Number Affected: 7,000-10,000 inquiries on names and SSNs, then used identities to commit fraud
Type of Data Released/Compromised: names and SSNs
Note: data was sold
Source(s): Associated Press, "ChoicePoint Suffered Previous Breach: Two ID Thieves Arrested in 2002 for Tapping into Data" MSNBC, February 3, 2005, at [http://www.msnbc.msn.com/id/7065902/].

Business Incident: New York City restaurant busboy duped credit reporting companies into providing detailed credit reports
Date Publicized: March 2001
Who Was Affected: chief executives, celebrities and tycoons from Forbes list of richest Americans
Number Affected: 200
Type of Data Released/Compromised: SSNs, home addresses and birth dates, credit card numbers
Source(s): Hays, Tom, "Busboy Hacks Only the Richest, Used Forbes' List in Plot to Steal Identity, Credit Info, Big Bucks," Pittsburgh Post-Gazette, March 21, 2001, p. A11.

Business Incident: World Economic Forum - hackers broke into computer
Date Publicized: February 2001
Who Was Affected: attendees
Number Affected: 3,200
Type of Data Released/Compromised: passport numbers, cell phone numbers, credit card numbers, exact arrival and departure times, hotel names, room numbers, number of overnights, sessions attended, plus information on 27,000 people who have attended the global forum in recent years
Source(s): Higgins, Alexander, "Hackers Steal World Leaders' Personal Data," Chicago Sun-Times, February 6, 2001, p. 20.

Business Incident: International credit card ring adds fraudulent charges of 277 Russian rubles ($5-10) to credit cards
Date Publicized: January 2001
Who Was Affected: Internet shopping sites
Number Affected: unknown
Type of Data Released/Compromised: credit card numbers
Note: data was sold
Source(s): James, Michael, "Small-time Thefts Reap Big Net Gain Tens of Thousands of Phony $5-$10 Credit-Card Charges Rake in Millions for Hackers," Orlando Sentinel, January 27, 2001, p. E5.

Business Incident: Egghead - hacker attacked computer system
Date Publicized: December 2000
Who Was Affected: customers
Number Affected: 3.5 million credit card accounts; 7500 of which showed "suspected fraudulent activity"
Type of Data Released/Compromised: credit card info
Source(s): Sayer, Peter, "Egghead Says Customer Data Safe After Hack Attack," PC World, January 8, 2001 at [http://msn.pcworld.com/news/article/0,aid,37781,00.asp].

Business Incident: Western Union - hackers made electronic copies of the credit and debit card information
Date Publicized: September 2000
Who Was Affected: customers who transferred money on a company website
Number Affected: 15,700
Type of Data Released/Compromised: credit and debit card information
Source(s): Cobb, Alan, "Hackers Steal Credit Card Info from Western Union Site," Chicago Sun-Times, September 11, 2000, p. 22.

Business Incident: America Online - AOL customer-service representatives mistakenly downloaded an e-mail attachment sent by hackers
Date Publicized: June 2000
Who Was Affected: customers
Number Affected: 500 records were viewed
Type of Data Released/Compromised: names, addresses, and credit card numbers
Source(s): "Hackers Breach Security At America Online Inc," Wall Street Journal, June 19, 2000, p. A34.

Business Incident: Two British teens intruded into 9 e-commerce websites in the United States, Canada, Thailand, Japan and Britain
Date Publicized: March 2000
Who Was Affected: customers
Number Affected: 26,000 credit card accounts
Type of Data Released/Compromised: credit card data
Note: some data was posted on the Web
Source(s): Sniffen, Michael, "2 Teens Accused of Hacking Charged in $3 Million Credit Card Theft," Chicago Sun-Times, March 25, 2000, p. 9.

Business Incident: CD Universe (online music store) - hacker stole credit card numbers and released thousands of them on a website when the company refused to pay a $100,000 ransom
Date Publicized: January 2000
Who Was Affected: customers
Number Affected: 300,000
Type of Data Released/Compromised: credit card numbers
Note: Maxus Credit Card Pipeline Website posted up to 25,000 stolen numbers
Source(s): Associated Press, "Hacker Said to Steal 300,000 Card Numbers," Arizona Republic, January 11, 2000, p. A3.

Business Incident: Pacific Bell - 16-year-old teenager hacked into server and stole passwords
Date Publicized: January 2000
Who Was Affected: subscribers
Number Affected: 63,000 accounts were decrypted; 330,000 customers told to change passwords
Type of Data Released/Compromised: passwords
Source(s): Gettleman, Jeffrey, "Passwords of PacBell Net Accounts Stolen; Computers: Authorities Say 16-year-old Hacker Took the Data for Fun. Theft Affects 63,000 Customers," Los Angeles Times, January 12, 2000, p. 2.

Table 2. Data Security Breaches in Education (2000-2007)

Education Incident: New Mexico State Univ. (Las Cruces, NM) - personal information posted to school's website
Date Publicized: April 2007
Who Was Affected: students
Number Affected: 5,600
Type of Data Released/Compromised: names, SSNs
Source(s): Associated Press, "Personal data of NMSU students posted online," April 19, 2007.

Education Incident: University of California, San Francisco - computer file server stolen from locked office
Date Publicized: April 2007
Who Was Affected: research subjects in clinical studies
Number Affected: 3,000
Type of Data Released/Compromised: names, SSNs, and for some individuals, personal health information
Source(s): Rauber, Chris, "UCSF research data on at least 3,000 people missing in server theft," San Francisco Business Times, April 18, 2007.

Education Incident: Ohio State University (Columbus, OH) - two laptops stolen from professor's house in February 2007
Date Publicized: April 2007
Who Was Affected: chemistry students
Number Affected: 3,500
Type of Data Released/Compromised: names, SSNs, employee ID numbers, birth dates, grades
Source(s): Bush, Bill, "Hacker, thieves get OSU ID data: About 14,000 faculty and staff and 3,500 students affected," Columbus Dispatch, April 17, 2007.

Education Incident: Ohio State University (Columbus, OH) - hacker using foreign Internet address broke through computer firewall
Date Publicized: April 2007
Who Was Affected: current and former staff members
Number Affected: 17,500
Type of Data Released/Compromised: names, SSNs, employee ID numbers, birth dates
Source(s): Bush, Bill, "Hacker, thieves get OSU ID data: About 14,000 faculty and staff and 3,500 students affected," Columbus Dispatch, April 17, 2007.

Education Incident: Chicago Public Schools - two stolen laptops
Date Publicized: April 2007
Who Was Affected: current and former employees
Number Affected: 40,000
Type of Data Released/Compromised: names, SSNs
Source(s): Walberg, Matthew, "Laptops with teacher data stolen," Chicago Tribune, April 7, 2007.

Education Incident: University of California, San Francisco - campus server compromised
Date Publicized: April 2007
Who Was Affected: students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years
Number Affected: 46,000
Type of Data Released/Compromised: names, SSNs, bank accounts
Source(s): Lazarus, David, "Security Breached at UCSF," San Francisco Chronicle, April 15, 2007, p. D1.

Education Incident: University of Missouri, Research Board Grant Application System (Columbia, MO) - a hacker broke into computer server
Date Publicized: February 2007
Who Was Affected: researchers, faculty members, computer users
Number Affected: 3,799
Type of Data Released/Compromised: names, SSNs
Source(s): "Hacker hits MU database: Personal info stored in computer system," Columbia Daily Tribune (Missouri), February 2, 2007.

Education Incident: Georgia Institute of Technology (Atlanta, GA) - unauthorized access to computer account
Date Publicized: February 2007
Who Was Affected: current and former employees of School of Electrical and Computer Engineering
Number Affected: 3,000
Type of Data Released/Compromised: names, addresses, SSNs, other sensitive information
Source(s): "Hackers hit Georgia Tech and steal personal info," Atlanta Business Chronicle, February 21, 2007.

Education Incident: Vanguard University (Costa Mesa, CA) - two computers stolen from financial aid office
Date Publicized: January 2007
Who Was Affected: financial aid applicants for 2005-2006 and 2006-2007 school years
Number Affected: 5,105
Type of Data Released/Compromised: names, SSNs, dates of birth, phone numbers, driver's license numbers, lists of assets
Source(s): Edds, Kimberly, "Computer theft puts financial data at risk for 5,105 students; Costa Mesa police officer says stolen equipment holds extensive information on aid applicants at Vanguard," Orange County Register (CA), January 27, 2007.

Education Incident: Eastern Illinois University (Charleston, IL) - stolen desktop
Date Publicized: January 2007
Who Was Affected: membership rosters of the University's 23 fraternities and sororities
Number Affected: 1,400
Type of Data Released/Compromised: SSNs, birthdates, addresses
Source(s): U.S. State News, "Computer Theft Results in Security Breach; Students Notified," January 26, 2007.

Education Incident: University of Idaho (Moscow, ID) - theft of three desktop computers
Date Publicized: January 2007
Who Was Affected: university alumni, donors, students and employees
Number Affected: 70,000
Type of Data Released/Compromised: names, addresses, SSNs
Source(s): Prince, Brian, "University of Idaho Reports Computer Thefts," eWeek.com, January 12, 2007 at [http://www.eweek.com/article2/0,1759,2082796,00.asp?kc=EWRSS03129TX1K0000614].

Education Incident: Montana State University (Bozeman, MT) - student working in loan office mistakenly sent personal information to other students
Date Publicized: December 2006
Who Was Affected: students who had paid off their student loans
Number Affected: 259
Type of Data Released/Compromised: names, SSNs
Source(s): Associated Press, "University apologizes for mistakenly sharing student information," December 27, 2006.

Education Incident: Mississippi State University (Jackson, MS) - information inadvertently published on website
Date Publicized: December 2006
Who Was Affected: students and employees
Number Affected: 2,400
Type of Data Released/Compromised: names, SSNs, some dates of birth
Source(s): Lake, Richard, "MSU Data Put Online in Mishap," Clarion-Ledger (Jackson, Mississippi), December 20, 2006, p. 1A.

Education Incident: University of Colorado (Boulder) - server hacked
Date Publicized: December 2006
Who Was Affected: individuals who attended orientation sessions from 2002 to 2004
Number Affected: 17,500
Type of Data Released/Compromised: names, SSNs
Source(s): Danna, Nicole, "U. Colorado security breach not used for nefarious purposes," University Wire, December 19, 2006.

Education Incident: Riverside High School (Durham, NC) - two students accused of hacking into databases
Date Publicized: December 2006
Who Was Affected: employees
Number Affected: "thousands" (unspecified)
Type of Data Released/Compromised: names, SSNs
Source(s): Dopart, Brianne, "Students accused of hacking DPS; Two told teacher about security breach found during computer class," Herald-Sun (Durham, NC), December 15, 2006, p. B1.

Education Incident: Virginia Commonwealth University (Richmond, VA) - personal information inadvertently included in two e-mail attachments
Date Publicized: December 2006
Who Was Affected: students in the College of Humanities and Sciences
Number Affected: 561 students
Type of Data Released/Compromised: names, SSNs, addresses, grade point averages
Source(s): Robertson, Gary, "E-mail includes data on students," Richmond Times-Dispatch (Virginia), December 9, 2006.

Education Incident: University of Texas (Dallas) - computer network intrusion
Date Publicized: December 2006
Who Was Affected: current and former students, faculty, staff, and others
Number Affected: 5,000 - 6,000
Type of Data Released/Compromised: names, SSNs, and in some cases, addresses, e-mail addresses and telephone numbers
Source(s): Hacker, Holly, "UTD computer attack worse than first thought: Campus officials now say 6,000 at risk of identity theft," Dallas Morning News, December 14, 2006.

Education Incident: Nassau Community College (Garden City, NY) - theft of computer printout
Date Publicized: December 2006
Who Was Affected: all registered students
Number Affected: 21,000
Type of Data Released/Compromised: names, addresses, SSNs, phone numbers
Source(s): Winslow, Olivia, "College loses data; Printed list with personal information of Nassau Community College students gone missing, officials say," Newsday, December 6, 2006, p. A9.

Education Incident: California State University (Los Angeles) - stolen USB drive containing unencrypted personal data
Date Publicized: November 2006
Who Was Affected: students, applicants, faculty supervisors
Number Affected: 2,534
Type of Data Released/Compromised: names, SSNs, campus identification numbers (CIN), phone numbers, e-mail addresses
Source(s): US States News, "Education College Alerts Teacher Credential Applicants of Information Security Incident," November 28, 2006.

Education Incident: Greenville County School District (Greenville, SC) - computers containing personal information inadvertently sold at auctions
Date Publicized: November 2006
Who Was Affected: students and employees
Number Affected: 101,000
Type of Data Released/Compromised: names, SSNs, dates of birth, addresses, phone numbers, contact information
Source(s): Barnett, Ron, "Student Data Left on Sold Computers," Greenville News (South Carolina), November 27, 2006, p. 1A.

Education Incident: Chicago Public School District - contractor mistakenly mailed personal information as part of an insurance-information package
Date Publicized: November 2006
Who Was Affected: former school employees
Number Affected: 1,740
Type of Data Released/Compromised: names, SSNs, home addresses
Source(s): Flynn, Courtney, "Teachers' IDs mailed by mistake: 1,740 Social Security numbers included in city schools' packets," Chicago Tribune, November 27, 2006.

Education Incident: Adams State College (Alamosa, CO) - stolen laptop
Date Publicized: October 2006
Who Was Affected: high school Outward Bound students
Number Affected: 184
Type of Data Released/Compromised: unspecified personal data
Source(s): Smith, Erin, "Stolen ASC laptop holds student data," Pueblo Chieftain, October 10, 2006.

Education Incident: Connors State College (Warner, OK) - stolen laptop
Date Publicized: November 2006
Who Was Affected: students who receive Oklahoma Higher Learning Access Program scholarships
Number Affected: 22,500
Type of Data Released/Compromised: SSNs and other (unspecified) identifying information
Source(s): Simpson, Susan, "Stolen computer contained student data," Daily Oklahoman, November 15, 2006.

Education Incident: University of Minnesota (Spain) - laptop stolen from a faculty member on a trip to Spain
Date Publicized: October 2006
Who Was Affected: students
Number Affected: 200
Type of Data Released/Compromised: names, university IDs, grades
Source(s): Tosto, Paul, "Second laptop with student data was stolen: No Social Security numbers compromised," Pioneer Press (St. Paul, Minnesota), October 20, 2006.

Education Incident: University of Texas (Arlington) - stolen computers
Date Publicized: October 2006
Who Was Affected: students
Number Affected: 2,500
Type of Data Released/Compromised: names, SSNs, university IDs, grades, emails
Source(s): "U. Texas-Arlington student info on stolen computers," University Wire, October 12, 2006.

Education Incident: San Juan Capistrano Unified School District (CA) - theft of 5 computers
Date Publicized: October 2006
Who Was Affected: employees
Number Affected: unknown
Type of Data Released/Compromised: unknown
Source(s): McDonald, John, "Computers stolen from offices of Capistrano school district; the five machines, valued at $5,000, may have contained confidential information on employees, a spokeswoman says," Orange County Register (California), October 6, 2006, p. South_B.

Education Incident: Troy Athens High School (Troy, MI) - stolen hard drive
Date Publicized: October 2006
Who Was Affected: alumni
Number Affected: 4,400
Type of Data Released/Compromised: names, addresses, SSNs
Source(s): Lewis, Shawn, "Alumni will get credit watch; In wake of lost data, Troy district offers 14 months of free identity theft protection," Detroit News, October 23, 2006.

Education Incident: University of Iowa Department of Psychology (Iowa City, IA) - computer attack
Date Publicized: September 2006
Who Was Affected: subjects who participated in research studies on maternal and child health from 1995 until the present
Number Affected: 14,500
Type of Data Released/Compromised: SSNs
Source(s): "University of Iowa Contacts Research Subjects about Computer Intrusion," US Fed News, September 29, 2006.

Education Incident: Western Illinois University - hacker accessed several electronic student services systems
Date Publicized: July 2006
Who Was Affected: students, customers of the university's online bookstore, guests of the university hotel
Number Affected: 180,000
Type of Data Released/Compromised: SSNs, personal data, credit card information
Source(s): Maguire, John, "Alums Just Told of Computer Breach: Data on 180,000 with Ties to WIU Hacked a Month Ago," Chicago Sun-Times, July 5, 2006, p. 8.

Education Incident: University of Tennessee - hacker broke into UT computer
Date Publicized: July 2006
Who Was Affected: past and current employees
Number Affected: 36,000
Type of Data Released/Compromised: SSNs, names, addresses
Source(s): Herrington, Angie, "UT Notifies Workers of Computer Hacking," Chattanooga Times Free Press, July 7, 2006, p. O.

Education Incident: Northwestern University (Chicago) - hackers broke into nine desktop computers in the Office of Admissions and Financial Aid
Date Publicized: July 2006
Who Was Affected: students and applicants to the school
Number Affected: 17,000
Type of Data Released/Compromised: names, addresses, SSNs
Source(s): "Hackers break into NU Admissions, Financial Aid Computers," Chicago Sun Times, July 15, 2006, at [http://www.suntimes.com/cgi-bin/print.cgi?getReferrer=[http://www.suntimes.com/output/news/cst-nws-hack15.html].

Education Incident: Moraine Park Technical College (Beaver Dam, Fond du Lac, & West Bend, WI) - missing computer disk
Date Publicized: July 2006
Who Was Affected: apprenticeship students back to 1993
Number Affected: 1,500
Type of Data Released/Compromised: names, addresses, phone numbers, SSNs
Source(s): "News Summaries Ozaukee and Washington Counties," Milwaukee Journal Sentinel, July 16, 2006, p. Z3.

Education Incident: Catawba County Schools (Newton, NC) - website exposed personal data
Date Publicized: June 2006
Who Was Affected: students who had taken keyboarding and computer applications placement test during the 2001-02 school year
Number Affected: 619
Type of Data Released/Compromised: names, SSNs, test scores
Source(s): Shain, Andrew, and Hannah Mitchell, "619 Students' Secure Data Revealed Online: Google Page Showed Social Security Numbers, Test Scores," Charlotte Observer, June 24, 2006, p. 1B.

Education Incident: San Francisco State University - faculty member's laptop stolen
Date Publicized: June 2006
Who Was Affected: current and former students
Number Affected: 3,000
Type of Data Released/Compromised: names, SSNs, phone numbers and grade point averages
Source(s): Asimov, Nanette, "SFSU students' information stolen; School alerts 3,000 affected by theft of faculty laptop," San Francisco Chronicle, June 23, 2006, p. B5.

Education Incident: University of Kentucky - stolen thumb drive
Date Publicized: June 2006
Who Was Affected: current and former students
Number Affected: 6,500
Type of Data Released/Compromised: SSNs
Source(s): Kiernan, Vincent, "Incidents at Two Universities Put More Than 200,000 Students at Risk of Data Theft," The Chronicle of Higher Education, June 19, 2006, p. A21.

Education Incident: Ohio University (Athens, OH) - hackers breach servers in two separate incidents
Date Publicized: May 2006
Who Was Affected: individuals and organizations listed in the alumni database, owners of patents and other intellectual property
Number Affected: 300,00
Type of Data Released/Compromised: SSNs, personal information, biographical information, patent data, intellectual property files
Source(s): Vijayan, Jaikumar, "Ohio University Reports Two Separate Security Breaches," Computerworld, May 3, 2006, at [http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=111113&intsrc=article_pots_bot].

Education Incident: Sacred Heart University - hackers intrude system
Date Publicized: May 2006
Who Was Affected: students and some individuals not associated with the university
Number Affected: 135,000
Type of Data Released/Compromised: personal information, SSNs
Source(s): Sandoval, Greg, "Sacred Heart is Latest University to be Hacked," CNet News, May 26, 2006, at [http://news.com.com/2100-7349_3-6077212.html].

Education Incident: University of Texas, Austin - data breach
Date Publicized: April 2006
Who Was Affected: students, alumni, faculty, and staff of the business school
Number Affected: 200,000
Type of Data Released/Compromised: SSNs, biographical materials
Source(s): Associated Press, "University of Texas Probes Computer Breach," MSNBC, April 24, 2006, at [http://www.msnbc.msn.com/id/12459840/].

Education Incident: University of Arizona - hackers break into journalism department's computer system
Date Publicized: February 2006
Who Was Affected: journalism students
Number Affected: undisclosed
Type of Data Released/Compromised: none so far
Source(s): Grossman, Djamila, "Romanian Hacker Breaks into UA Journalism Computers," Arizona Daily Star, February 14, 2006, p. B2.
| Education Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Notre Dame - hackers attack server | January 2006 | alumni and other donors to the university | undisclosed | SSNs, credit card numbers, check images | Roberts, Paul F., "Hackers Target Notre Dame Donors," eWeek, January 24, 2006, at [http://www.eweek.com/article2/0,1895,1915087,00.asp]. |
| Indiana University - malicious software programs installed on business instructor's computer | November 2005 | Kelley School of Business students enrolled in introductory business course between 2001-2005 | 5,300 | personal student information | Associated Press, "IU Finds 'Malicious' Software," FortWayne.com, November 18, 2005, at [http://www.fortwayne.com/mld/fortwayne/news/local/13202338.htm]. |
| University of Tennessee Medical Center - laptop computer stolen | November 2005 | patients who received treatment in 2003 | 3,800 | names and SSNs | "UT Patients Warned of Stolen Computer," Chattanooga Times Free-Press, November 2, 2005, p. B2. |
| Georgia Institute of Technology Office of Enrollment Services - computer theft | November 2005 | past, present, and prospective students | 13,000 | SSNs, birth dates, names, addresses | Kantor, Arcadiy, "Georgia Tech Computer Theft Compromises Student Data," The Technique (via University Wire), November 11, 2005 at [http://www.nique.net/issues/2005-11-11/news/3]. |
| University of Tennessee - inadvertent posting of names and Social Security numbers to Internet lists | October 2005 | students and employees | 1,900 | names and SSNs | "State Briefs: UT Students' Private Data Posted on the 'Net," The Tennessean.com, October 29, 2005, at [http://tennessean.com/apps/pbcs.dll/article?AID=/20051029/NEWS01/510290327/1006/NEWS01]. |

| Education Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| University of Georgia - hacker hits employee records server | September 2005 | current and former employees of university's College of Agricultural and Environmental Sciences | 1,600 | SSNs | Simmons, Kelly, "Hackers Breach Database at UGA," The Atlanta Journal - Constitution, September 29, 2005, p. C2. |
| Miami University (Ohio) - report containing SSNs and grades of more than 20,000 students has been accessible via the Internet since 2002 | September 2005 | students | 21,762 | SSNs, grades | Giordano, Joe, "Miami University, Ohio, Finds Huge Online Security Breach," Journal-News (Hamilton, OH), September 16, 2005 (no page given). |
| Kent State University - five desktop computers stolen from campus | September 2005 | students and professors | 100,000 | names, SSNs, grades | Gonzalez, Jennifer, "Student, Faculty Data on Stolen Computers," Plain Dealer (Cleveland), September 10, 2005, p. B1. |
| Sonoma State University - hacking | August 2005 | people who either attended, applied, graduated or worked at the school from 1995 to 2002 | 61,709 | names, SSNs | Park, Rohnert, "Hackers Hit College Computer System: Identity Theft Fears at Sonoma State," San Francisco Chronicle, August 9, 2005, p. B2. |
| California State University - Office of the Chancellor may have experienced unauthorized access to one of its computers | August 2005 | students who receive financial aid and two financial aid administrators | 154 | names, SSNs | "California State University Chancellor's Office Experiences Potential Computer Security Breach," U.S. States News, August 29, 2005 (no page given). |
| University of Florida Health Sciences Center/ChartOne - stolen laptop | August 2005 | patients and physicians | 3,851 | names, SSNs, dates of birth, medical records | Chun, Diane, "3,851 Patients at Risk of ID Theft," Gainesville.com, August 27, 2005 at [http://www.gainesville.com/apps/pbcs.dll/article?AID=/20050827/LOCAL/208270336/1078/news]. |

| Education Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| University of Colorado - hacking into campus Card Office (creates IDs for staff and students) | August 2005 | students and faculty | 36,000 | university accounts and personal information | Uhls, Anna, "U. Colorado students getting (re)carded," University Wire/Colorado Daily, August 4, 2005 (no page given). |
| University of North Texas - hacking | August 2005 | current, former and prospective students | 38,607 | names, addresses, telephone numbers, SSNs, student identification numbers, student ID passwords, student classification information and possibly 524 credit card numbers | Tessyman, Neal, "Hackers Steal Student Info from U. North Texas," University Wire, August 11, 2005 (no page given). |
| University of Colorado - hackers tapped into a database in the registrar's office | August 2005 | student records from June 1999 to May 2001 and from fall 2003 to summer 2005. | 49,000 | names, SSNs, addresses, phone numbers | Mccrimmon, Katie Kerwin, "Hackers Tap CU Registrar's Database; Privacy of 49,000 Students Potentially Invaded in Breach," Rocky Mountain News (Denver), August 20, 2005, p. 20A. |
| California State University, Stanislaus - hacking | August 2005 | student workers | 900 | names, SSNs | Togneri, Chris, "Hacker Breaks into Stan State Computer," Modesto Bee, August 16, 2005, p. B1. |
| University of Southern California - individual hacked into USC's online application system | July 2005 | applicants | 270,000 | name, address, SSNs, e-mail address, phone number, date of birth, login information | Hawkins, Stephanie, "Hacker Hits Application System at USC," University Wire/ Daily Trojan, August 18, 2005 (no page given). |
| California Polytechnic, Pomona - two computers hacked | July 2005 | university applicants and current and former faculty, staff and students | 31,077 | names, SSNs | Ruiz, Kenneth, "Hackers Infiltrate Cal Poly," Whittier Daily News (CA), August 5, 2005 (no page given). |
| University of Colorado, Boulder - hackers broke into a computer server containing information used to issue identification cards | July 2005 | students and professors | 29,000 students and 7,000 professors | SSNs, names, photographs | Associated Press, "Hackers Break into CU Computers Containing 36k Records," August 1, 2005. |
| Michigan State University - breach of a server in the College of Education | July 2005 | students | 27,000 | names, addresses, SSNs, course information, personal identification numbers | Associated Press, "Students Informed Social Security Numbers Possibly Compromised," July 7, 2005. |
| University of California, San Diego - hackers broke into university server | July 2005 | students, staff, faculty who had attended or worked at UCSD Extension in the past five years | 3,300 | SSNs, driver license and credit card numbers | "SD UCSD Hackers," City News Service, July 1, 2005 (no page given). |
| California State University Dominguez Hills - hacking | July 2005 | students | 9613 | names, SSNs | Associated Press, "Hackers crack computers, access private student information," July 29, 2005. |
| University of Connecticut - hacking - rootkit (collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network) placed on server on October 26, 2003, but not detected until July 20, 2005 | June 2005 | students, staff, and faculty | 72,000 | names, SSNs, dates of birth, phone numbers and addresses | Naraine, Ryan, "UConn Finds Rootkit in Hacked Server," eWeek, June 27, 2005, at [http://www.eweek.com/article2/0,1759,1831892,00.asp]. |
| Kent State University - laptop stolen from employee's car | June 2005 | full-time faculty members since 2001 | 1,400 | names, SSNs | Hampp, David, "Kent State U. Faculty Affected by Stolen Computer," Daily Kent Stater (via University Wire), June 22, 2005 (no page given). |
| Ohio State University Medical Center - two stolen laptops | June 2005 | patients | 15,000 | patient names, admission and discharge dates, whether the patient had insurance, total charges and adjustments to the account. | Crane, Misti, "Laptop Containing Patients' Billing Information Stolen; Birth Dates, Social Security Numbers Not in Data Taken from Consultant, Osu Says," Columbus Dispatch (OH), June 30, 2005, p. 4C. |
| University of Hawaii - dishonest library worker indicted on federal charges of bank fraud related to identity theft | June 2005 | students, faculty, staff and library patrons at any of the 10 campuses between 1999 and 2003 | 150,000 | SSNs, addresses and phone numbers | Associated Press, "UH Warns of Possible Identity Theft," June 19, 2005. |
| Jackson Community College (MI) - hacker breaks into computer system | May 2005 | employees and students of the college | 8,000 | SSNs | "Computer Crime: Hacker May Have Stolen Social Security Numbers From Jackson Community College," Computer Crime Research Center, May 29, 2005 (no page given). |
| Carnegie Mellon University - security breach of school's computer network | May 2005 | graduates of the Tepper School of Business from 1997 to 2004; current graduate students; applicants to the doctoral program from 2003 to 2005; applicants to the MBA program from 2002 to 2004; and administrative employees | 5,000 | SSNs and personal information | Associated Press, "Carnegie Mellon Reports Computer Breach," MSNBC, April 21, 2005, at [http://msnbc.msn.com/id/7590506/]. |
| Stanford University - computer system breach | May 2005 | students and recruiters of the university | 9,600 | SSNs, resumes, financial data, government information | Musil, Steven, "FBI Probes Network Breach at Stanford," CNet News, May 25, 2005. |
| Florida International University (FIU) - a hacker acquired user names and passwords for 165 computers on campus | May 2005 | faculty and students | unknown | SSNs, credit card numbers | Leyden, John, "Florida Univ on Brown Alert after Hack Attack," The Register, April 29, 2005, at [http://www.theregister.com/2005/04/29/fiu_id_fraud_alert/]. |
| Northwestern University (Kellogg School of Management) - computer network breach | May 2005 | faculty, students, and alumni | 17,500 | user IDs and passwords | Meglio, Francesca Di, "Hacker Break-In," Computer Crime Research Center, May 23, 2005 (no page given). |
| University of California, San Francisco - hacker gained access to server used by accounting and personnel department | April 2005 | students, faculty and staff | 7,000 | names and SSNs numbers | Lazarus, David, "Another Incident for UC," San Francisco Chronicle, April 6, 2005, p. C1. |
| Tufts University - possible security breach in an alumni and donor database after abnormal activity on the server in October and December, 2004 | April 2005 | alumni | 106,000 | SSNs and other unspecified personal information | Roberts, Paul, "Tufts Warns 106,000 Alumni, Donors of Security Breach: Personal Data on a Server Used for Fund Raising May Have Been Exposed," Computerworld, April 13, 2005, at [http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,101043,00.html?source=x10]. |

| Education Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| University of Nevada, Las Vegas - hackers accessed school's Student and Exchange Visitor Information System (SEVIS) database | March 2005 | current and former students and faculty | 5,000 | personal records, including birth dates, countries of origin, passport numbers, and SSNs | Lipka, Sara, "Hacker Breaks Into Database for Tracking International Students at UNLV," Chronicle of Higher Education, March 21, 2005, p. A43. |
| California State University, Chico - hackers broke into servers | March 2005 | students, former students, prospective students, and faculty | 59,000 | SSNs | Associated Press, "Hackers Gain Personal Information of 59,000 People Affiliated with California University," Grand Rapids Press, March 22, 2005, p. A2. |
| University of California, Berkeley - laptop stolen from restricted area of campus office | March 2005 | alumni, graduate students, and past applicants | 100,000 | SSNs numbers, names; addresses, and birth dates for 1/3 of affected people | Liedtke, Michael, "Laptop Theft Causes Identity Fraud Worry," Daily Breeze (Torrance, CA), March 28, 2005, p. A10. |
| George Mason University - hackers gained access to information | January 2005 | faculty, staff, and students | 30,000 | names, photos, SSNs, and campus ID numbers | McCullagh, Declan, "Hackers Steal ID Info from Virginia University," Wired News, January 10, 2005, at [http://news.com.com/2100-7349_3-5519592.html]. |
| University of California, San Diego (UCSD) - hacker breached computer system | January 2005 | students and alumni of UCSD Extension | 3,500 | names, SSNs | Yang, Eleanor, "Hacker Breaches Computers That Store UCSD Extension Student, Alumni Data," San Diego Union Tribune, January 18, 2005, p. B3. |
| University of California, Berkeley - hacker compromised the university's computer system | October 2004 | Californians participating in California's In-Home Supportive Services program since 2001 | 1.4 million individuals | SSNs, names, addresses, phone numbers, and dates of birth | Reuters, "Hacker Strikes University Computer System," CNET News, October 19, 2004, at [http://news.com.com/2100-7349_3-5418388.html]. |
| California State - auditor from chancellor's office lost hard drive containing personal information | August 2004 | 380,000 current and former students, applicants, staff, faculty and alumni at UC San Diego and 178,000 at San Diego State | 23,500 | name, address, SSNs | Connell, Sally Ann, "Security Lapses, Lost Equipment Expose Students to Possible ID Theft; in the Latest Incident, a Cal State Hard Drive with Data on 23,500 Individuals Is Missing," Los Angeles Times, August 29, 2004, p. B4. |
| University of California, Los Angeles - stolen laptop w/ blood donor info | June 2004 | blood donors | 145,000 | names, birth dates and SSNs | Becker, David, "UCLA Laptop Theft Exposes ID Info," CNET News, October 6, 2004, at [http://news.com.com/UCLA+laptop+theft+exposes+ID+info/2100-1029_3-5230662.html?tag=nl]. |
| University of California, San Diego (UCSD) - hackers breached security at the San Diego Supercomputer Center and the University's Business and Financial Services Department | April 2004 | UCSD students, alumni, faculty, employees and applicants | 380,000 | SSNs, and driver license numbers | Sidener, Jonathan, "SD Supercomputer Center Among Victims of Intrusion," San Diego Union Tribune, April 15, 2004, p. B3. |
| Georgia Institute of Technology | March 2003 | patrons of art and theatre program | 57,000 | credit card numbers | Lemos, Robert, "Data Thieves Strike Georgia Tech," Wired News, March 31, 2003, at [http://news.com.com/Data+thieves+strike+Georgia+Tech/2100-1002_3-994821.html?tag=nl]. |
| University of Texas, Austin - computer hackers broke into database on multiple occasions | March 2003 | current and former student, faculty and staff members, as well as job applicants | 55,200 | names, addresses, SSNs, email addresses, office phone numbers; note: perpetrator claimed he did not distribute the numbers and had not used them "to anyone's detriment" | Read, Brock, "Hackers Steal Data From U. of Texas Database," Chronicle of Higher Education, March 21, 2003, p. 35. |
| University of Kansas - hacker break-in to Student and Exchange Visitor Information System (SEVIS) | January 2003 | foreign students | 1,400 | SSNs, passport numbers, countries of origin, and birth dates. | Arnone, Michael, "Hacker Steals Personal Data on Foreign Students at U. of Kansas," Chronicle of Higher Education, January 24, 2003 (no page given). |
| College of the Canyons (California) - computer hard drive containing personal student information stolen | October 2001 | current and former students | 36,000 | names, SSNs, and photographs | Mistry, Bhavna, "Identity Theft Alert Issued at College," Los Angeles Daily News, October 21, 2001, p. N7. |
| University of Washington Medical Center - hacker broke into computer system | December 2000 | cardiology and rehabilitation patients | 5,000 | names, addresses, birth dates, heights and weights, SSNs, and the medical procedure undergone | "Hacker Steals Patient Records," San Diego Union-Tribune, December 9, 2000, p. A3. |

Table 3. Data Security Breaches in Financial Institutions (2001-2007)

| Financial Institutions Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| New Horizons Community Credit Union (Denver, CO) - stolen laptop. Note: computer was protected by two layers of security, a unique user-identifier, and a multiple-character, alpha-numeric password. | April 2007 | credit union members | 9,000 | loan account information | States News Service, "New Horizons Community CU Takes Action after Potential Data Breach; Members Informed of Protections," April 11, 2007. |
| MoneyGram International - server unlawfully accessed | January 2007 | customers | 79,000 | names, addresses, phone numbers, and in some cases, bank accounts | Onaran, Yalman and Elizabeth Hester, "Breach affects 79,000 MoneyGram accounts; Money-transfer and bill-paying service doesn't know if hackers stole personal data," Saint Paul Pioneer Press (Minnesota), January 13, 2007, p. 1C. |
| Premier Bank - report stolen from truck | December 2006 | customers | 1,8000 | names, account numbers of customers who opened accounts in October, 2006 | Sorkin, Michael, "Bank data stolen out of exec's vehicle: Names with account numbers were in truck outside award ceremony," St. Louis Post-Dispatch, December 6, 2006, p. C1. |
| TD Ameritrade - criminals, using stolen customer accounts acquired from a hacked computer, drove up the prices of low-priced stocks through high-volume purchases and then sold those shares at a profit | December 2006 | customers | unknown; company has 6 million clients | names, addresses, birth dates, SSNs; note: TD Ameritrade had to cover $4 million in fraudulent transactions for its most recent quarter | Greenemeier, Larry, "Cybercrooks Get Smarter; E-Trade and TD Ameritrade were victims of an online brokerage pump-and-dump scheme," Wall Street & Technology, December 1, 2006, p. 14. |
| ING Financial Services - stolen laptop | June 2006 | District of Columbia government workers and retirees | 13,000 | SSNs, personal data | Dwyer, Timothy, "ING Financial to Notify Potential Identity Theft Victims," Washington Post, June 19, 2006, p. B4. |
| Equifax Inc. - stolen laptop | June 2006 | nearly all the U.S. employees of the credit reporting bureau | 2,500 | names, SSNs | Stempel, Jonathan, "Equifax Says Laptop With Employee Data Was Stolen," eWeek, June 20, 2006, at [http://www.eweek.com/article2/0,1759,1979296,00.asp?kc=EWRSS03129TX1K0000614]. |
| Fidelity Investments - stolen laptop | March 2006 | Hewlett-Packard employees | 196,000 | personal data | Hines, Matt, "Stolen Fidelity Laptop Exposes HP Workers," eWeek, March 23, 2006, at [http://www.eweek.com/article2/0,1895,1942049,00.asp]. |
| Bank of America, Washington Mutual - debit cards cancelled | February 2006 | customers using debit cards issued by the two banks at Sam's Club gas stations and Office Max | 200,000 | debit card information which was used to accrue fraudulent charges | Sandoval, Greg "Web of Intrigue Widens in Debit-Card Theft Case," CNet News, February 13, 2006, at [http://news.com.com/Web+of+intrigue+widens+in+debit-card+theft+case/2100-1029_3-6038405.html]. |
| Ameriprise Financial - laptop theft | January 2006 | customers and advisers with the financial firm | 230,000 | names, SSNs, internal account numbers | Dash, Eric, "Ameriprise Loses Data on 230,000 Customers and Advisers," New York Times, January 25, 2006. |

| Financial Institutions Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| H&R Block - Social Security numbers printed on unsolicited packages containing free software | January 2006 | recipients of the company's tax preparation software | undisclosed | SSNs | Gilbert, Alorie, "H&R Block Blunder Exposes Consumer Data," CNet News, January 3, 2006, at [http://news.com.com/H38R+Block+blunder+exposes+consumer+data/2100-1029_3-6016720.html]. |
| Visa USA | December 2005 | customers with Visa cards from various financial institutions using a mutual merchant | undisclosed | credit card information | Weinstein, Natalie, "Visa Deals With Possible Data Breach," CNet News, December 24, 2005, at [http://news.com.com/2100-1029_3-6007759.html]. |
| Scottrade Inc. - internet hacker | December 2005 | customers of the stock brokerage firm | 140,000 | names, birth dates, drivers license numbers, phone numbers, bank names, bank routing numbers, bank account numbers, and Scottrade account numbers | "Hackers Reveal 140,000 Customer ID's," Computer Crime Research Center, December 2, 2005 (no page given). |
| TransUnion (credit reporting bureau) - stolen desktop computer | November 2005 | customers | 3,600 | SSNs and personal credit information | Paul, Peralte, "Credit Bureau Burglary Leaves 3,600 Vulnerable," Atlanta Journal and Constitution, November 11, 2005, p. 5G. |
| Choicepoint - Miami-Dade County Police Department may have misused the department's account to illegally access consumer records | September 2005 | consumers | 5,103 | SSNs, driver's license information | Husted, Bill, "Another Breach of Records Feared; Choicepoint Tells 5,103 Customers about Incident," Atlanta Journal-Constitution, September 17, 2005, p. 1H. |

| Financial Institutions Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Bank of America - stolen laptop | September 2005 | Visa Buxx card users | undisclosed | names, credit card numbers, bank account numbers, routing transit numbers | McMillan, Robert, "Bank of America Notifying Customers After Laptop Theft," Computerworld, October 7, 2005, at [http://www.computerworld.com/securitytopics/security/story/0,10801,105246,00.html]. |
| J.P. Morgan (Dallas) - stolen laptop | August 2005 | clients | unknown | personal and financial information | "Security Breach at J.P. Morgan Private Bank," AFX International Focus, August 30, 2005 (no page given). |
| Citigroup - a box of computer tapes with account information for 3.9 million customers was lost in shipment by CitiFinancial, a unit of Citigroup | June 2005 | personal and home equity loan customers | 3.9 million | names, addresses, SSNs and loan-account data | Krim, Jonathan, "Customer Data Lost, Citigroup Unit Says: 3.9 Million Affected As Firms' Security Lapses Add Up," Washington Post, June 7, 2005, p. A1. |
| Japanese credit cardholders - hackers behind U.S. data theft may have compromised the data of Japanese cardholders, according to the government. Fraudulent transactions have now emerged in Japan. | June 2005 | customers of 26 domestic Japanese credit card firms | unknown | unknown | "Japan Cardholders 'Hit' by Theft," BBC News, June 21, 2005 at [http://news.bbc.co.uk/2/hi/business/4114252.stm]. |

| Financial Institutions Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| MasterCard - breach occurred in 2004 at a processing center in Tucson operated by CardSystems Solutions, one of several companies that handle transfers of payment between the bank of a credit card-using consumer and the bank of the merchant where a purchase was made. CardSystems' computers were breached by malicious code that allowed access to customer data. | June 2005 | MasterCard credit card and some debit card customers | 40 million | names, account numbers, security codes, expiration dates | Krim, Jonathan and Michael Barbaro, "40 Million Credit Card Numbers Hacked: Data Breached at Processing Center," Washington Post, June 18, 2005, p. A1; Zeller, Tom and Eric Dash, "MasterCard Says 40 Million Files Put at Risk," New York Times, June 18, 2005, p. A1; and Evers, Joris, "Credit Card Suit Now Seeks Damages," CNET News.com, July 7, 2005, at [http://news.com.com/Credit+card+suit+now+seeks+damages/2100-7350_3-5777818.html]. |
| Bank of America - laptop stolen from car in Walnut Creek, CA | June 2005 | California customers | 18,000 | names, addresses, SSNs, | Lazarus, David, "Breaches in Security Require New Laws," San Francisco Chronicle, June 29, 2005, p. C1. |
| New Jersey cybercrime ring stole financial records from bank accounts | May 2005 | customers of four banks (Charlotte, North Carolina-based Bank of America and Wachovia, Cherry Hill, New Jersey-based Commerce Bank, and PNC Bank of Pittsburgh) | 700,000 | names, SSNs, bank account information; note: bank employees sold financial records to collection agencies and law firms. | Weiss, Todd, "Scope of Bank Data Theft Grows to 676,000 Customers: Bank Employees Used Computer Screen Captures to Snag Customer Data," Computerworld, May 20, 2005, at [http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,101903,00.html]. |
| Ameritrade (securities broker) - loses tapes with back-up information on customer accounts | April 2005 | Ameritrade current and former customers | 200,000 | account information | "Ameritrade Loses Customer Account Info," CNN Money, April 19, 2005, at [http://money.cnn.com/2005/04/19/technology/ameritrade/index.htm]. |
| HSBC (global bank) sent out warning letters notifying customers that criminals may have gained access to credit card info | April 2005 | holders of General Motors MasterCard who had shopped at Polo Ralph Lauren stores | 180,000 | credit card information | "Security Scare Hits HSBC's Cards," BBC News, April 14, 2005, at [http://news.bbc.co.uk/2/hi/business/4444477.stm]; and Vijayan, Jaikumar, "Update: Scope of Credit Card Security Breach Expands," Computerworld, April 15, 2005, at [http://www.computerworld.com/securitytopics/security/story/0,10801,101101,00.html]. |
| Bank of America - computer data tapes lost during shipment | February 2005 | GSA charge card program (Visa cards issued to federal employees) | 1.2 million | customer and account information | Carrns, Ann, "Bank of America Is Missing Tapes With Card Data," Wall Street Journal, February 28, 2005, p. B2. |
| Wells Fargo - computers stolen from Wells Fargo vendor | November 2004 | mortgage and student-loan customers | company would not disclose | customers' names, addresses, and SSNs, and account numbers | Breyer, R. Michelle, "Wells Fargo Customer Data Stolen in Computer Theft," Austin-American Statesman, November 3, 2004, p. D1. |

| Financial Institutions Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Wells Fargo - hacker arrested with stolen computers and laptop | November 2003 | customers with personal lines of credit used for consumer loans and overdraft protection | company would not disclose | names, addresses, account and SSNs | "Suspect Is Arrested in Theft of Bank Data," Los Angeles Times, November 27, 2003, p. C2. |
| Weichert Financial Services - credit profiles were unlawfully accessed from internal computer system | May 2003 | clients | 3,774 | credit reports, driver's license info | Associated Press, "Pair Accused of Fraud in Credit Reports' Theft: Allegedly Used Data to Buy Goods over the Internet," The Record (Bergen County, NJ), May 2, 2003, p. A10. |
| Visa, MasterCard, American Express and Discover account numbers - hacker stole 8 million | February 2003 | credit card customers | PNC Bank cancelled 16,000 cards; Citizens Bank cancelled 8,000-10,000 cards | ATM/debit/check cards | Sabatini, Patricia, "PNC Cancels 16,000 Cards After Hacking Theft Incident," Pittsburgh Post-Gazette, February 20, 2003, p. C1. |
| Fullerton, California - bogus credit card ring opened bank accounts, credit lines, auto and home loans | June 2001 | impersonated more than 1,500 people nationwide and defrauded 76 financial institutions | 1,500 | birth dates, SSNs, mothers' maiden names, credit cards, driver's licenses, and receipts for car and home purchases. | Brown, Aldrin and Jeff Collins, "Suspicious Mail Triggered Probe of Identity Theft Crime Losses from the Alleged Ring, Which Used Data Stolen as Far Back as the Early '90s, May Hit $10 Million," Orange County Register, June 21, 2001 (no page given). |

Table 4. Data Security Breaches in Local, State, and Federal Government (2003-2007)

| Government (Local, State and Federal) Incidents | Date Publicized | Who Was Affected | Number Affected | Type of Data Released/Compromised | Source(s) |
|---|---|---|---|---|---|
| Transportation Security Administration - missing external hard drive | May 2007 | individuals employed by the agency from January 2002 until August 2005 | 100,000 | name, SSN, date of birth, payroll information, bank account and routing information | Hu, Spencer, "TSA Hard Drive With Employee Data Is Reported Stolen," Washington Post, May 5, 2007, p. A9. |
| U.S. Department of Agriculture - public information disclosed for more than a decade on public website | April 2007 | recipients of loans or other financial assistance | 63,000 (first estimate), then 38,700 (after USDA investigation) | SSNs | Nakashima, Ellen, "U.S. Exposed Personal Data; Census Bureau Posted 63,000 Social Security Numbers Online," Washington Post, April 2, 2007, p. A5 and Prince, Brian, "USDA Cuts Number Affected by Data Exposure," eWeek, April 23, 2007. |
| Georgia Secretary of State (Atlanta, GA) - 30 boxes of voter registration records found in trash | April 2007 | Fulton County voters | 75,000 | name, address, SSNs | Associated Press, "75,000 voter registration cards found in trash bin in Atlanta," April 12, 2007. |
| ChildNet (non-profit that runs Broward County's child welfare program) (Fort Lauderdale, FL) - former employee allegedly stole laptop | April 2007 | adoptive and foster-care parents | 12,000 | SSNs, financial and credit data, driver's license data, passport numbers | Haas, Brian, and Bill Hirschman, "Stolen ChildNet laptop puts 12,000 at risk of ID theft," South Florida Sun-Sentinel (Fort Lauderdale), April 12, 2007. |
| Los Angeles County Child Support Services (Los Angeles, CA) - three missing laptops | March 2007 | child support clients | 243,000 | 130,500 SSNs (most without names attached), about 12,000 individuals' names and addresses, and more than 101,000 child support case numbers | Rosenblatt, Susannah, "Child support data may be at risk; L.A. County agency tells 243,000 clients that three missing laptops may contain personal info," Los Angeles Times, March 30, 2007, p. B4. |
| Fort Monroe (Fort Monroe, VA) - stolen Army laptop | March 2007 | civilian employees | 16,000 | names, SSNs, payroll information | Howe, Kevin, "Army warns of data theft: laptop with information of 16,000 civilian employees stolen in Virginia," Monterey County Herald (California), March 29, 2007. |
| California National Guard (Sacramento, CA) - stolen computer hard drive | March 2007 | California National Guard troops deployed to the U.S.-Mexico border | 1,300 | names, addresses, SSNs, dates of birth | Associated Press, "Stolen hard drive contains data for California Guard troops," March 10, 2007. |
| U.S. Department of Veterans Affairs, VA Medical Center (Birmingham, AL) - missing hard drive | February 2007 | veterans | 535,000. Hard drive also may have included data, not all of it sensitive, on about 1.3 million non-VA physicians, both living and dead | names, SSNs, some Medicare billing record information and billing codes for 1.3 million doctors | Thornton, William, "535,000 on lost VA drive: Agency to notify those possibly affected," Birmingham News (Alabama), February 12, 2007. |
| Connecticut - personal information inadvertently posted to state Administrative Services Department's website | February 2007 | state employees | 1,700 | names, SSNs | Greenemeier, Larry, "Stop & Shop PIN Pads Breached; Connecticut Removes Worker Data From Site," Information Week, February 20, 2007, at [http://www.informationweek.com/story/showArticle.jhtml?articleID=197007473&cid=RSSfeed_IWK_News]. |
| Massachusetts Department of Industrial Accidents (Boston, MA) - contractor accessed a workers' compensation data file and stole the identities of at least three people, opened credit card accounts in their names, and charged thousands of dollars for jewelry and other purchases | February 2007 | accident victims | 1,200 | names, SSNs | Murphy, Sean, "Worker charged with identity theft," Boston Globe, February 2, 2007. |
| Chicago Board of Elections - computer disks mistakenly distributed to aldermen and ward committeemen | January 2007 | Chicago voters | 1.3 million | names, SSNs, dates of birth, addresses. Note: class-action lawsuit was filed against the Board of Elections in Cook County Circuit Court | Associated Press, "Social Security numbers distributed on computer discs," January 23, 2007. |
| Internal Revenue Service, Kansas City, KS - 26 computer tapes missing | January 2007 | taxpayers | unknown | unknown (potentially contain taxpayers' names, SSNs, bank account numbers, or employer information). Note: tapes require special equipment to read and software that is not commonly used | Horsley, Lynne, "26 IRS tapes missing from City Hall: Records were delivered in August. Trail of where taxpayer data went is under investigation," Kansas City Star, January 19, 2007, p. A1. |
| Indiana State Department of Health via Family Health Center of Clark County (Jeffersonville, IN) - two stolen computers | November 2006 | women in the state's Breast and Cervical Cancer Program | 7,700 | name, address, SSN, medical information | Associated Press, "Women alerted to possible identity theft," November 26, 2006. |
| Bowling Green Police Dept. (Bowling Green, OH) - inadvertent publishing of personal data to website | November 2006 | victims or suspects on the daily blotter | 200 | names, SSNs, phone numbers | Feehan, Jennifer, "Bowling Green police mistakenly put private data online," Blade (Toledo, Ohio), November 14, 2006. |
| Administration for Children's Services (New York, NY) - unshredded files found on the street in clear plastic garbage bag | November 2006 | families, social workers and police | 200 case files | unspecified confidential information | Schapiro, Rich and Nicole Bode, "Secret Shame for All to See. Confidential Acs Files Found Dumped on Street," New York Daily News, November 20, 2006, p. 3. |
| City of Lubbock (TX) - hackers broke into city job application website | November 2006 | job applicants | 5,800 | names, addresses, SSNs, drivers license numbers | Roberts, Paul, "Texas Tech-are police discover security breach in city database" (sic), University Wire, November 9, 2006. |

Manhattan Veterans Affairs November veterans who 1,600 names, SSNs, medical Hutchinson, Bill, "Your Identity May Be Stolen, Medical Center, New York 2006 receive diagnoses Vets Are Warned, New York Daily News, Harbor Health Care System pulmonary care at November 2, 2006, p. 19.
(New York, NY) - the facility unencrypted stolen laptop Veterans Affairs Hospital and November veterans 1,400 names, SSNs, billing Thornton, Tony, "VA hospital loses data on McAlester Clinic - missing 2006 information patients; No indication of misuse, agency says," computer disks (Muskogee, The Oklahoman, November 2, 2006, p. 1A. OK) CRS-61 Government (Local, State Date Who Was Type of Data Number Affected Source(s) and Federal) Incidents Publicized Affected Released/Compromised U.S. Army Cadet Command November high school 4,600 names, addresses, W-2 tax Petkofsy, Andrew, "ROTC applicants' data on (Fort Monroe, VA) - stolen 2006 students who forms, SSNs stolen computer," Richmond Times Dispatch laptop applied for Army (Virginia), November 2, 2006, p. B6. ROTC scholarships. Colorado Dept. of Human November recently hired up to 1.4 million names, SSNs, birth dates Migoya, David, "Stolen state database puts 1.4 Services via private contractor 2006 employees million at ID-theft risk," Denver Post, Affiliated Computer Services November 2, 2006, p. B1. (Dallas, TX) - stolen computer Port of Seattle (Seattle, WA) - October individuals who 6,943 unspecified personal "Port of Seattle Hires Id Protection Service," missing CD-ROMS 2006 applied for airport information Pacific Shipper, October 27, 2006. security badges Camp Pendleton Marine Corps October Marines who live 2,400 unspecified personal Hoellworth, John, "Lost laptop contains 2,400 base, via Lincoln BP 2006 on the base information Pendleton Marines' info," Marine Corps Times, Management (near Oceanside, October 23, 2006, p. 13. CA) - missing laptop City of Visalia, Recreation October current and 200 names, SSNs Castellon, David, "Tossed records are still a Division (Visalia, CA) - city 2006 former employees mystery," Visalia Times-Delta (California), documents were found October 17, 2006, p. 1C. scattered on a city street. 
CRS-62 Government (Local, State Date Who Was Type of Data Number Affected Source(s) and Federal) Incidents Publicized Affected Released/Compromised Poulsbo Department of October citizens processed 2,200 names, addresses, drivers US States News, "Small Department of Licensing (Poulsbo, WA) - 2006 at one workstation license photos Licensing Data Backup Device Missing," missing data backup device October 10, 2006. Congressional Budget Office - October subscribers to unknown unknown "Hackers Breach Budget Office's Mailing List," mailing list hacked and 2006 CBO's mailing National Journal, Technology Daily, October phishing email that appeared list 13, 2006. to come from CBO was sent Cleveland Air Route Traffic October air traffic 400 names, SSNs Sangiacomo, Michael, "FAA data in Oberlin Control Center (Oberlin, OH) - 2006 controllers computer lost Drives had names, Social Security computer hard drive stolen numbers," Cleveland Plain Dealer, October 6, 2006, p. B3. Florida Department of Labor - October individuals 4,624 names, SSNs, Samples, Eve, "More than 4,600 Floridians' personal information 2006 enrolled for personal data accidentally posted,"Palm Beach inadvertently posted on test services with Post, October 11, 2006. server regional workforce boards Cumberland County, PA - October employees 1,200 names, SSNs Miller, Matt, "Employee numbers removed SSNs in meeting minutes 2006 from Web," Patriot-News, October 3, 2006, p. posted on website B1. CRS-63 Government (Local, State Date Who Was Type of Data Number Affected Source(s) and Federal) Incidents Publicized Affected Released/Compromised Kentucky Personnel Cabinet September employees in state 146,000 SSNs Alford, Roger, "State sends out letters with (Frankfort, KY) - letters sent to 2006 agencies, Social Security numbers visible," Associated employees displayed their community and Press, September 29, 2006. 
SSNs on front technical colleges, school districts, health departments and other offices covered by the state's insurance program North Carolina Department of September drivers 16,000 names, SSNs, driver's license "Thieves take N.C. DMV computer with Motor Vehicles (Louisburg, 2006 numbers, dates of birth personal info," Associated Press, September 28, NC) - stolen computer 2006. U.S. Department of Commerce September Census Bureau 6,200 households unknown Sipress, Alan, "1,100 Laptops Missing from - 1,137 stolen, lost, or missing 2006 and National (estimated) Commerce Dept.," Washington Post, September laptops Oceanic and 22, 2006, p. A3. Atmospheric Administration U. S. Department of Veterans August 2006 patients at VA 38,000 SSNs, names, addresses, birth Rash, Wayne, "Another VA Computer Goes Affairs - missing computer hospitals in dates, insurance carriers, billing Missing," eWeek, August 7, 2006, at from contractor's office Pennsylvnia information, details of service [http://www.eweek.com/article2/0,1895,200026 8,00.asp]. CRS-64 Government (Local, State Date Who Was Type of Data Number Affected Source(s) and Federal) Incidents Publicized Affected Released/Compromised U.S. Department of August 2006 drivers license 133,000 SSNs, names, addresses Rash, Wayne, "DOT is the Latest Victim of Transportation - stolen laptop records of Florida Computer Theft," eWeek, August 10, 2006, at residents [http://www.eweek.com/article2/0,1895,200214 8,00.asp?kc=EWNAVEMNL081106EOAD]. U.S. Department of Education August 2006 students who 21,000 names, birth dates, SSNs, Yen, Hope, "Ed. Dept. offers free credit - exposed loan data borrowed money addresses, phone numbers and monitoring," Houston Chronicle, August 24, under in some cases account 2006 (no page given). 
the Federal Direct information for holders of Student Loan federal direct student loans program Naval Safety Center - personal July 2006 Naval and Marine "more than SSNs, personal information "Naval Safety Center Finds Personal Data on data exposed on website and Corps aviators 100,000" Website," U.S. Department of Defense press on 1,100 computer discs and air crew, both release, July 8, 2006, at mailed to naval commands active and reserve [http://www.news.navy.mil/search/display.asp?s tory_id=24568]. U.S. State Department - July 2006 Washington unknown access to data and passwords "State Department Releases Details Of hackers headquarters, and Computer System Attacks," COMMWEB, July the Bureau of East 13, 2006 (no page given), and Greenemeier, Asian and Pacific Larry, "State Department Hack Escalates Affairs Federal Data Insecurity," Information Week, July 12, 2006, at [http://www.informationweek.com/news/showA rticle.jhtml?articleID=190302905]. CRS-65 Government (Local, State Date Who Was Type of Data Number Affected Source(s) and Federal) Incidents Publicized Affected Released/Compromised Federal Trade Commission June 2006 subjects of law 110 names, addresses, SSNs, Reuters, "FTC Laptops Stolen, 110 People at enforcement financial account numbers Risk of ID Theft," Baseline.com, June 23, 2006 investigations (no page given). U.S. Navy - an open website June 2006 Navy members 30,000 names, birth dates and SSNs "Navy Personal Data on Web Is contained five spreadsheet and dependents Katrina-related," States News Service, June 26, files with personal information 2006 (no page given). Texas Guaranteed Student June 2006 college students 1.3 million names, SSNs Evers, Joris, "Loan Company Reports Loss of Loan- computer equipment borrowing money Data on 1.3 Million," CNet News, June 1, 2006, lost from the loan at company [http://news.com.com/Loan+company+reports+ loss+of+data+on+1.3+million/2100-1029_3-60 79261.html]. 
National Institutes of Health June 2006 credit union "small number" unidentified personal Trejos, Nancy, "Identity Thieves Hit NIH Credit Federal Credit Union members information Union; (Rockville, MD) Scheme Is Latest in Spate of Breaches Affecting Millions," Washington Post, June 29, 2006, p. B3. U.S. Department of June 2006 current and retired 26,000 names, SSNs, employee Azaroff, Rachel, "Hacker Might Have Breached Agriculture- external security employees of the photos, internal building Personal Data at USDA," FCW, June 22, 2006, breach of a workstation and department locations at two servers [http://www.fcw.com/article94991-06-22-06-W eb]. CRS-66 Government (Local, State Date Who Was Type of Data Number Affected Source(s) and Federal) Incidents Publicized Affected Released/Compromised Minnesota Department of June 2006 individuals and 2,400 individuals names, addresses, SSNs, MN Department of Revenue, "Department of Revenue businesses and 48,000 employment data Revenue to Assist Taxpayers Whose Private (St. Paul, MN) - missing data (taxpayers) businesses Information Was Included in a Package Lost in tape the Mail," June 28, 2006, at [http://www.taxes.state.mn.us/taxes/publications /press_releases/content/taxpayer_information.sh tml] Department of Energy- file June 2006 employees of the 1,500 names, SSNs, birth datess, Associated Press, "DOE Computers Hacked; stolen by hacker Energy codes showing where the Info on 1,500 Taken," June 11, 2006. Department's employees worked, codes nuclear weapons showing their security agency clearance Government Accountability June 2006 DoD employees "fewer than service members' names, Thormeyer, Rob, "GAO Removes Archived Office (GAO) -website 1,000" SSNs, addresses Personal Data from Web Site," exposed data from audit WashingtonTechnology.com, June 27, 2006 at reports on Defense Department [http://www.washingtontechnology.com/news/1 travel vouchers from the 1970s _1/daily_news/28845-1.html]. 
King County Records, June 2006 current and unknown SSNs Associated Press, "Councilman Irked by Data Elections, and Licensing former county (potentially Postings on Web," June 27, 2006. Services Division residents thousands) (Seattle, WA) - website exposed personal data CRS-67 Government (Local, State Date Who Was Type of Data Number Affected Source(s) and Federal) Incidents Publicized Affected Released/Compromised Internal Revenue Service - lost June 2006 IRS employees 291 names, birth dates, SSNs, Lee, Christopher, "IRS Laptop Lost with Data laptop and job applicants fingerprints on 291 People," Washington Post, June 8, 2006, p. A4. Nebraska Treasurer's Office June 2006 individuals and 300,000 names, SSNs, tax identification Nebraska State Treasurer, "Hacker Virus (Lincoln, NE) - hacker broke employers who individuals and numbers for businesses Stopped by Treasurer's Office," June 29, 2006, into a child-support computer pay and receive 9,000 employers at system child support [http://www.treasurer.state.ne.us/ie/server.asp] payments Pentagon, Tricare May 2006 Defense 14,000 names, SSNs, credit card Barr, Stephen, "Conference Attendees' Personal Management Activity- hackers Department numbers, employer Data May Be at Risk," Washington Post, May break into server conference identification, other personal 12, 2006, p. D4. attendees information Department of Veterans May 2006 military veterans 26.5 million names, birth dates, SSNs Lee, Christopher and Steve Vogel, "Personal Affairs- laptop and external Data on Veterans is Stolen," Washington Post, hard drive stolen May 23, 2006, p. A1. National Institutes of Health October applicants to the undisclosed grant proposals and other grant Pulley, John L., "NIH Accidentally Posts (NIH)- posting of confidential 2005 NIH review materials Confidential Grant Applications on the Web," grant applications The Chronicle of Higher Education, October 31, 2005 (no page given). U.S. 
Air Force - records stolen August 2005 officers and 19 33,300 SSNs, birth dates, and other Dorsett, Amy, "Identity theft Threat Hangs over from the Air Force Personnel NCOs sensitive information AF Officers," San Antonio Express-News, Center's online Assignment August 24, 2005, p. 1A. Management System CRS-68 Government (Local, State Date Who Was Type of Data Number Affected Source(s) and Federal) Incidents Publicized Affected Released/Compromised San Diego County Employees July 2005 current and retired 33,000 workers' names, Social Chacon, Daniel, "Hackers Breach County's Retirement Association - county Security numbers, addresses Personal Records; 33,000 People at Risk in hackers broke into two government and dates of birth Retirement Association," San Diego computers employees Union-Tribune, July 30, 2005, p. B1. Federal Deposit Insurance June 2005 FDIC current and 6,000 names, birth dates, SSNs, and Krim, Jonathan, "FDIC Alerts Employees of Corporation - computer breach former employees salary information Data Breach", Washington Post, June 16 2005, in early 2004. The agency or anyone p. D1. wrote to employees that it employed at the learned of the breach only agency as of July "recently", but did not explain 2002. how the breach occurred, aside from stating that it was not the result of a computer security failure. Lucas County (OH) Children June 2005 agency's 400 900 names, telephone numbers, Patch, David, "Lucas County Children Services Services - information from current employees SSNs Data Stolen," Toledo Blade, June 28, 2005, p. the agency's personnel and about 500 B1. database was compiled and others who have e-mailed to an outside worked there computer since 1991 hackers breached Illinois February people who work 90,000 SSNs, wages "Hackers Breach State Files on 90,000," Employment Development 2004 as domestic Chicago Tribune, February 15, 2004, p. 12. 
Department server employees and those who employ them CRS-69 Government (Local, State Date Who Was Type of Data Number Affected Source(s) and Federal) Incidents Publicized Affected Released/Compromised U.S. Department of Defense - August 2003 Navy's purchase 13,000 credit card numbers Reddy, Anitha, "Hackers Steal 13,000 Credit hackers downloaded Navy card program, Card Numbers; Navy Says No Fraud Has Been credit cards used to order Noticed," Washington Post, November 23, routine office 2003, p. E1. supplies Bronx identity theft ring filed February income tax filers not specified SSNs Weiser, Benjamin, "19 Charged in Identity thousands of fraudulent 2003 Theft That Netted $7 Million in Tax Refunds," income tax returns note: ID theft ring obtained New York Times, February 5, 2003, p. B3. $7million in tax refunds CRS-70 Table 5. Data Security Breaches in Health Care (2003-2007) Date Who Was Type of Data Healthcare Incidents Number Affected Source(s) Publicized Affected Released/Compromised Georgia Dept. of Community April 2007 state health care 2,900,000 SSNs, addresses, birthdates, dates of Miller, Andy, and Bill Hendrick, Health (Atlanta, GA) and recipients eligibility, full names, Medicaid or "Georgians' personal data lost; private contractor Affiliated children's health care recipient Medicaid, PeachCare clients: A Computer Services (ACS) - identification numbers computer disk including Social Security missing computer disk numbers on 2.9 million people was lost in transit," Atlanta Journal and Constitution, April 11, 2007, p. 1A. DCH Health Systems April 2007 employees and 6,000 retirement benefit information, SSNs, Associated Press State & Local Wire, (Tuscaloosa, AL) - lost retirees other uspecified personal information "Tuscaloosa-based DCH loses personal computer disk and documents data on employees," April 5, 2007. 
Group Health Cooperative March 2007 patients and 31,000 names, addresses, SSNs, group health "Pacific Northwest," Seattle Times, Health Care System employees numbers March 27, 2007, p. B3. (Seattle, WA) - two laptops missing Westerly Hospital (Westerly, March 2007 patients 2,242 names, SSNs, insurance information Armental, Maria, " Data breach at RI) - patients' confidential Westerly Hospital," Providence Journal information posted on public (Rhode Island), March 2, 2007. website CRS-71 Date Who Was Type of Data Healthcare Incidents Number Affected Source(s) Publicized Affected Released/Compromised Wellpoint, Inc (IN-based March 2007 members of its 75,000 names, SSNs, health plan Freudenheim, Milt, "Medical Data on health insurer) - lost compact Empire Blue identification numbers, descriptions Empire Blue Cross Members May Be disk Cross and Blue of medical services back to 2003 Lost," New York Times, March 14, 2007. Shield unit in and Note: Company found the CD New York Gaudin, Sharon, " WellPoint Finds less than a week later. Missing CD With Data On 75,000 WellPoint did not release any People," Information Week, March 15, information on where the disk 2007, at was found. [http://www.informationweek.com/story /showArticle.jhtml?articleID=19800110 5&cid=RSSfeed_IWK_News]. Seton Family of Hospitals February patients who 7,800 SSNs, dates of birth, insurance Gaudin, Sharon, " Hospital Laptop (Austin, TX) - stolen laptop 2007 sought care as program numbers Stolen; Info On 7,800 Patients At Risk," part of an Information Week, February 26, 2007, at outpatient or [http://www.informationweek.com/story clinic visit since /showArticle.jhtml?articleID=19700871 July 1, 2005 1&cid=RSSfeed_IWK_News]. 
Johns Hopkins University February new Johns 52,000 university information on the university payroll Johns Hopkins Institutions press release, (JHU) and Johns Hopkins 2007 Hopkins Hospital employees and tapes included Social Security "Identity Alert: A Joint Statement from Hospital (Baltimore, MD) - patients first seen 83,000 hospital numbers and, in some cases, bank The Johns Hopkins University and eight backup tapes containing between July 4 patients account information for present and The Johns Hopkins Hospital, " February personal information on JHU and Dec. 18, 2006 former employees; information on 7, 2007, at employees lost; one backup hospital patients included names and [http://www.jhu.edu/identityalert/release tape containing information dates of birth s/statement.html]. on JH hospital patients lost CRS-72 Date Who Was Type of Data Healthcare Incidents Number Affected Source(s) Publicized Affected Released/Compromised Gulf Coast Medical Center February patients, 1,900 individuals names, SSNs Vavala, Donna, "Laptop thefts cause (Nashville, TN & Tallahassee, 2007 employees and were affected by a alarm: Devices contained hospital FL) - two computers missing former employees theft in Nashville, patient, employee information; no ID in two separate incidents TN in November thefts reported," News Herald (Panama and 8,000 when City, Florida), March 1, 2007. another computer was stolen in Tallahassee St. Mary's Hospital February former and 130,000 names, SSNs, dates of birth O'Brien, Dennis, " Second Hospital (Leonardtown, MD) - stolen 2007 current hospital Reports Lost Data. St. Mary's Notifies laptop patients 130,000, Days after Hopkins' Notice; Second Md. Hospital Reports Loss of Patients' Data," Baltimore Sun, February 13, 2007, p. A1. 
Wellpoint/Anthem Blue Cross February Anthem members 196,000 names, SSNs Howington, Patrick, "Cassette tapes Blue Shield - cassette tapes 2007 in Kentucky, containing customer information were stolen from a lock box held by Indiana, Ohio and stolen from a lock box held by one of its vendor Concentra Preferred Virginia vendors,"Courier-Journal (Louisville, Systems Kentucky), February 15, 2007. Ohio Board of Nursing - January newly licensed 3,031 names, SSNs Hoholik, Suzanne, "Error puts nurses' website posted names and 2007 nurses personal data online," Columbus SSNs of nurses twice in one Dispatch (OH), January 25, 2007. month CRS-73 Date Who Was Type of Data Healthcare Incidents Number Affected Source(s) Publicized Affected Released/Compromised Swedish Medical Center, October patients 1,100 names, dates of birth, SSNs Song, Kyung, "3 Swedish patients say Ballard Campus (Seattle, WA) 2006 IDs stolen at Ballard campus; worker - employee used patients' fired; Employee allegedly opened credit personal information to open cards; Hospital warns patients to watch credit card accounts for activity on their credit reports," Seattle Times, October 25, 2006, p. B4. Sisters of St. Francis Health October patients, 260,000 names, SSNs Lee, Daniel, "Lost and found: info on Services via Advanced 2006 employees, patients and 6,200 260,000 patients," Indianopolis Star, Receivables Strategy physicians and employees October 25, 2006. (Indianapolis, IN) - contractor Board members inadvertently left CDs containing confidential billing information in a new computer bag she purchased but later returned to a store Erlanger Health System September current and 4,150 names, SSNs Berry, Emily, "Erlanger loses computer (Chattanooga, TN) - missing 2006 former employees device, personnel data," Chattanooga data device Times/Free Press, September 24, 2006. 
Medco Health Solutions- March 2006 Ohio state 4,600 SSNs, birth dates Weiss, Todd R., "Vendor Waited Six stolen laptop employees and Weeks to Notify Ohio Officials of Data their dependents Breach," Computerworld, March 1, 2006, at [http://www.computerworld.com/printth is/2006/0,4814,109116,00.htm]. CRS-74 Date Who Was Type of Data Healthcare Incidents Number Affected Source(s) Publicized Affected Released/Compromised Children's Health Council, September patients, 5,000-6,000 psychiatric records, evaluations and Walsh, Diana, "Data Stolen from San Jose, California - stolen 2005 employees, and SSNs; also payroll data on hundreds Children's Psychiatric Center," San backup tape parents of patients of current and former employees and Francisco Chronicle, September 20, credit card information from parents 2005, p. B8. of patients San Jose Medical Group April former patients 185,000 names, addresses, SSNs, confidential Weiss, Todd, "Update: Stolen Management - desktop 2005 from last seven medical information Computers Contain Data on 185,000 computers stolen from locked years Patients," Computerworld, April 8, administrative office 2005, at [http://www.computerworld.com/databa setopics/data/story/0,10801,100961,00.h tml]. TriWest Healthcare Alliance - December military personnel 500,000 names, addresses, SSNs Gorman, Tom, "Reward Offered in theft of a database containing 2002 and their Huge Theft of Identity Data; Stolen names and SSNs dependents Computers Had Names, Social Security Numbers of 500,000 Military Families,"Los Angeles Times, January 1, 2003, p. 14. Source: The tables were prepared by CRS from publicly available and news media sources. Note: URLs are listed for exclusively online sources; other publications are identified by name and date. CRS-75 For Additional Reading CRS Report RS22374. Data Security: Federal and State Laws, by Gina Marie Stevens. CRS Report RL33273. Data Security: Federal Legislative Approaches, by Gina Marie Stevens. CRS Report RS22484. 
Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills, by Tara Alexandra Rainson. CRS Report RL33005. Information Brokers: Federal and State Laws, by Angie A. Welborn. CRS Report RL33612. Department of Veterans Affairs: Information Security and Information Technology Management Reorganization, by Sidath Viranga Panangala. CRS Report RL31919. Remedies Available to Victims of Identity Theft, by Gina Marie Stevens. CRS Report RS22082. Identity Theft: The Internet Connection (archived), by Marcia S. Smith. ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RL33199