A Chronology of Data Breaches

Posted April 20, 2005.
Updated December 6, 2006.

 


Search Our Site:
www.privacyrights.org/search.htm
Have a Question?

www.privacyrights.org/preinquiry.html
Web: www.privacyrights.org

    HOME
 

A Chronology of Data Breaches

The data breaches noted below have been reported because the  personal information compromised includes data elements useful to  identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included  the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure  under state laws.

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.

We usually update this list twice each week.

For tips on what to do if your personal information has been exposed due to a security breach, read our guide at www.privacyrights.org/fs/fs17b-securitybreach.htm .

The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches, the first of its kind in the nation, implemented July 2003.
www.privacyrights.org/ar/SecurityBreach.htm
www.privacy.ca.gov/recommendations/secbreach.pdf

This chronology below begins with ChoicePoint's 2/15/05 announcement of its data breaches because it was a watershed event in terms of disclosure to the affected individuals. Since then, the "best practice" has been to disclose breaches to individuals nationwide -- in a sense, adopting California's notice requirement nationally.

In the meantime, more than half the states have passed laws requiring  that individuals be notified of security breaches. For a list of states enacting security breach and freeze laws, visit the Consumers Union web site here:

Security breach notice laws: www.consumersunion.org/campaigns/Breach_laws_May05.pdf
Chart of security breach notice laws: www.perkinscoie.com/statebreachchart
Security freeze laws: www.consumersunion.org/campaigns//learn_more/003484indiv.html
State security freeze bills pending in 2006: www.consumersunion.org/campaigns//learn_more/002906indiv.html
And visit the PIRG site here: www.pirg.org/consumer/credit/statelaws.htm.

Congress is considering several bills this year in which security breach notices would be mandated nationwide. See http://thomas.loc.gov. See also EPIC's bill-track list, www.epic.org/privacy/bill_track.html.

Here are other sources for security breach information:

Attrition now provides an open source database of its data breach records, called the Data Loss Database - Open Source, or DLDOS. It is a flat comma-separated value file that can be imported into a database or spreadsheet program for your own data analysis. Visit attrition.org/dataloss/dataloss.csv .

Learn about security and privacy protection practices for your workplace. Read the BBB's guide, "Security & Privacy -- Made Simpler." www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf

See also the NIST Information Security Handbook, http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100.pdf . NIST is the National Institute of Standards and Technology.

  DATE MADE PUBLIC
NAME (Location)
TYPE OF BREACH
NUMBER
OF RECORDS
  Feb. 15, 2005
ChoicePoint
(Alpharetta, GA)
Bogus accounts established by ID thieves. The initial number of affected records was estimated at 145,000 but was later revised to 163,000.
Update (1/26/06): ChoicePoint settled with the Federal Trade Commission for $10 million in civil penalties and $5 million for consumer redress.
Update (12/06/06): The FTC announced that victims of identity theft as a result of the data breach who had out-of-pocket expenses can now be reimbursed. The claims deadline is Feb. 4, 2007.
163,000
  Feb. 25 , 2005
Bank of America
(Charlotte, NC)
Lost backup tape
1,200,000
  Feb. 25, 2005
PayMaxx
(Miramar, FL)
Exposed online
25,000
  March 8, 2005
DSW/Retail Ventures
(Columbus, OH)
Hacking
100,000
  March 10, 2005
LexisNexis
(Dayton, OH)
Passwords compromised
Update (06/30/06): Last week, five men were arrested in connection with this breach.
32,000
  March 11, 2005
Univ. of CA, Berkeley
(Berkeley, CA)
Stolen laptop
98,400
  March 11, 2005
Boston College
(Boston, MA)
Hacking
120,000
  March 12, 2005
NV Dept. of Motor Vehicle
Stolen computer, later recovered.
[8,900]
Not included
in total below
  March 20, 2005 Northwestern Univ.
(Evanston, IL)
Hacking 21,000
  March 20, 2005
Univ. of NV., Las Vegas
(Las Vegas, NV)
Hacking
5,000
  March 22, 2005
Calif. State Univ.
(Chico, CA)
Hacking
59,000
  March 23, 2005
Univ. of CA.
(San Francisco, CA)
Hacking
7,000
  March 28, 2005 Univ. of Chicago Hospital
(Chicago, IL)
Dishonest insider Unknown
  April ?, 2005 Georgia DMV Dishonest insider 465,000
  April 5, 2005 MCI
(Ashburn, VA)
Stolen laptop 16,500
  April 8, 2005 Eastern National Hacker 15,000
  April 8, 2005
San Jose Med. Group
(San Jose, CA)
Stolen computer
185,000
  April 11, 2005
Tufts University
(Boston, MA)
Hacking
106,000
  April 12, 2005
LexisNexis
(Dayton, OH)
Passwords compromised
Update (06/30/06): Last week, five men were arrested in connection with this breach.
Additional
280,000
  April 14, 2005
Polo Ralph Lauren/HSBC
(New York, NY)
Hacking
180,000
  April 14, 2005 Calif. Fastrack Dishonest Insider 4,500
  April 15, 2005 CA Dept. of Health Services Stolen laptop 21,600
  April 18, 2005
DSW/ Retail Ventures
(Columbus, OH)
Hacking
Additional
1,300,000
  April 20, 2005
Ameritrade
(Bellevue, NE)
Lost backup tape
200,000
  April 21, 2005 Carnegie Mellon Univ.
(Pittsburg, PA)
Hacking 19,000
  April 26, 2005 Mich. State Univ's Wharton Center Hacking 40,000
  April 26, 2005 Christus St. Joseph's Hospital
(Houston, TX)
Stolen computer 19,000
  April 28, 2005 Georgia Southern Univ. Hacking "tens of
thousands"
  April 28, 2005 Wachovia,
Bank of America,
PNC Financial Services Group and
Commerce Bancorp
Dishonest insiders 676,000
  April 29, 2005 Oklahoma State Univ. Missing laptop 37,000
  May 2, 2005 Time Warner
(New York, NY)
Lost backup tapes 600,000
  May 4, 2005 CO. Health Dept. Stolen laptop 1,600
(families)
  May 5, 2005 Purdue Univ.
(West Lafayette, IN)
Hacking 11,360
  May 7, 2005 Dept. of Justice
(Washington, D.C.)
Stolen laptop 80,000
  May 11, 2005 Stanford Univ.
(Stanford, CA)
Hacking 9,900
  May 12, 2005 Hinsdale Central High School
(Hinsdale, IL)
Hacking 2,400
  May 16, 2005 Westborough Bank
(Westborough, MA)
Dishonest insider 750
  May 18, 2005 Jackson Comm. College
(MI)
Hacking 8,000
  May 18, 2005 Univ. of Iowa Hacking 30,000
  May 19, 2005 Valdosta State Univ.
(GA)
Hacking 40,000
  May 26, 2005 Duke Univ.
(Durham, NC)
Hacking 5,500
  May 27, 2005 Cleveland State Univ.
(Cleveland, OH).
Stolen laptop
Update (12/24): CSU found the stolen laptop
[44,420]
Not included
in total below
  May 28, 2005 Merlin Data Services
(Kalispell, MT)
Bogus acct. set up 9,000
  May 30, 2005 Motorola Computers stolen Unknown
  June 6, 2005 CitiFinancial Lost backup tapes 3,900,000
  June 10, 2005 Fed. Deposit Insurance Corp. (FDIC) Not disclosed 6,000
  June 16, 2005
CardSystems Hacking 40,000,000
  June 17, 2005 Kent State Univ. Stolen laptop 1,400
  June 18, 2005 Univ. of Hawaii Dishonest Insider 150,000
  June 22, 2005 Eastman Kodak Stolen laptop 5,800
  June 22, 2005 East Carolina Univ. Hacking 250
  June 25, 2005 Univ. of CT (UCONN) Hacking 72,000
  June 28, 2005 Lucas Cty. Children Services (OH) Exposed by email 900
  June 29, 2005 Bank of America Stolen laptop 18,000
  June 30, 2005 Ohio State Univ. Med. Ctr. Stolen laptop 15,000
  July 1, 2005 Univ. of CA, San Diego Hacking 3,300
  July 6, 2005 City National Bank Lost backup tapes Unknown
  July 7, 2005 Mich. State Univ. Hacking 27,000
  July 19, 2005 Univ. of Southern Calif. (USC) Hacking 270,000
possibly accessed; "dozens"exposed
  July 21, 2005 Univ. of Colorado-Boulder Hacking 42,000
  July 30, 2005 San Diego Co. Employees Retirement Assoc. Hacking 33,000
  July 30, 2005 Calif. State Univ., Dominguez Hills Hacking 9,613
  July 31, 2005 Cal Poly-Pomona Hacking 31,077
  Aug. 2, 2005 Univ. of Colorado Hacking 36,000
  Aug. 9, 2005 Sonoma State Univ. Hacking 61,709
  Aug. 9, 2005 Univ. of Utah Hacking 100,000
  Aug. 10, 2005 Univ. of North Texas Hacking 39,000
  Aug. 17, 2005 Calif. State University, Stanislaus Hacking 900
  Aug. 19, 2005 Univ. of Colorado Hacking 49,000
  Aug. 22, 2005 Air Force Hacking 33,300
  Aug. 27, 2005 Univ. of Florida, Health Sciences Center/ChartOne Stolen Laptop 3,851
  Aug. 30, 2005 J.P. Morgan, Dallas Stolen Laptop Unknown
  Aug. 30, 2005 Calif. State University, Chancellor's Office Hacking 154
  Sept. 2, 2006 Iowa Student Loan
(W. Des Moines)
Compact disk containing personal information, including SSNs, was lost when shipped by private courier. 165,000
  Sept. 10, 2005 Kent State Univ. Stolen computers 100,000
  Sept. 15, 2005 Miami Univ. Exposed online 21,762
  Sept. 16, 2005 ChoicePoint 
(2nd notice, see 2/15/05)
(Alpharetta, GA)

ID thieves accessed; also misuse of IDs & passwords.

[Total later revised to 163,000 -- see 2/15/05 above]
  Sept. 17, 2005 North Fork Bank, NY Stolen laptop (7/24/05) with mortgage data 9,000
  Sept. 19, 2005 Children's Health Council, San Jose CA Stolen backup tape 5,000 - 6,000
  Sept. 22, 2005 City University of New York Exposed online 350
 

Sept. 23,
2005

Bank of America Stolen laptop with info of Visa Buxx users (debit cards) Not disclosed
  Sept. 28, 2005 RBC Dain Rauscher Illegitimate access to customer data by former employee 100+ customers' records compromised out of 300,000
  Sept. 29, 2005 Univ. of Georgia Hacking At least 1,600
  Oct. 12, 2005 Ohio State Univ. Medical Center Exposed online. Appointment information including SSN, DOB, address, phone no., medical no., appointment reason, physician.

2,800

 

  Oct. 15, 2005 Montclair State Univ. Exposed online 9,100
  Oct. 21, 2005 Wilcox Memorial Hospital, Hawaii Lost backup tape 130,000
  Nov. 1, 2005 Univ. of Tenn. Medical Center Stolen laptop 3,800
  Nov. 4, 2005 Keck School of Medicine, USC Stolen computer 50,000
  Nov. 5, 2005 Safeway, Hawaii Stolen laptop 1,400 in Hawaii, perhaps more elsewhere
  Nov. 8, 2005 ChoicePoint
(Alpharetta, GA)
Bogus accounts established by ID thieves. Total affected now reaches 163,000
(See Feb. 15 & Sept. 16)
[Total later revised to 163,000 -- see 2/15/05 above]
  Nov. 9, 2005 TransUnion Stolen computer 3,623
  Nov. 11, 2005 Georgia Tech
Ofc. of Enrollment Services
Stolen computer,
Theft 10/16/05
13,000
  Nov. 11, 2005 Scottrade Troy Group Hacking Unknown
  Nov. 19, 2005 Boeing Stolen laptop with HR data incl. SSNs and bank account info.
161,000
  Dec. 1, 2005 Firstrust Bank Stolen laptop 100,000
  Dec. 1, 2005 Univ. of San Diego
(San Diego, CA)
Hacking. Faculty, students and employee tax forms containing SSNs 7,800
  Dec. 2, 2005 Cornell Univ. Hacking. Names, addresses, SSNs, bank names and acct. numbers. 900
  Dec. 6, 2005 WA Employment Security Dept. Stolen laptop. Names, SSNs and earnings of former employees. 530
  Dec. 12, 2005 Sam's Club/Wal-Mart Exposed credit card data at gas stations. Unknown
  Dec. 16, 2005 La Salle Bank, ABN AMRO Mortgage Group
Backup tape with residential mortgage customers lost in shipment by DHL, containing SSNs and account information.
Update (12/20): DHL found the lost tape.
[2,000,000]
Not included in total below.
  Dec. 16, 2005 Colorado Tech. Univ. Email erroneously sent containing names, phone numbers, email addresses, Social Security numbers and
class schedules.
1,200
  Dec. 20, 2005 Guidance Software, Inc. Hacking. Customer credit card numbers 3,800
  Dec. 22, 2005 Ford Motor Co. Stolen computer. Names and SSNs of current and former employees. 70,000
  Dec. 25, 2005 Iowa State Univ. Hacking. Credit card information and Social Security numbers. 5,500
  Dec. 28, 2005 Marriot International Lost backup tape. SSNs, credit card data of time-share owners 206,000
  Late Dec. Ameriprise Stolen laptop containing names and Social Security numbers and in some cases, Ameriprise account information. Unknown
  2005
[Exact Date Unknown]
Dept. of Veterans Affairs
(Washington, D.C.)
A laptop being stored in the trunk of a car was stolen in Minneapolis, Minnesota. 2 people later reported identity fraud problems. 66
  2006 NAME
(Location)
TYPE OF BREACH NUMBER OF RECORDS
  Jan. 1, 2006 University of Pittsburgh Medical Center, Squirrel Hill Family Medicine 6 Stolen computers. Names, Social Security numbers, birthdates 700
  Jan. 2, 2006 H&R Block SSNs exposed in 40-digit number string on mailing label Unknown
  Jan. 9, 2006 Atlantis Hotel - Kerzner Int'l Dishonest insider or hacking. Names, addresses, credit card details, Social Security numbers, driver's licence numbers and/or bank account data. 55,000
  Jan. 12, 2006 People's Bank Lost computer tape containing names, addresses, Social Security numbers, and checking account numbers. 90,000
  Jan. 17, 2006 City of San Diego, Water & Sewer Dept.
(San Diego, CA)
Dishonest employee accessed customer account files, including SSNs, and committed identity theft on some individuals. Unknown
  Jan. 20, 2006 Univ. Place Conference Center & Hotel, Indiana Univ. Hacking. Reservation information including credit card account number compromised. Unknown
  Jan. 21, 2006 California Army National Guard Stolen briefcase with personal information of National Guardsmen including a "seniority roster," Social Security numbers and dates of birth. "hundreds of officers"
  Jan. 23, 2006 Univ. of Notre Dame Hackers accessed Social Security numbers, credit card information and check images of school donors. Unknown
  Jan. 24, 2006 Univ. of WA Medical Center Stolen laptops containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data. 1,600
  Jan. 25, 2006 Providence Home Services
(Portland, OR)
Stolen backup tapes and disks containing Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen.
Update:  (9/26/06)
Providence Health System and the Oregon Attorney General have filed a settlement agreement.  Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach.  The company must also enhance its security programs.
365,000
  Jan. 27, 2006 State of RI web site (www.RI.gov) Hackers obtained credit card information in conjunction with names and addresses.
4,117
  Jan. 31, 2006 Boston Globe and The Worcester Telegram & Gazette Inadvertently exposed. Credit and debit card information along with routing information for personal checks printed on recycled paper used in wrapping newspaper bundles for distribution. 240,000 potentially exposed
  Feb. 1, 2006 Blue Cross and Blue Shield of North Carolina Inadvertently exposed. SSNs of members printed on the mailing labels of envelopes with information about a new insurance plan. 600
  Feb. 4, 2006 FedEx Inadvertently exposed. W-2 forms included other workers' tax information such as SSNs and salaries. 8,500
  Feb. 9, 2006 Unknown retail merchants, apparently OfficeMax and perhaps others. Hacking. Debit card accounts exposed involving bank and credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo).
[3/13/06 Crime ring arrested.]
200,000, although total number is unknown.
  Feb. 9, 2006 Honeywell International Exposed online. Personal information of current and former employees including Social Security numbers and bank account information posted on an Internet Web site. 19,000
  Feb. 13, 2006 Ernst & Young
(UK)
Laptop stolen from employee's car with customers' personal information including Social Security numbers. 38,000 BP employees in addition to Sun, Cisco and IBM employees.
  Feb. 15, 2006 Dept. of Agriculture Inadvertently exposed Social Security and tax identification numbers in FOIA request. 350,000
  Feb. 15, 2006 Old Dominion Univ. Exposed online. Instructor posted a class roster containing names and Social Security numbers to a web site. 601
  Feb. 16, 2006 Blue Cross and Blue Shield of Florida Contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies. 27,000
  Feb. 17, 2006 Calif. Dept. of Corrections, Pelican Bay
(Sacramento, CA)
Inmates gained access to files containing employees' Social Security numbers, birth dates and pension account information stored in warehouse. Unknown
  Feb. 17, 2006 Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen)
(Lewiston, NY)
Two laptops containing date of birth, address and Social Security numbers of patients was stolen in an armed robbery in the New Jersey. 17,000
  Feb. 18, 2006 Univ. of Northern Iowa Hacking. Laptop computer holding W-2 forms of student employees and faculty was illegally accessed. 6,000
  Feb. 23, 2006 Deloitte & Touche (McAfee employee information) External auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former McAfee employees. 9,290
  Mar. 1, 2006 Medco Health Solutions
(Columbus, OH)
Stolen laptop containing Social Security numbers for State of Ohio employees and their dependents, as well as their birth dates and, in some cases, prescription drug histories. 4,600
  Mar. 1, 2006 OH Secretary of State's Office SSNs, dates of birth, and other personal data of citizens routinely posted on a State web site as part of standard business practice. Unknown
  Mar. 2, 2006 Olympic Funding
(Chicago, IL)
3 hard drives containing clients names, Social Security numbers, addresses and phone numbers stolen during break in. Unknown
  Mar. 2, 2006 Los Angeles Cty. Dept. of Social Services
(Los Angeles, CA)
File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended and unshredded. [Potentially 2,000,000, but number unknown]
Not included in number below.
  Mar. 2, 2006 Hamilton County Clerk of Courts
(OH)
SSNs, other personal data of residents posted on county Web site, were stolen and used to commit identity theft.
Update (9/28/06): An identity thief was sentenced to 13 years in prison for the crimes. She stole 100 identities and nearly $500,000. The Web site now blocks access to court documents containing personal information.
[1,300,000]
Not included in number below.
  Mar. 3, 2006 Metropolitan State College
(Denver, CO)
Stolen laptop containing names and Social Security numbers of students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester. 93,000
  Mar. 5, 2006 Georgetown Univ.
(Washington, D.C.)
Hacking. Personal information including names, birthdates and Social Security numbers of District seniors served by the Office on Aging. 41,000
  Mar. 8, 2006 Verizon Communications
(New York, NY)
2 stolen laptops containing employees' personal information including Social Security numbers. "Significant number"
  Mar. 8, 2006 iBill
(Deerfield Beach, FL)
Dishonest insider or possibly malicious software linked to iBill used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, logins and passwords, credit card types and purchase amount online. Credit card account numbers, expiration dates, security codes, and SSNs were NOT included, but in our opinion the affected individuals could be vulnerable to social engineering to obtain such information. [17,781,462]
Not included in total below.
  Mar. 11, 2006 CA Dept. of Consumer Affairs (DCA)
(Sacramento, CA)
Mail theft. Applications of DCA licensees or prospective licensees for CA state boards and commissions were stolen. The forms include full or partial Social Security numbers, driver's license numbers, and potentially payment checks.
"A small number"
  Mar. 14, 2006 General Motors
(Detroit, MI)
Dishonest insider keep Social Security numbers of co-workers to perpetrate identity theft. 100
  Mar. 14
2006
Buffalo Bisons and Choice One Online
(Buffalo, NY)
Hacker accessed sensitive financial information including credit card numbers names, passwords of customers who ordered items online. Unknown
  Mar. 15,
2006
Ernst & Young
(UK)
Laptop lost containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees exposed. Unknown
  Mar. 16,
2006
Bananas.com
(San Rafael, CA)

Hacker accessed names, addresses, phone numbers and credit card numbers of customers.

274
  Mar. 23,
2006
Fidelity Investments
(Boston, MA)
Stolen laptop containing names, addresses, birth dates, Social Security numbers and other information of 196,000 Hewlett Packard, Compaq and DEC retirement account customers was stolen. 196,000
  Mar. 24,
2006
CA State Employment Development Division
(Sacramento, CA)
Computer glitch sends state Employment Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft. 64,000
  Mar. 24,
2006
Vermont State Colleges (VT) Laptop stolen containing Social Security numbers and payroll data of students, faculty and staff associated with the five-college system from as long ago as 2000. 14,000
  Mar. 30,
2006
Marines
(Monterey, CA)
Portable drive lost that contains personal information used for research on re-enlistment bonuses. 207,750
 

Mar. 30,
2006

Georgia Technology Authority
(Atlanta, GA)
Hacker exploited security flaw to gain access to confidential information including Social Security numbers and bank-account details of state pensioners. 573,000
  Mar. 30,
2006
Conn. Technical High School System
(Middletown, CT)
Social Security numbers of students and faculty mistakenly distributed via email. 1,250
  April 1, 2006 Con Edison
(New York)
Con Edison shipped 2 cartridge tapes to JPMorgan Chase in upstate Binghamton so it could input data on behalf of the NY Dept. of Taxation and Finance. One tape was apparently lost containing employees' W-2 data, including names, addresses, SSNs, taxes paid and salaries. 15,000 Con Edison employees
  April 6,
2006
Progressive Casualty Insurance
(Mayfield Village, OH)
Dishonest insider accessed confidential information, including names, Social Security numbers, birth dates and property addresses on foreclosure properties she was interested in buying. 13
  April 7,
2006
DiscountDomain
Registry.com
(Brooklyn, NY)
Exposed online. Domain registrants' personal information including usernames, passwords and credit card numbers were accessible online. "thousands of domain name registrations"
  April 9,
2006
University of Medicine and Dentistry of New Jersey
(Newark, NJ)
Hackers accessed Social Security numbers, loan information, and other confidential financial information of students and alumni. 1,850
  April 12,
2006
Ross-Simons
(Providence, RI)
Security breach exposed account and personal information of those who applied for its private label credit card. Information exposed includes private label credit card numbers and other personal information of applicants. Unknown
  April 14,
2006
Univ. of South Carolina
(Columbia, SC)
Social Security numbers of students were mistakenly e-mailed to classmates. 1,400
  April 15, 2006 Scott County, IA The Social Security numbers of people who obtained mortgages in the early 1990s are visible in documents posted on the county's website. The county will redact the information at the individuals' request. Unknown
  April 21,
2006
University of Alaska, Fairbanks
(Fairbanks, AK)
Hacker accessed names, Social Security numbers and partial e-mail addresses of current and former students, faculty and staff. 38,941
  April 21,
2006
Ohio University
Innovation Center
(Athens, OH)
a server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised. Unknown
  April 24,
2006
University of Texas' McCombs School of Business
(Austin, TX)
Hackers accessed records containing names, biographical information and, in some cases, Social Security numbers and dates of birth of current and prospective students, alumni, faculty members, corporate recruiters and staff members. 197,000
  April 24,
2006
Ohio University
(Athens, OH)
Hackers accessed a computer system of the school's alumni relations department that included biographical information and 137,000 Social Security numbers of alum. 300,000
  April 26,
2006
Purdue University
(West Lafayette, IN)
Hacker accessed personal information including Social Security numbers of current and former graduate students, applicants to graduate school, and a small number of applicants for undergraduate scholarships. 1,351
  April 26,
2006
Aetna -- health insurance records for employees of 2 members, including Omni Hotels and the Dept. of Defense NAF
(Hartford, CT)
Laptop containing personal information including names, addresses and Social Security numbers of Dept. of Defense (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car. 38,000
  April 27,
2006
MasterCard
(Potentially UK only)
Though MasterCard refused to say how the breach occurred, fraudsters stole the credit card details of holders in a major security breach. [2,000]
Not included in total below.
  April 27,
2006
Long Island Rail
Road
(Jamaica, NY)
Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of "virtually everyone" who worked for the agency was lost by delivery contractor Iron Mountain while enroute. Data tapes belonging to the U.S. Department of Veterans Affairs may also have been affected. 17,000
  April 28,
2006
Ohio's Secretary of State
(Cleveland, OH)
The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained SSNs, which were not supposed to have been included on the CDs.
Update (9/15/06): A news report said that some SSNs still remain on the agency's Web site.
"Potentially millions of registered voters"
  April 28,
2006
Dept. of Defense
(Washington, DC)
Hacker accessed a Tricare
Management Activity (TMA) public server containing personal information about military employees.
Unknown
  May 2,
2006
Georgia State Government
(Atlanta, GA)
Government surplus computers that sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens. Unknown
  May 4,
2006
Idaho Power Co.
(Boise, ID)
Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO. Unknown
  May 4,
2006
Ohio University
Hudson Health Center
(Athens, OH)
Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students. 60,000
  May 2006 Ohio University
(Athens, OH)
A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar years 2004 and 2005. 2,480
  May 2006 Ohio University
(Athens, OH)
A breach of a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration. Unknown
  May 5,
2006
Dept. of Veteran Affairs
(Washington, D.C.)
A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S. veterans and included veterans' Social Security numbers, dates of birth and legal documents.
Update (10/11/06):
The VA's Office of the General Counsel is offering identity theft protection services to those affected by the missing tape.
16,500
  May 5,
2006
Wells Fargo
(San Francisco, CA)
Computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another. Unknown
  May 12,
2006
Mercantile Potomac Bank
(Gaithersburg, MD)
Laptop containing confidential information about customers, including Social Security numbers and account numbers was stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates. 48,000
  May 19,
2006
American Institute of Certified Public Accountants (AICPA)
(New York, NY)
An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company.
330,000
[Updated 6/16/06]
  May 19,
2006
Unknown retail merchant Visa, MasterCard, and other debit and credit card numbers from banks across the country were stolen when a national retailer's database was breached. No names, Social Security numbers or other personal identification were taken. Unknown
  May 22,
2006
Dept. of Veterans Affairs
(Washington, DC)
(800) 827-1000
On May 3, data of all American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 milliion veterans. The data did not contain medical or financial information, but may have disability numerical rankings.
Update: An additional 2.1 million active and reserve service members were added to the total number of affected individuals June 1st.
Update (6/29/06): The stolen laptop computer and the external hard drive were recovered.
Update (7/14/06): FBI claims no data had been taken from stolen computer.
Update (8/5/06): Two teens were arrested in the theft of the laptop.
Update (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for "patterns of misuse."
28,600,000
  May 23,
2006
Univ. of Delaware
(Newark, DE)
Security breach of a Department of Public Safety computer server potentialy exposes names, Social Security numbers and driver's license numbers. 1,076
  May 23,
2006
M&T Bank
(Buffalo, NY)
Laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio Architect accounts was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name. Unknown
  May 23, 2006 Butler Co. Dept. of Mental Retardation & Developmental Disabilities
(Cincinatti, OH)
Three laptop computers were stolen "last month" from the agency's office. They contained personal information on mental health clients, including SSNs. 100 clients
  May 23, 2006 Mortgage Lenders Network USA
(Middletown, CT)
A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information if the company didn't pay him. He stole the files over the 16 months he worked there. Unknown
  May 24,
2006
Sacred Heart Univ.
(Fairfield, CT)
It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached. Unknown
  May 24,
2006
American Red Cross, St. Louis Chapter
(St. Louis,
Dishonest employee had access to Social Security numbers of donors to call urging them to give blood again. The employee misused the persoal information of at least 3 people to perpetrate identity theft and had access to the personal information of 1 million donors. 1,000,000
  May 25, 2006 Vystar Credit Union
(Jacksonville, FL)
Hacker gained access to member accounts "a few weeks ago" and stole personal information including names, addresses, birth dates, mother's maiden names, SSNs and/or email addresses. Approx. 34,400
("less than 10% of its 344,000 members")
  May 30,
2006
Texas Guaranteed Student Loan Corp.
(Round Rock, TX)
via subcontractor, Hummingbird
(Toronto, Canada)
Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.
Update (6/16/06): TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million.
1,300,000
plus 400,000
for total of 1,700,000
  May 30,
2006
Florida Int'l Univ.
(Miami, FL)
Hacker accessed a database that contained personal information, such as student and applicant names and Social Security numbers. "thousands"
  May 31, 2006 Humana
(Louisville, KY)
On May 5, 2006, Medicare drug benefit applications were stolen from an insurance agent's unlocked car in Brooklyn Park, MN. Information included applicants' name, address, date of birth, Social Security number, and bank routing information. 268 Minnesota and North Dakota applicants
  June 1,
2006
Miami University
(Oxford, OH)
An employee lost a hand-held personal computer containing personal information of students who were enrolled between July 2001 and May 2006. 851
  June 1,
2006
Ernst & Young
(UK)
A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an employee's car in Texas. 243,000
  June 1,
2006
Univ. of Kentucky
(Lexington, KY)
Personal information of current and former University of Kentucky employees including Social Security numbers was inadvertently accessible online for 19 days last month. 1,300
  June 2,
2006
Buckeye Community Health Plan
(Columbus, OH)
Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider. 72,000
  June 2,
2006
Ahold USA
(Landover, MD)
Parent company of Stop & Shop, Giant stores and Tops stores via subcontractor Electronic Data Systems
(Plano, TX)
An EDS employee lost a laptop computer during a commercial flight that contained pension data of former employees of Ahold's supermarket chains including Social Security numbers, birth dates and benefit amounts. Unknown
  June 2,
2006
YMCA
(Providence, RI)
Laptop computer containing personal information of members was stolen. The information included credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies. 65,000
  June 2,
2006
Humana
(Louisville, KY)
Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file. 17,000 current and former Medicare enrollees
  June 5,
2006
Internal Revenue Service
(Washington, DC)
A laptop computer containing personal information of employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth, was lost during transit on an airline flight 291
  June 6,
2006
Univ. of Texas
(El Paso, TX)
Students demonstrated that student body and faculty elections could be rigged by hacking into student information including Social Security numbers. 4,719
  June 8,
2006
Univ. of Michigan Credit Union
(Ann Arbor, MI)
Paper documents containing personal information of credit union members were stolen from a storage rooms. The documents were supposed to have been digitally imaged and then shredded. Instead, they were stolen and used to perpetrate identity theft. 5,000
  June 11,
2006
Denver Election Commission
(Denver, CO)
Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information. 150,000
  June 12,
2006
U.S. Dept. of Energy
(Washington, D.C.)
Names, Social Security numbers, security clearance levels and place of employment for mostly contract employees who worked for National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer system at a service center in Albuquerque, N.M. eight months ago.
1,502
  June 13,
2006
Minn. State Auditor
(St. Paul, MN)
Three laptops possibly containing Social Security numbers of employees and recipients of housing and welfare benefits along with other personal information of local governments the auditor oversees have gone missing. 493
  June 13,
2006
Oregon Dept. of Revenue
(Salem, OR)
Electronic files containing personal data of Oregon taxpayers may have been compromised by an ex-employee's downloaded a contaminated file from a porn site. The "trojan" attached to the file may have sent taxpayer information back to the source when the computer was turned on. 2,200
  June 13,
2006
U.S. Dept of Energy, Hanford Nucear Reservation
(Richland, WA)
Current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation. 4,000
  June 14,
2006
American Insurance Group (AIG), Midwest Office
(New York, NY)
The computer server was stolen on March 31 containing personal information including names, Social Security numbers and tens of thousands of medical records. 930,000
  June 14,
2006
Western Illinios Univ.
(Macomb, IL)
On June 5th, a hacker compromised a University server that contained names, addresses, credit card numbers and Social Security numbers of people connected to the University.
Update (7/5/06): Number affected reduced from 240,000.
180,000
  June 16,
2006
Union Pacific
(Omaha, NE)
On April 29th, an employee's laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers.
30,000
  June 16,
2006
NY State Controller's Office
(Albany, NY)
State controller data cartridge containing payroll data of employees who work for a variety of state agencies was lost during shipment. The data contained names, salaries, Social Security numbers and home addresses. 1,300
  June 16,
2006
ING
(Miami, FL)

Two ING laptops that carried sensitive data affecting of Jackson Health System hospital workers were stolen in December 2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life insurance enrollment drive in December and included names, birth dates and Social Security numbers.

8,500
  June 16,
2006
Univ. of Kentucky
(Lexington, KY)
The personal data of current and former students including classroom rosters names, grades and Social Security numbers was reported stolen on May 26 following the theft of a professor's flash drive.. 6,500
  June 17,
2006
ING
(Washington, D.C.)
Laptop stolen from employee's home containing retirement plan information including Social Security numbers of D.C. city employees. 13,000
  June 17,
2006
Automatic Data Processing (ADP)
(Roseland, NJ)
Personal and payroll information of workers were intended to be faxed between ADP offices and were mistakenly sent to a third party. 80
  June 17,
2006
CA Dept. of Health Services (CDHS)
(Sacramento, CA)

CDHS documents were inappropriately emptied from an employee's cubicle on June 5 and 9 rather than shredded.
The documents contained state employees and other individuals applying for employment with the state including names, addresses, Social Security numbers and home and work telephone numbers. They were mostly expired state employment certification lists, but also included requests for personnel action, copies of e-mail messages and handwritten notes.

1,550
  June 20,
2006
Equifax
(Atlanta, GA)
On May 29, a company laptop containing employee names and partial and full Social Security numbers was stolen from an employee. 2,500
  June 20,
2006
Univ. of Alabama
(Birmingham, AL)
In February a computer was stolen from a locked office of the kidney transplant program at the University of Alabama at Birmingham that contained confidential information of donors, organ recipients and potential recipients including names, Social Security numbers and medical information.
9,800
  June 21,
2006
U.S. Dept. of Agriculture (USDA)
(Washington, D.C.)
During the first week in June, a hacker broke into the Department's computer system and may have obtained names, Social Security numbers and photos of current and former employees and contractors. 26,000
  June 21, 2006 Cape Fear Valley Health System
(Fayetteville, NC)
Portable computer containing personal information of more than 24,000 people was stolen from ambulance of Cumberland Co. Emergency Medical Services on June 8th. It contained information on people treated by the EMS, including names, addresses, and birthdates, plus SSNs of 84% of those listed. 24,350
  June 21, 2006
(Date of letter sent to doctors. Date of news story is July 28, 2006)
Lancaster General Hospital
(Lancaster, PA)
A desktop computer with personal information of hundreds of doctors was stolen from a locked office June 10. The unencrypted data included names, practice addresses, and SSNS of physicians on medical and dental staff. "Hundreds of local physicians" (not included in total below)
  June 22,
2006
Federal Trade Commission (FTC)
(Washington, D.C.)
Two laptop computers containing personal and financial data were stolen from an employee's vehicle. The data included names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers gathered in law enforcement investigations. 110
  June 23,
2006
San Francisco State Univ.
(San Francisco, CA)
a faculty member's laptop was stolen from a car on June 1 that contained personal information of former and current students including Social Security numbers, and names and ins some instance, phone numbers and grade point averages. 3,000
  June 23,
2006
U.S. Navy
(Washington, D.C.)
Navy personnel were notified on June 22 that a civilian web site contained files with personal information of Navy members and dependents including names, birth dates and Social Security numbers. 30,000
  June 23,
2006
CA Dept. of Health Services (CDHS)
(Sacramento, CA)

On June 12, a box of Medi-Cal forms from December 2005 were found in the cubicle of a CDHS employee. The claim forms contained the names, addresses, Social Security numbers and prescriptions for beneficiaries or their family members.

323
  June 23,
2006
Catawba County Schools
(Newton, NC)

On June 22, it was discovered that a web site posted names, Social Security numbers, and test scores of students who had taken a keyboarding and computer applications placement test during the 2001-02 school year.
Update: The web site containing the data has been removed.

619
  June 23,
2006
King County Records, Elections, and Licensing Services Division
(Seattle, WA)
Social Security numbers for potentially thousands of current and former county residents may be exposed on the agency's web site. Residents can request that the image of any document that contains a Social Security number, Mother's Maiden Name or Drivers License be removed. Officials state that they are unable to alter original public documents and cannot choose to not record documents presented for recording. 
Unknown
  June 27,
2006
Gov't Accountability Office (GAO)
(Washington, D.C.)
Data from audit reports on Defense Department travel vouchers from the 1970s were inadvertently posted online and included some service members' names, Social Security numbers and addresses. The agency has subsequently removed the information. "Fewer than 1,000"
[1,000 used in total]
  June 28,
2006
AAAAA Rent-A-Space
(Colma, CA)
Customer's account information including name, address, credit card, and Social Security number was easily accessible due to a security gap in its online payment system. 13,000
  June 29,
2006
AllState Insurance
Huntsville branch
(Huntsville, AL)
Over Memorial Day weekend, a computer containing personal data including images of insurance policies, correspondence and Social Security numbers was stolen. 2,700
  June 29,
2006
Nebraska Treasurer's Office
(Lincoln, NE)
A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information such as tax identification numbers for 9,000 businesses. 309,000
  June 29, 2006 Minnesota Dept. of Revenue
(St. Paul, MN)
On May 16, a package containing a data tape used to back up the regional office's computers went missing during delivery. The tape contained personal information including individuals' names, addresses, and Social Security numbers.
Update (7/20/06): The package was reported delivered 2 months later, but apparently had been temporarily lost by the U.S. Postal Service.
50,400
  June 30, 2006

Nat'l Institutes of Health Federal Credit Union
(Rockville, MD)

NIHFCU is investigating with law enforcement the identity theft of some of its 41,000 members. No details given on type of information stolen, or how it was stolen. "Very few" of 41,000 members affected
[not included in total]
  July 1, 2006 American Red Cross, Farmers Branch
(Dallas, TX)
Sometime in May, 3 laptops were stolen, one of them containing encrypted personal information including names, SSNs, dates of birth, and medical information of all regional donors. They also report losing a laptop with encrypted donor information in June 2005. Unknown
  July 5, 2006 Bisys Group Inc.
(Roseland, NJ)

Personal details about 61,000 hedge fund investors were lost when an employee's truck carrying backup tapes was stolen. The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8 when the theft occurred.

61,000
  July 6, 2006 Automated Data Processing (ADP)
(Roseland, NJ)
Payroll service company ADP gave scam-artist names, addresses, and number of shares held of investors, although apparently not SSNs or account numbers. The leak occurred from Nov. '05 to Feb. '06 and involved individual investors with 60 companies including Fidelity, UBS, Morgan Stanley , Bear Stearns, Citigroup, Merrill Lynch. "Hundreds of thousands"
[not included in total]
  July 7, 2006 University of Tennessee
(866) 748-1680
Hacker broke into UT computer containing names, addresses and SSNs of about 36,000 past and current employees. Intruder apparently used computer from Aug. '05 to May '06 to store and transmit movies. 36,000
  July 7, 2006 Nat'l Association of Securities Dealers (NASD)
(Boca Raton, FL)
Ten laptops were stolen on Feb. 25 '06 from NASD investigators. They included SSNs of securities dealers who were the subject of investigations involving possible misconduct. Inactive account numbers of about 1,000 consumers were also contained on laptops. 73
  July 7, 2006 Naval Safety Center SSNs and other personal information of naval and Marine Corps aviators and air crew, both active and reserve, were exposed on Center web site and on 1,100 computer discs mailed to naval commands. "more than 100,000"
  July 7, 2006 Montana Public Health and Human Services Dept.
(Helena, MT)
A state government computer was stolen from the office of a drug dependency program. during a 4th of July break-in. It was not known if sensitive information such as SSNs was compromised. Unknown
  July 7, 2006 City of Hattiesburg
(Hattiesburg, MS)
Video surveillance cameras caught 2 intruders stealing hard drives from 18 computers June 23. Data files contained names, addresses, and SSNs of current and former city employees and registered voters as well as bank account information for employees paid through direct deposit and water system customers who paid bills electronically. "thousands of city workers and contractors"
  July 13, 2006 Moraine Park Technical College
(Beaver Dam, Fond du Lac, & West Bend, WI)
Computer disk (CD) with personal information of 1,500 students was reported missing. Information includes names, addresses, phone numbers & SSNs of apprenticeship students back to 1993. 1,500
  July 14, 2006 Northwestern Univ.
(Evanston, IL)
(888-209-0097)
Files containing names and some personal information including SSNs were on 9 desktop computers that had been accessed by unauthorized persons outside the University. The computers were in the Office of Admissions and Financial Aid Office. "As many as 17,000 individuals' records" exposed
  July 14, 2006 University of Iowa
(Davenport, IA)
Laptop computer containing personal information of current and former MBA students was stolen. Data files included SSNs and some contact info. 280
  July 14, 2006
(Date of letter sent to students. Date of news story is 8/1/06)

California Polytechnic State University (Cal Poly)
(San Luis Obispo, CA)
(Call (805) 756-2226 or (805) 756-2171)

Laptop computer was stolen from the home of a physics department professor July 3. It included names and SSNs of physics and astronomy students from 1994-2004. 3,020 students
  July 14, 2006 Treasurer's computer in Circuit Court Clerk's office
(Hampton, VA)
Public computer in city government building containing taxpayer information was found to display SSNs of many residents -- those who paid personal property and real estate taxes. It was shut down and confiscated by the police on July 12th.
Update: (7/27/2006) Investigation concluded that the data was exposed due to software problem.
"Over 100,000 records"
(The number containing SSNs is not known yet and not included in total below.)
  July 16, 2006 Mississippi Secretary of State
(Jackson, MS)

The state agency's web site listed 2 million+ Uniform Commercial Code (UCC) filings in which thousands of individuals' SSNs were exposed.

Among the 2 million postings are "thousands" containings SSNs
(not included in total)
  July 17, 2006 Vassar Brothers Medical Center
(Poughkeepsie, NY)
(845) 483-6990
Laptop was stolen from the emergency department between June 23-26. It contained information on patients dating back to 2000, including SSNs and dates of birth.
Update (10/5/06) Private investigators determined the laptop did not contain personally identifiable patient information.
[257,800 patients were initially notified, but an analysis by Kroll later determined that the laptop contained no personal information. This number is not included in the total below.]
  July 18, 2006 Nelnet Inc.
(Lincoln, NE)
(800) 552-7925
Computer tape containing personal information of student loan customers and parents, mostly from Colorado, was lost when shipped via UPS. The loans were previously serviced by College Access Network 188,000
  July 18, 2006 CS Stars, subsidiary of insurance company Marsh Inc.
(Chicago, IL)
On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers' comp fund. The lost data includes SSNs and date of birth but apparently no medical information.
Update (7/26/06): Computer was recovered.
540,000
  July 18, 2006 U.S. Dept. of Agriculture
(Wellington, KS)
Laptop computer and printout containing names, addresses and SSNs of 350 employees was stolen from an employee's car and later recovered. 350
  July 24, 2006 New York City Dept. of Homeless Services The personal information of 8,400 homeless persons, including SSNs, was leaked in an e-mail attachment July 21, when accidentally sent to homeless advocates and city officials. 8,400
  July 25, 2006 Armstrong World Industries
(Lancaster Co., PA)
A laptop containing personal information of current and former employers was stolen. The computer was in the possession of the company's auditor, Deloitte & Touche. Data included names, home addresses, phone numbers, SSNs, employee ID numbers, salary data, and bank account numbers of employees who have their checks directly deposited. 12,000
  July 25, 2006 Belhaven College
(Jackson, MS)
An employee carrying laptop was robbed at gunpoint on July 19 while walking to his car. Computer contained names and SSNs of college employees. 300 employees
  July 25, 2006 Georgetown University Hospital
(Washington, DC)
Patient data was exposed online via the computers of an e-prescription provider, InstantDx. Data included names, addresses, SSNs, and dates of birth, but not medical or prescription data. GUH suspended the trial program with InstantDX. "between 5,600 and 23,000 patients were affected"
(23,000 added to total below)
  July 25, 2006 Old Mutual Capital Inc., subsidiary of United Kingdom-based financial services firm Old Mutual PLC Laptop was stolen sometime in May containing personal information of U.S. clients, including names, addresses, account numbers and some SSNs. 6,500 fund shareholders
  July 25, 2006 Cablevision Systems Corp.
(lost when shipped to Dallas-based ACS)
A tape en route to the company's 401(k) plan record-keeper ACS was lost when shipped by FedEx to Dallas, TX. No customer data was on the tape. 13,700 current and former employees
  July 26, 2006 U.S. Navy recruitment offices
(Trenton, NJ, and Jersey City, NJ)
Two laptop computers with information on Navy recruiters and applicants were stolen in June and July. Also included was information from selective service and school lists. About 4,000 records contained SSNs. Files were password protected. 31,000 records were stolen, with about 4,000 containing SSNs. The latter number is included in the total below.
  July 26, 2006 West Virginia Div. of Rehabilitation Services
(Beckley, WV)
A laptop was stolen July 24 containing clients' names, addresses, SSNs, and phone numbers. Data was password protected. Unknown
  July 27, 2006

Kaiser Permanente Northern Calif. Office
(Oakland, CA)
(866) 453-3934

A laptop was stolen containing names, phone numbers, and the Kaiser number for each HMO member. The data file did not include SSNs. The data was being used to market Hearing Aid Services to Health Plan members. 160,000 records. Because the data file did not include SSNs, this number is not added to the total below.
  July 27, 2006

Los Angeles County
(Los Angeles, CA)

In May, a laptop was stolen from the home of a community and senior services employee. It contained information on LA County employees. Unknown
  July 27, 2006

Los Angeles Co., Community Development Commission (CDC)
(Monterey Park, CA)

Earlier in July, a computer hacker located in Germany gained access to the CDC's computer system, containing personal information on 4,800 public housing residents. 4,800 records. Because it is not clear if SSNs were included, this number is not added to the total below.
  July 27, 2006 Los Angeles County, Adult Protective Services
(Burbank, CA)
Last weekend 11 laptops were stolen from the Burbank office. It is not clear what type of personal information was included. Unknown
  July 28, 2006 Matrix Bancorp Inc.
(Denver, CO)
(877-250-7742)
Two laptop computers were stolen during daytime while staffers were away from their desks. One computer contained customers' account information. The bank says data is encrypted and password protected. Unknown
  July 28, 2006 Riverside, Calif., city employees The SSNs and financial information regarding 401(k) accounts was accidentally e-mailed to 2,300 city employees due to a computer operator's error. The data was intended for the city payroll dept. "nearly 2,000 employees"
  July 29, 2006 Sentry Insurance
(Stevens Point, WI)
Personal information including SSNs on worker's compensation claimants was stolen, some of which was later sold on the Internet. No medical records were included. The thief was a lead programmer-consultant who had access to claimants' data. The consultant was arrested and faces felony charges. Information on 72 claimants was sold on the Internet. Data on an additional 112,198 claimants was also stolen with no evidence of being sold online. .
Total affected is 112,270
  Aug. ?, 2006 CoreLogic for ComUnity Lending
(Sacramento, CA)
(877) 510-3700
identityprotection@
corelogic.com
In early August, CoreLogic notified customers of ComUnity Lending that a computer with customers' data was stolen from its office. Data included names, SSNS, and property addresses related to an existing or anticipated mortgage loan. Unknown
  Aug. 1, 2006 U.S. Bank
(Covington, KT)
A bank employee's briefcase was stolen from the employee's car with documents containing names, phone numbers, and SSNs of customers. "very small" number
  Aug. 1, 2006 Wichita State University
(Wichita, KS)
WSU learned on June 29 that someone gained unauthorized access into 3 computers in its College of Fine Arts box office, containing credit card information for about 2,000 patrons. 2,000
  Aug. 1, 2006 Wichita State University
(Wichita, KS)
An intrusion into a WSU psychology department's server was discovered July 16. It contained information on about 40 applicants to the doctoral program. 40
(not included in total below because it is not known if SSNs were included in breached data)
  Aug. 1, 2006 Dollar Tree
(Carmichael and Modesto, CA, as well as Ashland, OR, and perhaps other locations)
Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Data may have been intercepted by a thief's use of a wireless laptop computer with the thief then creating counterfeit ATM cards and using them to withdraw money.
Update (10/5/06):
Parkev Krmoian was indicted by a federal grand jury for allegedly using phony ATM cards made from gift cards. The case is tied to the Dollar Tree customer bank account thefts.
Total number unknown
  Aug. 4, 2006 Toyota plant
(San Antonio, TX)
Laptop belonging to contractor and containing personal information of job applicants and employees was stolen. Data included names and SSNs. 1,500
  Aug. 4, 2006 PSA HealthCare
(Norcross, GA)
(866) 752-5259
A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims. 51,000 current and former patients
  Aug. 6, 2006

American Online (AOL)
(nationwide)

In late July AOL posted on a public web site data on 20 million web queries from 650,000 users. Some search records exposed SSNs, credit card numbers, or other pieces of sensitive information.
Update (9/26/06):
Three individuals whose data were exposed have filed a lawsuit against AOL.
Unknown how many records contain high-risk personal information
  Aug. 7, 2006 Veterans Affairs Dept. through its contractor Unisys Corp.
(Reston, VA)
Computer at contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations.
Update (9/15/06): Law enforcement recovered the computer and arrested an individual who had worked for a company that provides temporary labor to Unisys.
5,000 Philadelphia patients,
11,000 Pittsburgh patients,
2,000 deceased patients,
plus possibly 20,000 more
(18,000 is included in total below)
  Aug. 8, 2006 Virginia Bureau of Insurance
(804) 726-2630
The Bureau has advised insurance agents in the state that their SSN may have been exposed on its web site from June 13 through July 31, 2006, due to a programming error. The SSNs were not shown on any web page, but could have been found by savvy computer users using the source code tool of a web browser. Unknown
  Aug. 8, 2006 Linens 'n Things
(Sterling, VA)
A folder holding about 90 receipts was missing from the store. Receipts included full credit or debit account number and name of the card holder. 90
  Aug. 9, 2006 U.S. Dept. of Transportation
(800) 424-9071
hotline@
oig.dot.gov
The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27 from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial drivers licenses in Miami-Dade County; 42,800 persons in FL with FAA pilot certificates; and 9,000 persons with FL driver's licenses.
Update (11/21/06): A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot.
132,470
  Aug. 11, 2006 Madrona Medical Group
(Bellingham, WA)
On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested. At least 6,000 patients
  Aug. 15, 2006 University of Kentucky

The names and SSNs of 630 students were posted on the University's financial aid web site between Friday and Monday, Aug. 11-14.

630
  Aug. 15, 2006 University of Kentucky About 80 geography students were notified Aug. 14 that their SSNs were inadvertently listed on an e-mail communication they all received telling them who their academic advisor would be for the coming year. 80
  Aug. 15, 2006 U.S. Dept. of Transportation
(Orlando, FL)
On April 24, a DOT employee's laptop computer was stolen from an Orlando hotel conference room. It contained several unencrypted case files. Investigators are determining if it contained sensitive personal information. Unknown
  Aug. 16, 2006 Chevron
(San Ramon, CA)
Chevron informed its U.S. workers Aug. 14 that a laptop was stolen from "an employee of an independent public accounting firm" who was auditing its benefits plans. The theft apparently occurred Aug. 5. Files contained SSNs and sensitive information related to health and disability plans. Total employees affected is unclear. Nearly half of its 59,000 workers are from North America.
  Aug. 17, 2006 Williams-Sonoma
(San Francisco, CA)
On July 10, a laptop was stolen from the Los Angeles home of a Deloitte & Touche employee who was conducting an audit for W-S. Computer contained employees' payroll information and SSNs. 1,200 current and former employees
  Aug. 17, 2006

HCA, Inc.
Hospital Corp. of America
(Nashville, TN)
(800) 354-1036
hcahealthcare.com

 

10 computers containing Medicare and Medicaid billing information and records of employees and physicians from 1996-2006 were stolen from one of the company's regional offices. Some patient names and SSNs were exposed, but details are vague. Records for patients in hospitals in the following states were affected: CO, KS, LA, MS, OK, OR, TS, WA. "thousands of files"
  Aug. 18, 2006 Calif. Dept. of Mental Health
(916) 654-2309
Computer tape with employees' names, addresses, and SSNs has been reported missing. Employees were notified Aug. 17 by e-mail. 9,468 employees
  Aug. 21, 2006 U.S. Dept. of Education via contractor, DTI Associates
(Washington, DC)
Two laptops were stolen from DTI's office in downtown DC containing personal information on 43 grant reviewers for the Teacher Incentive Fund. DTI could not rule out that the data included SSNs. 43
  Aug. 22, 2006 AFLAC
American Family Life Assurance Co.
(Greenville, SC)
(888) 794-2352
A laptop containing customers' personal information was stolen from an agent's car. It contained names, addresses, SSNs, and birth dates of 612 policyholders. They were notified Aug. 11. 612 policyholders
  Aug. 22, 2006 Beaverton School District
(Beaverton, OR)
Time slips revealing personal information were missing and presumed stolen following a July 24 break-in at a storage shed on the administration office's property. The time slips included names and SSNs but not addresses. 1,600 employees
  Aug. 22, 2006 Beaumont Hospital
(Troy, MI)
A vehicle of a home health care nurse was stolen from outside a senior center Aug. 5. Although it was recovered nearby, a laptop left in the rear of the car was not recovered. It contained names, addresses, SSNs, and insurance information of home health care patients.
Update (8/23/06). The laptop was returned Aug. 23 by a woman who said she found it in her yard.
28,400 home care patients
  Aug. 23, 2006 U.S. Dept. of Education, Direct Loan Servicing Online
(Atlanta, GA)
www.dlssonline.com
and
dlservicer.ed.gov
A faulty Web site software upgrade resulted in personal information of 21,000 student loan holders being exposed on the Department's loan Web site. Information included names, birthdates, SSNs, addresses, phone numbers, and in some cases, account information. Affiliated Computer Services Inc. is the contractor responsible for the breach. The breach did not include those whose loans are managed through private companies. 21,000
  Aug. 25, 2006 Dominion Resources
(Richmond, VA)
Two laptops containing employee information were stolen earlier in August. It was not clear what type of data were included. No customer records were on the computers. Dominion operates a gas and electric energy distribution company. Unknown
  Aug. 25, 2006 U.S. Dept. of Transportation, Federal Motor Carrier Safety Administration
(Baltimore, MD)
(800) 832-5660
A laptop that "might contain" personal information of people with commercial driver's licenses was stolen Aug. 22. FMCSA said the data might include names, dates of birth, and commercial driver's license numbers of 193 individuals from 40 trucking companies. 193
(not added to total)
  Aug. 25, 2006 Sovereign Bank
(New Bedford, MA)
Personal data may have been compromised when 3 managers' laptops were stolen from 2 separate locations in early August. Customers were notified Aug. 21. Sovereign serves New England and the Mid-Atlantic. The bank said the data included unspecified customer information, but not account data. "thousands of customers"
  Aug. 26, 2006 PortTix
(Portland, ME)
Credit card information for about 2,000 people who ordered tickets online through PortTix was accessed by someone who hacked into the Web site. PortTix is Merrill Auditorium's ticketing agency. The Web site was secured as of Aug. 24. 2,000
  Aug. 26, 2006 University of South Carolina
(Columbia, SC)
A security audit this summer found that a computer server was hacked in Sept. 2005. A database could have been accessed with names, SSNs, and birthdates of current and former students. 6,000 current and former students
  Aug. 27, 2006 New Mexico Administrative Office of the Courts
(Santa Fe, NM)
For 8 days in late May, an unsecured document was exposed on the agency's FTP site on the state's computer server. It contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees. The FTP site was shut down June 2 and has since be redesigned. . 1,500 employees
  Aug. 29, 2006
Valley Baptist Medical Center
(Harlingen, TX)
(877) 840-5999
A programming error on the hospital's web site exposed names, birth dates, and SSNs of healthcare workers in late August. The error was fixed but it is not known how long the personal information was compromised. The affected individuals are workers from outside the hospital who provide services and bill the hospital via an online form. Unknown
  Aug. 29, 2006 AT&T
via vendor that operates an order processing computer
(San Francisco, CA)

Computer hackers accessed credit card account data and other personal information of customers who purchased DSL equipment from AT&T's online store. The company is notifying "fewer than 19,000" customers."
Update (9/1/06).
The breach was followed by a bogus phishing e-mail to those customers that attempted to trick them into revealing more info such as SSN and birthdate -- essential for crime of identity theft.

"Fewer than 19,000" customers
  Aug. 29, 2006 Compass Health
(Everett, WA)
(800) 508-0059
Compass Health notified some of its clients that a laptop containing personal information, including SSNs, was stolen June 28. The agency serves people who suffer from mental illness. "A limited number of people"
  Aug. 31, 2006 Labcorp
(Monroe, NJ)
(800) 788-9091 x3925
During a break-in June 4 or 5, a computer was stolen that contained names and SSNs, but according to the company did not have birth dates or lab test results. Unknown
  Aug. 31, 2006 Diebold, Inc.
(Canton, OH)
An employee's laptop was stolen containing employee information, including name, SSN, and if applicable, corporate credit card number. Unknown
  Sept. 1, 2006 Wells Fargo via unnamed auditor
(San Francisco, CA)
In a letter dated Aug. 28, the company notified its employees that a laptop and data disk were stolen from the locked trunk of an unnamed auditor, hired to audit the employees' health plan. Data included names, SSNs, and information about drug claim cost and dates from 2005, but no prescription information said the company. Unknown
  Sept. 1, 2006 Virginia Commonwealth University
(Richmond, VA)
www.ts.vcu.edu
Personal information of freshmen and graduate engineering students from 1998 through 2005 was exposed on the Internet for 8 months (Jan. - Aug.) due to human error. It was discovered by a student who used a search engine to find her name. The data included SSNs and e-mail addresses. 2,100 current and former students
  Sept. 1, 2006 City of Chicago via contractor Nationwide Retirement Solutions, Inc.
(Chicago, IL)
(800) 638-1485
www.chicagofop.org
A laptop was stolen from the home of contractor's employee last April 2005. It was reported to the city July 2006 more than a year later. Data included names, addresses, phone numbers, birthdates and SSNs for those in the city's deferred compensation plan. "Up to 38,443 city employees and retirees"
  Sept. 2, 2006 Lloyd's of London
(Port St. Lucie, FL)
A thief reprogrammed more than 150 Lloyd's of London credit card numbers onto phone cards and used them to withdraw money from an ATM in Port St. Lucie, FL (stealing more than $20,000 over 3 days). Key personal and financial information had been skimmed from the magnetic strip on the victims' cards. Unknown
  Sept. 5, 2006 Transportation Security Administration (TSA) via Accenture
(Washington, DC)
In late August 2006, Accenture, a contractor for TSA mailed documents containing former employees' SSN,, date of birth, and salary information to the wrong addresses due to an administrative error. 1,195 former TSA employees
  Sept. 7, 2006 Florida National Guard
(Bradenton, FL)
A laptop computer was stolen from a soldier's vehicle contained training and administrative records, including Social Security numbers of up to 100 Florida National Guard soldiers. 100
  Sept. 7, 2006 Circuit City and Chase Card Services, a division of JP Morgan Chase & Co.
(Wilmington, DE)
Chase Card Services mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders' personal information. 2.6 million past and current Circuit City credit cardholders
  Sept. 8, 2006 Linden Lab
(San Francisco, CA)
www.secondlife.com
On Sept. 6, Linden Lab discovered that a hacker accessed its Second Life database through web servers. The affected data included unencrypted account names, real life names, and contact information, plus encrypted account passwords and payment information. Second Life is a 3-D virtual world. Unknown
  Sept. 8, 2006 University of Minnesota
(Minneapolis, MN)
On August 14-15 eve, two computers were stolen from the desk of an Institute of Technology employee, containing information on students who were freshmen from 1992-2006 -- including names, birthdates, addresses, phone numbers, high schools attended, student ID numbers, grades, test scores, and, academic probation. SSNs of 603 students were also exposed. 13,084 students including SSNs of 603 students
  Sept. 8, 2006 Berks Co. Sheriff's Office via contractor Canon Technology Solutions
(Reading, PA)
A confidential list of some of the County's 25,000 gun permit holders was exposed on the Web by the contractor that is developing a Web-based computer records program for the Sheriff's Office. Personal information included names, addresses and SSNs.
Update (10/6/06): The Berks County solicitor's office says the entire list of more than 25,000 gun permit holders was exposed.
25,000 gun permit holders exposed, although initially the number was unknown
  Sept. 9, 2006 Cleveland Clinic
(Naples, FL)
(866) 907-0675
A clinic employee stole personal information from electronic files and sold it to her cousin, owner of Advanced Medical Claims, who used it to file fraudulent Medicare claims totaling more than $2.8 million. Information included names, SSNs, birthdates, addresses and other details. Both individuals were indicted. 1,100 patients
  Sept. 11, 2006 Telesource
via Vekstar
(Indianapolis, IN)
Employees discovered their personnel files in a Dumpster after the company had been bought out by another company Vekstar. The files were discarded when the office was being cleaned out and shut down. Files contained SSNs, dates of birth and photocopies of SSN cards and driver's licenses. Unknown
  Sept. 13, 2006 American Family Insurance
(Madison, WI)
The office of an insurance agent was broken into and robbed last July. Among the items stolen was a laptop with customers' names, SSNs, and driver's license numbers. 2,089 customers
  Sept. 14, 2006 Nikon Inc. and Nikon World Magazine
(Melville, NY)
Workers at a Montgomery, AL, camera store discovered that subscription information for the magazine Nikon World was exposed on the Web for at least 9 hours. Data included subscribers' names, addresses and credit card numbers. 3,235 magazine subscribers
  Sept. 14, 2006 Illinois Dept. of Corrections
(Springfield, IL)
A document containing employees' personal information was found outside the agency's premises "where it should not have been." It has since been retrieved. Information included employees' names, SSNs, and salaries. Unknown
  Sept. 15, 2006 Mercy Medical Center
(Merced, CA)
A memory stick containing patient information was found July 18 by a local citizen on the ground at the County Fairgrounds near the hospital's information booth. It was returned to the hospital 4 weeks later. Data included names, SSNs, birthdates, and medical records. 295 patients
  Sept. 15, 2006 Whistle Junction restaurant
(Orlando, FL)
Personnel files of employees of the now-closed restaurant were found in a nearby Dumpster. Papers included names and SSNs of former employees, Unknown
  Sept. 16, 2006 Michigan Dept. of Community Health
(Detroit, MI)
Residents who participated in a scientific study were notified that a flash drive was discovered missing as of Aug. 4, and likely stolen, from an MDCH office.The portable memory device contained names, addresses, phone numbers, dates of birth, and SSNs of participants. The study tracked the long-term exposure to flame retardents ingested by residents in beef and milk. 4,000 Michigan residents
  Sept. 16, 2006 Beaumont Hospital
(Royal Oak, MI)
The hospital mistakenly mailed medical reports on 3 patients to a retired dentist in Texas. Reports included name, test results, date of birth and patient ID numbers. The hospital admitted to both human and computer error. A new computer system mixed similar names, and staff did not catch it.. 3 patients
  Sept. 17, 2006 Direct Loans, part of William D. Ford Federal Direct Loan Program within U.S. Dept. of Education and Federal Student Aid via its IT contractor ACS A security breach exposed private information of student loan borrowers from Aug. 20-22 during a computer software upgrade. Users of the Direct Loans Web site were able to view information other than their own if they used certain options. SSNs were among the data elements exposed online. 21,000 accounts
  Sept. 18, 2006 Howard, Rice, Nemerovski, Canady, Falk & Rabkin law firm
(San Francisco, CA)
via its auditor Morris, Davis & Chan
(Oakland, CA)
A laptop was stolen from the trunk of the car of the law firm's auditor, containing confidential employee pension plan information -- names, SSNs, remaining balances, 401(k) and profit-sharing information. 500 current and former employees
  Sept. 18, 2006 DePaul Medical Center, Radiation Therapy Dept.
(Norfolk, VA)
(757) 889-5945
Two computers were stolen, one on August 28 and the other Sept. 11. Personal data included names, date of birth, treatment information, and some SSNs. "More than 100 patients"
  Sept. 19, 2006 Life Is Good
(Hudson, NH)
Hackers accessed the retailer's database containing customer's credit card numbers. The company said no other personal information was in the database. 9,250 customers' credit card numbers
  Sept. 20, 2006 City of Savannah, Georgia
(912) 651-6565
savannahga.gov
Because of a "hole in the firewall,"a City server exposed personal information online for 7 months. Individuals identified by the Red Light Camera Enforcement Program are affected -- name, address, driver's license number, vehicle identification number, and SSNs of those individuals whose driver's license number is still the SSN. 8,800 individuals whose identities were captured by red-light cameras
  Sept. 20, 2006 Berry College via consultant Financial Aid Services Inc.
(Mount Berry, GA)
(800) 961-4692
www.berry.edu
Student applications for need-based financial aid were misplaced by a consultant -- in both paper and digital form. Data included name, SSN, and reported family income for students and potential students for the 2005-06 academic year. 2,093 students and potential students (of those, 1,322 are currently enrolled)
  Sept. 21, 2006 Pima Co. Health Dept.
(Tucson, AZ)
Vaccination records on 2,500 clients had been left in the trunk of a car that was stolen Sept. 12. The car and records have since been recovered. Records included names, dates of birth and ZIP codes, but no SSNs or addresses. 2,500
(not included in Total below)
  Sept. 21, 2006 U.S. Dept. of Commerce and Census Bureau
(Washington, DC)
The agency reported that 1,137 laptops have been lost or stolen since 2001. Of those, 672 were used by the Census Bureau, with 246 of those containing personal data. Secretary Gutierrez said the computers had "protections to prevent a breach of personal information." Unknown
  Sept. 22, 2006 Purdue University College of Science
(West Lafayette, IN)
(866) 307-8520
www.purdue.edu
A file in a desktop computer in the Chemistry Department may have been accessed illegitimately. The file contained names, SSNs, school, major, and e-mail addresses of people who were students in 2000. 2,482 students from the year 2000
  Sept. 22, 2006 University of Colorado-Boulder, Leeds School of Business
(Boulder, CO)
(303) 492-8741
Two computers had been placed in storage during the school's move to temporary quarters in May. When they were to be retrieved Aug. 28, they were found missing. They had been used by 2 faculty members and included students' names, SSNs, and grades.
Update (9/25/06): One of the computers was found.
1,372 students and former students
  Sept. 22, 2006 Several Indianapolis pharmacies
(Indianapolis, IN)
Earlier this year a local TV reporter from WTHR found that "dozens" of pharmacies disposed of customer records in unsecured garbage bins. Now the Indiana Board of Pharmacy has launched an investigation of 30 pharmacies. Both the Board and the Attorney General say that the pharmacies violated state law. Unknown
  Sept. 23, 2006 An illegal dumping site northwest of Quinlan, TX Investigators found boxes of private medical records containing names and personal information of patients of a doctor who lives in Dallas and who has a Greenville, TX, practice. They had apparently been dumped there by a contractor who was hired to remodel his house. The contractor was indicted on a charge of illegal dumping. Unknown
  Sept. 23, 2006 Erlanger Health System
(Chattanooga, TN)
Records of hospital employees disappeared from a locked office on Sept. 15. They were stored on a USB "jump drive." Information was limited to names and SSNs. Those affected included anyone who went through job "status changes" from Nov. 2003 to Sept. 2006. 4,150 current and former employees
  Sept. 25, 2006

General Electric
(US Corporate HQ: Fairfield , CT )

An employee's laptop computer holding the names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business. 50,000 employees
  Sept. 28, 2006

North Carolina Dept. of Motor Vehicles
(Louisville , NC)
(888) 495-5568

A computer was stolen from a NC Dept. of Motor Vehicles office, reported Sept. 10. It contains names, addresses, driver's license numbers, SSNs, and in some cases immigration visa information of 16,000 people who have been issued licenses in the past 18 months. Most are residents of Franklin County.

16,000
  Sept. 28, 2006 Illinois Dept. of Transportation
(Springfield, IL)

Documents found by state auditors in recycling bins in a hallway contained IDOT employee names and SSNs.

40
  Sept. 28, 2006 Stevens Hospital Emergency Room via dishonest employee of billing company Med Data
(Edmonds, WA)
A manager for the hospital's billing company, Med Data, stole patients' credit card numbers. She gave them to her brother who bought $30,000 worth of clothes and gift cards over the Internet. The woman is scheduled for sentencing in Nov. and her brother's trial is expected Jan. 2007. "about 30 patients"
  Sept. 29, 2006

University of Iowa Dept of Psychology
(Iowa City, IA)

A computer containing SSNs of 14,500 psychology department research study subjects was the object of an automated attack designed to store pirated video files for subsequent distribution. 14,500 individuals who had participated in a research study
  Sept. 29, 2006

Kentucky Personnel Cabinet
(Frankfort, KY)

State employees received letters from the Kentucky Personnel Cabinet with their SSNs visible through the envelope windows.

146,000
  Sept. ??, 2006

Adams State College
(Alamosa, CO)

A laptop computer stolen from a locked closet at Adams State College contained personally identifiable data belonging to 184 high school students who participated in the college's Upward Bound program over the last four years. The theft occurred on August 14, but it was not until late September that staff realized the computer held students' data. 184 Upward Bound students
  Oct. 2, 2006

Port of Seattle
(Seattle, WA)
(888) 902-PORT

Six CDs missing from the ID Badging office at Seattle-Tacoma International Airport hold the personal information of 6,939 airport workers. The data include names, addresses, birth dates, SSNs and driver's license numbers, telephone numbers, employer information, and height/weight. The data on the disks were scanned from paper applications for airport badges. The port learned of the missing disks on September 18 and sent letters to the affected employees on Oct. 2.

6,939 current and former Seattle-Tacoma International Airport employees

  Oct. 3, 2006 Cumberland County, PA

Cumberland County (PA) officials removed salary board meeting minutes from their Web site because they contained the SSNs of 1,200 county employees. The information was included in minutes from meetings prior to 2000. The county no longer uses SSNs as unique identifiers for employees. Employees will be informed of the data breach in a note included with their paychecks.

1,200 employees of the county
  Oct. 3, 2006

Willamette Educational Service District
(Salem, OR)

Seven computers stolen from a Willamette Educational service District office were believed to contain personal information of 4,500 Oregon high school students. Backup tapes indicate the computers hold information about the students' school clubs but do not contain sensitive information.

4,500 Oregon high school students
[not included in total because not thought to contain sensitive info. such as SSNs]
  Oct. 3, 2006

Picatinny Arsenal
(Rockaway Twp., NJ)
(If you have tips, call (973) 989-0652)

28 computers are missing from the Picatinny Arsenal, a Department of Defense Weapons Research Center. The computers were reported lost or stolen over the last two years. None of the computers was encrypted. Officials state the computers did not contain classified information. Unknown
  Oct. 4, 2006 Orange County Controller (FL) A Florida woman discovered her marriage license was visible on the Orange County (FL) controller's Web site with no information blacked out, not even SSNs. She discovered the breach because someone had applied for a loan in her name. The Orange County Comptroller is reportedly paying a vendor $500,000 to black out all SSNs by January 2008. Unknown
  Oct. 5, 2006 San Juan Capistrano Unified School District (CA) Five computers stolen from the HQ of San Juan Capistrano Unified School District likely contain the names, SSNs and dates of birth of district employees enrolled in an insurance program. Unknown
  Oct. 6, 2006

Cleveland Air Route Traffic Control Center
(Oberlin, OH)

A computer hard drive missing from the Cleveland Air Route Traffic Control Center in Oberlin (OH) contains the names and SSNs of at least 400 air traffic controllers. At least 400
  Oct. 6, 2006

Camp Pendleton Marine Corps base via Lincoln B.P. Management
(Camp Pendleton near Oceanside, CA)

A laptop missing from Lincoln B.P. Management Inc. holds personally identifiable data about 2,400 Camp Pendleton residents. 2,400
  Oct. 9, 2006
(Letter mailed Oct. 5, 2006)

Troy Athens High School
(Troy, MI)
(For questions or comments, call (248) 823-4035)

A hard drive stolen from Troy Athens High School in August contained transcripts, test scores, addresses and SSNs of students from the graduating classes of 1994 to 2004. The school district and the superintendent have notified all affected alumni by regular mail.

4,400
  Oct. 10, 2006 Florida Labor Department The names and SSNs of 4,624 Floridians were accessible on the Internet for approximately 18 days in September. The data were not accessible through Web sites, but an individual came across the information when Googling his own name. The agency has asked Google to remove the pages from its cache, and has notified all affected individuals by mail. 4,624 individuals who had registered with Florida 's Agency for Workforce Innovation
  Oct. 11, 2006 Republican National Committee
(Washington, D.C.)

The Republican National Committee (RNC) inadvertently emailed a list of donors' names, SSNs and races to a New York Sun reporter.

76 RNC donors
  Oct. 12, 2006 U.S. Census Bureau

This spring, residents of Travis County, TX helped the Census Bureau test new equipment. When the test period ended, 15 devices were unaccounted for. The Census Bureau and the Commerce Department issued a press release saying the devices held names, addresses and birthdates, but not income or SSNs.

Unknown number of Travis Co., TX, residents
  Oct. 12, 2006 Congressional Budget Office
(Washington, D.C.)

Hackers broke into the Congressional Budget Office's mailing list and sent a phishing e-mail that appeared to come from the CBO.

Unknown number of e-mail addresses
  Oct. 12, 2006 University of Texas at Arlington

Two computers stolen from a University of Texas faculty member's home hold the names, SSNs, grades, e-mail addresses and other information belonging to approximately 2,500 students enrolled in computer science and engineering classes between fall 2000 and fall 2006. The theft occurred on September 29 and was reported on October 2.

2,500 students
  Oct. 13, 2006 Ohio Ethics Committee
(Columbus, OH)
Papers belonging to the Ohio Ethics Commission were found floating on the wind in an alley. The documents are related to state employees' finances and contained SSNs and financial statements. They were supposed to be in the possession of the state archives.

Unknown number of Ohio state employees

  Oct. 13, 2006 Orchard Family Practice (Colorado doctor's patient files dumped in a parking lot)
(Englewood, CO)
When a bankrupt Colorado doctor was evicted from his office, everything in his office was dumped in the parking lot by the landlord and the sheriff's department, including file cabinets containing personal information of his patients. Scavengers were seen carting off some desks and file cabinets, some containing records. The exposed documents were thought to consist of bgusiness records containing names, SSNs, dates of birth, and addresses, but not medical information, which the doctor had previously removed. Unknown
  Oct. 14, 2006

T-Mobile USA Inc.
(Bellvue, WA)

A laptop computer holding personally identifiable information of approximately 43,000 current and former T-Mobile employees disappeared from a T-Mobile employee's checked luggage. T-Mobile has reportedly sent letters to all those affected. The data are believed to include names, addresses, SSNs, dates of birth and compensation information. 43,000 current and former employees
  Oct. 15, 2006

Poulsbo Department of Licensing
(Poulsbo, WA)

An unspecified “storage device” containing personally identifiable data of approximately 2,200 North Kitsap (WA) residents has been lost from the Poulsbo Department of Licensing. The data include names, addresses, photographs and driver's license numbers of individuals who conducted transactions at the Poulsbo branch in late September. 2,200
  Oct. 16, 2006

Germanton Elementary School
(Germanton, NC)

A computer stolen from Germanton Elementary school holds students' SSNs. The data on the computer are encrypted. Unknown
  Oct. 16, 2006 VISA/FirstBank FirstBank sent a letter to an unknown number of customers informing them their FirstTeller Visa Check Card numbers were compromised when someone accessed “a merchant card processor's transaction database.” The FirstBank letter said customers would receive new cards by October 27. Unknown
  Oct. 16, 2006

Dr, Charles Kay of Orchard Family Practice
(Englewood, CO)

Sheriff's deputies evicting Dr. Charles Kay put files from his office in a nearby parking lot. In a news report, Dr. Kay said he had removed the patient files but not the business files. Unknown
  Oct. 17, 2006

City of Visalia, Recreation Division
(Visalia, CA)

Personally identifiable information of approximately 200 current and former Visalia Recreation Department employees was exposed when copies of city documents were found scattered on a city street. 200 current and former employees
  Oct. 19, 2006

Allina Hospitals and Clinics
(Minneapolis-St. Paul, MN)

A laptop stolen from a nurse's car on October 8 contains the names and SSNs of individuals in approximately 17,000 households participating in the Allina Hospitals and Clinics obstetric home-care program since June 2005.

Individuals in 17,000 households
  Oct. 19, 2006 University of Minnesota/Spain In June, a University of Minnesota art department laptop computer stolen from a faculty member while traveling in Spain holds personally identifiable information of 200 students. 200 students (not included in total)
  Oct. 20, 2006 Manhattan Veterans Affairs Medical Center, New York Harbor Health Care System
(New York, NY)
On Sept. 6, an unencrypted laptop computer containing veterans' names, Social Security numbers, and medical diagnosis, was stolen from the hopsital. 1,600 veterans who receive pulmonary care at the facility
  Oct. 21, 2006 Bowling Green Police Dept.
(Bowling Green, OH)
The police dept. accidentally published a report on their website containing personal information on nearly 200 people the police had contact with on Oct. 21. Data included names, Social Security numbers, driver's license numbers, etc . Approx. 200 victims or suspects
  Oct. 23, 2006

Sisters of St. Francis Health Services via Advanced Receivables Strategy (ARS), a Perot Systems Company
(Indianapolis, IN)
(866) 714-7606

On July 28, 2006, a contractor working for Advanced Receivables Strategy, a medical billing records company, misplaced CDs containing the names and SSNs of 266,200 patients, employees, physicians, and boad members of St. Francis hospitals in Indiana and Illinois. Also affected were records of Greater Lafayette Health Services. The disks were inadvertently left in a laptop case that was returned to a store. The purchaser returned the disks. The records were not encrypted even though St. Francis and ARS policies require encryption. 260,000 patients and about 6,200 employees, board members and physicians for a total of 266,200
  Oct. 23, 2006

Chicago Voter Database
(Chicago, IL)

An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database, compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion. 1.35 million Chicago residents
  Oct. 24, 2006 Jacobs Neurological Institute
(Buffalo, NY)
The laptop of a research doctor was stolen from her locked office at the Institute. It included records of patients and her research data. Unknown
  Oct. 25, 2006

Transportation Security Administration (TSA)
(Portland, OR)

A thumb drive is missing from the TSA command center at Portland International Airport and believed to contain the names, addresses, phone numbers and Social Security numbers of approximately 900 current and former employees. 900 current and former Oregon TSA employees
  Oct. 25, 2006 Swedish Medical Center, Ballard Campus
(Seattle, WA)
(800) 840-6452
An employee stole the names, birthdates, and Social Security numbers from patients who were hospitalized or had day-surgeries from June 22 to Sept 21. She used 3 patients' information to open multiple credit accounts. Up to 1,100 patients
  Oct. 25, 2006 Tuscarawas County and Warren County
(OH)
The Social Security numbers of some Tuscarawas and Warren County voters were available on the LexisNexis Internet database service.
Update (11/1/06): LexisNexis says it has now removed the SSNs.
Unknown
  Oct. 26, 2006 Akron Children's Hospital
(Akron, OH)
Overseas hackers broke into two computers at Children's Hospital. One contains private patient data (including Social Security numbers) and the other holds billing and banking information. 235,903
  Oct. 26, 2006 Hilb, Rogal & Hobbs
(Plymouth Meeting, PA)
In September 2006, a laptop computer was stolen from the insurance brokerage firm. It contained client information including the names, birthdates, and drivers license numbers of Villanova University students and staff who drive university vehicles. 1,243 Villanova University students and staff
  Oct. 27, 2006 Gymboree
(San Francisco, CA)
A thief stole 3 laptop computers from Gymboree's corporate headquarters. They contained unencrypted human resources data (names and Social Security numbers) of thousands of workers. up to 20,000 employees
  Oct. 27, 2006 Hancock Askew & Co.
(Savannah, GA)
On October 5, 2006, a laptop computer containing 401(k) information for employees of at least one company (Atlantic Plastics, Inc.) was stolen from accounting firm Hancock Askew. Unknown
  Oct. 27, 2006 Hertz Global Holdings, Inc.
(Oklahoma City, OK)
1-888-222-8086
The names and Social Security numbers of Hertz employees dating back to 2002 were discovered on the home computer of a former employee. Unknown
  Oct. 30, 2006 Georgia county clerk of courts' web sites A Georgia TV station reported that SSNs could be found on some records posted on county clerk of court web sites, specifically for individuals with federal tax liens filed against them. At least one county clerk -- Cherokee County -- is now removing SSNs from the web site. Unknown
  Oct. 31, 2006

Avaya
(theft occurred in Maitland, FL, office of company, headquartered in Basking Ridge, NJ)

A laptop stolen from an Avaya employee on October 16 in Florida contained personally identifiable information, including names, addresses, W-2 tax form information and SSNs.

Unknown
  Nov. 1, 2006 U.S. Army Cadet Command
(Fort Monroe, VA)
1-866-423-4474
Email: mydata@
usaac.army.mil
A laptop computer was stolen that contained the names, addresses, telephone numbers, birthdates, Social Security numbers, parent names, and mother's maiden names of applicants for the Army's four-year ROTC college scholarship. 4,600 high school seniors
  Nov. 2, 2006 Colorado Dept. of Human Services via Affiliated Computer Services (ACS)
(Dallas, TX)
For questions, call ACS at (800) 350-0399
On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. Computer also contained the state's Directory of New Hires.
Up to 1.4 million
(Not included in total because news stories did not indicate if SSNs were exposed)
  Nov. 2, 2006 Greater Media, Inc.
(Philadelphia, PA)
A laptop computer containing the Social Security numbers of the radio broadcasting company's current and former employees was stolen from their Philadelphia offices.
Unknown
  Nov. 2, 2006

McAlester Clinic and Veteran's Affairs Medical Center
(Muskogee, OK)

Three disks containing billing information, patient names and Social Security numbers, were lost in the mail. 1,400 veterans
  Nov. 2, 2006 Intermountain Health Care
(Salt Lake City, UT)
A computer was purchased at a second-hand store, Deseret Industries, that contained the names, Social Security numbers, employment records, and other personal information about Intermountain Health Care employees. 6,244
  Nov. 2, 2006 Compulinx
(White Plains, NY)
The CEO of Compulinx was arrested for fraudulently using employees' names, addresses, Social Security numbers and other personal information for credit purposes. (It is unclear whether customers' data was also used). Up to 50 Compulinx employees
  Nov. 3, 2006 University of Virginia
(Charlottesville, VA)
Due to a computer programming error, Student Financial Services sent e-mail messages to students containing 632 other students' Social Security numbers. 632 students
  Nov. 3, 2006 West Shore Bank
(Ludington, MI)
Customers' debit cards and possibly credit cards were compromised from a security break last summer at a common MasterCard point-of-purchase provider. About 1,000
  Nov. 3, 2006 Wesco
(Muskegon, MI)
Wesco gas stations experienced a breach in credit card transactions from July 25-Sept. 7 resulting in inaccurate charges to customer accounts. Unknown
  Nov. 3, 2006 Starbucks Corp.
(Seattle, WA)
1-800-453-1048
Starbucks lost track of four laptop computers. Two held employee names, addresses, and Social Security numbers. 60,000 current and former U.S. employees and about 80 Canadian workers and contractors
  Nov. 3, 2006 Several Joliet area motels
(Joliet, IL)
Motel owners and employees allegedly stole and sold customers' credit card numbers. Unknown
  Nov 7, 2006 City of Lubbock
(Lubbock, TX)
Hackers broke into the city's web site and compromised the online job application database, which included Social Security numbers. 5,800
  Nov. 9, 2006 Four ARCO gas stations
(Costa Mesa, CA)
(Westminster, CA)
(Torrance, CA)
From Sept. 29 to Oct. 9, thieves used card skimmers to steal bank account numbers and PIN codes from gas station customers and used the information to fabricate debit cards and make ATM withdrawals.

At least 440

  Nov. 10, 2006 KSL Services, Inc.
(Los Alamos, NM)
A disk containing the personal information of approximately 1,000 KSL employees is missing. KSL is a contractor for Los Alamos National Laboratory. Approximately 1,000
  Nov. 13, 2006 Connors State College
(Warner, OK)
(918) 463-6267
perline@
connorsstate.edu
On Oct. 15, a laptop computer was discovered stolen from the college. (It has since been recovered by law enforcement). The computer contains Social Security numbers and other data for Connors students plus 22,500 high school graduates who qualify for the Oklahoma Higher Learning Access Program scholarships. Considerably more than 22,500
  Nov. 15, 2006 Internal Revenue Service
(Washington, DC)

According to document s obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs. .

Unknown
  Nov. 16, 2006

American Cancer Society
(Louisville , KY, offices, HQ in Atlanta , GA)
If you have tips, call (502) 574-5673

An unspecified number of laptop computers were stolen from the Louisville offices of the American Cancer Society. It is not clear what personal information was exposed, if any.

Unknown
  Nov. 16, 2006 Carson City residents
(Carson City, NV)
The Sheriff's Department reported that at least 50 residents had their credit card information stolen by employees of local businesses. The employees apparently sell the account information to international crime rings that produce counterfeit cards. The crime is called "skimming." 50
  Nov. 17, 2006

Jefferson College of Health Sciences
(Roanoke, VA)

 

An email containing the names and SSNs of 143 students intended for one employee was inadvertently sent to the entire student body of 900.

143
  Nov. 17, 2006

Automatic Data Processing (ADP)
(Roseland , NJ)

ADP sent paperwork for a small Wisconsin company to a Cordova, TN coffee house. The paperwork contained names, birth dates, SSNs, addresses, salaries, and bank account and routing numbers Unknown
  Nov. 20, 2006

Administration for Children's Services
(New York , NY)

More than 200 case files from the Emergency Children's Services Unit of ACS were found on the street in a plastic garbage bag. The files contain sensitive information of families, social workers and police officers.

200 case files
(not included in Total because it is not clear if SSNs were exposed)
  Nov. 25, 2006

Indiana State Department of Health via Family Health Center of Clark County
(Jeffersonville, IN)

Two computers stolen from an Indiana state health department contractor contained the names, addresses, birth dates, SSNs and medical and billing information for more than 7,500 women. The data were collected as part of the state's Breast and Cervical Cancer Program.

7,700
  Nov. 27, 2006

Johnston County, NC

Personal data, including SSNs, of thousands of taxpayers, were inadvertently posted on the county web site . The information was removed from the site within an hour after officials became aware of the situation.

Unknown
  Nov. 27, 2006

Greenville County School District
(Greenville, SC)

School district computers sold at auctions between 1999 and early 2006 contained the birth dates, SSNs, driver's license numbers and Department of Juvenile Justice records of approximately 100,000 students. The computers also held sensitive data for more than 1,000 school district employees.

At least 101,000 students and employees
  Nov. 27, 2006

Chicago Public Schools via All Printing & Graphics, Inc.
(Chicago, IL)

A company hired to print and mail health insurance information to former Chicago Public School employees mistakenly included a list of the names, addresses and SSNs of the nearly 1,740 people receiving the mailing. Each received the 125-page list of the 1,740 former employees.

1,740 former Chicago Public School employees

  Nov. 28, 2006 Kaiser Permanente Colorado -- its Skyline and Southwest offices
(Denver, CO)
For members who have questions:
(866) 529-0813
A laptop was stolen from the personal car of a Kaiser employee in California. It contained names, Kaiser ID number, date of birth, gender, and physician information. 38,000
(not included in total, because SSNs were apparently not exposed)
  Nov. 28, 2006 Cal State Los Angeles, Charter College of Education
(Los Angeles, CA)
(800) 883-4029
An employee's USB drive was inside a purse stolen from a car trunk. It contained personal information on 48 faculty members and more than 2,500 students and applicants of a teacher credentialing program. Information included names, SSNs, campus ID numbers, phone numbers, and e-mail addresses. 2,534
  Nov. 30, 2006 Pennsylvania Dept. of Transportation
(Hanover township driver's license facility, Dunmore, PA)
Thieves stole equipment from a driver's license facility late evening Nov. 28, including computers containing personal information on more than 11,000 people. Information included names, addresses, dates of birth, driver's license numbers and both partial and complete SSNs (complete SSNs for 5,348 people). Also stolen were supplies used to create drivers licenses and photo IDs. The state maintains 97 driver's license facilities. 11,384
  Nov. 30, 2006 TransUnion Credit Bureau via Kingman, AZ, court office Four different scam companies downloaded the credit information of more than 1,700 individuals, including their credit histories and SSNs. They were able to illegitimately obtain the password to the TransUnion account held by the Kingman, AZ, court office, which apparently has a subscription to the bureau's services. "more than 1,700 people"
  Dec. 3, 2006 City of Grand Prairie
(Grand Prairie, TX)
Employees of the city of Grand Prairie were notified that personal records were exposed on the city's Web site for at least a year. Included were the names and SSNs of "hundreds of employees." The information has since been removed. The city had been working with a contractor on a proposal for workers' compensation insurance. Along with the proposal, names and SSNs were mistakenly listed. "hundreds of employees"
         
TOTAL number of records containing sensitive personal information involved in security breaches  97,341,840
 
 

HOME        TOP

 

Copyright © 2005-2006. Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The PRC does not allow any of its documents to be posted on other web sites. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This document should be used as an information source and not as legal advice. PRC documents contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our information is applicable to consumers nationwide.

Privacy Rights Clearinghouse, 3100 - 5th Ave., Suite B, San Diego, CA 92103. Web: www.privacyrights.org