[Senate Report 110-70]
[From the U.S. Government Publishing Office]
Calendar No. 168
110th Congress Report
SENATE
1st Session 110-70
======================================================================
PERSONAL DATA PRIVACY AND SECURITY ACT OF 2007
_______
May 23, 2007.--Ordered to be printed
_______
Mr. Leahy, from the Committee on Judiciary, submits the following
R E P O R T
together with
ADDITIONAL VIEWS
[To accompany S. 495]
[Including cost estimate of the Congressional Budget Office]
The Committee on the Judiciary, to which was referred the
bill (S. 495), to prevent and mitigate identity theft, to
ensure privacy, to provide notice of security breaches, and to
enhance criminal penalties, law enforcement assistance, and
other protections against security breaches, fraudulent access,
and misuse of personally identifiable information, reports
favorably thereon with amendments, and recommends that the
bill, with amendments, do pass.
CONTENTS
Page
I. Purpose of the Personal Data Privacy and Security Act of 2007....2
II. History of the Bill and Committee Consideration..................7
III. Section-by-Section Summary of the Bill..........................10
IV. Cost Estimate...................................................18
V. Regulatory Impact Evaluation....................................25
VI. Conclusion......................................................25
VII. Additional Views................................................26
VIII.Changes in Existing Law Made by the Bill as Reported............32
I. Purpose of the Personal Data Privacy and Security Act of 2007
A. SUMMARY
Advanced technologies, combined with the realties of the
post-
9/11 digital era, have created strong incentives and
opportunities for collecting and selling personal information
about ordinary Americans. Today, private sector and
governmental entities alike routinely traffic in billions of
electronic personal records about Americans. Americans rely on
this data to facilitate financial transactions, provide
services, prevent fraud, screen employees, investigate crimes,
and find loved ones. The government also relies upon this
information to enhance national security and to combat crime.
The growing market for personal information has also become
a treasure trove that is both valuable and vulnerable to
identity thieves. As a result, the consequences of a data
security breach can be quite serious. For Americans caught up
in the endless cycle of watching their credit unravel, undoing
the damage caused by security breaches and identity theft can
become a time-consuming and life-long endeavor. In addition,
while identity theft is a major privacy concern for most
Americans, the use and collection of personal data by
government agencies can have an even greater impact on
Americans' privacy. The loss or theft of government data can
potentially expose ordinary citizens, government employees and
members of the armed services alike to national security and
personal security threats.
Despite these well-known dangers, the Nation's privacy laws
lag far behind the capabilities of technology and the cunning
of identity thieves. The Personal Data Privacy and Security Act
of 2007 is a comprehensive, bipartisan privacy bill that seeks
to close this privacy gap, by establishing meaningful national
standards for providing notice of data security breaches, and
addressing the underlying problem of lax data security, to make
it less likely for data security breaches to occur in the first
place.
B. THE GROWING PROBLEM OF DATA SECURITY BREACHES AND IDENTITY THEFT
According to the Privacy Rights Clearinghouse, more than
150 million records containing sensitive personal information
have been involved in data security breaches since 2005.\1\
Since the Personal Data Privacy and Security Act was first
reported by the Judiciary Committee in November 2005, there
have been at least 436 data security breaches in the United
States, effecting millions of American consumers.\2\ For
example, in January 2007, mega retailer TJX disclosed that it
suffered the largest data breach in U.S. history--effecting at
least 45.7 million credit and debit cards.\3\ The TJX data
breach follows many other commercial data breaches,
collectively effecting millions of Americans, including data
security breaches at ChoicePoint and Lexis Nexis.\4\
---------------------------------------------------------------------------
\1\ See Privacy Rights Clearinghouse Chronology of Data Breaches,
www.privacyrights.org. A copy of this chronology appears in the
Appendix to this report.
\2\ Id.
\3\ ``Breach of data at TJX is called the biggest ever, Stolen
numbers put at 45.7 million,'' Boston Globe, March 29, 2007.
\4\ See generally, Appendix.
---------------------------------------------------------------------------
Federal government agencies have also suffered serious data
security breaches. In May 2006, the Department of Veterans
Affairs lost an unsecured laptop computer hard drive containing
the health records and other sensitive personal information of
approximately 26.5 million veterans and their spouses.\5\ In
April 2007, the United States Department of Agriculture
(``USDA'') admitted that it posted personal identifying
information on about 63,000 grant recipients on an agency
website and acknowledged that as many as 150,000 people whose
personal details were entered into a federal government
database over the past 26 years could have been exposed by that
website.\6\ And, in May, 2007, the Transportation Security
Administration (``TSA'') reported that the personal and
financial records of 100,000 TSA employees were lost after a
computer hard drive was reported missing from the agency's
headquarters, exposing the Department of Homeland Security to
potential national security risks. \7\
---------------------------------------------------------------------------
\5\ See Testimony of the Honorable James Nicholson, Secretary of
Veterans Affairs, before the House Committee on Government Reform, June
8, 2006.
\6\ See ``USDA has data breach,'' Government Computer News, April
23, 2007.
\7\ See ``TSA seeks hard drive, personal data for 100,000.'' USA
Today, May 5, 2007; see also, the Federal Times, ``Union Sues TSA over
loss of data on employees,'' May 9, 2007.
---------------------------------------------------------------------------
The steady wave of data security breaches in recent years
is a window into a broader, more challenging trend. Insecure
databases are now low-hanging fruit for hackers looking to
steal identities and commit fraud.
The current estimates of the incidence of identity theft in
the United States vary, but they are all disturbingly high.
According to a recent report on identity theft by the Federal
Trade Commission, annual monetary losses due to identity theft
are in the billions of dollars.\8\ In fact, American consumers
collectively spend billions of dollars to recover from the
effects of identity theft, according to the FTC.\9\ Identity
theft also has a significant negative impact on our Nation's
businesses. The FTC recently found that businesses suffer the
most direct financial harm due to this illegal conduct, because
consumers are often not held personally responsible for
fraudulent charges.\10\
---------------------------------------------------------------------------
\8\ See The President's Identity Theft Task Force, Combating
Identity Theft: A Strategic Plan, April 2007, at page 11.
\9\ Id.
\10\ Id.
---------------------------------------------------------------------------
Because data security breaches adversely affect many
segments of the American community, a meaningful solution to
this growing problem must carefully balance the interests and
needs of consumers, business and the government.
C. THE PERSONAL DATA PRIVACY AND SECURITY ACT OF 2007
The Personal Data Privacy and Security Act of 2007 takes
several meaningful and important steps to balance the interests
and needs of consumers, business and the government in order to
better protect Americans sensitive personal data. This
legislation is supported by a wide range of consumer, business
and government organizations, including, the American
Federation of Government Employees, Business Software Alliance,
the Center for Democracy & Technology, Consumer Federation of
America, Consumers Union, Cyber Security Industry Alliance,
Microsoft, the National Association of Credit Management,
Vontu, TraceSecurity and the United States Secret Service.
1. Access and Correction
First, to provide consumers with tools that enable them to
guard against identity theft, S. 495 gives consumers the right
to know what sensitive personal information commercial data
brokers have about them. In addition, S. 495 extends the
protections afforded under the Fair and Accurate Credit
Transactions Act (``FACTA''), by allowing consumers to correct
their personal information if it is inaccurate. Under
circumstances where a business entity makes an adverse decision
based on information provided to it by a data broker, S. 495
also requires that the business entity notify the consumer of
the adverse decision and provide the consumer with the
information needed to contact the data broker and correct the
information. The right of consumers to access and correct their
own sensitive personal data is a simple matter of fairness. The
principles of access and correction incorporated in S. 495 have
precedent in the credit reporting industry context and these
principles have been adapted to the data broker industry.
2. Data Security Program
Second, the bill recognizes that, in the Information Age,
any company that wants to be trusted by the public must earn
that trust by vigilantly protecting the information that it
uses and collects. The bill takes important steps to accomplish
this goal, by requiring that companies that have databases with
sensitive personal information on more than 10,000 Americans
establish and implement a data privacy and security program.
There are exemptions to this requirement for companies already
subject to data security requirements under the Gramm-Leach-
Bliley Act and the Health Information Portability and
Accountability Act.
3. Notice
Third, because American consumers should know when they are
at risk of identity theft, or other harms, because of a data
security breach, the bill also requires that business entities
and federal agencies promptly notify affected individuals and
law enforcement when a data security breach occurs. Armed with
such knowledge, consumers can take steps to protect themselves,
their families, and their personal and financial well-being.
The trigger for notice to individuals is ``significant risk of
harm,'' and this trigger includes appropriate checks and
balances to prevent over-notification and underreporting of
data security breaches.
In this regard, S. 495 recognizes that there are harms
other than identity theft that can result from a data security
breach, including harm from other financial crimes, stalking
and other criminal activity. Consequently the bill adopts a
trigger of ``significant risk of harm,'' rather than a weaker
trigger of ``significant risk of identity theft,'' for the
notice to individuals requirement in the legislation.\11\ There
are exemptions to the notice requirements for individuals for
national security and law enforcement reasons, as well as an
exemption to this requirement for credit card companies that
have effective fraud-prevention programs.\12\
---------------------------------------------------------------------------
\11\ A notice trigger based uopn ``significant risk of identity
theft'' would weaken the notice provisions in S. 495 and such a
standard would also fail to adequately protect consumers. First, the
weaker ``significant risk of identity theft'' standard only requires
notification of consumers when a business entity or federal agency
affirmatively finds that there is a significant risk of the specific
crime of identity theft. In addition, as discussed above, there are
other harms that could result from data security breaches, such as
stalking, physical harm, or threats to national security, that are not
addressed or covered under a notice standard based solely on the risk
of identity theft.
\12\ In his additional views, Senator Sessions incorrectly states
that S. 495 will result in over notification of consumers and in a lack
of clarity for business. To the contrary, the bill contains meaningful
checks and balances, including the risk assessment and financial fraud
provisions in Section 312, to prevent over-notification and the
underreporting of data security breaches. The risk assessment provision
in Section 312(b), furthermore, provides businesses with an opportunity
to fully evalaute data security breaches when they occur, to determine
whether notice should be provided to consumers. In addition, the bill
compliments and properly builds upon other federal statutes governing
data privacy and security to ensure clarity for business in this area.
For example, to avoid conflicting obligations regarding the bill's data
security program requirements, Section 301(c) specifically exempts
financial institutions that are already subject to, and complying with,
the data privacy and security requirements under GLB, as well as HIPPA-
regulated entities. The bill also builds upon existing federal laws and
guidance, such as the data security protections established by the
Office of the Comptroller of the Currency for financial institutions
and the access and correction provisions in the Fair Credit Reporting
Act and the Fair and Accurate Credit Transactions Act, to clarify the
obligations of business.
---------------------------------------------------------------------------
In addition, to strengthen the tools available to law
enforcement to investigate data security breaches and to combat
identity theft, S. 495 also requires that business entities and
federal agencies notify the Secret Service of a data security
breach within 14 days of the occurrence of the breach. This
notice will provide law enforcement with a valuable head start
in pursuing the perpetrators of cyber intrusions and identity
theft. The bill also empowers the Secret Service to obtain
additional information about the data breach from business
entities and federal agencies to determine whether notice of
the breach should be given to consumers and other law
enforcement agencies. This mechanism gives businesses and
agencies certainty as to their legal obligation to provide
notice and prevents them from sending notices when they are
unnecessary, which overtime, could result in consumers ignoring
such notices.
Since 1984, Congress has provided statutory authority for
the Secret Service to investigate a wide range of financial
crimes, including offenses under 18 U.S.C. Sec. 1028 (false
identification fraud), Sec. 1029 (access device fraud) and
Sec. 1030 (computer fraud). In the last two decades, the Secret
Service has conducted more than 733,000 financial fraud and
identity theft investigations involving these statutes, leading
to the prosecution of more than 116,000 individuals.\13\
Pursuant to the notice requirements in the bill, the Secret
Service's Criminal Intelligence Section would analyze,
coordinate and monitor all data breach investigations reported
to it by victim companies. When the Criminal Intelligence
Section receives notification of a data breach, this section
would immediately analyze the information and refer the case to
the appropriate field office and/or electronic/financial crimes
task force, for investigation and prosecution. Throughout this
process, the Criminal Intelligence Section would further stand
ready to support the victim company, investigating field office
or task force, and prosecuting U.S. Attorney's Office as
needed. The Criminal Intelligence Section would also coordinate
with the Computer Crime and Intellectual Property Sections
(``CCIPS'') of the Department of Justice to ensure proper and
timely response through the federal judicial system, regardless
of where the data breach occurred. In addition, the Criminal
Intelligence Section would have the additional responsibility
of notifying federal law enforcement and state attorneys
general as mandated by the legislation.
---------------------------------------------------------------------------
\13\ See Secret Service White Paper, ``Data Broker Legislation--S.
495,'' May 2007.
---------------------------------------------------------------------------
The bill also recognizes the benefits of separating the
notice obligations of owners of personally identifiable
information and third parties who use and manage personally
identifiable information on the owner's behalf. The bill
imposes an obligation on third parties that suffer a data
security breach to notify the owners or licensees of the
personally identifiable information, who would, in turn, notify
consumers. If the owner or licensee of the data gives notice of
the breach to the consumer, then the breached third party does
not have to give notice. The bill also states that it does not
abrogate any agreement between a breached entity and a data
owner or licensee to provide the required notice in the event
of a breach. Separating the notice obligations between data
owners and licensees, and third parties, will encourage data
owners and licensees to address the notice obligation in
agreements with third parties and will help to ensure that
consumers will receive timely notice from the entity with which
they have a direct relationship and would recognize upon
receiving such notice, in the event of a data security breach.
However, this notice can only be effective if the entity which
suffers the breach, and any other third parties, provide to the
entity who will give the notice complete and timely information
about the nature and scope of the breach and the identity of
the entity breached.
4. Enforcement
Fourth, this legislation also establishes tough, but fair,
enforcement provisions to punish those who fail to notify
consumers of a data security breach, or to maintain a data
security program. The bill makes it a crime for any individual,
who knows of the obligation to provide notice of a security
breach, and yet, intentionally and willfully conceals the
breach, and the breach causes economic harm to consumers.
Violators of this provision are subject to a criminal fine
under Title 18, or imprisonment of up to 5 years, or both. This
provision is no more onerous than criminal provisions for other
types of fraudulent conduct which causes similar harm to
individuals.
The bill also contains strong civil enforcement provisions.
The bill authorizes the Federal Trade Commission (``FTC'') to
bring a civil enforcement action for violations of the data
security program requirements in the bill and to recover a
civil penalty of not more than $5,000 per violation, per day
and a maximum penalty of $500,000 per violation.\14\ In
addition, the bill authorizes State Attorneys General, or the
U.S. Attorney General, to bring a civil enforcement action
against violators of the notice requirements in the bill and to
recover a civil penalty of not more than $1,000 per individual,
per day and a maximum penalty of $1,000,000 per violation,
unless the violation is willful or intentional.
---------------------------------------------------------------------------
\14\ Double penalties may be recovered for intentional or willful
violations of this provision.
---------------------------------------------------------------------------
5. Preemption
The legislation also carefully balances the need for
federal uniformity in certain data privacy laws and the
important role of States as leaders on privacy issues. Section
304 of the bill (relation to other laws) preempts state laws
with respect to requirements for administrative, technical, and
physical safeguards for the protection of sensitive personally
identifying information. These requirements, which are referred
to in this Section, are the same requirements set forth in
Section 302 of the bill.
Section 319 of the bill (effect on federal and state laws)
also preempts state laws on breach notification. However, in
recognition of the important role that the States have played
in developing breach notification, the bill carves out an
exception to preemption for state laws regarding providing
consumers with information about victim protection assistance
that is provided for by the State.
In addition, Section 319 of the bill provides that the
notice requirements in S. 495 supersede ``any provision of law
of any State relating to notification of a security breach,
except as provided in Section 314(b) of the bill.'' The bill's
subtitle on security breach notification applies to ``any
agency, or business entity engaged in interstate commerce,''
and the term ``agency'' is defined in the bill by referencing
section 551 of title 5, United States Code, which pertains to
federal governmental entities. As a result, the security breach
notification requirements in the bill have no application to
State and local government entities, and the Committee does not
intend for this provision to preempt or displace state laws
that address obligations of State and local government entities
to provide notice of a security breach.
6. Government Use
Finally, the bill establishes important new checks on the
government's use of personal data. In April 2007, the
Government Accountability Office (``GAO'') released a new
report on government data breaches that highlighted the
importance of protecting government computer equipment
containing personally identifiable information and of federal
agencies responding effectively to data security breaches that
pose privacy risks.\15\ To address these concerns, the bill
requires that federal agencies consider whether data brokers
can be trusted with government contracts that involve sensitive
information about Americans before awarding government
contracts. The bill also requires that Federal agencies audit
and evaluate the information security practices of government
contractors and third parties that support the information
technology systems of government agencies. In addition, the
bill requires that Federal agencies adopt regulations that
specify the personnel allowed to access government data bases
containing personally identifiable information and adopt
regulations that establish the standards for ensuring, among
other things, the legitimate government use of sensitive
personal information.
---------------------------------------------------------------------------
\15\ See GAO Report on ``Privacy: Lessons Learned About Data Breach
Notification,'' April 2007.
---------------------------------------------------------------------------
II. History of the Bill and Committee Consideration
A. HEARINGS
1. April 13, 2005
On April 13, 2005, the Judiciary Committee held a hearing
on ``Securing Electronic Personal Data: Striking a Balance
between Privacy and Commercial and Governmental Use.'' This
hearing examined the practices and weaknesses of the rapidly
growing data broker industry and, in particular, how data
brokers were handling the most sensitive personal information
about Americans. The hearing also explored how Congress could
establish a sound legal framework for future data privacy
legislation that would ensure that privacy, security, and civil
liberties will not be pushed aside in the new Digital Age.
The following witnesses testified at this hearing: Deborah
Platt Majoras, Chairman of the Federal Trade Commission; Chris
Swecker, Assistant Director for the Criminal Investigative
Division at the Federal Bureau of Investigation; Larry D.
Johnson, Special Agent in Charge of the Criminal Investigative
Division of the U.S. Secret Service; William H. Sorrell,
President of the National Association of Attorneys General;
Douglas C. Curling, President, Chief Operating Office, and
Director of ChoicePoint, Inc.; Kurt P. Sanford, President & CEO
of the U.S. Corporate & Federal Markets LexisNexis Group;
Jennifer T. Barrett, Chief Privacy Officer of Acxiom Corp.;
James X. Dempsey, Executive Director of the Center for
Democracy & Technology; and Robert Douglas, CEO of
PrivacyToday.com.
2. March 21, 2007
On March 21, 2007, the Judiciary Committee's Subcommittee
on Terrorism, Technology and Homeland Security held a hearing
on ``Identity Theft: Innovative Solutions for an Evolving
Problem.'' This hearing examined the problem of identity theft
and legislative solutions to this problem, and discussed the
need for federal legislation on data breach notification. The
following witnesses testified at this hearing: Ronald Tenpas,
Associate Deputy Attorney General, United States Department of
Justice; Lydia Parnes, Director Bureau of Consumer Protection
Federal Trade Commission; James Davis, Chief Information
Officer and Vice Chancellor for Information Technology,
University of California, Los Angeles; Joanne McNabb, Chief
California Office of Privacy Protection; and Chris Jay
Hoofnagle, Senior Staff Attorney, Samuelson Law, Technology &
Public Policy Clinic, School of Law (Boalt Hall) University of
California, Berkeley.
B. LEGISLATION
Chairman Patrick Leahy and Ranking Member Arlen Specter
introduced the Personal Data Privacy and Security Act of 2007
on February 6, 2007. This bipartisan, comprehensive privacy
bill is cosponsored by Senators Schumer, Feingold, Cardin,
Sanders and Brown.
This legislation is very similar to the Personal Data
Privacy and Security Act of 2005, S. 1789, which then-Chairman
Specter and Ranking Member Leahy introduced on September 29,
2005. The Judiciary Committee favorably reported that
legislation on November 17, 2005, by a bipartisan vote of 13 to
5.
On April 25, 2007, S. 495 was placed on the Judiciary
Committee's agenda. The Committee considered this legislation
on May 3, 2007.
During the Committee's consideration of S. 495, six
amendments to the bill were offered and five of those
amendments were adopted by the Committee:
First, the Committee adopted, without objection, a
bipartisan manager's amendment to S. 495 which Chairman Leahy
offered on behalf of himself and Senator Specter. The manager's
amendment adds several additional privacy enhancements to the
bill, including: (1) a definition of encryption and provision
to encourage business entities to utilize encryption technology
to protect personal data by establishing a presumption that no
significant risk of harm exists when sensitive personal data is
encrypted with appropriate safeguards; (2) a provision to
expressly exempt debit cards and other financial account
records from the financial fraud prevention exemption in the
bill, to address the TJX data security breach situation where
millions of debit card numbers were stolen and consumers had no
right to force their financial institutions to immediately
restore any funds stolen from the checking and savings accounts
linked to these debit cards; (3) a provision to clarify that
notice of the occurrence of a security breach must be given to
the Secret Service within 14 days of the breach and that the
Secret Service has 10 business days to review any certification
seeking an exemption from the notice to individuals
requirements under the bill to enhance the ability of law
enforcement to investigate data security breaches; and (4) a
provision requiring that the GAO provide a follow-up report to
its April 2006 report to Congress on the federal agency use of
data brokers.
The Committee also adopted, without objection, an amendment
offered by Senator Feinstein to (1) narrow the exemption for
public records under the bill to ensure that notice to
individuals is provided for data security breaches involving
harvested data; (2) broaden the notice provisions under the
bill to cover hard copy or paper data; and (3) to require that
the Secret Service must review any certification by a business
entity (and may review any certification by an agency) to use
the national security exemption to the notice requirements
under the bill and to give the Secret Service more authority to
obtain additional information before approving this exemption;
(4) changing the threshold for providing advance notice to
consumer credit reporting agencies following a data security
breach to breaches affecting more than 5,000 individuals; and
(5) clarifying that the bill's notice provisions only preempt
state laws that apply to entities that are actually covered by
the bill.
The Committee also adopted, without objection, two
amendments offered by Senator Schumer. The first amendment
creates an Office of Federal Identity Theft Protection within
the FTC, to provide direct assistance to victims of identity
theft. The Office of Federal Identity Theft Protection will,
among other things, help consumers to restore their credit and
access remedies under State and Federal laws and provide
consumers with a uniform certification to establish that they
have been victims of identity theft and are eligible for
assistance. The second amendment requires that data brokers
must be able to track who has access to records containing
sensitive personal information and to verify that their
customers who seek to access sensitive personal information are
accessing this information for a legal purpose.
In addition, the Committee adopted, without objection, an
amendment offered by Senator Cardin to require that companies
that use information provided by a data broker, and then take
an adverse action based upon that information, notify the
consumer adversely affected by the information and provide the
consumer with an opportunity to access and correct the
information. This amendment is based upon similar requirements
in the Fair Credit Reporting Act.
The Committee rejected by voice vote an amendment offered
by Senator Coburn which would change the trigger for
notification in S. 495 from ``significant risk of harm'' to
``significant risk of identity theft.''
Lastly, the Committee adopted, by voice vote, an amendment
offered by Senator Whitehouse to exempt bankruptcy debtors from
Section 707(b)(2) means testing under the Bankruptcy Abuse
Prevention and Consumer Protection Act, if the debtor's
financial problems were caused by identity theft. The narrowly-
tailored amendment requires that, to be eligible for this
exemption, the identity theft must result in at least $20,000
in debt in one year, 50 percent of the debtor's bankruptcy
claims, or 25 percent of the debtor's gross income for a 12-
month period.
The Committee favorably reported S. 495, as amended, by
voice vote.
III. Section-by-Section Summary of the Bill
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS
OF DATA PRIVACY AND SECURITY
Section 101--Organized criminal activity in connection with
unauthorized access to personally identifiable information
Section 101 amends 18 U.S.C. Sec. 1961(1) to add
intentionally accessing a computer without authorization to the
definition of racketeering activity.
Section 102--Concealment of security breaches involving personally
identifiable information
Section 102 makes it a crime for a person who knows of a
security breach requiring notice to individuals under Title III
of this Act, and of the obligation to provide such notice, to
intentionally and willfully conceal the fact of, or information
related to, that security breach. Punishment is either a fine
under Title 18, or imprisonment of up to 5 years, or both.
Section 103--Review and amendment of federal sentencing guidelines
related to fraudulent access to or misuse of digitized or
electronic personally identifiable information
Section 103 requires the U.S. Sentencing Commission to
review and, if appropriate, amend the federal sentencing
guidelines for persons convicted of using fraud to access, or
to misuse, digitized or electronic personally identifiable
information, including sentencing guidelines for the offense of
identity theft or any offense under 18 U.S.C. Sec. Sec. 1028,
1028A, 1030, 1030A, 2511 and 2701.
Section 104--Effects of identity theft on bankruptcy proceedings
Section 104 amends 11 U.S.C. Sec. Sec. 101 and 707(b) to
exempt debtors from Section 707(b)(2) means testing under the
Bankruptcy Abuse Prevention and Consumer Protection Act, if the
debtor's financial problems were caused by identity theft. This
Section requires that, to be eligible for this exemption, the
identity theft must result in at least $20,000 in debt in one
year, 50 percent of the debtor's bankruptcy claims, or 25
percent of the debtor's gross income for a 12-month period. The
purpose of this provision is to ensure that victims who incur
debts due to identity theft have all available protections
under the bankruptcy code.
TITLE II--DATA BROKERS
Title II addresses the data brokering industry that has
come of age, prompted by technology developments and changes in
marketplace incentives. Data brokers collect and sell billions
of private and public records about individuals, including
personal, financial, insurance, medical and ``lifestyle'' data,
as well as other sensitive information, such as details on
neighbors and relatives, or even digital photographs of
individuals. Companies like ChoicePoint, LexisNexis and Acxiom,
which are generally regarded as leaders in this industry, use
this information to provide a variety of products and services,
including fraud prevention, identity verification, background
screening, risk assessments, individual digital dossiers and
tools for analyzing data.
Although some of the products and services offered by data
brokers are subject to existing privacy and security
protections aimed at credit reporting agencies and the
financial industry under the Fair Credit Reporting Act
(``FCRA'') and Gramm-Leach-Bliley (``GLB''), many are not
subject to such protections. In addition, there has been
insufficient oversight of the industry's practices, including
the accuracy and handling of sensitive data. These concerns
have been highlighted by numerous reports of harm caused by
inaccurate data records. This Title draws from the principles
in FCRA and GLB to close these loopholes.
Section 201--Transparency and accuracy of data collection
Section 201 applies disclosure and accuracy requirements to
data brokers that engage in interstate commerce and offer any
product or service to third parties that allows access to, or
use, compilation, distribution, processing, analyzing or
evaluating of personally identifiable information. Section 201
requirements are not applicable to products and services
already subject to similar disclosure and accuracy provisions
under FCRA and GLB, and implementing regulations.
Section 201 requires data brokers to disclose to
individuals, upon their request and for a reasonable fee, all
personal electronic records pertaining to that individual that
the data broker maintains for disclosure to third parties.
Section 201 also requires data brokers to establish a fair
process for individuals to dispute, flag or correct
inaccuracies in any information that was not obtained from a
licensor or public record. Modeled after Section 611 of FCRA,
Section 201 requires data brokers to: (1) investigate disputed
information within 30 days; (2) notify any data furnishers who
provided disputed information and identify such data furnishers
to the individual disputing the information; (3) provide notice
to individuals on dispute resolution procedures and the status
of dispute investigations, including whether the dispute was
determined to be frivolous or irrelevant, whether the disputed
information was confirmed to be accurate, or whether the
disputed information was deleted as inaccurate; and (4) allow
individuals to include a statement of dispute in the electronic
records containing the disputed personal information. If the
information was obtained from a licensor or public record, the
data broker must provide the individual with contact
information for the source of the data.
Section 201 also provides that, under circumstances where a
person or business takes an adverse action regarding a
consumer, which is based in whole or in part on data maintained
by a data broker, the person or business must notify the
consumer in writing of the adverse action and provide contact
information for the data broker that furnished the information,
a copy of the information at no cost and the procedures for
correcting such information.
Section 202--Enforcement
A data broker that violates the access and correction
provisions of Section 201 is subject to penalties of $1,000 per
violation per day with a maximum penalty of $250,000 per
violation. A data broker that intentionally or willfully
violates these provisions is subject to additional penalties of
$1,000 per violation per day, with a maximum of an additional
penalty of $250,000 per violation.
The Federal Trade Commission (``FTC'') will enforce Section
202 and may bring an enforcement action to recover penalties
under this provision. States have the right to bring civil
actions under this Section on behalf of their residents in U.S.
district courts, and this section requires that States provide
advance notice of such court proceedings to the FTC, where
practicable. The FTC also has the right to stay any state
action brought under this Section and to intervene in a state
action.
Section 203--Relation to State laws
Section 203 preempts State laws with respect to the access
and correction of personal electronic records held by data
brokers.
Section 204--Effective date
Section 204 provides that Title II will take effect 180
days after the date of the enactment of the Personal Data
Privacy and Security Act.
TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
SUBTITLE A--A DATA PRIVACY AND SECURITY PROGRAM
Section 301--Purpose and applicability of data privacy and security
program
Section 301 addresses the data privacy and security
requirements of Section 302 for business entities that compile,
access, use, process, license, distribute, analyze or evaluate
personally identifiable information in electronic or digital
form on 10,000 or more U.S. persons. Section 301 exempts from
the data privacy and security requirements of Section 302
businesses already subject to, and complying with, similar data
privacy and security requirements under GLB and implementing
regulations, as well as examination for compliance by Federal
functional regulators as defined in GLB, and HIPPA regulated
entities.
Section 302--Requirements for a data privacy and security program
Section 302 requires covered business entities to create a
data privacy and security program to protect and secure
sensitive data. The requirements for the data security program
are modeled after those established by the Office of the
Comptroller of the Currency for financial institutions in its
Interagency Guidelines Establishing Standards for Safeguarding
Customer Information, 12 C.F.R. Sec. 30.6 Appendix B (2005).
A data privacy and security program must be designed to
ensure security and confidentiality of personal records,
protect against anticipated threats and hazards to the security
and integrity of personal electronic records, protect against
unauthorized access and use of personal records, and ensure
proper back-up storage and disposal of personally identifiable
information. In addition, Section 302 requires a covered
business entity to: (1) regularly assess, manage and control
risks to improve its data privacy and security program; (2)
provide employee training to implement its data privacy and
security program; (3) conduct tests to identify system
vulnerabilities; (4) ensure that overseas service providers
retained to handle personally identifiable information, but
which are not covered by the provisions of this Act, take
reasonable steps to secure that data; and (5) periodically
assess its data privacy and security program to ensure that the
program addresses current threats. Section 302 also requires
that the data security program include measures that allow the
data broker (1) to track who has access to sensitive personally
identifiable information maintained by the data broker and (2)
to ensure that third parties or customers who are authorized to
access this information have a valid legal reason for accessing
or acquiring the information.
Section 303--Enforcement
Section 303 gives the FTC the right to bring an enforcement
action for violations of Sections 301 and 302 in Subtitle A.
Business entities that violate sections 301 and 302 are subject
to a civil penalty of not more than $5,000 per violation, per
day and a maximum penalty of $500,000 per violation.
Intentional and willful violations of these sections are
subject to an additional civil penalty of $5,000 per violation,
per day and an additional maximum penalty of $500,000 per
violation. This section also grants States the right to bring
civil actions on behalf of their residents in U.S. district
courts, and requires States to give advance notice of such
court proceedings to the FTC, where practicable. There is no
private right of action under this subtitle.
Section 304--Relation to other laws
Section 304 preempts state laws relating to administrative,
technical, and physical safeguards for the protection of
sensitive personally identifying information. The requirements
referred to in this Section are the same requirements set forth
in Section 302.
SUBTITLE B--SECURITY BREACH NOTIFICATION
Section 311--Notice to individuals
Section 311 requires that a business entity or federal
agency give notice to an individual whose sensitive personally
identifiable information has been, or is reasonably believed to
have been, compromised, following the discovery of a data
security breach. The notice required under Section 311 must be
made without unreasonable delay. Section 311(b) requires that a
business entity or federal agency that does not own or license
the information compromised as a result of a data security
breach notify the owner or licensee of the data. The owner or
licensee of the data would then provide the notice to
individuals as required under this Section. However, agreements
between owners, licensees and third parties regarding the
obligation to provide notice under Section 311 are preserved.
Section 312--Exemptions
Section 312 allows a business entity or federal agency to
delay notification by providing a written certification to the
U.S. Secret Service that providing such notice would impede a
criminal investigation, or damage national security. This
provision further requires that the Secret Service must review
all certifications from business entities (and may review
certifications from agencies) seeking an exemption from the
notice requirements based upon national security or law
enforcement, to determine if the exemption sought has merit.
The Secret Service has 10 business days to conduct this review,
which can be extended by the Secret Service if additional
information is needed. Upon completion of the review, the
Secret Service must provide written notice of its determination
to the agency or business entity that provided the
certification. If the Secret Service determines that the
exemption is without merit, the exemption will not apply.
Section 312 also prohibits federal agencies from providing a
written certification to delay notice, to conceal violations of
law, prevent embarrassment or restrain competition.
Section 312(b) exempts a business entity or agency that
conducts a risk assessment after a data breach occurs, and
finds no significant risk of harm to the individuals whose
sensitive personally identifiable information has been
compromised, from the notice requirements of Section 311,
provided that: (1) the business entity or federal agency
notifies the Secret Service of the results of the risk
assessment within 45 days of the security breach and (2) the
Secret Service does not determine within 10 business days of
receipt the notification that a significant risk of harm does
in fact exist and that notice of the breach should be given.
Under Section 312(b) a rebuttable presumption exists that the
use of encryption technology, or other technologies that render
the sensitive personally identifiable information
indecipherable, and thus, that there is no significant risk of
harm.
Section 312(c) also provides a financial fraud prevention
exemption from the notice requirement, if a business entity has
a program to block the fraudulent use of information--such as
credit card numbers--to avoid fraudulent transactions. Debit
cards and other financial instruments are not covered by this
exemption.
Section 313--Methods of notice
Section 313 provides that notice to individuals may be
given in writing to the individual's last known address, by
telephone or via email notice, if the individual has consented
to email notice. Media notice is also required if the number of
residents in a particular state whose information was, or is
reasonably believed to have been compromised exceeds 5,000
individuals.
Section 314--Content of notification
Section 314 requires that the notice detail the nature of
the personally identifiable information that has been
compromised by the data security breach, a toll free number to
contact the business entity or federal agency that suffered the
breach, and the toll free numbers and addresses of major credit
reporting agencies. Section 314 also preserves the right of
States to require that additional information about victim
protection assistance be included in the notice.
Section 315--Coordination of notification with credit reporting
agencies
Section 315 requires that, for situations where notice of a
data security breach is required for 5,000 or more individuals,
a business entity or federal agency must also provide advance
notice of the breach to consumer reporting agencies.
Section 316--Notice to law enforcement
Section 316 requires that business entities and federal
agencies notify the Secret Service of the fact that a security
breach occurred within 14 days of the breach, if the data
security breach involves: (1) more than 10,000 individuals; (2)
a database that contains information about more than 1 million
individuals; (3) a federal government database; or (4)
individuals known to be government employees or contractors
involved in national security or law enforcement. The Secret
Service is responsible for notifying other federal law
enforcement agencies, including the FBI, and the relevant State
Attorneys General within 14 days of receiving notice of a data
security breach.
Section 317--Enforcement
Section 317 allows the Attorney General to bring a civil
action to recover penalties for violations of the notification
requirements in Subtitle B. Violators are subject to a civil
penalty of up to $1,000 per day, per individual and a maximum
penalty of $1 million per violation, unless the violation is
willful or intentional.
Section 318--Enforcement by State Attorneys General
Section 318 allows State Attorneys General to bring a civil
action in U.S. district court to enforce Subtitle B. The
Attorney General may stay, or intervene in, any state action
brought under this subtitle.
Section 319--Effect on Federal and State law
Section 319 preempts state laws on breach notification,
with the exception of state laws regarding providing consumers
with information about victim protection assistance that is
available to consumers in a particular State. Because the
breach notification requirements in the bill do not apply to
state and local government entities, this provision does not
preempt state or local laws regarding the obligations of state
and local government entities to provide notice of a data
security breach.
Section 320--Authorization of appropriations
Section 320 authorizes funds for the Secret Service as may
be necessary to carry out investigations and risk assessments
of security breaches under the requirements of Subtitle B.
Section 321--Reporting on risk assessment exemptions
Section 321 requires that the Secret Service report to
Congress on the number and nature of data security breach
notices invoking the risk assessment exemption and the number
and nature of data security breaches subject to the national
security and law enforcement exemptions.
Section 322--Effective date
Subtitle B takes effect 90 days after the date of enactment
of the Personal Data Privacy and Security Act.
SUBTITLE C--OFFICE OF FEDERAL IDENTITY PROTECTION
Section 331--Office of Federal Identity Protection
Section 331 establishes an Office of Federal Identity
Protection within the FTC, to assist consumers with identity
theft issues and concerns, including helping consumers correct
their personal information and retrieve stolen information. The
Office of Federal Identity Protection's activities will also
include, providing a website dedicated to assisting consumers
with identity theft matters, providing a toll free number to
assist consumers, providing guidance and information on
obtaining pro bono legal services for victims of identity
theft, and issuing certifications to victims of identity theft
that can be used to, among other things, establish eligibility
for fraud alert and reporting protections under the Fair Credit
Reporting Act.
TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA
Section 401--General Services Administration review of government
contracts
Section 401 requires the General Services Administration
(GSA), when issuing contracts for more than $500,000, to review
and consider government contractors' programs for securing the
privacy and security of personally identifiable information,
contractors' compliance with such programs, and any data
security breaches of contractors' systems and the responses to
those breaches.
In addition, GSA is required to include penalties in
contracts involving personally identifiable information for (1)
failure to comply with Subtitle A (Data Privacy and Security
Programs) and Subtitle B (Security Breach Notification) of
Title III of this Act and (2) knowingly providing inaccurate
information. Section 401 also requires that GSA include a
contract requirement that government contractors exercise due
diligence in selecting service providers that handle personally
identifiable information and that government contractors take
reasonable steps to select service providers that maintain
appropriate data privacy and security safeguards.
Section 402--Requirement to audit information security practices of
contractors and third party business entities
Section 402 amends 44 U.S.C. Sec. 3544 to require that
federal agencies audit and evaluate the information security
practices of government contractors and third parties that
support the information technology systems of government
agencies.
Section 403--Privacy impact assessment of Government use of commercial
information services containing personally identifiable
information
Section 403(a) updates the E-Government Act of 2002 to
require federal departments and agencies that purchase or
subscribe to personally identifiable information from a
commercial entity, to conduct privacy impact assessments on the
use of those services. In addition, Section 403(b) requires
federal departments and agencies that use such services to
publish a description of the database, the name of the provider
and the contract amount.
Section 403 also requires that federal departments and
agencies adopt regulations that specify the personnel allowed
to access government databases containing personally
identifiable information and the standards for ensuring, among
other things, the legitimate government use of such
information, the retention and disclosure of such information,
and the accuracy, relevance, completeness and timeliness of
such information. Section 403 further provides that federal
departments and agencies must include in contracts for more
than $500,000 and agreements with commercial data services,
penalty provisions for circumstances where a data broker
delivers personally identifiable information that it knows to
be inaccurate, or has been informed is inaccurate and is in
fact inaccurate. Section 403(c) also requires that data brokers
that engage service providers, who are not subject to the data
security program requirements of the bill, exercise due
diligence in retaining these service providers to ensure that
adequate safeguards for personally identifiable information are
in place.
Section 403(d) directs the Government Accountability Office
to conduct a follow-up study and report to Congress on federal
agency use of commercial databases, including the impact of
such use on privacy and security, sufficiency of privacy and
security protections, and the extent to which commercial data
providers are penalized for privacy and security failures.
Section 404--Implementation of Chief Privacy Officer requirements
Section 522 of the Transportation, Treasury, Independent
Agencies, and General Government Appropriations Act, 2005
requires each agency to create a Chief Privacy Officer. Section
404 facilitates the efficient and effective implementation of
this requirement by directing the Department of Justice to
implement this provision by designating a Department-wide Chief
Privacy Officer, whose primary role is to fulfill the duties
and responsibilities of Chief Privacy Officer. In addition, the
DOJ Chief Privacy Officer will report directly to the Deputy
Attorney General.
Section 404 also stipulates responsibilities for the DOJ
Chief Privacy Officer that are tailored to the mission of the
Department and the requirements of this Act. Specifically, this
Section directs the Chief Privacy Officer to: (1) oversee DOJ's
implementation of the privacy impact assessment requirement
under Section 402; (2) promote the use of law enforcement
technologies that sustain, rather than erode, privacy
protections and ensure technologies relating to the use,
collection and disclosure of personally identifiable
information preserve privacy and security; and (3) coordinate
implementation with the Privacy and Civil Liberties Oversight
Board, established in the Intelligence Reform and Terrorism
Prevention Act of 2004.
IV. Congressional Budget Office Cost Estimate
May 17, 2007.
Hon. Patrick J. Leahy,
Chairman, Committee on the Judiciary,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 495, the Personal
Data Privacy and Security Act of 2007.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Susan Willie.
Sincerely,
Peter R. Orszag.
Enclosure.
S. 495--Personal Data Privacy and Security Act of 2007
Summary: S. 495 would establish new federal crimes relating
to the unauthorized access of sensitive personal information.
The bill also would require most government agencies or
business entities that collect, transmit, store, or use
personal information to notify any individuals whose
information has been unlawfully accessed. In addition, S. 495
would require data brokers to allow individuals access to their
electronic records and publish procedures for individuals to
respond to inaccuracies. Finally, the bill would establish the
Office of Federal Identity Protection (OFIP) within the Federal
Trade Commission (FTC) to assist victims of identity theft to
restore the accuracy of their personal information.
Assuming appropriation of the necessary amounts, CBO
estimates that implementing the provisions of S. 495 would cost
$30 million in 2008 and $335 million over the 2008-2012 period.
Enacting S. 495 could increase civil and criminal penalties and
thus could affect federal revenues and direct spending, but CBO
estimates that such effects would not be significant in any
year. Further, enacting S. 495 could affect direct spending by
agencies not funded through annual appropriations. CBO
estimates, however, that any changes in net spending by those
agencies would be negligible.
S. 495 contains intergovernmental mandates as defined in
the Unfunded Mandates Reform Act (UMRA), but CBO estimates that
the cost of complying with the requirements would be small and
would not exceed the threshold established in UMRA ($66 million
in 2007, adjusted annually for inflation).
S. 495 would impose several private-sector mandates as
defined in UMRA. The bill would impose data security standards
and procedures, and notification requirements on certain
private-sector entities. In addition, it would require data
brokers to provide individuals with their personally
identifiable information if requested, and to change the
information if it is incorrect. Finally, the bill would require
any entity taking an adverse action against an individual based
on information maintained by a data broker to notify the
individual of that action. Because of uncertainty about the
number of entities that are already in compliance with the data
security and notification mandates, CBO cannot estimate the
incremental cost of complying with those mandates. Further, the
number of requests for information and the incidence of adverse
actions that would occur under the bill are uncertain.
Consequently, CBO cannot determine whether the aggregate direct
cost of mandates in the bill would exceed the annual threshold
established by UMRA for private-sector mandates ($131 million
in 2007, adjusted annually for inflation).
Estimated cost to the Federal Government: The estimated
budgetary impact of S. 495 is shown in the following table. The
costs of this legislation fall within budget functions 370
(commerce and housing credit), 750 (administration of justice),
and 800 (general government).
----------------------------------------------------------------------------------------------------------------
By fiscal year, in millions of dollars--
--------------------------------------------
2008 2009 2010 2011 2012
----------------------------------------------------------------------------------------------------------------
CHANGES IN SPENDING SUBJECT TO APPROPRIATION
FTC Office of Federal Identity Protection:
Estimated Authorization Level.................................. 33 66 69 73 76
Estimated Outlays.............................................. 30 63 69 72 76
Other Provisions:
Estimated Authorization Level.................................. 3 5 7 7 7
Estimated Outlays.............................................. 1 3 7 7 7
Total Changes:
Estimated Authorization Level.............................. 36 71 76 80 83
Estimated Outlays.......................................... 31 66 76 79 83
----------------------------------------------------------------------------------------------------------------
Basis of Estimate: For this estimate, CBO assumes that the
bill will be enacted during fiscal year 2007, that the
necessary amounts will be provided each year, and that spending
will follow historical patterns for similar programs.
Spending subject to appropriation
S. 495 would require most government agencies or business
entities that collect, transmit, store, or use personal
information to notify any individuals whose information has
been unlawfully accessed. The bill also would establish the
Office of Federal Identity Protection within the FTC to help
victims of identity theft correct their personal records. CBO
estimates that implementing the provisions of S. 495 would cost
$335 million over the 2008-2012 period, assuming appropriation
of the necessary amounts.
Security Breach Notification. In the event of a security
breach of government information likely to involve personal
information, S. 495 would require government agencies to notify
an individual whose information may have been compromised. The
legislation defines personal information as a combination of a
person's name or financial information with any additional
unique identifier. Notification would be in the form of
individual notice (written notice to a home mailing address or
via e-mail) as well as through the mass media and credit-
reporting agencies if the security breach affects more than
5,000 individuals. The legislation also would require the
agency to provide affected individuals with a description of
the accessed information, a toll-free number to contact the
agency, the names and toll-free telephone numbers of the major
credit-reporting agencies, and information regarding state
victim assistance protections.
The Federal Information Security Management Act of 2002
sets requirements for securing the federal government's
information systems, including the protection of personal
privacy. The National Institute of Standards and Technology
develops information security standards and guidelines for
other federal agencies, and the Office of Management and Budget
(OMB) oversees information technology security policies and
practices. OMB estimates that federal agencies spend around
$5.5 billion a year to secure the government's information
systems.
S. 495 would codify the current practices of the federal
government regarding data security and security breach
notification procedures. While existing laws generally do not
require agencies to notify affected individuals of data
breaches, agencies that have experienced security breaches have
generally provided such notification. Therefore, CBO expects
that codifying this practice would probably not lead to a
significant increase in spending. Nonetheless, the federal
government is also one of the largest providers, collectors,
consumers, and disseminators of personnel information in the
United States. Although, CBO cannot anticipate the number of
security breaches, a significant breach of security involving a
major collector of personnel information, such as the Internal
Revenue Service or the Social Security Administration, could
involve millions of individuals and there would be significant
costs to notify individuals of such a security breach.
S. 495 also would require a business entity or agency--
under certain circumstances-to notify the Secret Service that a
security breach has occurred. The bill also would permit
entities or agencies to apply to the Secret Service for
exemption from the bill's notice requirements if the personal
data was encrypted or similarly protected or if notification
would threaten national security. Based on information from the
Secret Service, CBO estimates that any additional investigative
or administrative costs to that agency would likely be less
than $500,000 annually, subject to the availability of
appropriated funds.
Federal Trade Commission. The bill would establish the
Office of Federal Identity Protection (OFIP) within the FTC.
The OFIP would be responsible for providing individuals with
information and assistance when their personal information has
been stolen or compromised. Individuals would be able to
request assistance that would include accessing remedies
available under federal law, restoring the accuracy of personal
information, and retrieving stolen information. FTC would be
required to develop regulations to enable the OFIP to help
restore stolen or otherwise compromised information.
Under current law, the FTC provides general assistance to
individuals who call a toll-free number with questions about
identity theft or who believe they are the victim of identity
theft. Counselors are trained to provide information regarding
steps consumers must take to restore the accuracy of their
personal information; FTC has entered into a contract with an
independent call center to provide assistance and be reimbursed
based on the time of each call. This toll-free system received
approximately 200,000 complaints in 2006, as well as about
90,000 calls for general information.
By requiring the FTC to develop customer-service teams to
provide a higher level of assistance than is offered under
current law, CBO expects that the amount of time counselors
spend with each individual would increase significantly. Under
the bill, counselors, rather than the individual, would be
expected to take the necessary steps to restore the accuracy of
an individual's personal information and any records containing
that information that were stolen or compromised. To accomplish
this, counselors would spend more time on the phone with
individuals collecting relevant information and make additional
calls to creditors and credit-reporting agencies to alert them
to the compromised information in their records. Currently,
counselors spend an average of eight minutes per call answering
questions and suggesting follow-up actions the individual must
take to correct his or her personal information. The FTC has
estimated that S. 495 would increase the amount of time
counselors spend on the phone from eight minutes to more than
two hours (including calls to an individual and calls to
creditors and credit-reporting agencies). CBO expects that call
volume also would increase as individuals become aware of the
additional assistance available. Assuming appropriation of the
necessary amounts, CBO estimates that the additional time
counselors spend on the phone with individuals, creditors, and
credit-reporting agencies would cost about $30 million in 2008
and $310 million over the 2008-2012 period.
Other provisions of the bill would require the FTC to
develop and enforce provisions that would require data brokers
to allow individuals to access their personal information and
provisions that would require companies to assess the
vulnerability of their data systems. FTC would be authorized to
collect civil penalties for violations of those new
regulations. CBO estimates that implementing those provisions
would have no significant effect on spending.
Other Provisions. S. 495 also would require several reports
to the Congress by federal agencies concerning data security
issues. The legislation would require agencies to conduct
additional privacy impact assessments on commercially purchased
private-sector data that contains personally identifiable
information. Under the bill, the Government Accountability
Office would report to the Congress on federal agencies' use of
private-sector information. In addition, the General Services
Administration (GSA) would provide additional security
assessments for certain government contracts involving
personally identifiable information. This would largely involve
payroll processing, emergency response and recall, and medical
data. Based on information from OMB and GSA, CBO estimates that
the additional staff to fulfill those tasks and reporting
requirements under the legislation would cost $7 million
annually when fully implemented. For this estimate, we assume
that the implementation process would take about three years.
Direct spending and revenues
S. 495 would establish new federal crimes relating to the
unauthorized access of sensitive personal information. Enacting
the bill could increase collections of civil and criminal fines
for violations of the bill's provisions. CBO estimates that any
additional collections would not be significant because of the
relatively small number of additional cases likely to be
affected. Civil fines are recorded as revenues. Criminal fines
are recorded as revenues, deposited in the Crime Victims Fund,
and subsequently spent without further appropriation.
Estimated impact on state, local, and tribal governments:
S. 495 contains intergovernmental mandates as defined in UMRA.
Specifically, S. 495 would:
Preempt state laws in 35 states regarding
the treatment of personal information;
Place certain procedural requirements and
limitations on state attorneys general and state
insurance authorities; and
Preempt state or local law by requiring
state and local jurisdictions to accept a certification
by the Office of Federal Identity Protection to grant
individuals access to business records used in
fraudulent transactions.
The preemptions would impose no costs on states. CBO
estimates that the costs to attorneys general of complying with
the procedural requirements would be small and would not exceed
the threshold established in UMRA ($66 million in 2007,
adjusted annually for inflation).
Estimated impact on the private sector: S. 495 would impose
several private-sector mandates as defined in UMRA. The bill
would:
Require certain entities to establish and
maintain a data privacy and security program;
Require entities engaged in interstate
commerce to notify individuals if a security breach
occurs in which such individuals' sensitive, personally
identifiable information is compromised;
Require data brokers to provide individuals
with their personally identifiable information and to
change the information if it is incorrect; and,
Require any entity taking an adverse action
against an individual based on information obtained
from a database maintained by a data broker to the
individual of that action.
Because of uncertainty about the number of entities that
are already in compliance with the data security and
notification mandates, CBO cannot estimate the incremental cost
of complying with those mandates. Further, the number of
requests for information and the incidence of adverse actions
that would occur under the bill are uncertain. Consequently,
CBO cannot determine whether the aggregate direct cost of
mandates in the bill would exceed the annual threshold
established by UMRA for private-sector mandates ($131 million
in 2007, adjusted annually for inflation).
Data privacy and security requirements
Subtitle A of title III would require certain business
entities engaging in interstate commerce that involves
collecting, accessing, transmitting, using, storing, or
disposing of sensitive, personally identifiable information in
electronic or digital form on more than 10,000 individuals to
establish and maintain a data privacy and security program. The
bill would direct the FTC to develop rules that identify
privacy and security requirements for business entities.
Business entities would be required to conduct risk assessments
to identify possible security risks in establishing the
program. They also would have to conduct periodic vulnerability
testing on their programs. Additionally, entities would have to
train their employees.
Some entities would be exempt from the requirements of
subtitle A. These include certain financial institutions that
are subject to the data security requirements under the Gramm-
Leach-Bliley Act and entities that are subject to the data
security requirements of the Health Insurance Portability and
Accountability Act.
The per-entity cost of the data privacy and security
requirements would depend on the rules to be established by the
FTC, the size of the entity, and the amount of sensitive,
personally identifiable information maintained by the entity.
According to industry and government sources, many states
already have laws requiring business entities to utilize data
security programs, and moreover, it is the current practice of
many businesses to use security measures to protect sensitive
data. However, because of uncertainty about the number of
entities that are already in compliance with the data security
mandates, CBO cannot estimate the incremental cost of complying
with those mandates.
Security breach notification
Subtitle B of title III would require certain business
entities engaged in interstate commerce that use, access,
transmit, store, dispose of, or collect sensitive personally
identifiable information to notify individuals in the event of
a security breach if the individuals' sensitive, personally
identifiable information is compromised. Entities would be able
to notify individuals using written letters, the telephone, or
email under certain circumstances. The bill also would require
those entities to notify the owner or licensee of any such
information that the entity does not own or license. The bill,
however, would exempt business entities from the notification
requirements under certain circumstances.
Business entities would be required to notify other
entities and agencies in the event of a large security breach.
The additional notification requirements are:
If more than 5,000 individuals are affected
by a security breach, the entities would be required to
notify appropriate consumer reporting agencies that
compile and maintain files on consumers on a nationwide
basis.
If more than 5,000 individuals are affected
by a security breach in a state, the entity would be
required to notify major media outlets serving that
state or jurisdiction.
Entities would be required to notify the
Secret Service if:
--More than 10,000 individuals are affected
by a security breach.
--A security breach involves a database that
contains sensitive, personally identifiable
information on more than one million people.
--A security breach involves databases owned
by the federal government.
--A security breach involves sensitive,
personally identifiable information of
employees or contractors of the federal
government involved in national security or law
enforcement.
According to industry and government sources, millions of
individuals' sensitive personally identifiable information is
illegally accessed every year. However, according to those
sources, 38 states already have laws requiring notification in
the event of a security breach. In addition, it is the current
practice of many business entities to notify individuals in the
event of a security breach. Because of uncertainty about the
number of entities that are already in compliance with the
notification mandates, CBO cannot estimate the incremental cost
of complying with the notification requirement under the bill.
Requirements for data brokers
Section 201 would require certain data brokers to disclose
all personal electronic records relating to an individual that
are kept primarily for third parties if requested by the
individual. The bill defines a data broker as a business entity
which for monetary fees or dues regularly engages in the
practice of collecting, transmitting, or providing access to
sensitive, personally identifiable information on more than
5,000 individuals who are not the customers or employees of
that business entity or affiliate primarily for the purposes of
providing such information to nonaffiliated third parties on an
interstate basis.
Additionally, if an individual disputes the accuracy of the
information that is contained in the data brokers' records, the
data brokers would be required to change the information or
provide the individual with contact information for the source
from which they obtained the individual's information. Data
brokers could determine that some requests to change an
individual's information are frivolous. However, the data
brokers would be required to notify any individual requesting a
change of information of the action taken.
The cost of providing records upon request depends on the
costs of gathering and distributing the information to
individuals and the number of individuals requesting their
information. Under the bill, data brokers would be allowed to
charge a reasonable fee for this service. Data brokers would
likely be able to cover their costs of providing individuals
with their personal information with the fee they could charge.
The cost to data brokers of having to change individuals'
information and notifying the individuals could be large.
According to information from industry sources, however, some
data brokers already correct information based on the
individual requests. Because of uncertainty about the number of
individuals who would request information under the bill and as
a result of those requests, the amount of information that
would need to changed, CBO cannot estimate the cost of this
mandate.
Adverse actions using information from data brokers
The section also would require any entity taking an adverse
action with respect to an individual based on information
contained in a personal electronic record maintained, updated,
owned, or possessed by a data broker to notify the individual
of the adverse action. The notification can be written or
electronic and must include certain information about the data
broker. While the per-individual cost of notification would be
small, the cost of complying with the mandate would depend on
the number of adverse actions that would be taken against
individuals by entities. CBO does not have enough information
about the incidence of such actions to determine the direct
cost of complying with the mandate.
Estimate prepared by: Federal costs: Federal Agencies--
Matthew Pickford; Federal Trade Commission--Susan Willie; U.S.
Secret Service--Mark Grabowicz. Impact on state, local, and
tribal governments: Elizabeth Cove. Impact on the private
sector: Paige Piper/Bach.
Estimate approved by: Peter H. Fontaine, Deputy Assistant
Director for Budget Analysis.
V. Regulatory Impact Evaluation
In compliance with rule XXVI of the Standing Rules of the
Senate, the Committee finds that no significant regulatory
impact will result from the enactment of S. 495.
VI. Conclusion
The Personal Data Privacy and Security Act of 2007, S. 495,
provides greatly-needed privacy protections to American
consumers, to ensure that all Americans have the tools
necessary to protect themselves from identity theft and other
data security risks. This legislation will also ensure that the
most effective mechanisms and technologies for dealing with the
underlying problem of lax data security are implemented by the
Nation's businesses to help prevent data breaches from
occurring in the first place. The passage and enactment of this
important privacy legislation is long overdue.
VII. Additional Views
ADDITIONAL VIEWS OF SENATOR SESSIONS
This legislation deals with two issues that are very
important to me and to the citizens of Alabama: data security
and identity theft. I commend my colleague, Senator Shelby, for
his efforts to address this issue through the Senate Banking
Committee. In fact, as discussed in greater detail below, some
of the items that S. 495 addresses fall within the jurisdiction
of the Senate Banking Committee, and are inappropriate topics
for Senate Judiciary Committee legislation.
I fully support many of the purported goals of this
legislation: the protection of sensitive personal information
by entities that have custody of it; and providing consumers
with the ability to protect themselves in the event that a data
breach could lead to a significant risk of identity theft. I
believe this risk-based standard is essential if we are to
avoid defeating the purpose for which the legislation has been
designed to address. Unfortunately, I cannot support S. 495 and
fear that it not only strays too far from these core
objectives, but the manner in which it is crafted will likely
have significant negative impacts on the consumer, and
eventually the economy at large.
While I commend the Chairman's efforts in this area, I feel
that S. 495 is not the most effective, well drafted effort from
the Judiciary Committee on this issue. This legislation not
only contains a number of potentially harmful policy decisions,
but it also has some significant drafting flaws as well. These
problems will reduce protections for consumers, increasing
their chances of becoming victims of identity theft by
undermining fraud detection and authentication tools, making
them less reliable. Additionally, they will lead to over-
notification of consumers when data breaches occur, thereby
diluting the effectiveness of consumer notice. Finally, I
believe S. 495 creates internally inconsistent and confusing
burdens on companies, with no quantifiable benefit to the
consumer.
BACKGROUND
Identity theft is a very important issue facing America
today, and both business and government has spent a tremendous
amount of time and effort to understand and combat this crime.
For instance, law enforcement at the federal, state and local
levels have started to cooperate more with each other, and with
international law enforcement, to pursue the perpetrators of
these crimes. Similarly, as noted in detail by the President's
Identity Theft Task Force Report, released after 10 months of
study on April 11, 2007, the business community, which
ultimately bears the major financial cost of credit fraud
associated with identity theft,\16\ has spent literally
billions of dollars enhancing data security, building better
ways to detect and stop fraud and identity theft before it
occurs, and working with victims. These efforts are starting to
pay off. Consider the following:
---------------------------------------------------------------------------
\16\ President's ID Theft Task Force Report: Combating Identity
Theft, A Strategic Plan, p. 11a.
---------------------------------------------------------------------------
Identity theft complaints were down 3.7% in
2006, and credit card complaints have been declining,
as well, down 18.75% between 2003 and 2005. Fraudulent
new account openings for credit cards have decreased
most significantly since the first year that the FTC
gathered statistics, down 19.17% between 2003 and 2005.
FTC survey data shows a downward trend in
total victims from 10.1 million in 2002 to 8.9 million
in 2005, an 11.9% reduction; and
FTC data show that complaints in a variety
of key categories have held steady or dropped between
2003 and 2005.
While the problems of identity theft are still too big, and
need to be addressed, progress is being made. The goal of
legislation to address these issues, therefore, should be to
build upon the success that consumers, law enforcement and
business have already started to achieve, not to undermine that
progress.
Therefore, the first step in addressing this issue is to
ensure that consumers have the tools to protect themselves in
the event of a data breach. Americans need to know that when
information pertaining to them is compromised in a way that may
jeopardize their identities, they will be notified. Without
such a risk-based notice, they will be aware that they need to
take steps to protect their identities after a data breach
occurs. This straddle between the occurrences of a breach and
when consumers should be notified is a critical issue that
needed to be effectively addressed through legislation, and yet
it did not happen. We know from the experience of the Gramm-
Leach-Bliley Act (GLBA) that over-notification leads to
consumer apathy, with the results that consumers are exposed to
increasing risks. This problem, however, was not adequately
addressed by S. 495.
In addition, Congress should build upon the statutes
already in place to ensure that companies who hold sensitive
personal data take reasonable steps to protect that data. In
this respect, I commend the Chairman for extending the GLBA
Safeguards Rule to non-financial entities. Consumers deserve to
have data that pertains to them protected, no matter whether
the custodian is a financial institution, a retailer, or a non-
profit. Adoption of a targeted bill aimed at data security and
consumer notification is the proper solution. S. 495 goes far
beyond that and lessens the likelihood that legislation will
pass and that consumers will be better protected.
S. 1326, THE NOTIFICATION OF RISK TO PERSONAL DATA ACT (109TH CONGRESS)
REINTRODUCED AS
S. 1202, THE PERSONAL DATA PROTECTION ACT (110TH CONGRESS)
I first introduced legislation to address this issue in
2005 in response to massive data security breaches at major
companies, and the potential injury those breaches generated.
That bill, the Notification of Risk to Personal Data Act (S.
1326), was reported by the Senate Judiciary Committee by
unanimous consent on October 20, 2005. Once reported by the
Committee, however, no floor action was taken in the 109th
Congress on that or any other bill which addressed data
security. Part of the reason was the presence of several bills
that sought to go well beyond the problem of data security and
notification. With the reporting of S. 495 and the defeat of S.
1202 because, according to the Chairman, it did not hold
industry ``accountable enough,'' we are running the risk of a
repeat of that political gridlock, and consumers will doubtless
suffer from our inaction. The need for legislation in this area
has not abated. Indeed, with the publicity of recent breaches,
it has only increased.
On April 24, 2007, I introduced the Personal Data
Protection Act (S. 1202), which would effectively combat the
problems of security breaches in three ways. First, the bill
requires all companies, regardless of industry, to install
security procedures and practices, so that sensitive personal
information is protected--if a company is going to hold
sensitive personal information, it has the duty to protect it.
Second, it provides consumers with a uniform, risk-based notice
and standard in the event of a security breach, balancing the
need to notify consumers when a breach has occurred with the
very real possibility that over-notification may desensitize
consumers from real threats. National standards for security
procedures and notification procedures are imperative both for
consumers and the businesses that have to comply with those
standards. Third, it contains reasonable compliance standards.
An entity that discovers a security breach must send
individuals a clear and conspicuous description of the
information disclosed and provide a toll-free number for
customers to call to obtain further information. The
notification would have to have been in writing, or via phone
or email, with a few exceptions exist (if sufficient contact
information does not exist; if notice would cost more than
$250,000; or if more than 500,000 customers must be contacted).
We want people to take it seriously when they receive
notice of a breach. We know from experience that sending too
many notices will lead to public immunization. People will stop
heeding the warnings they receive and fail to take proper steps
if they are told too many times that they are the victims of a
security breach. This result can be avoided by imposing a risk-
based notification requirement only when there is a
``significant risk of identity theft.'' Under S. 1202, entities
must disclose a security breach when there is a ``significant
risk of identity theft to an individual'' caused by the
unauthorized disclosure of computerized data.
Unlike bills introduced by my colleagues, such as S. 495,
my bill does not require notification if the data that is
jeopardized could not lead to a significant risk of identity
theft. For example, if the data that is stolen cannot be
accessed, there is no risk to any individual, and thus no need
to require notification. Or, if information stolen is
information that is otherwise publicly available, no notice is
required. I believe an essential part of preventing harm from
these breaches is making consumers aware of the problem.
Consumers who find that data pertaining to them has been
jeopardized should be alerted so that they can monitor their
financial accounts for the risk of identity theft. No one will
monitor the situation as thoroughly as the person who would be
most affected by having their financial information
compromised--the victim themselves.
S. 495, THE PERSONAL DATA PRIVACY AND SECURITY ACT
Though I support many of the stated goals of this
legislation, I have concerns that S. 495 may create a
convoluted framework for companies which may result in more
harm to consumers than good.
1. The Notice provisions will result in over-notification
As a result of the way in which the bill is drafted, I
believe over-notification to individuals of non-harmful data
breaches is inevitable. Furthermore although the bill attempts
to establish a ``safe harbor'' for encrypted or unusable data,
the confusing parallel tracks of Sections 311 and 312 will not
provide companies with much confidence that the safe harbor
will be available to them.
Specifically, Section 311(a) requires notification upon the
``discovery'' of a breach, and does not provide a company with
the opportunity to determine if the data is in any way causes
``harm'' to consumers. The term ``harm'' is potentially very
broad, and the bill does not define it. In fact, when Senator
Feinstein was asked during markup what it meant, she was unable
to say. Does it mean economic loss? Increased anxiety? Mere
inconvenience? We do not know, and neither will the entities
who will be obligated to comply with the statute if it should
become law. But the potential liability will be substantial.
When enacting the law, I believe it is our duty and our
responsibility to be precise, and this amorphous term invites
abuse and over-application.
Further, it is by definition unreasonable to impose a
``risk assessment'' as a precondition to taking advantage of
the ``Safe Harbor,'' because the result will be illusory
protection. This will result in a flood of notices for data
breaches where there is virtually no risk. This will be
detrimental to consumers who will inevitably become
desensitized to notice and ignore them altogether.
2. The legislation should specifically and completely exempt entities
regulated by other federal laws from the provisions of this Act
Consumer reporting agencies (CRAs) are already fully
regulated under requirements under the Fair Credit Reporting
Act (FCRA), and financial institutions are regulated under the
Gramm-Leach-Bliley Act. Companies that are already regulated
under the FCRA and Gramm-Leach-Bliley (GLB) should be
specifically exempt from this Act, and from the definition of
``data broker'' because they are already subject to rigorous
data safeguard requirements under these statutes.
The Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.)
is a time-tested statute that has received frequent and
thoughtful review by Congress, and was most recently updated in
2003, with extensive changes implemented by the FACT Act (Pub.
L. 108-159).\17\
---------------------------------------------------------------------------
\17\ That Act contained a number of significant provisions designed
to protect consumers and combat identity theft, and I again complement
Senator Shelby for his work on that legislation as the then-Chairman of
the Senate Banking Committee.
---------------------------------------------------------------------------
The requirements laid out in this legislation would create
a host of conflicting, inconsistent, unworkable and potentially
negative impacts on FCRA-regulated entities, and could have
significant negative effects on consumers.
Compliance with parallel provisions under the FCRA and the
GLBA should constitute compliance with the bill. The bill's
requirements for information security already closely track the
provisions of the Safeguards Rule.
Further, assuming that it was the Committee's intent to
exempt FCRA and GLB covered entities from the scope of some
provisions of this Act, the exemption crafted by the Judiciary
Committee is far from perfect, and would in many cases subject
FCRA regulated entities to duplicative and conflicting
standards. Rather than having the Judiciary Committee attempt
to craft those exemptions, we should defer to the Banking
Committee, which has the expertise to determine that the
exemptions are as complete as intended.
3. The legislation should fully preempt all state and local laws
regarding these issues
As a general matter, I believe that there is no reason for
the Congress to act in this area if it does not effectively
preempt the growing number of state laws now in effect and give
protection to consumers in states not now covered by any state
law. In this instance, the preemption provisions contained in
S. 495 are too narrow. The U.S. has a national economy, and
more than half the states have enacted various data security,
breach notification and other requirements. Adding a confusing
federal standard that is inconsistent not only with state and
federal laws, would make compliance very difficult.
Accordingly, the preemption standards in this legislation
should explicitly preempt all state laws relating to any
activity covered under this Act: I would urge replacing this
approach with one that preempts ``. . . the subject matter
regulated by this Act'' to obtain as broad a preemptive
standard as possible.
4. Other issues
Before concluding, I would like to comment on a couple of
the other provisions in S. 495 that I believe to be
inappropriate for a data security and notification bill, and
which add, as I mentioned earlier, unnecessary baggage that
might be politically attractive to their advocates but which do
not ultimately serve the interests of the consumers we are
pledged to protect.
The first such language appears in the form of the data
broker language in Title II of S. 495. Notwithstanding the
exemptions incorporated into this title, the Committee makes
the definition of who is, or is not, a data broker far too
broad, and in so doing risks covering a range of entities not
contemplated by the bill. And the result of this inclusion will
inevitably be that its sponsors will contribute to increased
fraud.
It's a fact that fraud detection tools are used by much of
the business community, from financial institutions (who
understandably use them most frequently) to journalists who use
them to locate sources, attorneys to locate witnesses, and
parents who use them to conduct background checks on childcare
providers. If databases are opened up, as S. 495 envisions, it
will be just a matter of time before those databases are
accessed by criminals, and the absence, over time, of
``negative'' information, these tools will become less
reliable.
A second additional element of the bill is Sen. Ben
Cardin's amendment, offered for the first time at mark-up and
never fully vetted, which requires that any adverse action
resulting from information provided by a data broker must
require a notification of that adverse action followed by the
opportunity to ``access and correct'' that information. This
amendment will cause tumult in the business community and has
no place in this bill.
Last, Sen. Whitehouse used S. 495 as an opportunity to
amend the Bankruptcy Abuse Prevention and Consumer Protection
Act (Bankruptcy Act), so carefully crafted by this Committee
sometime ago. His amendment would adjust the ``means test'' in
that statute to exempt debtors who are the victims of identity
theft. It is not only non-germane to data security and
notification, thus even more baggage the bill will have to
carry, but it is also structurally unnecessary. As the lead
sponsor of the Bankruptcy Act, Sen. Charles Grassley, so
eloquently noted during the markup, the ``special
circumstances'' language already contained in the Bankruptcy
Act contemplates just this kind of situation, obviating the
need for this language but inviting further amendments to
adjust the Bankruptcy Act on the Senate Floor.
CONCLUSION
For these reasons, I dissent from the views and policy
represented by S. 495, and I would urge my colleagues to
revisit many of the policy and drafting problems created by
this bill.
Jeff Sessions.
VIII. Changes in Existing Law Made by the Bill as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, the Committee finds that it is
necessary to dispense with the requirement of paragraph 12 to
expedite the business of the Senate.
APPENDIX
PRIVACY RIGHTS CLEARINGHOUSE CHRONOLOGY OF DATA BREACHES AS OF MAY 21,
2007
CHRONOLOGY OF DATA BREACHES
[Go to Breaches for 2005, 2006, or 2007]
----------------------------------------------------------------------------------------------------------------
Date made public Name (Location) Type of breach Number of records
----------------------------------------------------------------------------------------------------------------
2005
----------------------------------------------------------------------------------------------------------------
Jan. 10, 2005........................ George Mason University Names, photos, and 32,000
(Fairfax, VA). Social Security
numbers of 32,000
students and staff
were compromised
because of a hacker
attack on the
university's main ID
server.
Jan. 18, 2005........................ Univ. of CA, San Diego A hacker breached the 3,500
(San Diego, CA). security of two
University computers
that stored the Social
Security numbers and
names of students and
alumni of UCSD
Extension.
Jan. 22, 2005........................ University of Northern A hard drive was 30,000
Colorado (Greeley, CO). apparently stolen. It
contained information
on current and former
University employees
and their
beneficiaries--name,
date of birth, SSN,
address, bank account
and routing number.
Feb. 12, 2005........................ Science Applications On Jan. 25 thieves 45,000 employees.
International Corp. broke into a SAIC
(SAIC) (San Diego, CA). facility and stole
computers containing
names, SSNs, and other
personal information
of past and current
employees. Stolen
information included
names, NNS, addresses,
phone numbers and
records of financial
transactions.
Feb. 15, 2005........................ ChoicePoint Bogus accounts 163,000
(Alpharetta, GA). established by ID
thieves. The initial
number of affected
records was estimated
at 145,000 but was
later revised to
163,000.
UPDATE (1/26/06):......
ChoicePoint settled
with the Federal Trade
Commission for $10
million in civil
penalties and $5
million for consumer
redress.
UPDATE (12/06/06): The
FTC announced that
victims of identity
theft as a result of
the data breach who
had out-of-pocket
expenses can now be
reimbursed. The claims
deadline is Feb. 4,
2007.
Feb. 18, 2005........................ Univ. of Chicago Dishonest insider...... 85
Hospital (Chicago, IL).
Feb. 25 , 2005....................... Bank of America Lost backup tape....... 1,200,000
(Charlotte, NC).
Feb. 25, 2005........................ PayMaxx (Miramar, FL).. Exposed online......... 25,000
March 8, 2005........................ DSW/Retail Ventures Hacking................ 100,000
(Columbus, OH).
March 10, 2005....................... LexisNexis (Dayton, OH) Passwords compromised.. 32,000
UPDATE (06/30/06): Last
week, five men were
arrested in connection
with this breach.
March 11, 2005....................... Univ. of CA, Berkeley Stolen laptop.......... 98,400
(Berkeley, CA).
March 11, 2005....................... Kaiser Permanente A disgruntled employee 140
(Oakland, CA). posted informaton on
her blog noting that
Kaiser Permanente
included private
patient information on
systems diagrams
posted on the Web.
UPDATE (6/21/2005): The
California Department
of Managed Health Care
fined Kaiser $200,000
for exposing the
confidential health
information.
March 11, 2005....................... Boston College (Boston, Hacking................ 120,000
MA).
March 12, 2005....................... NV Dept. of Motor Stolen computer........ [8,900] Not included in
Vehicle. UPDATE: The computer total below.
was later recovered.
March 20, 2005....................... Northwestern Univ. Hacking................ 21,000
(Evanston, IL).
March 20, 2005....................... Univ. of NV, Las Vegas Hacking................ 5,000
(Las Vegas, NV).
March 22, 2005....................... Calif. State Univ. Hacking................ 59,000
(Chico, CA).
March 23, 2005....................... Univ. of CA. (San Hacking................ 7,000
Francisco, CA).
March 25, 2005....................... Purdue University (West Computers in the 1,200 (not included in
Lafayette, IN). College of Liberal total because news
Arts' Theater Dept. stories are not clear
were hacked, exposing if SSNs or financial
personal information information were
of employees, exposed).
students, graduates,
and business
affiliates.
April ?, 2005........................ Georgia DMV............ Dishonest insider...... 465,000
April 5, 2005........................ MCI (Ashburn, VA)...... Stolen laptop.......... 16,500
April 5, 2005........................ Univ. of CA, Davis The names and Social 1,100
(Davis, CA). Security numbers of
students, faculty,
visiting speakers and
staff may have been
compromised when a
hacker accessed a main
computer.
April 6, 2005........................ University of A server in the 7,000
California, San accounting and
Francisco. personnel departments
was hacked. It
contained information
on 7,000 students,
faculty, and staff
members. The affected
individuals were
notified March 23.
April 8, 2005........................ Eastern National....... Hacker................. 15,000
April 8, 2005........................ San Jose Med. Group Stolen computer........ 185,000
(San Jose, CA).
April 11, 2005....................... Tufts University Hacking................ 106,000
(Boston, MA).
April 12, 2005....................... LexisNexis (Dayton, OH) Passwords compromised.. Additional 280,000.
UPDATE (06/30/06): Last
week, five men were
arrested in connection
with this breach.
April 14, 2005....................... Polo Ralph Lauren/HSBC Hacking................ 180,000
(New York, NY).
April 14, 2005....................... Calif. Fastrack........ Dishonest Insider...... 4,500
April 15, 2005....................... CA Dept. of Health Stolen laptop.......... 21,600
Services.
April 18, 2005....................... DSW/ Retail Ventures Hacking................ Additional 1,300,000.
(Columbus, OH).
April 20, 2005....................... Ameritrade (Bellevue, Lost backup tape....... 200,000
NE).
April 21, 2005....................... Carnegie Mellon Univ. Hacking................ 19,000
(Pittsburg, PA).
April 26, 2005....................... Mich. State Univ's Hacking................ 40,000
Wharton Center.
April 26, 2005....................... Christus St. Joseph's Stolen computer........ 19,000
Hospital (Houston, TX).
April 28, 2005....................... Georgia Southern Univ.. Hacking................ ``tens of thousands''.
April 28, 2005....................... Wachovia, Bank of Dishonest insiders..... 676,000
America, PNC Financial
Services Group and
Commerce Bancorp.
April 29, 2005....................... Oklahoma State Univ.... Missing laptop......... 37,000
May 2, 2005.......................... Time Warner (New York, Lost backup tapes...... 600,000
NY).
May 4, 2005.......................... CO. Health Dept........ Stolen laptop.......... 1,600 (families).
May 5, 2005.......................... Purdue Univ. (West Hacking................ 11,360
Lafayette, IN).
May 7, 2005.......................... Dept. of Justice Stolen laptop.......... 80,000
(Washington, D.C.).
May 11, 2005......................... Stanford Univ. Hacking................ 9,900
(Stanford, CA).
May 12, 2005......................... Hinsdale Central High Hacking................ 2,400
School (Hinsdale, IL).
May 16, 2005......................... Westborough Bank Dishonest insider...... 750
(Westborough, MA).
May 18, 2005......................... Jackson Comm. College Hacking................ 8,000
(MI).
May 18, 2005......................... Univ. of Iowa.......... Hacking................ 30,000
May 19, 2005......................... Valdosta State Univ. Hacking................ 40,000
(GA).
May 25, 2005......................... North Carolina Div. of On Feb. 10, an employee None.
Motor Vehicles downloaded addresses
(Greensboro, NC). of 3.8 million people
but was detected and
stopped before being
able to retrieve more
sensitive information
such as driver's
license numbers.
May 26, 2005......................... Duke Univ. (Durham, NC) Hacking................ 5,500
May 27, 2005......................... Cleveland State Univ. Stolen laptop.......... [44,420] Not included
(Cleveland, OH). UPDATE (12/24): CSU in total below.
found the stolen
laptop.
May 28, 2005......................... Merlin Data Services Bogus acct. set up..... 9,000
(Kalispell, MT).
May 30, 2005......................... Motorola............... Computers stolen....... Unknown.
June 6, 2005......................... CitiFinancial.......... Lost backup tapes...... 3,900,000
June 10, 2005........................ Fed. Deposit Insurance Not disclosed.......... 6,000
Corp. (FDIC).
June 16, 2005........................ CardSystems............ Hacking................ 40,000,000
June 17, 2005........................ Kent State Univ........ Stolen laptop.......... 1,400
June 18, 2005........................ Univ. of Hawaii........ Dishonest Insider...... 150,000
June 22, 2005........................ Eastman Kodak.......... Stolen laptop.......... 5,800
June 22, 2005........................ East Carolina Univ..... Hacking................ 250
June 25, 2005........................ Univ. of CT (UCONN).... Hacking................ 72,000
June 28, 2005........................ Lucas Cty. Children Exposed by email....... 900
Services (OH).
June 29, 2005........................ Bank of America........ Stolen laptop.......... 18,000
June 30, 2005........................ Ohio State Univ. Med. Stolen laptop.......... 15,000
Ctr..
July 1, 2005......................... Univ. of CA, San Diego. Hacking................ 3,300
July 6, 2005......................... City National Bank..... Lost backup tapes...... Unknown.
July 7, 2005......................... Mich. State Univ....... Hacking................ 27,000
July 19, 2005........................ Univ. of Southern Calif Hacking................ 270,000 possibly
(USC). accessed; ``dozens''
exposed.
July 21, 2005........................ Univ. of Colorado-- Hacking................ 49,000
Boulder. UPDATE (08/20/2005):
The number of students
affected was increased
from an estimate of
42,000 to 49,000.
July 30, 2005........................ San Diego Co. Employees Hacking................ 33,000
Retirement Assoc..
July 30, 2005........................ Calif. State Univ., Hacking................ 9,613
Dominguez Hills.
July 31, 2005........................ Cal Poly-Pomona........ Hacking................ 31,077
Aug. 2, 2005......................... Univ. of Colorado...... Hacking................ 36,000
Aug. 9, 2005......................... Sonoma State Univ...... Hacking................ 61,709
Aug. 9, 2005......................... Univ. of Utah.......... Hacking................ 100,000
Aug. 10, 2005........................ Univ. of North Texas... Hacking................ 39,000
Aug. 17, 2005........................ Calif. State Hacking................ 900
University, Stanislaus.
Aug. 19, 2005........................ Univ. of Colorado...... Hacking................ 49,000
Aug. 22, 2005........................ Air Force.............. Hacking................ 33,300
Aug. 27, 2005........................ Univ. of Florida, Stolen Laptop.......... 3,851
Health Sciences Center/
ChartOne.
Aug. 30, 2005........................ J.P. Morgan Chase & Co. Stolen laptop (Aug. 8) Unknown.
(Dallas, TX). containing personal
and financial account
information of
customers of its
private bank.
Aug. 30, 2005........................ Calif. State Hacking................ 154
University,
Chancellor's Office.
Sept. 2, 2006........................ Iowa Student Loan (W. Compact disk containing 165,000
Des Moines). personal information,
including SSNs, was
lost when shipped by
private courier.
Sept. 10, 2005....................... Kent State Univ........ Stolen computers....... 100,000
Sept. 15, 2005....................... Miami Univ............. Exposed online......... 21,762
Sept. 16, 2005....................... ChoicePoint (2nd ID thieves accessed; [Total later revised to
notice, see 2/15/05) also misuse of IDs & 163,000--see 2/15/05
(Alpharetta, GA). passwords. above]
Sept. 17, 2005....................... North Fork Bank, NY.... Stolen laptop (7/24/05) 9,000
with mortgage data.
Sept. 19, 2005....................... Children's Health Stolen backup tape..... 5,000-6,000
Council, San Jose CA.
Sept. 22, 2005....................... City University of New Exposed online......... 350
York.
Sept. 23, 2005....................... Bank of America........ Stolen laptop with info Not disclosed
of Visa Buxx users
(debit cards).
Sept. 28, 2005....................... RBC Dain Rauscher...... Illegitimate access to 100+ customers' records
customer data by compromised out of
former employee. 300,000
Sept. 29, 2005....................... Univ. of Georgia....... Hacking................ At least 1,600
Oct. 12, 2005........................ Ohio State Univ. Exposed online. 2,800
Medical Center. Appointment
information including
SSN, DOB, address,
phone no., medical
no., appointment
reason, physician.
Oct. 15, 2005........................ Montclair State Univ... Exposed online......... 9,100
Oct. 21, 2005........................ Wilcox Memorial Lost backup tape....... 130,000
Hospital, Hawaii.
Nov. 1, 2005......................... Univ. of Tenn. Medical Stolen laptop.......... 3,800
Center.
Nov. 4, 2005......................... Keck School of Stolen computer........ 50,000
Medicine, USC.
Nov. 5, 2005......................... Safeway, Hawaii........ Stolen laptop.......... 1,400 in Hawaii,
perhaps more elsewhere
Nov. 8, 2005......................... ChoicePoint Bogus accounts [Total later revised to
(Alpharetta, GA). established by ID 163,000--see 2/15/05
thieves. Total above]
affected now reaches
163,000 (See Feb. 15 &
Sept. 16).
Nov. 9, 2005......................... TransUnion............. Stolen computer........ 3,623
Nov. 11, 2005........................ Georgia Tech Ofc. of Stolen computer, Theft 13,000
Enrollment Services. 10/16/05.
Nov. 11, 2005........................ Scottrade Troy Group... Hacking................ Unknown.
Nov. 19, 2005........................ Boeing................. Stolen laptop with HR 161,000
data incl. SSNs and
bank account info.
Dec. 1, 2005......................... Firstrust Bank......... Stolen laptop.......... 100,000
Dec. 1, 2005......................... Univ. of San Diego (San Hacking. Faculty, 7,800
Diego, CA). students and employee
tax forms containing
SSNs.
Dec. 2, 2005......................... Cornell Univ........... Hacking. Names, 900
addresses, SSNs, bank
names and acct.
numbers.
Dec. 6, 2005......................... WA Employment Security Stolen laptop. Names, 530
Dept. SSNs and earnings of
former employees.
Dec. 7, 2005......................... Idaho State University, ISU discovered a Unknown.
Office of security breach in a
Institutional Research server containing
(Pocatello, ID). archival information
Contact Information about students,
Technology Services, faculty, and staff,
(208) 282-2872. including names, SSNs,
birthdates, and grades.
Dec. 12, 2005........................ Sam's Club/Wal-Mart.... Exposed credit card Unknown.
data at gas stations.
Dec. 16, 2005........................ La Salle Bank, ABN AMRO Backup tape with [2,000,000] Not
Mortgage Group. residential mortgage included in total
customers lost in below
shipment by DHL,
containing SSNs and
account information.
UPDATE (12/20/05): DHL
found the lost tape.
Dec. 16, 2005........................ Colorado Tech. Univ.... Email erroneously sent 1,200
containing names,
phone numbers, email
addresses, Social
Security numbers and
class schedules.
Dec. 20, 2005........................ Guidance Software, Inc. Hacking. Customer 3,800
credit card numbers.
UPDATE (4/3/07): The
FTC came to a
settlement agreement
and final consent
order against Guidance
Software.
Dec. 22, 2005........................ Ford Motor Co.......... Stolen computer. Names 70,000
and SSNs of current
and former employees.
Dec. 25, 2005........................ Iowa State Univ........ Hacking. Credit card 5,500
information and Social
Security numbers.
Dec. 25, 2005........................ Ameriprise Financial A laptop was stolen 260,000
Inc. (Minneapolis, from an employee's car
MN), (877) 267-7408. Christmas eve. It
contained customers'
names and Social
Security numbers and
in some cases,
Ameriprise account
information.
UPDATE (08/06): The
laptop was recovered
by local law
enforcement in the
community where it was
stolen.
UPDATE (12/11/06): The
company settled with
the Massachusetts
securities regulator
in the office of the
Secretary of State.
Ameriprise agreed to
hire an independent
consultant to review
its policies and
procedures for
employees' and
contractors' use of
laptops containing
personal information.
Ameriprise will pay
the state regulator
$25,000 for the cost
of the investigation.
2005 [Exact date unknown]............ U.S. Dept. of Veteran's A laptop being stored 66
Affairs (Washington, in the trunk of a car
D.C.). was stolen in
Minneapolis,
Minnesota. 2 people
later reported
identity fraud
problems.
----------------------------------------------------------------------------------------------------------------
2006
----------------------------------------------------------------------------------------------------------------
Jan. 1, 2006......................... University of 6 Stolen computers. 700
Pittsburgh Medical Names, Social Security
Center, Squirrel Hill numbers, birthdates.
Family Medicine.
Jan. 2, 2006......................... H&R Block.............. SSNs exposed in 40- Unknown.
digit number string on
mailing label.
Jan. 9, 2006......................... Atlantis Hotel--Kerzner Dishonest insider or 55,000
Int'l. hacking. Names,
addresses, credit card
details, Social
Security numbers,
driver's licence
numbers and/or bank
account data.
Jan. 12, 2006........................ People's Bank.......... Lost computer tape 90,000
containing names,
addresses, Social
Security numbers, and
checking account
numbers.
Jan. 17, 2006........................ City of San Diego, Dishonest employee Unknown.
Water & Sewer Dept. accessed customer
(San Diego, CA). account files,
including SSNs, and
committed identity
theft on some
individuals.
Jan. 20, 2006........................ Univ. Place Conference Hacking. Reservation Unknown.
Center & Hotel, information including
Indiana Univ.. credit card account
number compromised.
Jan. 21, 2006........................ California Army Stolen briefcase with ``hundreds of
National Guard. personal information officers''
of National Guardsmen
including a
``seniority roster,''
Social Security
numbers and dates of
birth.
Jan. 23, 2006........................ Univ. of Notre Dame.... Hackers accessed Social Unknown.
Security numbers,
credit card
information and check
images of school
donors.
Jan. 24, 2006........................ Univ. of WA Medical Stolen laptops 1,600
Center. containing names,
Social Security
numbers, maiden names,
birth dates, diagnoses
and other personal
data.
Jan. 25, 2006........................ Providence Home Stolen backup tapes and 365,000
Services (Portland, disks containing
OR). Social Security
numbers, clinical and
demographic
information. In a
small number of cases,
patient financial data
was stolen.
UPDATE (9/26/06):
Providence Health
System and the Oregon
Attorney General have
filed a settlement
agreement. Providence
will provide affected
patients with free
credit monitoring,
offer credit
restoration to
patients who are
victims of identity
fraud, and reimburse
patients for direct
losses that result
from the data breach.
The company must also
enhance its security
programs.
Jan. 27, 2006........................ State of RI web site Hackers obtained credit 4,117
(www.RI.gov). card information in
conjunction with names
and addresses.
Jan. 31, 2006........................ Boston Globe and The Inadvertently exposed. 240,000 potentially
Worcester Telegram & Credit and debit card exposed
Gazette. information along with
routing information
for personal checks
printed on recycled
paper used in wrapping
newspaper bundles for
distribution.
Feb. 1, 2006......................... Blue Cross and Blue Inadvertently exposed. 600
Shield of North SSNs of members
Carolina. printed on the mailing
labels of envelopes
with information about
a new insurance plan.
Feb. 4, 2006......................... FedEx.................. Inadvertently exposed. 8,500
W-2 forms included
other workers' tax
information such as
SSNs and salaries.
Feb. 9, 2006......................... Unknown retail Hacking. Debit card 200,000, although total
merchants, apparently accounts exposed number is unknown
OfficeMax and perhaps involving bank and
others. credit union accounts
nationwide (including
CitiBank, BofA, WaMu,
Wells Fargo). [3/13/06
Crime ring arrested.].
Feb. 9, 2006......................... Honeywell International Exposed online. 19,000
Personal information
of current and former
employees including
Social Security
numbers and bank
account information
posted on an Internet
Web site.
Feb. 13, 2006........................ Ernst & Young (UK)..... Laptop stolen from 38,000 BP employees in
employee's car with addition to Sun, Cisco
customers' personal and IBM employees
information including
Social Security
numbers.
Feb. 15, 2006........................ Dept. of Agriculture... Inadvertently exposed 350,000
Social Security and
tax identification
numbers in FOIA
request.
Feb. 15, 2006........................ Old Dominion Univ...... Exposed online. 601
Instructor posted a
class roster
containing names and
Social Security
numbers to a web site.
Feb. 16, 2006........................ Blue Cross and Blue Contractor sent names 27,000
Shield of Florida. and Social Security
numbers of current and
former employees,
vendors and
contractors to his
home computer in
violation of company
policies.
Feb. 17, 2006........................ Calif. Dept. of Inmates gained access Unknown.
Corrections, Pelican to files containing
Bay (Sacramento, CA). employees' Social
Security numbers,
birth dates and
pension account
information stored in
warehouse.
Feb. 17, 2006........................ Mount St. Mary's Two laptops containing 17,000
Hospital (1 of 10 date of birth, address
hospitals with patient and Social Security
info. stolen) numbers of patients
(Lewiston, NY). was stolen in an armed
robbery in the New
Jersey.
Feb. 18, 2006........................ Univ. of Northern Iowa. Hacking. Laptop 6,000
computer holding W-2
forms of student
employees and faculty
was illegally accessed.
Feb. 23, 2006........................ Deloitte & Touche External auditor lost a 9,290
(McAfee employee CD with names, Social
information). Security numbers and
stock holdings in
McAfee of current and
former McAfee
employees.
Mar. 1, 2006......................... Medco Health Solutions Stolen laptop 4,600
(Columbus, OH). containing Social
Security numbers for
State of Ohio
employees and their
dependents, as well as
their birth dates and,
in some cases,
prescription drug
histories.
Mar. 1, 2006......................... OH Secretary of State's SSNs, dates of birth, Unknown.
Office. and other personal
data of citizens
routinely posted on a
State web site as part
of standard business
practice.
Mar. 2, 2006......................... Olympic Funding 3 hard drives Unknown.
(Chicago, IL). containing clients
names, Social Security
numbers, addresses and
phone numbers stolen
during break in.
Mar. 2, 2006......................... Los Angeles Cty. Dept. File boxes containing [Potentially 2,000,000,
of Social Services names, dependents, but number unknown]
(Los Angeles, CA). Social Security Not included in number
numbers, telephone below
numbers, medical
information, employer,
W-2, and date of birth
were left unattended
and unshredded.
Mar. 2, 2006......................... Hamilton County Clerk SSNs, other personal [1,300,000] Not
of Courts (OH). data of residents included in number
posted on county Web below.
site, were stolen and
used to commit
identity theft.
UPDATE (9/28/06): An
identity thief was
sentenced to 13 years
in prison for the
crimes. She stole 100
identities and nearly
$500,000. The Web site
now blocks access to
court documents
containing personal
information.
Mar. 3, 2006......................... Metropolitan State Stolen laptop 93,000
College (Denver, CO). containing names and
Social Security
numbers of students
who registered for
Metropolitan State
courses between the
1996 fall semester and
the 2005 summer
semester.
Mar. 5, 2006......................... Georgetown Univ. Hacking. Personal 41,000
(Washington, D.C.). information including
names, birthdates and
Social Security
numbers of District
seniors served by the
Office on Aging.
Mar. 8, 2006......................... Verizon Communications 2 stolen laptops ``Significant number''
(New York, NY). containing employees'
personal information
including Social
Security numbers.
Mar. 8, 2006......................... iBill (Deerfield Beach, Dishonest insider or [17,781,462] Not
FL). possibly malicious included in total
software linked to below
iBill used to post
names, phone numbers,
addresses, e-mail
addresses, Internet IP
addresses, logins and
passwords, credit card
types and purchase
amount online. Credit
card account numbers,
expiration dates,
security codes, and
SSNs were NOT
included, but in our
opinion the affected
individuals could be
vulnerable to social
engineering to obtain
such information.
Mar. 11, 2006........................ CA Dept. of Consumer Mail theft. ``A small number''
Affairs (DCA) Applications of DCA
(Sacramento, CA). licensees or
prospective licensees
for CA state boards
and commissions were
stolen. The forms
include full or
partial Social
Security numbers,
driver's license
numbers, and
potentially payment
checks.
Mar. 14, 2006........................ General Motors Dishonest insider kept 100
(Detroit, MI). Social Security
numbers of co-workers
to perpetrate identity
theft.
Mar. 14 2006......................... Buffalo Bisons and Hacker accessed Unknown.
Choice One Online sensitive financial
(Buffalo, NY). information including
credit card numbers
names, passwords of
customers who ordered
items online.
Mar. 15, 2006........................ Ernst & Young (UK)..... Laptop lost containing Unknown.
the names, dates of
birth, genders, family
sizes, Social Security
numbers and tax
identifiers for
current and previous
IBM, Sun Microsystems,
Cisco, Nokia and BP
employees exposed.
Mar. 16, 2006........................ Bananas.com (San Hacker accessed names, 274
Rafael, CA). addresses, phone
numbers and credit
card numbers of
customers.
Mar. 23, 2006........................ Fidelity Investments Stolen laptop 196,000
(Boston, MA). containing names,
addresses, birth
dates, Social Security
numbers and other
information of 196,000
Hewlett Packard,
Compaq and DEC
retirement account
customers was stolen.
Mar. 24, 2006........................ CA State Employment Computer glitch sends 64,000
Development Division state Employment
(Sacramento, CA). Development Division
1099 tax forms
containing Social
Security numbers and
income information to
the wrong addresses,
potentially exposing
those taxpayers to
identity theft.
Mar. 24, 2006........................ Vermont State Colleges Laptop stolen 14,000
(VT). containing Social
Security numbers and
payroll data of
students, faculty and
staff associated with
the five-college
system from as long
ago as 2000.
Mar. 30, 2006........................ Marines (Monterey, CA). Portable drive lost 207,750
that contains personal
information used for
research on re-
enlistment bonuses.
Mar. 30, 2006........................ Georgia Technology Hacker exploited 573,000
Authority (Atlanta, security flaw to gain
GA). access to confidential
information including
Social Security
numbers and bank-
account details of
state pensioners.
Mar. 30, 2006........................ Conn. Technical High Social Security numbers 1,250
School System of students and
(Middletown, CT). faculty mistakenly
distributed via email.
April 1, 2006........................ Con Edison (New York).. Con Edison shipped 2 15,000 Con Edison
cartridge tapes to employees.
JPMorgan Chase in
upstate Binghamton so
it could input data on
behalf of the NY Dept.
of Taxation and
Finance. One tape was
apparently lost
containing employees'
W-2 data, including
names, addresses,
SSNs, taxes paid and
salaries.
April 6, 2006........................ Progressive Casualty Dishonest insider 13
Insurance (Mayfield accessed confidential
Village, OH). information, including
names, Social Security
numbers, birth dates
and property addresses
on foreclosure
properties she was
interested in buying.
April 7, 2006........................ DiscountDomainRegistry. Exposed online. Domain ``thousands of domain
com (Brooklyn, NY). registrants' personal name registrations''.
information including
usernames, passwords
and credit card
numbers were
accessible online.
April 9, 2006........................ University of Medicine Hackers accessed Social 1,850
and Dentistry of New Security numbers, loan
Jersey (Newark, NJ). information, and other
confidential financial
information of
students and alumni.
April 12, 2006....................... Ross-Simons Security breach exposed Unknown.
(Providence, RI). account and personal
information of those
who applied for its
private label credit
card. Information
exposed includes
private label credit
card numbers and other
personal information
of applicants.
April 14, 2006....................... NewTech Imaging Records containing the 40,000
(Honolulu, HI). names, Social Security
numbers and birth
dates of more than
40,000 members of
Voluntary Employees
Benefit Association of
Hawaii were illegally
reproduced at a
copying business
before they were to be
put onto a compact
disc for the State.
Police later found the
data on a computer
that had been
confiscated as part of
a drug investigation.
April 14, 2006....................... Univ. of South Carolina Social Security numbers 1,400
(Columbia, SC). of students were
mistakenly e-mailed to
classmates.
April 15, 2006....................... Scott County, IA....... The Social Security Unknown.
numbers of people who
obtained mortgages in
the early 1990s are
visible in documents
posted on the county's
website. The county
will redact the
information at the
individuals' request.
April 21, 2006....................... University of Alaska, A hacker accessed 38,941
Fairbanks (Fairbanks, names, Social Security
AK). numbers, and partial e-
mail addresses of
current and former
students, faculty, and
staff.
April 21, 2006....................... Boeing (Seattle, WA)... A laptop was taken from 3,600 current and
a Boeing human former employees
resources employee at
Sea-Tac airport. It
contained SSNs and
other personal
information, including
personnel information
from the 2000
acquisition of Hughes
Space and
Communications.
April 21, 2006....................... Ohio University A server containing Unknown.
Innovation Center data including e-
(Athens, OH). mails, patent and
intellectual property
files, and 35 Social
Security numbers
associated with
parking passes was
compromised.
April 24, 2006....................... University of Texas' Hackers accessed 197,000
McCombs School of records containing
Business (Austin, TX). names, biographical
information and, in
some cases, Social
Security numbers and
dates of birth of
current and
prospective students,
alumni, faculty
members, corporate
recruiters and staff
members.
April 24, 2006....................... Ohio University Hackers accessed a 300,000
(Athens, OH). computer system of the
school's alumni
relations department
that included
biographical
information and
137,000 Social
Security numbers of
alum.
April 26, 2006....................... Purdue University (West Hacker accessed 1,351
Lafayette, IN). personal information
including Social
Security numbers of
current and former
graduate students,
applicants to graduate
school, and a small
number of applicants
for undergraduate
scholarships.
April 26, 2006....................... Aetna--health insurance Laptop containing 38,000
records for employees personal information
of 2 members, including names,
including Omni Hotels addresses and Social
and the Dept. of Security numbers of
Defense NAF (Hartford, Dept. of Defense
CT). (35,253) and Omni
Hotel employees
(3,000) was stolen
from an Aetna
employee's car.
April 27, 2006....................... MasterCard (Potentially Though MasterCard [2,000] Not included in
UK only). refused to say how the total below
breach occurred,
fraudsters stole the
credit card details of
holders in a major
security breach.
April 27, 2006....................... Long Island Rail Road Data tapes containing 17,000
(Jamaica, NY). personal information
including names,
addresses, Social
Security numbers and
salary figures of
``virtually everyone''
who worked for the
agency was lost by
delivery contractor
Iron Mountain while
enroute. Data tapes
belonging to the U.S.
Department of
Veteran's Affairs may
also have been
affected.
April 28, 2006....................... Ohio's Secretary of The names, addresses, ``Potentially millions
State (Cleveland, OH). and Social Security of registered voters''
numbers of potentially
millions of registered
voters in Ohio were
included on CD-ROMs
distributed to 20
political campaign
operations for spring
primary election
races. The records of
about 7.7 million
registered voters are
listed on the CDs, but
it's unknown how many
records contained
SSNs, which were not
supposed to have been
included on the CDs.
UPDATE (9/15/06): A
news report said that
some SSNs still remain
on the agency's Web
site.
April 28, 2006....................... Dept. of Defense Hacker accessed a Unknown.
(Washington, DC). Tricare Management
Activity (TMA) public
server containing
personal information
about military
employees.
May 2, 2006.......................... Georgia State Government surplus Unknown.
Government (Atlanta, computers that sold
GA). before their hard
drives were erased
contained credit card
numbers, birth dates,
and Social Security
numbers of Georgia
citizens.
May 4, 2006.......................... Idaho Power Co. (Boise, Four company hard Unknown.
ID). drives were sold on
eBay containing
hundreds of thousands
of confidential
company documents,
employee names and
Social Security
numbers, and
confidential memos to
the company's CEO.
May 4, 2006.......................... Ohio University Hudson Names, birth dates, 60,000
Health Center (Athens, Social Security
OH). numbers and medical
information were
accessed in records of
students dating back
to 2001, plus faculty,
workers and regional
campus students.
May 2006............................. Ohio University A breach was discovered 2,480
(Athens, OH). on a computer that
housed IRS 1099 forms
for vendors and
independent
contractors for
calendar years 2004
and 2005.
May 2006............................. Ohio University A breach of a computer Unknown.
(Athens, OH). that hosted a variety
of Web-based forms,
including some that
processed on-line
business transactions.
Although this computer
was not set up to
store personal
information,
investigators did
discover files that
contained fragments of
personal information,
including Social
Security numbers. The
data is fragmentary
and it is not certain
if the compromised
information can be
traced to individuals.
Also found on the
computer were 12
credit card numbers
that were used for
event registration.
May 5, 2006.......................... U.S. Dept. of Veteran's A data tape disappeared 16,500
Affairs (Washington, from a VA facility in
D.C.). Indianapolis, IN that
contained information
on legal cases
involving U.S.
veterans and included
veterans' Social
Security numbers,
dates of birth and
legal documents.
UPDATE (10/11/06): The
VA's Office of the
General Counsel is
offering identity
theft protection
services to those
affected by the
missing tape.
May 5, 2006.......................... Wells Fargo (San Computer containing Unknown.
Francisco, CA). names, addresses,
Social Security
numbers and mortgage
loan deposit numbers
of existing and
prospective customers
may have been stolen
while being delivered
from one bank facility
to another.
May 12, 2006......................... Mercantile Potomac Bank Laptop containing 48,000
(Gaithersburg, MD). confidential
information about
customers, including
Social Security
numbers and account
numbers was stolen
when a bank employee
removed it from the
premises, in violation
of the bank's
policies. The computer
did not contain
customer passwords,
personal
identification numbers
(PIN numbers) or
account expiration
dates.
May 19, 2006......................... American Institute of An unencrypted hard 330,000 [Updated 6/16/
Certified Public drive containing 06]
Accountants (AICPA) names, addresses and
(New York, NY). Social Security
numbers of AICPA
members was lost when
it was shipped back to
the organization by a
computer repair
company.
May 19, 2006......................... Unknown. retail Visa, MasterCard, and Unknown.
merchant. other debit and credit
card numbers from
banks across the
country were stolen
when a national
retailer's database
was breached. No
names, Social Security
numbers or other
personal
identification were
taken.
May 22, 2006......................... U.S. Dept. of Veteran's On May 3, data of all 28,600,000
Affairs (Washington, American veterans who
DC) (800) 827-1000. were discharged since
1975 including names,
Social Security
numbers, dates of
birth and in many
cases phone numbers
and addresses, were
stolen from a VA
employee's home. Theft
of the laptop and
computer storage
device included data
of 26.5 milliion
veterans. The data did
not contain medical or
financial information,
but may have
disability numerical
rankings.
UPDATE: An additional
2.1 million active and
reserve service
members were added to
the total number of
affected individuals
June 1st.
UPDATE (6/29/06): The
stolen laptop computer
and the external hard
drive were recovered.
UPDATE (7/14/06): FBI
claims no data had
been taken from stolen
computer.
UPDATE (8/5/06): Two
teens were arrested in
the theft of the
laptop.
UPDATE (8/25/06): In an
Aug. 25 letter,
Secretary Nicholson
told veterans of the
decision to not offer
them credit monitoring
services. Rather the
VA has contracted with
a company to conduct
breach analysis to
monitor for ``patterns
of misuse.''.
May 23, 2006......................... Univ. of Delaware Security breach of a 1,076
(Newark, DE). Department of Public
Safety computer server
potentialy exposes
names, Social Security
numbers and driver's
license numbers.
May 23, 2006......................... M&T Bank (Buffalo, NY). Laptop computer, owned Unknown.
by PFPC, a third party
company that provides
record keeping
services for M & T's
Portfolio Architect
accounts was stolen
from a vehicle. The
laptop contained
clients' account
numbers, Social
Security numbers, last
name and the first two
letters of their first
name.
May 23, 2006......................... Butler Co. Dept. of Three laptop computers 100 clients
Mental Retardation & were stolen ``last
Developmental month'' from the
Disabilities agency's office. They
(Cincinatti, OH). contained personal
information on mental
health clients,
including SSNs.
May 23, 2006......................... Mortgage Lenders A former employee was 231,000
Network USA arrested for extortion
(Middletown, CT). for attempting to
blackmail his former
employer for $6.9
million. He threatened
to expose company
files containing
sensitive customer
information--including
customers' names,
addressess, Social
Security numbers, loan
numbers, and loan
types--if the company
didn't pay him. He
stole the files over
the 16 months he
worked there.
May 24, 2006......................... Sacred Heart Univ. It was discovered on Unknown.
(Fairfield, CT). May 8th that a
computer containing
personal information
including names,
addresses and Social
Security numbers was
breached.
May 24, 2006......................... American Red Cross, St. Dishonest employee had 1,000,000
Louis Chapter (St. access to Social
Louis, MO). Security numbers of
donors to call urging
them to give blood
again. The employee
misused the persoal
information of at
least 3 people to
perpetrate identity
theft and had access
to the personal
information of 1
million donors.
May 25, 2006......................... Vystar Credit Union Hacker gained access to Approx. 34,400 (``less
(Jacksonville, FL). member accounts ``a than 10% of its
few weeks ago'' and 344,000 members'')
stole personal
information including
names, addresses,
birth dates, mother's
maiden names, SSNs and/
or email addresses.
May 30, 2006......................... Texas Guaranteed Texas Guaranteed (TG) 1,300,000 plus 400,000
Student Loan Corp. was notified by for total of
(Round Rock, TX) via subcontractor 1,700,000.
subcontractor, Hummingbird that on
Hummingbird (Toronto, May 24, an employee
Canada). had lost a piece of
equipment containing
names and Social
Security numbers of TG
borrowers.
UPDATE (6/16/06): TG
now says a total of
1.7 million people's
information was
compromised, 400,000
more than original
estimate of 1.3
million.
May 30, 2006......................... Florida Int'l Univ. Hacker accessed a ``thousands''.
(Miami, FL). database that
contained personal
information, such as
student and applicant
names and Social
Security numbers.
May 31, 2006......................... Humana (Louisville, KY) On May 5, 2006, 268 Minnesota and North
Medicare drug benefit Dakota applicants
applications were
stolen from an
insurance agent's
unlocked car in
Brooklyn Park, MN.
Information included
applicants' name,
address, date of
birth, Social Security
number, and bank
routing information.
June 1, 2006......................... Miami University An employee lost a hand- 851
(Oxford, OH). held personal computer
containing personal
information of
students who were
enrolled between July
2001 and May 2006.
June 1, 2006......................... Ernst & Young (UK)..... A laptop containing 243,000
names, addresses and
credit or debit card
information of
Hotels.com customers
was stolen from an
employee's car in
Texas.
June 1, 2006......................... Univ. of Kentucky Personal information of 1,300
(Lexington, KY). current and former
University of Kentucky
employees including
Social Security
numbers was
inadvertently
accessible online for
19 days last month.
June 2, 2006......................... Buckeye Community Four laptop computers 72,000
Health Plan (Columbus, containing customer
OH). names, Social Security
numbers, and addresses
were stolen from the
Medicaid insurance
provider.
June 2, 2006......................... Ahold USA (Landover, An EDS employee lost a Unknown.
MD) Parent company of laptop computer during
Stop & Shop, Giant a commercial flight
stores and Tops stores that contained pension
via subcontractor data of former
Electronic Data employees of Ahold's
Systems (Plano, TX). supermarket chains
including Social
Security numbers,
birth dates and
benefit amounts.
June 2, 2006......................... YMCA (Providence, RI).. Laptop computer 65,000
containing personal
information of members
was stolen. The
information included
credit card and debit
card numbers, checking
account information,
Social Security
numbers, the names and
addresses of children
in daycare programs
and medical
information about the
children, such as
allergies and the
medicine they take,
though the type of
stolen information
about each person
varies.
June 2, 2006......................... Humana (Louisville, KY) Personal information of 17,000 current and
Humana customers former Medicare
enrolled in the enrollees
company's Medicare
prescription drug
plans could have been
compromised when an
insurance company
employee called up the
data through a hotel
computer and then
failed to delete the
file.
June 5, 2006......................... Internal Revenue A laptop computer 291
Service (Washington, containing personal
DC). information of
employees and job
applicants, including
fingerprints, names,
Social Security
numbers, and dates of
birth, was lost during
transit on an airline
flight.
June 6, 2006......................... Univ. of Texas (El Students demonstrated 4,719
Paso, TX). that student body and
faculty elections
could be rigged by
hacking into student
information including
Social Security
numbers.
June 8, 2006......................... Univ. of Michigan Paper documents 5,000
Credit Union (Ann containing personal
Arbor, MI). information of credit
union members were
stolen from a storage
room. The documents
were supposed to have
been digitally imaged
and then shredded.
Instead, they were
stolen and used to
perpetrate identity
theft.
June 11, 2006........................ Denver Election Records containing 150,000
Commission (Denver, personal information
CO). on more than 150,000
voters are missing at
city election offices.
The microfilmed voter
registration files
from 1989 to 1998 were
in a 500-pound cabinet
that disappeared when
the commission moved
to new offices in
February. The files
contain voters' Social
Security numbers,
addresses and other
personal information.
June 12, 2006........................ U.S. Dept. of Energy Names, Social Security 1,502
(Washington, D.C.). numbers, security
clearance levels and
place of employment
for mostly contract
employees who worked
for National Nuclear
Security
Administration may
have been compromised
when a hacker gained
entry to a computer
system at a service
center in Albuquerque,
N.M. eight months ago.
June 13, 2006........................ Minn. State Auditor Three laptops possibly 493
(St. Paul, MN). containing Social
Security numbers of
employees and
recipients of housing
and welfare benefits
along with other
personal information
of local governments
the auditor oversees
have gone missing.
June 13, 2006........................ Oregon Dept. of Revenue Electronic files 2,200
(Salem, OR). containing personal
data of Oregon
taxpayers may have
been compromised by an
ex-employee's
downloaded a
contaminated file from
a porn site. The
``trojan'' attached to
the file may have sent
taxpayer information
back to the source
when the computer was
turned on.
June 13, 2006........................ U.S. Dept of Energy, Current and former 4,000
Hanford Nuclear workers at the Hanford
Reservation (Richland, Nuclear Reservation
WA). that their personal
information may have
been compromised,
after police found a
1996 list with
workers' names and
other information in a
home during an
unrelated
investigation.
June 14, 2006........................ American Insurance The computer server was 930,000
Group (AIG), Indiana stolen on March 31
Office of Medical containing personal
Excess, LLC (New York, information including
NY). names, Social Security
numbers, birth dates,
and some medical and
disability information.
June 14, 2006........................ Western Illinios Univ. On June 5th, a hacker 180,000
(Macomb, IL). compromised a
University server that
contained names,
addresses, credit card
numbers and Social
Security numbers of
people connected to
the University.
UPDATE (7/5/06): Number
affected reduced from
240,000.
June 16, 2006........................ Union Pacific (Omaha, On April 29th, an 30,000
NE). employee's laptop was
stolen that contained
data for current and
former Union Pacific
employees, including
names, birth dates and
Social Security
numbers.
June 16, 2006........................ NY State Controller's State controller data 1,300
Office (Albany, NY). cartridge containing
payroll data of
employees who work for
a variety of state
agencies was lost
during shipment. The
data contained names,
salaries, Social
Security numbers and
home addresses.
June 16, 2006........................ ING (Miami, FL)........ Two ING laptops that 8,500
carried sensitive data
affecting Jackson
Health System hospital
workers were stolen in
December 2005. The
computers, belonging
to financial services
provider ING,
contained information
gathered during a
voluntary life
insurance enrollment
drive in December and
included names, birth
dates and Social
Security numbers.
June 16, 2006........................ Univ. of Kentucky The personal data of 6,500
(Lexington, KY). current and former
students including
classroom rosters
names, grades and
Social Security
numbers was reported
stolen on May 26
following the theft of
a professor's flash
drive.
June 17, 2006........................ ING (Washington, D.C.). Laptop stolen from 13,000
employee's home
containing retirement
plan information
including Social
Security numbers of
D.C. city employees.
June 17, 2006........................ Automatic Data Personal and payroll 80
Processing (ADP) information of workers
(Roseland, NJ). were intended to be
faxed between ADP
offices and were
mistakenly sent to a
third party.
June 17, 2006........................ CA Dept. of Health CDHS documents were 1,550
Services (CDHS) inappropriately
(Sacramento, CA). emptied from an
employee's cubicle on
June 5 and 9 rather
than shredded.
The documents contained
state employees and
other individuals
applying for
employment with the
state including names,
addresses, Social
Security numbers and
home and work
telephone numbers.
They were mostly
expired state
employment
certification lists,
but also included
requests for personnel
action, copies of e-
mail messages and
handwritten notes.
June 20, 2006........................ Equifax (Atlanta, GA).. On May 29, a company 2,500
laptop containing
employee names and
partial and full
Social Security
numbers was stolen
from an employee.
June 20, 2006........................ Univ. of Alabama In February a computer 9,800
(Birmingham, AL). was stolen from a
locked office of the
kidney transplant
program at the
University of Alabama
at Birmingham that
contained confidential
information of donors,
organ recipients and
potential recipients
including names,
Social Security
numbers and medical
information.
June 21, 2006........................ U.S. Dept. of During the first week 26,000
Agriculture (USDA) in June, a hacker
(Washington, D.C.). broke into the
Department's computer
system and may have
obtained names, Social
Security numbers and
photos of current and
former employees and
contractors.
June 21, 2006........................ Cape Fear Valley Health Portable computer 24,350
System (Fayetteville, containing personal
NC). information of more
than 24,000 people was
stolen from ambulance
of Cumberland Co.
Emergency Medical
Services on June 8th.
It contained
information on people
treated by the EMS,
including names,
addresses, and
birthdates, plus SSNs
of 84% of those listed.
June 21, 2006 (Date of letter sent to Lancaster General A desktop computer with ``Hundreds of local
doctors. Date of news story is July Hospital (Lancaster, personal information physicians'' (not
28, 2006). PA). of hundreds of doctors included in total
was stolen from a below)
locked office June 10.
The unencrypted data
included names,
practice addresses,
and SSNs of physicians
on medical and dental
staff.
June 22, 2006........................ Federal Trade Two laptop computers 110
Commission (FTC) containing personal
(Washington, D.C.). and financial data
were stolen from an
employee's vehicle.
The data included
names, addresses,
Social Security
numbers, dates of
birth, and in some
instances, financial
account numbers
gathered in law
enforcement
investigations.
June 23, 2006........................ San Francisco State A faculty member's 3,000
Univ. (San Francisco, laptop was stolen from
CA). a car on June 1 that
contained personal
information of former
and current students
including Social
Security numbers, and
names and in some
instance, phone
numbers and grade
point averages.
June 23, 2006........................ U.S. Navy (Washington, Navy personnel were 30,000
D.C.). notified on June 22
that a civilian web
site contained files
with personal
information of Navy
members and dependents
including names, birth
dates and Social
Security numbers.
June 23, 2006........................ CA Dept. of Health On June 12, a box of 323
Services (CDHS) Medi-Cal forms from
(Sacramento, CA). December 2005 were
found in the cubicle
of a CDHS employee.
The claim forms
contained the names,
addresses, Social
Security numbers and
prescriptions for
beneficiaries or their
family members.
June 23, 2006........................ Catawba County Schools On June 22, it was 619
(Newton, NC). discovered that a web
site posted names,
Social Security
numbers, and test
scores of students who
had taken a
keyboarding and
computer applications
placement test during
the 2001-02 school
year.
UPDATE: The web site
containing the data
has been removed.
June 23, 2006........................ King County Records, Social Security numbers Unknown.
Elections, and for potentially
Licensing Services thousands of current
Division (Seattle, WA). and former county
residents may be
exposed on the
agency's web site.
Residents can request
that the image of any
document that contains
a Social Security
number, Mother's
Maiden Name or Drivers
License be removed.
Officials state that
they are unable to
alter original public
documents and cannot
choose to not record
documents presented
for recording.
June 27, 2006........................ Gov't Accountability Data from audit reports ``Fewer than 1,000''
Office (GAO) on Defense Department [1,000 used in total]
(Washington, D.C.). travel vouchers from
the 1970s were
inadvertently posted
online and included
some service members'
names, Social Security
numbers and addresses.
The agency has
subsequently removed
the information.
June 28, 2006........................ AAAAA Rent-A-Space Customer's account 13,000
(Colma, CA). information including
name, address, credit
card, and Social
Security number was
easily accessible due
to a security gap in
its online payment
system.
June 29, 2006........................ AllState Insurance Over Memorial Day 2,700
Huntsville branch weekend, a computer
(Huntsville, AL). containing personal
data including images
of insurance policies,
correspondence and
Social Security
numbers was stolen.
June 29, 2006........................ Nebraska Treasurer's A hacker broke into a 309,000
Office (Lincoln, NE). child-support computer
system and may have
obtained names, Social
Security numbers and
other information such
as tax identification
numbers for 9,000
businesses.
June 29, 2006........................ Minnesota Dept. of On May 16, a package 50,400
Revenue (St. Paul, MN). containing a data tape
used to back up the
regional office's
computers went missing
during delivery. The
tape contained
personal information
including individuals'
names, addresses, and
Social Security
numbers.
UPDATE (7/20/06): The
package was reported
delivered 2 months
later, but apparently
had been temporarily
lost by the U.S.
Postal Service.
June 30, 2006........................ Nat'l Institutes of NIHFCU is investigating ``Very few'' of 41,000
Health Federal Credit with law enforcement members affected [not
Union (Rockville, MD). the identity theft of included in total]
some of its 41,000
members. No details
given on type of
information stolen, or
how it was stolen.
July 1, 2006......................... American Red Cross, Sometime in May, 3 Unknown.
Farmers Branch laptops were stolen,
(Dallas, TX). one of them containing
encrypted personal
information including
names, SSNs, dates of
birth, and medical
information of all
regional donors. They
also report losing a
laptop with encrypted
donor information in
June 2005.
July 5, 2006......................... Bisys Group Inc. Personal details about 61,000
(Roseland, NJ). 61,000 hedge fund
investors were lost
when an employee's
truck carrying backup
tapes was stolen. The
data included SSNs of
35,000 individuals.
The tapes were being
moved from one Bisys
facility to another on
June 8 when the theft
occurred.
July 6, 2006......................... Automated Data Payroll service company ``Hundreds of
Processing (ADP) ADP gave scam-artist thousands'' [not
(Roseland, NJ). names, addresses, and included in total]
number of shares held
of investors, although
apparently not SSNs or
account numbers. The
leak occurred from
Nov. '05 to Feb. '06
and involved
individual investors
with 60 companies
including Fidelity,
UBS, Morgan Stanley ,
Bear Stearns,
Citigroup, Merrill
Lynch.
July 7, 2006......................... University of Tennessee Hacker broke into UT 36,000
(866) 748-1680. computer containing
names, addresses and
SSNs of about 36,000
past and current
employees. Intruder
apparently used
computer from Aug. '05
to May '06 to store
and transmit movies.
July 7, 2006......................... Nat'l Association of Ten laptops were stolen 73
Securities Dealers on Feb. 25 '06 from
(NASD) (Boca Raton, NASD investigators.
FL). They included SSNs of
securities dealers who
were the subject of
investigations
involving possible
misconduct. Inactive
account numbers of
about 1,000 consumers
were also contained on
laptops.
July 7, 2006......................... Naval Safety Center.... SSNs and other personal ``more than 100,000''
information of naval
and Marine Corps
aviators and air crew,
both active and
reserve, were exposed
on Center web site and
on 1,100 computer
discs mailed to naval
commands.
July 7, 2006......................... Montana Public Health A state government Unknown.
and Human Services computer was stolen
Dept. (Helena, MT). from the office of a
drug dependency
program during a 4th
of July break-in. It
was not known if
sensitive information
such as SSNs was
compromised.
July 7, 2006......................... City of Hattiesburg Video surveillance ``thousands of city
(Hattiesburg, MS). cameras caught 2 workers and
intruders stealing contractors''
hard drives from 18
computers June 23.
Data files contained
names, addresses, and
SSNs of current and
former city employees
and registered voters
as well as bank
account information
for employees paid
through direct deposit
and water system
customers who paid
bills electronically.
July 13, 2006........................ Moraine Park Technical Computer disk (CD) with 1,500
College (Beaver Dam, personal information
Fond du Lac, & West of 1,500 students was
Bend, WI). reported missing.
Information includes
names, addresses,
phone numbers & SSNs
of apprenticeship
students back to 1993.
July 14, 2006........................ Northwestern Univ. Files containing names ``As many as 17,000
(Evanston, IL) (888- and some personal individuals' records''
209-0097). information including exposed.
SSNs were on 9 desktop
computers that had
been accessed by
unauthorized persons
outside the
University. The
computers were in the
Office of Admissions
and Financial Aid
Office.
July 14, 2006........................ University of Iowa Laptop computer 280
(Davenport, IA). containing personal
information of current
and former MBA
students was stolen.
Data files included
SSNs and some contact
info.
July 14, 2006 (Date of letter sent to California Polytechnic Laptop computer was 3,020 students
students. Date of news story is 8/1/ State University (Cal stolen from the home
06). Poly) (San Luis of a physics
Obispo, CA) (Call department professor
(805) 756-2226 or July 3. It included
(805) 756-2171). names and SSNs of
physics and astronomy
students from 1994-
2004.
July 14, 2006........................ Treasurer's computer in Public computer in city ``Over 100,000
Circuit Court Clerk's government building records'' (The number
office (Hampton, VA). containing taxpayer containing SSNs is not
information was found known yet and not
to display SSNs of included in total
many residents--those below.)
who paid personal
property and real
estate taxes. It was
shut down and
confiscated by the
police on July 12th.
UPDATE (7/27/2006):
Investigation
concluded that the
data was exposed due
to software problem.
July 16, 2006........................ Mississippi Secretary The state agency's web Among the 2 million
of State (Jackson, MS). site listed 2 million+ postings are
Uniform Commercial ``thousands''
Code (UCC) filings in containing SSNs (not
which thousands of included in total)
individuals' SSNs were
exposed.
July 17, 2006........................ Vassar Brothers Medical Laptop was stolen from [257,800 patients were
Center (Poughkeepsie, the emergency initially notified,
NY) (845) 483-6990. department between but an analysis by
June 23-26. It Kroll later determined
contained information that the laptop
on patients dating contained no personal
back to 2000, information. This
including SSNs and number is not included
dates of birth. in the total below.]
UPDATE (10/5/06):
Private investigators
determined the laptop
did not contain
personally
identifiable patient
information.
July 18, 2006........................ Nelnet Inc. (Lincoln, Computer tape 188,000
NE) (800) 552-7925. containing personal
information of student
loan customers and
parents, mostly from
Colorado, was lost
when shipped via UPS.
The loans were
previously serviced by
College Access Network.
July 18, 2006........................ CS Stars, subsidiary of On May 9, CS Stars lost 540,000
insurance company track of a personal
Marsh Inc. (Chicago, computer containing
IL). records of more than a
half million New
Yorkers who made
claims to a special
workers' comp fund.
The lost data includes
SSNs and date of birth
but apparently no
medical information.
UPDATE (7/26/06):
Computer was recovered.
UPDATE (04/26/07): The
New York Attorney
General's office found
that CS Stars violated
the state's security
breach law. CS Stars
must pay the Attorney
General's office
$60,000 for
investigation costs.
It was determined that
the computer had been
stolen by an employee
of a cleaning
contractor, the
missing computer was
located and recovered,
and that the data on
the missing computer
had not been
improperly accessed.
July 18, 2006........................ U.S. Dept. of Laptop computer and 350
Agriculture printout containing
(Wellington, KS). names, addresses and
SSNs of 350 employees
was stolen from an
employee's car and
later recovered.
July 24, 2006........................ New York City Dept. of The personal 8,400
Homeless Services. information of 8,400
homeless persons,
including SSNs, was
leaked in an e-mail
attachment July 21,
when accidentally sent
to homeless advocates
and city officials.
July 25, 2006........................ Armstrong World A laptop containing 12,000
Industries (Lancaster personal information
Co., PA). of current and former
employers was stolen.
The computer was in
the possession of the
company's auditor,
Deloitte & Touche.
Data included names,
home addresses, phone
numbers, SSNs,
employee ID numbers,
salary data, and bank
account numbers of
employees who have
their checks directly
deposited.
July 25, 2006........................ Belhaven College An employee carrying 300 employees
(Jackson, MS). laptop was robbed at
gunpoint on July 19
while walking to his
car. Computer
contained names and
SSNs of college
employees.
July 25, 2006........................ Georgetown University Patient data was ``between 5,600 and
Hospital (Washington, exposed online via the 23,000 patients were
DC). computers of an e- affected'' (23,000
prescription provider, added to total below)
InstantDx. Data
included names,
addresses, SSNs, and
dates of birth, but
not medical or
prescription data. GUH
suspended the trial
program with InstantDX.
July 25, 2006........................ Old Mutual Capital Laptop was stolen 6,500 fund shareholders
Inc., subsidiary of sometime in May
United Kingdom-based containing personal
financial services information of U.S.
firm Old Mutual PLC. clients, including
names, addresses,
account numbers and
some SSNs.
July 25, 2006........................ Cablevision Systems A tape en route to the 13,700 current and
Corp. (lost when company's 401(k) plan former employees
shipped to Dallas- record-keeper ACS was
based ACS). lost when shipped by
FedEx to Dallas, TX.
No customer data was
on the tape.
July 26, 2006........................ U.S. Navy recruitment Two laptop computers 31,000 records were
offices (Trenton, NJ, with information on stolen, with about
and Jersey City, NJ). Navy recruiters and 4,000 containing SSNs.
applicants were stolen The latter number is
in June and July. Also included in the total
included was below
information from
selective service and
school lists. About
4,000 records
contained SSNs. Files
were password
protected.
July 26, 2006........................ West Virginia Div. of A laptop was stolen Unknown.
Rehabilitation July 24 containing
Services (Beckley, WV). clients' names,
addresses, SSNs, and
bphone numbers. Data
was password protected.
July 27, 2006........................ Kaiser Permanente A laptop was stolen 160,000 records.
Northern Calif. Office containing names, Because the data file
(Oakland, CA) (866) phone numbers, and the did not include SSNs,
453-3934. Kaiser number for each this number is not
HMO member. The data added to the total
file did not include below
SSNs. The data was
being used to market
Hearing Aid Services
to Health Plan members.
July 27, 2006........................ Los Angeles County (Los In May, a laptop was Unknown.
Angeles, CA). stolen from the home
of a community and
senior services
employee. It contained
information on LA
County employees.
July 27, 2006........................ Los Angeles Co., Earlier in July, a 4,800 records. Because
Community Development computer hacker it is not clear if
Commission (CDC) located in Germany SSNs were included,
(Monterey Park, CA). gained access to the this number is not
CDC's computer system, added to the total
containing personal below
information on 4,800
public housing
residents.
July 27, 2006........................ Los Angeles County, Last weekend 11 laptops Unknown.
Adult Protective were stolen from the
Services (Burbank, CA). Burbank office. It is
not clear what type of
personal information
was included.
July 28, 2006........................ Matrix Bancorp Inc. Two laptop computers Unknown.
(Denver, CO) (877-250- were stolen during
7742). daytime while staffers
were away from their
desks. One computer
contained customers'
account information.
The bank says data is
encrypted and password
protected.
July 28, 2006........................ Riverside, Calif., city The SSNs and financial ``nearly 2,000
employees. information regarding employees''
401(k) accounts was
accidentally e-mailed
to 2,300 city
employees due to a
computer operator's
error. The data was
intended for the city
payroll dept.
July 29, 2006........................ Sentry Insurance Personal information Information on 72
(Stevens Point, WI). including SSNs on claimants was sold on
worker's compensation the Internet. Data on
claimants was stolen, an additional 112,198
some of which was claimants was also
later sold on the stolen with no
Internet. No medical evidence of being sold
records were included. online.
The thief was a lead Total affected is
programmer-consultant 112,270
who had access to
claimants' data. The
consultant was
arrested and faces
felony charges.
Aug. ?, 2006......................... CoreLogic for ComUnity In early August, Unknown.
Lending (Sacramento, CoreLogic notified
CA) (877) 510-3700 customers of ComUnity
identityprotection@ Lending that a
corelogic.com. computer with
customers' data was
stolen from its
office. Data included
names, SSNs, and
property addresses
related to an existing
or anticipated
mortgage loan.
Aug. 1, 2006......................... U.S. Bank (Covington, A bank employee's ``very small'' number
KT). briefcase was stolen
from the employee's
car with documents
containing names,
phone numbers, and
SSNs of customers.
Aug. 1, 2006......................... Wichita State WSU learned on June 29 2,000
University (Wichita, that someone gained
KS). unauthorized access
into 3 computers in
its College of Fine
Arts box office,
containing credit card
information for about
2,000 patrons.
Aug. 1, 2006......................... Wichita State An intrusion into a WSU 40 (not included in
University (Wichita, psychology total below because it
KS). department's server is not known if SSNs
was discovered July were included in
16. It contained breached data)
information on about
40 applicants to the
doctoral program.
Aug. 1, 2006......................... Dollar Tree (Carmichael Customers of the Total number unknown
and Modesto, CA, as discount store have
well as Ashland, OR, reported money stolen
and perhaps other from their bank
locations). accounts due to
unauthorized ATM
withdrawals. Data may
have been intercepted
by a thief's use of a
wireless laptop
computer with the
thief then creating
counterfeit ATM cards
and using them to
withdraw money.
UPDATE (10/5/06):
Parkev Krmoian was
indicted by a federal
grand jury for
allegedly using phony
ATM cards made from
gift cards. The case
is tied to the Dollar
Tree customer bank
account thefts.
Aug. 1, 2006......................... Ron Tonkin Nissan Several months ago the Up to 16,000 affected
(Portland, OR) car dealership
Questions? Call: (503) experienced a security
251-3349. breach affecting the
personal information
of those who bought
cars or applied for
credit between 2001
and March 2006.
Aug. 4, 2006......................... Toyota plant (San Laptop belonging to 1,500
Antonio, TX). contractor and
containing personal
information of job
applicants and
employees was stolen.
Data included names
and SSNs.
Aug. 4, 2006......................... PSA HealthCare A company laptop was 51,000 current and
(Norcross, GA) (866) stolen from an former patients.
752-5259. employee's vehicle in
a public parking lot
July 15. It contained
names, addresses,
SSNs, and medical
diagnostic and
treatment information
used in reimbursement
claims.
Aug. 6, 2006......................... American Online (AOL) In late July AOL posted Unknown how many
(nationwide). on a public web site records contain high-
data on 20 million web risk personal
queries from 650,000 information.
users. Some search
records exposed SSNs,
credit card numbers,
or other pieces of
sensitive information.
UPDATE (9/26/06): Three
individuals whose data
were exposed have
filed a lawsuit
against AOL.
Aug. 7, 2006......................... U.S. Dept. of Veteran's Computer at 5,000 Philadelphia
Affairs through its contractor's office patients, 11,000
contractor Unisys was reported missing Pittsburgh patients,
Corp. (Reston, VA). Aug. 3, containing 2,000 deceased
billing records with patients, plus
names, addresses, possibly 20,000 more
SSNs, and dates of (18,000 is included in
birth of veterans at 2 total below).
Pennsylvania locations.
UPDATE (9/15/06): Law
enforcement recovered
the computer and
arrested an individual
who had worked for a
company that provides
temporary labor to
Unisys.
Aug. 8, 2006......................... Virginia Bureau of The Bureau has advised Unknown.
Insurance (804) 726- insurance agents in
2630. the state that their
SSN may have been
exposed on its web
site from June 13
through July 31, 2006,
due to a programming
error. The SSNs were
not shown on any web
page, but could have
been found by savvy
computer users using
the source code tool
of a web browser.
Aug. 8, 2006......................... Linens 'n Things A folder holding about 90
(Sterling, VA). 90 receipts was
missing from the
store. Receipts
included full credit
or debit account
number and name of the
card holder.
Aug. 9, 2006......................... U.S. Dept. of The DOT's Office of the 132,470
Transportation (800) Inspector General
424-9071 reported a special
[email protected]. agent's laptop was
stolen on July 27 from
a government-owned
vehicle in Miami, FL,
parked in a restaurant
parking lot. It
contained names,
addresses, SSNs, and
dates of birth for
80,670 persons issued
commercial drivers
licenses in Miami-Dade
County; 42,800 persons
in FL with FAA pilot
certificates; and
9,000 persons with FL
driver's licenses.
UPDATE (11/21/06): A
suspect was arrested
in the same parking
lot where the theft
occurred, but the
laptop has not been
recovered.
Investigators found a
theft ring operating
in the vicinity of the
restaurant parking lot.
Aug. 11, 2006........................ Madrona Medical Group On Dec. 17, 2005, a At least 6,000
(Bellingham, WA). former employee patients.
accessed and
downloaded patient
files onto his laptop
computer. Files
included name,
address, SSN, and date
of birth. The former
employee has since
been arrested.
Aug. 15, 2006........................ University of Kentucky. The names and SSNs of 630
630 students were
posted on the
University's financial
aid web site between
Friday and Monday,
Aug. 11-14.
Aug. 15, 2006........................ University of Kentucky. About 80 geography 80
students were notified
Aug. 14 that their
SSNs were
inadvertently listed
on an e-mail
communication they all
received telling them
who their academic
advisor would be for
the coming year.
Aug. 15, 2006........................ U.S. Dept. of On April 24, a DOT Unknown.
Transportation employee's laptop
(Orlando, FL). computer was stolen
from an Orlando hotel
conference room. It
contained several
unencrypted case files
Investigators are
determining if it
contained sensitive
personal information.
Aug. 16, 2006........................ Chevron (San Ramon, CA) Chevron informed its Total employees
U.S. workers Aug. 14 affected is unclear.
that a laptop was Nearly half of its
stolen from ``an 59,000 workers are
employee of an from North America.
independent public
accounting firm'' who
was auditing its
benefits plans. The
theft apparently
occurred Aug. 5. Files
contained SSNs and
sensitive information
related to health and
disability plans.
Aug. 17, 2006........................ Williams-Sonoma (San On July 10, a laptop 1,200 current and
Francisco, CA). was stolen from the former employees.
Los Angeles home of a
Deloitte & Touche
employee who was
conducting an audit
for W-S. Computer
contained employees'
payroll information
and SSNs.
Aug. 17, 2006........................ HCA, Inc. Hospital 10 computers containing ``thousands of files''.
Corp. of America Medicare and Medicaid
(Nashville, TN) (800) billing information
354-1036 and records of
hcahealthcare.com. employees and
physicians from 1996-
2006 were stolen from
one of the company's
regional offices. Some
patient names and SSNs
were exposed, but
details are vague.
Records for patients
in hospitals in the
following states were
affected: CO, KS, LA,
MS, OK, OR, TS, WA.
Aug. 18, 2006........................ Calif. Dept. of Mental Computer tape with 9,468 employees.
Health (916) 654-2309. employees' names,
addresses, and SSNs
has been reported
missing. Employees
were notified Aug. 17
by e-mail.
Aug. 21, 2006........................ U.S. Dept. of Education Two laptops were stolen 43
via contractor, DTI from DTI's office in
Associates downtown DC containing
(Washington, DC). personal information
on 43 grant reviewers
for the Teacher
Incentive Fund. DTI
could not rule out
that the data included
SSNs.
Aug. 22, 2006........................ AFLAC American Family A laptop containing 612 policyholders.
Life Assurance Co. customers' personal
(Greenville, SC) (888) information was stolen
794-2352. from an agent's car.
It contained names,
addresses, SSNs, and
birth dates of 612
policyholders. They
were notified Aug. 11.
Aug. 22, 2006........................ Beaverton School Time slips revealing 1,600 employees.
District (Beaverton, personal information
OR). were missing and
presumed stolen
following a July 24
break-in at a storage
shed on the
administration
office's property. The
time slips included
names and SSNs but not
addresses.
Aug. 22, 2006........................ Beaumont Hospital A vehicle of a home 28,400 home care
(Troy, MI). health care nurse was patients.
stolen from outside a
senior center Aug. 5.
Although it was
recovered nearby, a
laptop left in the
rear of the car was
not recovered. It
contained names,
addresses, SSNs, and
insurance information
of home health care
patients.
UPDATE (8/23/06): The
laptop was returned
Aug. 23 by a woman who
said she found it in
her yard.
Aug. 23, 2006........................ U.S. Dept. of A faulty Web site 21,000
Education, Direct Loan software upgrade
Servicing Online resulted in personal
(Atlanta, GA) information of 21,000
www.dlssonline.com and student loan holders
dlservicer.ed.gov. being exposed on the
Department's loan Web
site. Information
included names,
birthdates, SSNs,
addresses, phone
numbers, and in some
cases, account
information.
Affiliated Computer
Services Inc. is the
contractor responsible
for the breach. The
breach did not include
those whose loans are
managed through
private companies.
Aug. 25, 2006........................ Dominion Resources Two laptops containing Unknown.
(Richmond, VA). employee information
were stolen earlier in
August. It was not
clear what type of
data were included. No
customer records were
on the computers.
Dominion operates a
gas and electric
energy distribution
company.
Aug. 25, 2006........................ U.S. Dept. of A laptop that ``might 193 (not added to
Transportation, contain'' personal total).
Federal Motor Carrier information of people
Safety Administration with commercial
(Baltimore, MD) (800) driver's licenses was
832-5660. stolen Aug. 22. FMCSA
said the data might
include names, dates
of birth, and
commercial driver's
license numbers of 193
individuals from 40
trucking companies.
Aug. 25, 2006........................ Sovereign Bank (New Personal data may have ``thousands of
Bedford, MA). been compromised when customers''.
3 managers' laptops
were stolen from 2
separate locations in
early August.
Customers were
notified Aug. 21.
Sovereign serves New
England and the Mid-
Atlantic. The bank
said the data included
unspecified customer
information, but not
account data.
Aug. 26, 2006........................ PortTix (Portland, ME). Credit card information 2,000
for about 2,000 people
who ordered tickets
online through PortTix
was accessed by
someone who hacked
into the Web site.
PortTix is Merrill
Auditorium's ticketing
agency. The Web site
was secured as of Aug.
24.
Aug. 26, 2006........................ University of South A security audit this 6,000 current and
Carolina (Columbia, summer found that a former students.
SC). computer server was
hacked in Sept. 2005.
A database could have
been accessed with
names, SSNs, and
birthdates of current
and former students.
Aug. 27, 2006........................ New Mexico For 8 days in late May, 1,500 employees.
Administrative Office an unsecured document
of the Courts (Santa was exposed on the
Fe, NM). agency's FTP site on
the state's computer
server. It contained
names, birth dates,
SSNs, home addresses
and other personal
information of
judicial branch
employees. The FTP
site was shut down
June 2 and has since
been redesigned.
Aug. 29, 2006........................ Valley Baptist Medical A programming error on Unknown.
Center (Harlingen, TX) the hospital's web
(877) 840-5999. site exposed names,
birth dates, and SSNs
of healthcare workers
in late August. The
error was fixed but it
is not known how long
the personal
information was
compromised. The
affected individuals
are workers from
outside the hospital
who provide services
and bill the hospital
via an online form.
Aug. 29, 2006........................ AT&T via vendor that Computer hackers ``Fewer than 19,000''
operates an order accessed credit card customers.
processing computer account data and other
(San Francisco, CA). personal information
of customers who
purchased DSL
equipment from AT&T's
online store. The
company is notifying
``fewer than 19,000''
customers''.
UPDATE (9/1/06): The
breach was followed by
a bogus phishing e-
mail to those
customers that
attempted to trick
them into revealing
more info such as SSN
and birthdate--
essential for crime of
identity theft.
Aug. 29, 2006........................ Compass Health Compass Health notified ``A limited number of
(Everett, WA) (800) some of its clients people''.
508-0059. that a laptop
containing personal
information, including
SSNs, was stolen June
28. The agency serves
people who suffer from
mental illness.
Aug. 31, 2006........................ Labcorp (Monroe, NJ) During a break-in June Unknown.
(800) 788-9091 x3925. 4 or 5, a computer was
stolen that contained
names and SSNs, but
according to the
company did not have
birth dates or lab
test results.
Aug. 31, 2006........................ Diebold, Inc. (Canton, An employee's laptop Unknown.
OH). was stolen containing
employee information,
including name, SSN,
and if applicable,
corporate credit card
number.
Sept. 1, 2006........................ Wells Fargo via unnamed In a letter dated Aug. Unknown.
auditor (San 28, the company
Francisco, CA). notified its employees
that a laptop and data
disk were stolen from
the locked trunk of an
unnamed auditor, hired
to audit the
employees' health
plan. Data included
names, SSNs, and
information about drug
claim cost and dates
from 2005, but no
prescription
information said the
company.
Sept. 1, 2006........................ Virginia Commonwealth Personal information of 2,100 current and
University (Richmond, freshmen and graduate former students.
VA) www.ts.vcu.edu. engineering students
from 1998 through 2005
was exposed on the
Internet for 8 months
(Jan.-Aug.) due to
human error. It was
discovered by a
student who used a
search engine to find
her name. The data
included SSNs and e-
mail addresses.
Sept. 1, 2006........................ City of Chicago via A laptop was stolen ``Up to 38,443 city
contractor Nationwide from the home of employees and
Retirement Solutions, contractor's employee retirees''.
Inc. (Chicago, IL) last April 2005. It
(800) 638-1485 was reported to the
www.chicagofop.org. city July 2006 more
than a year later.
Data included names,
addresses, phone
numbers, birthdates
and SSNs for those in
the city's deferred
compensation plan.
Sept. 2, 2006........................ Lloyd's of London (Port A thief reprogrammed Unknown.
St. Lucie, FL). more than 150 Lloyd's
of London credit card
numbers onto phone
cards and used them to
withdraw money from an
ATM in Port St. Lucie,
FL (stealing more than
$20,000 over 3 days).
Key personal and
financial information
had been skimmed from
the magnetic strip on
the victims' cards.
Sept. 5, 2006........................ Transportation Security In late August 2006, 1,195 former TSA
Administration (TSA) Accenture, a employees.
via Accenture contractor for TSA
(Washington, DC). mailed documents
containing former
employees' SSNs, date
of birth, and salary
information to the
wrong addresses due to
an administrative
error.
Sept. 7, 2006........................ Florida National Guard A laptop computer was 100
(Bradenton, FL). stolen from a
soldier's vehicle
contained training and
administrative
records, including
Social Security
numbers of up to 100
Florida National Guard
soldiers.
Sept. 7, 2006........................ Circuit City and Chase Chase Card Services 2.6 million past and
Card Services, a mistakenly discarded 5 current Circuit City
division of JP Morgan computer data tapes in credit cardholders.
Chase & Co. July containing
(Wilmington, DE). Circuit City
cardholders' personal
information.
Sept. 8, 2006........................ Linden Lab (San On Sept. 6, Linden Lab Unknown.
Francisco, CA) discovered that a
www.secondlife.com. hacker accessed its
Second Life database
through web servers.
The affected data
included unencrypted
account names, real
life names, and
contact information,
plus encrypted account
passwords and payment
information. Second
Life is a 3-D virtual
world.
Sept. 8, 2006........................ University of Minnesota On August 14-15 eve, 13,084 students
(Minneapolis, MN). two computers were including SSNs of 603
stolen from the desk students.
of an Institute of
Technology employee,
containing information
on students who were
freshmen from 1992-
2006--including names,
birthdates, addresses,
phone numbers, high
schools attended,
student ID numbers,
grades, test scores,
and, academic
probation. SSNs of 603
students were also
exposed.
Sept. 8, 2006........................ Berks Co. Sheriff's A confidential list of 25,000 gun permit
Office via contractor some of the County's holders exposed,
Canon Technology 25,000 gun permit although initially the
Solutions (Reading, holders was exposed on number was unknown.
PA). the Web by the
contractor that is
developing a Web-based
computer records
program for the
Sheriff's Office.
Personal information
included names,
addresses and SSNs.
UPDATE (10/6/06): The
Berks County
solicitor's office
says the entire list
of more than 25,000
gun permit holders was
exposed.
Sept. 9, 2006........................ Cleveland Clinic A clinic employee stole 1,100 patients.
(Naples, FL) (866) 907- personal information
0675. from electronic files
and sold it to her
cousin, owner of
Advanced Medical
Claims, who used it to
file fraudulent
Medicare claims
totaling more than
$2.8 million.
Information included
names, SSNs,
birthdates, addresses
and other details.
Both individuals were
indicted.
Sept. 11, 2006....................... Telesource via Vekstar Employees discovered Unknown.
(Indianapolis, IN). their personnel files
in a Dumpster after
the company had been
bought out by another
company Vekstar. The
files were discarded
when the office was
being cleaned out and
shut down. Files
contained SSNs, dates
of birth and
photocopies of SSN
cards and driver's
licenses.
Sept. 13, 2006....................... American Family The office of an 2,089 customers.
Insurance (Madison, insurance agent was
WI). broken into and robbed
last July. Among the
items stolen was a
laptop with customers'
names, SSNs, and
driver's license
numbers.
Sept. 14, 2006....................... Nikon Inc. and Nikon Workers at a 3,235 magazine
World Magazine Montgomery, AL, camera subscribers.
(Melville, NY). store discovered that
subscription
information for the
magazine Nikon World
was exposed on the Web
for at least 9 hours.
Data included
subscribers' names,
addresses and credit
card numbers.
Sept. 14, 2006....................... Illinois Dept. of A document containing Unknown.
Corrections employees' personal
(Springfield, IL). information was found
outside the agency's
premises ``where it
should not have
been.'' It has since
been retrieved.
Information included
employees' names,
SSNs, and salaries.
Sept. 15, 2006....................... Mercy Medical Center A memory stick 295 patients.
(Merced, CA). containing patient
information was found
July 18 by a local
citizen on the ground
at the County
Fairgrounds near the
hospital's information
booth. It was returned
to the hospital 4
weeks later. Data
included names, SSNs,
birthdates, and
medical records.
Sept. 15, 2006....................... Whistle Junction Personnel files of Unknown.
restaurant (Orlando, employees of the now-
FL). closed restaurant were
found in a nearby
Dumpster. Papers
included names and
SSNs of former
employees.
Sept. 16, 2006....................... Michigan Dept. of Residents who 4,000 Michigan
Community Health participated in a residents.
(Detroit, MI). scientific study were
notified that a flash
drive was discovered
missing as of Aug. 4,
and likely stolen,
from an MDCH
office.The portable
memory device
contained names,
addresses, phone
numbers, dates of
birth, and SSNs of
participants. The
study tracked the long-
term exposure to flame
retardants ingested by
residents in beef and
milk.
Sept. 16, 2006....................... Beaumont Hospital The hospital mistakenly 3 patients.
(Royal Oak, MI). mailed medical reports
on 3 patients to a
retired dentist in
Texas. Reports
included name, test
results, date of birth
and patient ID
numbers. The hospital
admitted to both human
and computer error. A
new computer system
mixed similar names,
and staff did not
catch it.
Sept. 17, 2006....................... Direct Loans, part of A security breach 21,000 accounts.
William D. Ford exposed private
Federal Direct Loan information of student
Program within U.S. loan borrowers from
Dept. of Education and Aug. 20-22 during a
Federal Student Aid computer software
via its IT contractor upgrade. Users of the
ACS. Direct Loans Web site
were able to view
information other than
their own if they used
certain options. SSNs
were among the data
elements exposed
online.
Sept. 18, 2006....................... Howard, Rice, A laptop was stolen 500 current and former
Nemerovski, Canady, from the trunk of the employees.
Falk & Rabkin law firm car of the law firm's
(San Francisco, CA) auditor, containing
via its auditor confidential employee
Morris, Davis & Chan pension plan
(Oakland, CA). information--names,
SSNs, remaining
balances, 401(k) and
profit-sharing
information.
Sept. 18, 2006....................... DePaul Medical Center, Two computers were ``More than 100
Radiation Therapy stolen, one on August patients''.
Dept. (Norfolk, VA) 28 and the other Sept.
(757) 889-5945. 11. Personal data
included names, date
of birth, treatment
information, and some
SSNs.
Sept. 19, 2006....................... Life Is Good (Hudson, Hackers accessed the 9,250 customers' credit
NH). retailer's database card numbers.
containing customer's
credit card numbers.
The company said no
other personal
information was in the
database.
Sept. 20, 2006....................... City of Savannah, Because of a ``hole in 8,800 individuals whose
Georgia (912) 651-6565 the firewall,'' a City identities were
savannahga.gov. server exposed captured by red-light
personal information cameras.
online for 7 months.
Individuals identified
by the Red Light
Camera Enforcement
Program are affected--
name, address,
driver's license
number, vehicle
identification number,
and SSNs of those
individuals whose
driver's license
number is still the
SSN.
Sept. 20, 2006....................... Berry College via Student applications 2,093 students and
consultant Financial for need-based potential students (of
Aid Services Inc. financial aid were those, 1,322 are
(Mount Berry, GA) misplaced by a currently enrolled).
(800) 961-4692 consultant--in both
www.berry.edu. paper and digital
form. Data included
name, SSN, and
reported family income
for students and
potential students for
the 2005-06 academic
year.
Sept. 21, 2006....................... Pima Co. Health Dept. Vaccination records on 2,500 (not included in
(Tucson, AZ). 2,500 clients had been Total below).
left in the trunk of a
car that was stolen
Sept. 12. The car and
records have since
been recovered.
Records included
names, dates of birth
and ZIP codes, but no
SSNs or addresses.
Sept. 21, 2006....................... U.S. Dept. of Commerce The agency reported Unknown.
and Census Bureau that 1,137 laptops
(Washington, DC). have been lost or
stolen since 2001. Of
those, 672 were used
by the Census Bureau,
with 246 of those
containing personal
data. Secretary
Gutierrez said the
computers had
``protections to
prevent a breach of
personal information''.
Sept. 22, 2006....................... Purdue University A file in a desktop 2,482 students from the
College of Science computer in the year 2000.
(West Lafayette, IN) Chemistry Department
(866) 307-8520 may have been accessed
www.purdue.edu. illegitimately. The
file contained names,
SSNs, school, major,
and e-mail addresses
of people who were
students in 2000.
Sept. 22, 2006....................... University of Colorado- Two computers had been 1,372 students and
Boulder, Leeds School placed in storage former students.
of Business (Boulder, during the school's
CO) (303) 492-8741. move to temporary
quarters in May. When
they were to be
retrieved Aug. 28,
they were found
missing. They had been
used by 2 faculty
members and included
students' names, SSNs,
and grades.
UPDATE (9/25/06): One
of the computers was
found.
Sept. 22, 2006....................... Several Indianapolis Earlier this year a Unknown.
pharmacies local TV reporter from
(Indianapolis, IN). WTHR found that
``dozens'' of
pharmacies disposed of
customer records in
unsecured garbage
bins. Now the Indiana
Board of Pharmacy has
launched an
investigation of 30
pharmacies. Both the
Board and the Attorney
General say that the
pharmacies violated
state law.
Sept. 23, 2006....................... An illegal dumping site Investigators found Unknown.
northwest of Quinlan, boxes of private
TX. medical records
containing names and
personal information
of patients of a
doctor who lives in
Dallas and who has a
Greenville, TX,
practice. They had
apparently been dumped
there by a contractor
who was hired to
remodel his house. The
contractor was
indicted on a charge
of illegal dumping.
Sept. 23, 2006....................... Erlanger Health System Records of hospital 4,150 current and
(Chattanooga, TN). employees disappeared former employees.
from a locked office
on Sept. 15. They were
stored on a USB ``jump
drive.'' Information
was limited to names
and SSNs. Those
affected included
anyone who went
through job ``status
changes'' from Nov.
2003 to Sept. 2006.
Sept. 25, 2006....................... Movie Gallery A large number of Movie Unknown.
(Gastonia, NC). Gallery's files and
videos were found in a
dumpster. The files
contained personal
information of people
employed by Movie
Gallery and people
applying for jobs at
the video store as
well as people
applying for movie
rental membership.
Movie Gallery has
agreed to pay $50,000
to the State of NC.
Sept. 25, 2006....................... General Electric (US An employee's laptop 50,000 employees.
Corporate HQ: computer holding the
Fairfield, CT). names and Social
Security numbers of
approximately 50,000
current and former GE
employees was stolen
from a locked hotel
room while he was
traveling for business.
Sept. 28, 2006....................... North Carolina Dept. of A computer was stolen 16,000
Motor Vehicles from a NC Dept. of
(Louisville, NC) (888) Motor Vehicles office,
495-5568. reported Sept. 10. It
contains names,
addresses, driver's
license numbers, SSNs,
and in some cases
immigration visa
information of 16,000
people who have been
issued licenses in the
past 18 months. Most
are residents of
Franklin County.
Sept. 28, 2006....................... Illinois Dept. of Documents found by 40
Transportation state auditors in
(Springfield, IL). recycling bins in a
hallway contained IDOT
employee names and
SSNs.
Sept. 28, 2006....................... Stevens Hospital A manager for the ``about 30 patients''.
Emergency Room via hospital's billing
dishonest employee of company, Med Data,
billing company Med stole patients' credit
Data (Edmonds, WA). card numbers. She gave
them to her brother
who bought $30,000
worth of clothes and
gift cards over the
Internet. The woman is
scheduled for
sentencing in Nov. and
her brother's trial is
expected Jan. 2007.
Sept. 29, 2006....................... University of Iowa Dept A computer containing 14,500 individuals who
of Psychology (Iowa SSNs of 14,500 had participated in a
City, IA). psychology department research study.
research study
subjects was the
object of an automated
attack designed to
store pirated video
files for subsequent
distribution.
Sept. 29, 2006....................... Kentucky Personnel State employees 146,000
Cabinet (Frankfort, received letters from
KY). the Kentucky Personnel
Cabinet with their
SSNs visible through
the envelope windows.
Sept. ??, 2006....................... Adams State College A laptop computer 184 Upward Bound
(Alamosa, CO). stolen from a locked students.
closet at Adams State
College contained
personally
identifiable data
belonging to 184 high
school students who
participated in the
college's Upward Bound
program over the last
four years. The theft
occurred on August 14,
but it was not until
late September that
staff realized the
computer held
students' data.
Oct. 2, 2006......................... Port of Seattle Six CDs missing from 6,939 current and
(Seattle, WA) (888) the ID Badging office former Seattle-Tacoma
902-PORT. at Seattle-Tacoma International Airport
International Airport employees.
hold the personal
information of 6,939
airport workers. The
data include names,
addresses, birth
dates, SSNs and
driver's license
numbers, telephone
numbers, employer
information, and
height/weight. The
data on the disks were
scanned from paper
applications for
airport badges. The
port learned of the
missing disks on
September 18 and sent
letters to the
affected employees on
Oct. 2.
Oct. 3, 2006......................... Cumberland County, PA.. Cumberland County (PA) 1,200 employees of the
officials removed county.
salary board meeting
minutes from their Web
site because they
contained the SSNs of
1,200 county
employees. The
information was
included in minutes
from meetings prior to
2000. The county no
longer uses SSNs as
unique identifiers for
employees. Employees
will be informed of
the data breach in a
note included with
their paychecks.
Oct. 3, 2006......................... Willamette Educational Seven computers stolen 4,500 Oregon high
Service District from a Willamette school students [not
(Salem, OR). Educational service included in total
District office were because not thought to
believed to contain contain sensitive
personal information info. such as SSNs].
of 4,500 Oregon high
school students.
Backup tapes indicate
the computers hold
information about the
students' school clubs
but do not contain
sensitive information.
Oct. 3, 2006......................... Picatinny Arsenal 28 computers are Unknown.
(Rockaway Twp., NJ) missing from the
(If you have tips, Picatinny Arsenal, a
call (973) 989-0652). Department of Defense
Weapons Research
Center. The computers
were reported lost or
stolen over the last
two years. None of the
computers was
encrypted. Officials
state the computers
did not contain
classified information.
Oct. 4, 2006......................... Orange County A Florida woman Unknown.
Controller (FL). discovered her
marriage license was
visible on the Orange
County (FL)
controller's Web site
with no information
blacked out, not even
SSNs. She discovered
the breach because
someone had applied
for a loan in her
name. The Orange
County Comptroller is
reportedly paying a
vendor $500,000 to
black out all SSNs by
January 2008.
Oct. 5, 2006......................... San Juan Capistrano Five computers stolen Unknown.
Unified School from the HQ of San
District (CA). Juan Capistrano
Unified School
District likely
contain the names,
SSNs and dates of
birth of district
employees enrolled in
an insurance program.
Oct. 6, 2006......................... Cleveland Air Route A computer hard drive At least 400.
Traffic Control Center missing from the
(Oberlin, OH). Cleveland Air Route
Traffic Control Center
in Oberlin (OH)
contains the names and
SSNs of at least 400
air traffic
controllers.
Oct. 6, 2006......................... Camp Pendleton Marine A laptop missing from 2,400
Corps base via Lincoln Lincoln B.P.
B.P. Management (Camp Management Inc. holds
Pendleton near personally
Oceanside, CA). identifiable data
about 2,400 Camp
Pendleton residents.
Oct. 9, 2006 (Letter mailed Oct. 5, Troy Athens High School A hard drive stolen 4,400
2006). (Troy, MI) (For from Troy Athens High
questions or comments, School in August
call (248) 823-4035). contained transcripts,
test scores, addresses
and SSNs of students
from the graduating
classes of 1994 to
2004. The school
district and the
superintendent have
notified all affected
alumni by regular mail.
Oct. 10, 2006........................ Florida Labor The names and SSNs of 4,624 individuals who
Department. 4,624 Floridians were had registered with
accessible on the Florida's Agency for
Internet for Workforce Innovation.
approximately 18 days
in September. The data
were not accessible
through Web sites, but
an individual came
across the information
when Googling his own
name. The agency has
asked Google to remove
the pages from its
cache, and has
notified all affected
individuals by mail.
Oct. 11, 2006........................ Republican National The Republican National 76 RNC donors.
Committee (Washington, Committee (RNC)
D.C.). inadvertently emailed
a list of donors'
names, SSNs and races
to a New York Sun
reporter.
Oct. 12, 2006........................ U.S. Census Bureau..... This spring, residents Unknown number of
of Travis County, TX Travis Co., TX,
helped the Census residents.
Bureau test new
equipment. When the
test period ended, 15
devices were
unaccounted for. The
Census Bureau and the
Commerce Department
issued a press release
saying the devices
held names, addresses
and birthdates, but
not income or SSNs.
Oct. 12, 2006........................ Congressional Budget Hackers broke into the Unknown number of e-
Office (Washington, Congressional Budget mail addresses.
D.C.). Office's mailing list
and sent a phishing e-
mail that appeared to
come from the CBO.
Oct. 12, 2006........................ University of Texas at Two computers stolen 2,500 students.
Arlington. from a University of
Texas faculty member's
home hold the names,
SSNs, grades, e-mail
addresses and other
information belonging
to approximately 2,500
students enrolled in
computer science and
engineering classes
between fall 2000 and
fall 2006. The theft
occurred on September
29 and was reported on
October 2.
Oct. 13, 2006........................ Ohio Ethics Committee Papers belonging to the Unknown number of Ohio
(Columbus, OH). Ohio Ethics Commission state employees.
were found floating on
the wind in an alley.
The documents are
related to state
employees' finances
and contained SSNs and
financial statements.
They were supposed to
be in the possession
of the state archives.
Oct. 13, 2006........................ Orchard Family Practice When a bankrupt Unknown.
(Englewood, CO). Colorado doctor was
evicted from his
office, the landlord
with help from the
sheriff's dept. dumped
everything from his
office in the parking
lot, including file
cabinets containing
personal information
of his patients.
Scavengers were seen
carting off desks and
file cabinets, some
containing records.
The exposed documents
were thought to
consist of business
records containing
names, SSNs, dates of
birth, and addresses,
but not medical
information, which the
doctor had previously
removed.
Oct. 14, 2006........................ T-Mobile USA Inc. A laptop computer 43,000 current and
(Bellvue, WA). holding personally former employees.
identifiable
information of
approximately 43,000
current and former T-
Mobile employees
disappeared from a T-
Mobile employee's
checked luggage. T-
Mobile has reportedly
sent letters to all
those affected. The
data are believed to
include names,
addresses, SSNs, dates
of birth and
compensation
information.
Oct. 15, 2006........................ Poulsbo Department of An unspecified 2,200
Licensing (Poulsbo, ``storage device''
WA). containing personally
identifiable data of
approximately 2,200
North Kitsap (WA)
residents has been
lost from the Poulsbo
Department of
Licensing. The data
include names,
addresses, photographs
and driver's license
numbers of individuals
who conducted
transactions at the
Poulsbo branch in late
September.
Oct. 16, 2006........................ Germanton Elementary A computer stolen from Unknown.
School (Germanton, NC). Germanton Elementary
school holds students'
SSNs. The data on the
computer are encrypted.
Oct. 16, 2006........................ VISA/FirstBank......... FirstBank sent a letter Unknown.
to an unknown number
of customers informing
them their FirstTeller
Visa Check Card
numbers were
compromised when
someone accessed ``a
merchant card
processor's
transaction
database.'' The
FirstBank letter said
customers would
receive new cards by
October 27.
Oct. 16, 2006........................ Dr. Charles Kay of Sheriff's deputies Unknown.
Orchard Family evicting Dr. Charles
Practice (Englewood, Kay put files from his
CO). office in a nearby
parking lot. In a news
report, Dr. Kay said
he had removed the
patient files but not
the business files.
Oct. 17, 2006........................ City of Visalia, Personally identifiable 200 current and former
Recreation Division information of employees.
(Visalia, CA). approximately 200
current and former
Visalia Recreation
Department employees
was exposed when
copies of city
documents were found
scattered on a city
street.
Oct. 19, 2006........................ Allina Hospitals and A laptop stolen from a Individuals in 17,000
Clinics (Minneapolis- nurse's car on October households.
St. Paul, MN). 8 contains the names
and SSNs of
individuals in
approximately 17,000
households
participating in the
Allina Hospitals and
Clinics obstetric home-
care program since
June 2005.
Oct. 19, 2006........................ University of Minnesota/ In June, a University 200 students (not
Spain. of Minnesota art included in total).
department laptop
computer stolen from a
faculty member while
traveling in Spain
holds personally
identifiable
information of 200
students.
Oct. 20, 2006........................ Manhattan Veteran's On Sept. 6, an 1,600 veterans who
Affairs Medical unencrypted laptop receive pulmonary care
Center, New York computer containing at the facility.
Harbor Health Care veterans' names,
System (New York, NY). Social Security
numbers, and medical
diagnosis, was stolen
from the hopsital.
Oct. 21, 2006........................ Bowling Green Police The police dept. Approx. 200 victims or
Dept. (Bowling Green, accidentally published suspects.
OH). a report on their
website containing
personal information
on nearly 200 people
the police had contact
with on Oct. 21. Data
included names, Social
Security numbers,
driver's license
numbers, etc.
Oct. 23, 2006........................ Sisters of St. Francis On July 28, 2006, a 260,000 patients and
Health Services via contractor working for about 6,200 employees,
Advanced Receivables Advanced Receivables board members and
Strategy (ARS), a Strategy, a medical physicians for a total
Perot Systems Company billing records of 266,200.
(Indianapolis, IN) company, misplaced CDs
(866) 714-7606. containing the names
and SSNs of 266,200
patients, employees,
physicians, and boad
members of St. Francis
hospitals in Indiana
and Illinois. Also
affected were records
of Greater Lafayette
Health Services. The
disks were
inadvertently left in
a laptop case that was
returned to a store.
The purchaser returned
the disks. The records
were not encrypted
even though St.
Francis and ARS
policies require
encryption.
Oct. 23, 2006........................ Chicago Voter Database An official from the 1.35 million Chicago
(Chicago, IL). not-for-profit residents.
Illinois Ballot
Integrity Project says
his organization
hacked into Chicago's
voter database,
compromising the
names, SSNs and dates
of birth of 1.35
million residents. The
Chicago Election Board
is reportedly looking
into removing SSNs
from the database.
Election officials
have patched the flaw
that allowed the
intrusion.
Oct. 24, 2006........................ Jacobs Neurological The laptop of a Unknown.
Institute (Buffalo, research doctor was
NY). stolen from her locked
office at the
Institute. It included
records of patients
and her research data.
Oct. 25, 2006........................ Transportation Security A thumb drive is 900 current and former
Administration (TSA) missing from the TSA Oregon TSA employees.
(Portland, OR). command center at
Portland International
Airport and believed
to contain the names,
addresses, phone
numbers and Social
Security numbers of
approximately 900
current and former
employees.
Oct. 25, 2006........................ Swedish Medical Center, An employee stole the Up to 1,100 patients.
Ballard Campus names, birthdates, and
(Seattle, WA) (800) Social Security
840-6452. numbers from patients
who were hospitalized
or had day-surgeries
from June 22 to Sept
21. She used 3
patients' information
to open multiple
credit accounts.
Oct. 25, 2006........................ Tuscarawas County and The Social Security Unknown.
Warren County (OH). numbers of some
Tuscarawas and Warren
County voters were
available on the
LexisNexis Internet
database service.
UPDATE (11/1/06):
LexisNexis says it has
now removed the SSNs.
Oct. 26, 2006........................ Akron Children's Overseas hackers broke 235,903
Hospital (Akron, OH). into two computers at
Children's Hospital.
One contains private
patient data
(including Social
Security numbers) and
the other holds
billing and banking
information.
Oct. 26, 2006........................ Empire Equity Group Mortgage files that Unknown.
(Charlotte, NC). included personal
financial details
about loan applicants
were found in a
dumpster. Empire
Equity will pay
$12,500 to the State
of NC.
Oct. 26, 2006........................ LimeWire (Denver, CO).. The Denver Police Dept. 75
reports that
LimeWire's file-
sharing program was
exploited to access
personal and financial
information from
approximately 75
different individual
and business account
names from all over
the country. The
information, which
included tax records,
bank account
information, online
bill paying records
and other material,
appears to have been
stolen directly from
computers that were
using LimeWire's
filesharing software
program.
Oct. 26, 2006........................ Hilb, Rogal & Hobbs In September 2006, a 1,243 Villanova
(Plymouth Meeting, PA). laptop computer was University students
stolen from the and staff.
insurance brokerage
firm. It contained
client information
including the names,
birthdates, and
drivers license
numbers of Villanova
University students
and staff who drive
university vehicles.
Oct. 27, 2006........................ Gymboree (San A thief stole 3 laptop up to 20,000 employees.
Francisco, CA). computers from
Gymboree's corporate
headquarters. They
contained unencrypted
human resources data
(names and Social
Security numbers) of
thousands of workers.
Oct. 27, 2006........................ Hancock Askew & Co. On October 5, 2006, a Unknown.
(Savannah, GA). laptop computer
containing 401(k)
information for
employees of at least
one company (Atlantic
Plastics, Inc.) was
stolen from accounting
firm Hancock Askew.
Oct. 27, 2006........................ Hertz Global Holdings, The names and Social Unknown.
Inc. (Oklahoma City, Security numbers of
OK) 1-888-222-8086. Hertz employees dating
back to 2002 were
discovered on the home
computer of a former
employee.
Oct. 30, 2006........................ Georgia county clerk of A Georgia TV station Unknown.
courts' web sites. reported that SSNs
could be found on some
records posted on
county clerk of court
web sites,
specifically for
individuals with
federal tax liens
filed against them. At
least one county
clerk--Cherokee
County--is now
removing SSNs from the
web site.
Oct. 30, 2006........................ Nissan Motor Co., Ltd. The Japanese weekly 5,379,909 customers
(Tokyo, Japan). magazine ``The Weekly (not included in total
Asahi'' reported that because data
Nissan experienced the apparently does not
leak of a database contain financial
containing customers' account information or
personal information SSNs).
sometime between May
2003 and February
2004. The data
includes the customer
name, gender, birth
date, address,
telephone number,
vehicle model owned
(including base and
class), and license
plate number.
Oct. 31, 2006........................ Avaya (theft occurred A laptop stolen from an Unknown.
in Maitland, FL, Avaya employee on
office of company, October 16 in Florida
headquartered in contained personally
Basking Ridge, NJ). identifiable
information, including
names, addresses, W-2
tax form information
and SSNs.
Nov. 2006............................ Home Finance Mortgage, Company dumped files Unknown.
Inc. (Cornelius, NC). containing names,
addresses, Social
Security numbers,
credit card numbers,
and bank account
numbers of people who
had applied for
mortgage loans. Home
Finance and its owners
have agreed to pay the
State of NC $3,000 for
their violations.
Nov. 1, 2006......................... U.S. Army Cadet Command A laptop computer was 4,600 high school
(Fort Monroe, VA) 1- stolen that contained seniors.
866-423-4474 Email: the names, addresses,
mydata@ usaac.army.mil. telephone numbers,
birthdates, Social
Security numbers,
parent names, and
mother's maiden names
of applicants for the
Army's four-year ROTC
college scholarship.
Nov. 2, 2006......................... Colorado Dept. of Human On Oct. 14, a desktop Up to 1.4 million.
Services via computer was stolen
Affiliated Computer from a state
Services (ACS) contractor who
(Dallas, TX). For processes Colorado
questions, call ACS at child support payments
(800) 350-0399. for the Dept. of Human
Services. Computer
also contained the
state's Directory of
New Hires.
UPDATE (12/07/2006):
When initially posted
to this list, the
number 1.4 million was
not added to the total
because we could not
confirm if SSNs were
exposed. The PRC was
contacted by an
affected individual
today who confirmed
that names, addresses,
SSNs and dates of
birth were exposed.
Nov. 2, 2006......................... Greater Media, Inc. A laptop computer Unknown.
(Philadelphia, PA). containing the Social
Security numbers of
the radio broadcasting
company's current and
former employees was
stolen from their
Philadelphia offices.
Nov. 2, 2006......................... McAlester Clinic and Three disks containing 1,400 veterans.
Veteran's Affairs billing information,
Medical Center patient names and
(Muskogee, OK). Social Security
numbers, were lost in
the mail.
Nov. 2, 2006......................... Intermountain Health A computer was 6,244
Care (Salt Lake City, purchased at a second-
UT). hand store, Deseret
Industries, that
contained the names,
Social Security
numbers, employment
records, and other
personal information
about Intermountain
Health Care employees
employed there in 1999-
2000.
Nov. 2, 2006......................... Compulinx (White The CEO of Compulinx Up to 50 Compulinx
Plains, NY). was arrested for employees.
fraudulently using
employees' names,
addresses, Social
Security numbers and
other personal
information for credit
purposes. (It is
unclear whether
customers' data was
also used).
Nov. 3, 2006......................... University of Virginia Due to a computer 632 students.
(Charlottesville, VA). programming error,
Student Financial
Services sent e-mail
messages to students
containing 632 other
students' Social
Security numbers.
Nov. 3, 2006......................... West Shore Bank Customers' debit cards About 1,000.
(Ludington, MI). and possibly credit
cards were compromised
from a security break
last summer at a
common MasterCard
point-of-purchase
provider.
Nov. 3, 2006......................... Wesco (Muskegon, MI)... Wesco gas stations Unknown.
experienced a breach
in credit card
transactions from July
25-Sept. 7 resulting
in inaccurate charges
to customer accounts.
Nov. 3, 2006......................... Starbucks Corp. Starbucks lost track of 60,000 current and
(Seattle, WA) 1-800- four laptop computers. former U.S. employees
453-1048. Two held employee and about 80 Canadian
names, addresses, and workers and
Social Security contractors.
numbers.
Nov. 3, 2006......................... Several Joliet area Motel owners and Unknown.
motels (Joliet, IL). employees allegedly
stole and sold
customers' credit card
numbers.
Nov 7, 2006.......................... City of Lubbock Hackers broke into the 5,800
(Lubbock, TX). city's web site and
compromised the online
job application
database, which
included Social
Security numbers.
Nov. 9, 2006......................... Four ARCO gas stations From Sept. 29 to Oct. At least 440.
(Costa Mesa, CA) 9, thieves used card
(Westminster, CA) skimmers to steal bank
(Torrance, CA). account numbers and
PIN codes from gas
station customers and
used the information
to fabricate debit
cards and make ATM
withdrawals.
Nov. 10, 2006........................ KSL Services, Inc. (Los A disk containing the Approximately 1,000.
Alamos, NM). personal information
of approximately 1,000
KSL employees is
missing. KSL is a
contractor for Los
Alamos National
Laboratory.
Nov. 13, 2006........................ Connors State College On Oct. 15, a laptop Considerably more than
(Warner, OK) (918) 463- computer was 22,500.
6267 discovered stolen from
[email protected] the college. (It has
du. since been recovered
by law enforcement).
The computer contains
Social Security
numbers and other data
for Connors students
plus 22,500 high
school graduates who
qualify for the
Oklahoma Higher
Learning Access
Program scholarships.
Nov. 15, 2006........................ Internal Revenue According to 2,359
Service (Washington, document(s) obtained
DC). under the Freedom of
Information Act, 478
laptops were either
lost or stolen from
the IRS between 2002
and 2006. 112 of the
computers held
sensitive taxpayer
information such as
SSNs.
UPDATE (04/05/07): A
report by the Treasury
Inspector General for
Tax Administration
noted that at least
490 IRS computers have
been stolen or lost
since 2003 in 387
security breach
incidents that
potentially
jeopardized tax
payers' personal
information.
UPDATE (04/17/07): The
Inspector General's
assessment of 20
buildings in 10 cities
discovered four
separate locations at
which hackers could
have easily gained
access to IRS
computers and taxpayer
data using wireless
technology.
Nov. 16, 2006........................ American Cancer Society An unspecified number Unknown.
(Louisville, KY, of laptop computers
offices, HQ in were stolen from the
Atlanta, GA) If you Louisville offices of
have tips, call (502) the American Cancer
574-5673. Society. It is not
clear what personal
information was
exposed, if any.
Nov. 16, 2006........................ Carson City residents The Sheriff's 50
(Carson City, NV). Department reported
that at least 50
residents had their
credit card
information stolen by
employees of local
businesses. The
employees apparently
sell the account
information to
international crime
rings that produce
counterfeit cards. The
crime is called
``skimming.''.
Nov. 17, 2006........................ Jefferson College of An email containing the 143
Health Sciences names and SSNs of 143
(Roanoke, VA). students intended for
one employee was
inadvertently sent to
the entire student
body of 900.
Nov. 17, 2006........................ Automatic Data ADP sent paperwork for Unknown.
Processing (ADP) a small Wisconsin
(Roseland, NJ). company to a Cordova,
TN coffee house. The
paperwork contained
names, birth dates,
SSNs, addresses,
salaries, and bank
account and routing
numbers.
Nov. 20, 2006........................ Administration for More than 200 case 200 case files (not
Children's Services files from the included in Total
(New York, NY). Emergency Children's because it is not
Services Unit of ACS clear if SSNs were
were found on the exposed).
street in a plastic
garbage bag. The files
contain sensitive
information of
families, social
workers and police
officers.
Nov. 25, 2006........................ Indiana State Two computers stolen 7,700
Department of Health from an Indiana state
via Family Health health department
Center of Clark County contractor contained
(Jeffersonville, IN). the names, addresses,
birth dates, SSNs and
medical and billing
information for more
than 7,500 women. The
data were collected as
part of the state's
Breast and Cervical
Cancer Program.
Nov. 27, 2006........................ Johnston County, NC.... Personal data, Unknown.
including SSNs, of
thousands of
taxpayers, were
inadvertently posted
on the county web
site. The information
was removed from the
site within an hour
after officials became
aware of the situation.
Nov. 27, 2006........................ Greenville County School district At least 101,000
School District computers sold to the students and
(Greenville, SC). WH Group at auctions employees.
between 1999 and early
2006 contained the
birth dates, SSNs,
driver's license
numbers and Department
of Juvenile Justice
records of
approximately 100,000
students. The
computers also held
sensitive data for
more than 1,000 school
district employees.
UPDATE (12/10/06): A
judge ordered the WH
Group to return the
computers and the
confidential data on
them to the school
district.
Nov. 27, 2006........................ Chicago Public Schools A company hired to 1,740 former Chicago
via All Printing & print and mail health Public School
Graphics, Inc. insurance information employees.
(Chicago, IL). to former Chicago
Public School
employees mistakenly
included a list of the
names, addresses and
SSNs of the nearly
1,740 people receiving
the mailing. Each
received the 125-page
list of the 1,740
former employees.
Nov. 28, 2006........................ Kaiser Permanente A laptop was stolen 38,000 (not included in
Colorado--its Skyline from the personal car total, because SSNs
and Southwest offices of a Kaiser employee were apparently not
(Denver, CO) For in California on Oct. exposed).
members who have 4. It contained names,
questions: (866) 529- Kaiser ID number, date
0813. of birth, gender, and
physician information.
The data did not
include SSNs.
Nov. 28, 2006........................ Cal State Los Angeles, An employee's USB drive 2,534
Charter College of was inside a purse
Education (Los stolen from a car
Angeles, CA) (800) 883- trunk. It contained
4029. personal information
on 48 faculty members
and more than 2,500
students and
applicants of a
teacher credentialing
program. Information
included names, SSNs,
campus ID numbers,
phone numbers, and e-
mail addresses.
Nov. 30, 2006........................ Pennsylvania Dept. of Thieves stole equipment 11,384
Transportation from a driver's
(Hanover township license facility late
driver's license evening Nov. 28,
facility, Dunmore, PA) including computers
Affected individuals containing personal
can call (800) PENNDOT information on more
if you have questions. than 11,000 people.
Call PA Crimestoppers Information included
if you have tips, names, addresses,
(800) 4PATIPS, reward dates of birth,
offered. driver's license
numbers and both
partial and complete
SSNs (complete SSNs
for 5,348 people).
Also stolen were
supplies used to
create drivers
licenses and photo
IDs. The state
maintains 97 driver's
license facilities.
Nov. 30, 2006........................ TransUnion Credit Four different scam ``more than 1,700
Bureau via Kingman, companies downloaded people''.
AZ, court office. the credit information
of more than 1,700
individuals, including
their credit histories
and SSNs. They were
able to illegitimately
obtain the password to
the TransUnion account
held by the Kingman,
AZ, court office,
which apparently has a
subscription to the
bureau's services.
Dec. 1, 2006......................... TD Ameritrade According to a letter about 300 current and
(Bellevue, NE) (201) sent to employees, a former employees.
369-8373. laptop was removed
(presumably stolen)
from the office Oct.
18, 2006, that
contained unencrypted
information including
names, addresses,
birthdates, and SSNs.
Dec. 2, 2006......................... Gundersen Lutheran A Medical Center Unknown.
Medical Center employee used patient
(LaCrosse, WI). information, including
SSNs and dates of
birth, to apply for
credit cards in their
names. As patient
liaison, her duties
included insurance
coverage,
registration, and
scheduling
appointments. She was
arrested for 37 counts
of identity theft, and
was convicted of
identity theft and
uttering forged
writing, according to
the criminal complaint.
Dec. 3, 2006......................... City of Grand Prairie Employees of the city ``hundreds of
(Grand Prairie, TX). of Grand Prairie were employees''.
notified that personal
records were exposed
on the city's Web site
for at least a year.
Included were the
names and SSNs of
``hundreds of
employees.'' The
information has since
been removed. The city
had been working with
a contractor on a
proposal for workers'
compensation
insurance. Along with
the proposal, names
and SSNs were
mistakenly listed.
Dec. 5, 2006......................... Army National Guard A laptop was stolen Unknown.
130th Airlift Wing from a member of the
(Charleston, WV). unit while he was
attending a training
course. It contained
names, SSNs, and birth
dates of everyone in
the 130th Airlift Wing.
Dec. 5, 2006......................... Nassau Community A printout is missing 21,000 students.
College (Garden City, that contans
NY). information about each
of NCC's 21,000
students, including
names, SSNs,
addresses, and phone
numbers. It
disappeared from a
desk in the Student
Activities Office.
Dec. 5, 2006......................... H&R Block.............. Many past and present Unknown.
customers received
unsolicited copies of
the program TaxCut
that displayed their
SSN on the outside.
Dec. 6, 2006......................... Premier Bank (Columbia, A report was stolen the 1,800 customers.
MO, with HQ in evening of Nov. 16
Jefferson City, MO). from the car of the
bank's VP and CFO
while employees were
celebrating an award
received by the bank.
The document contained
names and account
numbers of customers,
but reportedly no SSNs.
Dec. 8, 2006......................... Segal Group of New Names and SSNs of ``several hundred,
York, via web site of ``several hundred'' likely more'' health
Vermont state agency physicians, care providers.
used to call for bids psychologists and UPDATE (1/14/07): SSNs
on state contracts other health care of ``more than 1,100
(Montpelier, VT). providers were doctors,
mistakenly posted psychotherapists and
online by Segal Group, other health
a contractor hired by professionals'' were
the state to put its exposed.
health management
contract out for bid.
The information was
posted from May 12 to
June 19. It was
discovered when a
doctor found her own
SSN online.
Dec. 9, 2006......................... Virginia Commonwealth Personal information of 561 students.
University (Richmond, 561 students was
VA). inadvertently sent as
attachments on Nov. 20
in an e-mail,
including names, SSNs,
local and permanent
addresses and grade-
point averages. The e-
mail was sent to 195
students to inform
them of their
eligibility for
scholarships.
Dec. 12, 2006........................ University of Hacker(s) gained access 800,000
California--Los to a UCLA database
Angeles (Los Angeles, containing personal
CA) Affected information on current
individuals can call and former students,
UCLA at (877) 533- current and former
8082. faculty and staff,
www.identityalert.ucla parents of financial
.edu. aid applicants, and
student applicants,
including those who
did not attend.
Exposed records
contained names, SSNs,
birth dates, home
addresses, and contact
information. About
3,200 of those
notified are current
or former staff and
faculty of UC Merced
and current and former
staff of UC's Oakland
headquarters.
Dec. 12, 2006........................ University of Texas-- The University 35,000 current and
Dallas (Dallas, TX) discovered that former students,
Affected individuals personal information faculty, staff, and
can call (972) 883- of current and former others.
4325. www.utdallas.edu/ students, faculty
datacompromise/ members, and staff may
form.html. have been exposed by a
computer network
intrusion--including
names, SSNs, home
addresses, phone
numbers and e-mail
addresses.
UPDATE (12/14/06): The
number of people
affected was first
thought to be 5,000,
but was increased to
6,000.
UPDATE (01/19/07):
Officials now say
35,000 individuals may
have been exposed.
Dec. 12, 2006........................ Aetna/Nationwide/ A lockbox holding 130,000 plus 42,000
Wellpoint Group Health personal information reported later plus
Plans via Concentra of health insurance 28,279 reported later.
Preferred Systems customers was stolen
(Dayton, OH). Oct. 26. Thieves broke
into an office
building occupied by
insurance company
vendor, Concentra
Preferred Systems. The
lockbox contained
computer backup tapes
of medical claim data
for Aetna and other
Concentra health plan
clients. Exposed data
includes member names,
hospital codes, and
either SSNs or Aetna
member ID numbers.
SSNs of 750 medical
professionals were
also exposed.
Officials downplay the
risk by stating that
the tapes cannot be
used on a standard PC.
UPDATE (12/23/06): The
lockbox also contained
tapes with personal
information of 42,000
NY employees insured
by Group Health
Insurance Inc.).
UPDATE (1/24/07):
Personal data of
28,279 Nationwide's
Ohio customers were
also compromised.
Dec. 13, 2006........................ Boeing (Seattle, WA)... In early December, a 382,000 current and
laptop was stolen from former employees.
an employee's car.
Files contained names,
salary information,
SSNs, home addresses,
phone numbers and
dates of birth of
current and former
employees.
UPDATE (12/14/06):
Boeing fired the
employee whose laptop
was stolen.
UPDATE (1/26/07): The
laptop was recovered.
NOTE:................................ The 100 million mark Click here for a news Please note: The number
was reached Dec. 13, story in IDG about refers to *records,*
2006. this dubious NOT persons. Many
milestone. And read individuals have
Poulsen and Singel in experienced more than
Wired Blogs. Here is one breach. For a
an article from commentary by
VNUnet, and another PogoWasRight on this
from Washington Post. matter, click here.
Read also the NY Times
and GovExec.
The major source for
the breaches reported
in this list is the
list-serve and web
site of Attrition.org.
Dec. 14, 2006........................ Electronic Registry On Nov. 23, 2006, two More than 63,000
Systems affecting computers (one patients.
Emory University desktop, one laptop)
(Emory Hospital, Emory were stolen from
Crawford Long Electronic Registry
Hospital, Grady Systems, a business
Memorial Hospital), contractor in suburban
Geisinger Health Springdale, OH, that
System (Pennyslvania), provides cancer
Williamson Medical patient registry data
Center (Nashville, TN). processing services.
It contained the
personal information
(name, date of birth,
Social Security
number, address,
medical record number,
medical data and
treatment information)
of cancer patients
from hospitals in
Pennsylvania ,
Tennessee , Ohio and
Georgia , dating back
to 1977 at some
hospitals.
UPDATE (1/14/07): The
number of affected
patients was increased
from 25,000 to 63,000.
Dec. 14, 2006........................ Riverside High School Two students discovered ``thousands of school
(Durham, NC). a breach in the employees''.
security of a Durham
Public Schools
computer as part of a
class assignment. They
reported to school
officials that they
were able to access a
database containing
SSNs and other
personal information
of thousands of school
employees. The home of
one student was
searched by Sheriff's
deputies and the
family computer was
seized.
Dec. 14, 2006........................ St. Vrain Valley School Paper records 600 students.
District (Longmont, containing student
CO). information were
stolen, along with a
laptop, from a nurse's
car Nov. 20. Personal
information included
students' names, dates
of birth, names of
their schools, what
grade they are in,
their Medicaid number
(presumably SSNs), and
their parents' names.
The laptop contained
no personal data.
Dec. 14, 2006........................ Bank of America A former contractor for Unknown.
(Charlotte, NC). Bank of America
unauthorizedly
accessed the personal
information (name,
address, phone number,
Social Security
number) of an
undisclosed number of
customers, for the
purpose of committing
fraud.
Dec. 15, 2006........................ University of Colorado-- A server in the 17,500
Boulder, Academic Academic Advising
Advising Center Center was the subject
(Boulder, CO) of a hacking attack.
www.colorado.edu. Personal information
exposed included names
and SSNs for
individuals who
attended orientation
sessions from 2002-
2004. CU-Boulder has
since ceased using
SSNs as identifiers
for students, faculty,
staff, and
administrators.
Dec. 15, 2006........................ City of Wickliffe Hackers breached 125 employees.
(Wickliffe, OH). security in one of the
city's three computer
servers containing
personal information
on some city
employees, including
names and SSNs.
Dec. 19, 2006........................ Mississippi State SSNs and other personal 2,400 students and
University (Jackson, information were emplolyees.
MS). ``inadvertently''
posted on a publicly
accessible MSU Web
site. The breach was
discovered ``last
week'' and the
information has since
been removed.
Dec. 20, 2006........................ Lakeland Library Personal information of 15,000 library users.
Cooperative--serving 15,000 library users
80 libraries in 8 in West Michigan was
counties (Grand displayed on the
Rapids, MI). Cooperative's Web site
due to a technical
problem. Information
exposed included
names, phone numbers,
e-mail addresses,
street addresses, and
library card numbers.
Children's names were
also listed along with
their parents' names
on a spreadsheet
document. The
information has since
been removed.
Dec. 20, 2006........................ Big Foot High School Personal information 87 current and former
(Walworth, WI). was accidentally employees.
exposed on the High
School's Web site for
a short time, perhaps
for about 36 minutes,
according to a report.
Information included
last names, SSNs, and
birthdates.
Dec. 20, 2006........................ Lake County residents, A Chicago man 27 residents of Lake
plus Major League apparently removed County plus about 90
Baseball players documents from a trash current and retired
(Northbrook, IL). bin outside SFX Major League Baseball
Baseball Inc., a players for a total of
sports agency that 117 individuals.
deals with Major
League Baseball. He
used information found
on those documents to
commit identity theft
on at least 27 Lake
County residents.
Information found
during a search of the
thief's home included
SSNs, birthdates,
canceled paychecks,
obituaries, and infant
death records.
Dec. 20, 2006........................ Deb Shops, Inc. A hacker illegally Unknown.
(Philadelphia, PA) accessed company Web
(800) 460-9704. pages and a related
data base used for
Internet-based
purchases. The
intruder may have
accessed customers'
credit card
information including
names on cards and
credit card numbers.
Dec. 21, 2006........................ Santa Clara County A computer stolen from 2,500
employment agency the agency holds the
(Santa Clara County, SSNs of approximately
CA). 2,500 individuals.
Dec. 22, 2006........................ Texas Woman's A document containing 15,000 students.
University (Dallas, names, addresses and
Denton, and Houston, SSNs of 15,000 TWU
TX). students was
transmitted over a non-
secure connection.
Dec. 27, 2006........................ Montana State A student working in 259 students.
University (Bozeman, the loan office
MT). mistakenly sent
packets containing
lists of student
names, Social Security
numbers, and loan
information to other
students.
Dec. 28, 2006........................ U.S. State Department.. A bag containing 700 (not included in
approximately 700 total.)
completed passport
applications was
reported missing on
December 1. The bag,
which was supposed to
be shipped to
Charlotte, NC, was
found later in the
month at Los Angeles
International Airport.
Dec. 30, 2006........................ KeyCorp (Cleveland, OH) A laptop computer 9,300
stolen from a KeyCorp
vendor contains
personally
identifiable
information, including
SSNs, of 9,300
customers in six
states.
----------------------------------------------------------------------------------------------------------------
2007
----------------------------------------------------------------------------------------------------------------
Jan. 1, 2007......................... Wisconsin Dept. of Tax forms were mailed 171,000 taxpayers.
Revenue via Ripon to taxpayers in which
Printers (Madison, WI) SSNs were
(608) 224-5163 inadvertently printed
www.privacy.wi.gov. on the front of some
Form 1 booklets. Some
were retrieved before
they were mailed.
Jan. 2, 2007......................... Deaconess Hospital A computer missing from 128 patients.
(Evansville, IN). the hospital holds
personal information,
including SSNs, of 128
respiratory therapy
patients.
Jan. 2, 2007......................... Notre Dame University A University Director's Unknown.
(Notre Dame, IN, South laptop was stolen
Bend, IN). before Christmas. It
contained personal
information of
employees, including
names, SSNs, and
salary information.
Jan. 2, 2007......................... News accounts are not About 40 boxes of Unknown.
clear as to source, financial paperwork,
but thought to be a thought to be from
realty office (Las loan applications, was
Vegas, NV). found in a dumpster.
One of the boxes
visible to news
reporters was said to
contain paperwork with
bank account details,
photocopies of
driver's licenses,
SSNs and ``other
private information.''.
Jan. 4, 2007......................... Selma, NC, Water A laptop stolen from Unknown.
Treatment Plant the water treatment
(Johnston County, NC). facility holds the
names and SSNs of
Selma volunteer
firefighters.
Jan. 4, 2007......................... Unnamed medical center, An individual found Unknown.
via Newark Recycling unshredded medical
Center (Stockton, CA). records in 36 boxes at
the Newark Recycling
Center.
Jan. 5, 2007......................... Dr. Baceski's office, A hard drive was stolen ``hundreds of
internal medicine containing personal patients''.
(Somerset, PA). information on
``hundreds of
patients.''.
Jan. 9, 2007......................... Altria, the parent 5 laptops were stolen 18,000 past and present
company of Philip from Towers Perrin, employees, presumably
Morris (Kraft Foods), allegedly by a former of Altria (total
also United employee. The theft number of affected
Technologies, via occurred Nov. 27, individuals is
benefits consultant, 2006. The computers unknown).
Towers Perrin. (New contain names, SSNs,
York, NY). and other pension-
related information,
presumably of several
companies, although
news reports are not
clear.
UPDATE (1/11/07): NY
police arrested ``a
junior-level
administrative
employee'' of the
company in the theft
of the laptops.
Jan. 10, 2007........................ University of Arizona Breaches occurred in Unknown.
(Tucson, AZ). November and December
2006 that affected
services with UA
Student Unions,
University Library,
and UA Procurement and
Contracting Services.
Some services were
shut down for several
days.
Jan. 11, 2007........................ University of Idaho, Over Thanksgiving 70,000
Advancement Services weekend, 3 desktop
office (Moscow, ID) computers were stolen
(866) 351-1860 from the Advancement
www.identityalert. Services office
uidaho.edu. containing personal
information of alumni,
donors, employees, and
students. 331,000
individuals may have
been exposed, with as
many as 70,000 records
containing SSNs, names
and addresses.
Jan. 12, 2007........................ MoneyGram International MoneyGram, a payment 79,000
(Minneapolis, MN). service provider,
reported that a
company server was
unlawfully accessed
over the Internet last
month. It contained
information on about
79,000 bill payment
customers, including
names, addresses,
phone numbers, and in
some cases, bank
account numbers.
Jan. 13, 2007........................ North Carolina Dept. of A laptop computer 30,000 taxpayers.
Revenue (Raleigh, NC). containing taxpayer
data was stolen from
the car of a NC Dept.
of Revenue employee in
mid-December. The
files included names,
SSNs or federal
employer ID numbers,
and tax debt owed to
the state.
Jan. 16, 2007........................ University of New At least 3 computers Unknown.
Mexico (Albuquerque, and 4 monitors were
NM). stolen from the
associate provost's
office overnight
between Jan. 2 and 3.
They may have included
faculty members' names
and SSNs.
Jan. 17, 2007........................ TJ stores (TJX), The TJX Companies Inc. 45,700,000 credit and
including TJMaxx, experienced an debit card account
Marshalls, Winners, ``unauthorized numbers.
HomeSense, AJWright, intrusion'' into its 455,000 merchandise
TKMaxx, and possibly computer systems that return records
Bob's Stores in U.S. & process and store containing customer
Puerto Rico--Winners customer transactions names and driver's
and HomeGoods stores including credit card, license numbers.
in Canada--and debit card, check, and
possibly TKMaxx stores merchandise return
in UK and Ireland transactions. It
(Framingham, Mass.) discovered the
U.S.: Call (866) 484- intrusion mid-December
6978 Canada: (866) 903- 2006. Transaction data
1408 U.K. & Ireland: from 2003 as well as
0800 77 90 15 mid-May through
www.tjx.com. December 2006 may have
been accessed.
According to its Web
site, TJX is ``the
leading off-price
retailer of apparel
and home fashions in
the U.S. and
worldwide.''.
UPDATE (2/22/07): TJX
said that while it
first thought the
intrusion took place
from May 2006 to
January 2007, it now
thinks its computer
system was also hacked
in July 2005 and on
``various subsequent
dates'' that year.
UPDATE (3/21/07):
Information stolen
from TJX's systems was
being used
fraudulently in
November 2006 in an $8
million gift card
scheme, one month
before TJX officials
said they learned of
the breach, according
to Florida law
enforcement officials.
UPDATE (3/29/07): The
company reported in
its SEC filing that
45.7 million credit
and debit card numbers
were hacked, along
with 455,000
merchandise return
records containing
customers' driver's
license numbers,
Military ID numbers or
Social Security
numbers.
UPDATE (4/22/07):
Initially, TJX said
the break-in started
seven months before it
was discovered. Then,
on Feb. 18, the
company noted the
perpetrators had
access to data for 17
months, and apparently
began in July 2005.
UPDATE (04/26/07):
Three states' banking
associations (MA, CT,
and ME) filed a class
action lawsuit against
TJX to recover the
costs of damages
totaling ``tens of
millions of dollars''
incurred for replacing
customers' debit and
credit cards.
UPDATE (05/04/07): An
article in the WSJ
notes that because TJX
had an outdated
wireless security
encryption system, had
failed to install
firewalls and data
encryption on
computers using the
wireless network, and
had not properly
install another layer
of security software
it had bought, thieves
were able to access
data streaming between
hand-held price-
checking devices, cash
registers and the
store's computers. 21
U.S. and Canadian
lawsuits seek damages
from the retailer for
reissuing compromised
cards.
Jan. 17, 2007........................ Rincon del Diablo 2 computers were stolen 500 customers.
Municipal Water from the district
District (Escondido, office. One included
CA, plus names and credit card
unincorporated numbers of customers.
neighborhoods outside
the city, and parts of
San Marcos and San
Diego, CA) (760) 745-
5522.
Jan. 18, 2007........................ KB Home (Charleston, A computer was stolen 2,700
SC). from one of the home
builder's offices. It
likely contained
names, addresses, and
SSNs of people who had
visited the sales
office for Foxbank
Plantation in Berkeley
County near Charleston.
Jan. 19, 2007........................ U.S. Internal Revenue 26 IRS computer tapes Unknown.
Service via City of containing taxpayer
Kansas City (Kansas information were
City, MO). reported missing after
they were delivered to
City Hall. They
potentially contain
taxpayers' names,
SSNs, bank account
numbers, or employer
information. The 26
tapes were the entire
shipment received by
the City last August.
The disappearance was
noticed late December
2006.
Jan. 22, 2007........................ U.S. Dept. of Veteran's Folders of veterans' Unknown.
Affairs (Seattle, WA). personal information
were stolen from a
locked car in
Bremerton, WA. News
stories are not clear
on the type of
information contained
in the folders.
Jan. 22, 2007........................ Chicago Board of About 100 computer 1.3 million voters.
Elections (Chicago, discs (CDs) with 1.3
IL). million Chicago
voters' SSNs were
mistakenly distributed
to aldermen and ward
committeemen. CDs also
contain birth dates
and addresses.
Jan. 23, 2007........................ Rutgers-Newark An associate 200 students.
University, Political professor's laptop was
Science Dept. (Newark, stolen, containing
NJ). names and SSNs of 200
students. Rutgers no
longers uses SSNs as
student IDs, but
student IDs from past
years are still SSNs.
Jan. 25, 2007........................ Clay High School A former high school Unknown.
(Oregon, OH). student obtained
sensitive staff and
student information
through an apparent
security breach. The
data was copied onto
an iPod and included
names, birth dates,
SSNs, addresses, and
phone numbers.
Jan. 25, 2007........................ Ohio Board of Nursing The agency's Web site 3,031 newly licensed
(Columbus, OH). posted names and SSNs nurses.
of newly licensed
nurses twice in the
past 2 months. SSNs
were supposed to have
been removed before
posting.
Jan. 25, 2007........................ Washiawa Women, Infants A WIC employee 11,500 current and
and Children program apparently stole the former clients.
(WIC) (Honolulu, HI) personal information
(808) 586-8080 of agency clients,
www.hawaii.gov. including SSNs, and
committed identity
theft on at least 3
families and perhaps 2
more. The Health
Director said the
agency will no longer
use SSNs in its data
base.
Jan. 26, 2007........................ Indiana Dept. of The names and SSNs of 4,000 employees.
Transportation INDOT employees were
(Indianapolis, IN). inadvertently posted
on an internal network
computer drive
sometime between Sept.
6 and Dec. 4, 2006.
Jan. 26, 2007........................ Vanguard University On Jan. 16, 2 computers 5,015 financial aid
(Costa Mesa, CA) (800) were discovered stolen applicants for 2005-
920-7312 from the financial aid 2006 and 2006-2007
www.identityalert. office. Data included school years.
vanguard.edu. names, SSNs, dates of
birth, phone numbers,
driver's license
numbers, and lists of
assets.
Jan. 26, 2007........................ WellPoint's Anthem Blue Cassette tapes 196,000 customers.
Cross Blue Shield containing customer
(Virginia) (800) 284- information were
9779. stolen from a lock box
held by one of its
vendors. Data included
names and SSNs.
Jan. 26, 2007........................ Chase Bank and the A Bossier woman bought 4,100 current and
former Bank One, now a used desk from a former employees
merged (Shreveport, furniture store. She ``from all over
LA). discovered a 165-page Louisiana.''
spread sheet in a
drawer that included
names and SSNs of bank
employees. The
document was returned
to the bank.
Jan. 26, 2007........................ Eastern Illinois A desktop computer was 1,400 currently
University stolen from the enrolled students.
(Charleston, IL). Student Life office
containing membership
rosters--including
SSNs, birthdates, and
addresses--of the
University's 23
fraternities and
sororities. A hard
drive and memory from
2 other computers were
also stolen.
Jan. 29, 2007........................ Mendoza College of A file of individuals Unknown.
Business, Notre Dame who took the GMAT test
University (Notre (Graduate Management
Dame, IN, South Bend, Admissions Test) was
IN). mistakenly left on a
computer that was
decommissioned. The
computer was later
reactivated and
plugged into the
Internet. Its files
were available through
a file-sharing
program. Data included
names, scores, SSNs
and demographic
information from 2001.
Feb. 2, 2007......................... Massachusetts Dept. of A former state 1,200 people who
Industrial Accidents contractor allegedly submitted claims.
(Boston, MA) (800) 323- accessed a workers'
3249 ext. 560 compensation data file
www.mass.gov/dia. and stole personal
information, including
SSNs. The thief used
the data to commit
identity theft on at
least 3 individuals.
Feb. 2, 2007......................... Indian Consulate via Visa applications and Unknown.
Haight Ashbury other sensitive
Neighborhood Council documents were
recycling center (San accessible for more
Francisco, CA). than a month in an
open yard of a
recycling center.
Information included
applicants' names,
addresses, phone
numbers, birthdates,
professions,
employers, passport
numbers, and photos. A
sampling of documents
indicated that the
paperwork included
everyone who applied
in the Western states
from 2002-2005.
Applicants were
current and former
executives of major
Bay Area companies
that have operations
in India.
Feb. 2, 2007......................... Wisconsin Assembly A document containing 109 Assembly members
(Madison, WI). personal information and aides.
of Wisconsin Assembly
members was stolen
from a legislative
employee's car while
she was exercising at
a local gym. It
contained names,
addresses, and SSNs.
Feb. 2, 2007......................... University of Missouri, A hacker broke into a 3,799
Research Board Grant UM computer server mid-
Application System January and might have
(Columbia, MO). accessed personal
information, including
SSNs, of 1,220
researchers on 4
campuses. The
passwords of 2,579
individuals might also
have been exposed.
Feb. 2, 2007......................... New York Dept. of State The agency's Web site Unknown.
(Albany, NY). posted commercial loan
documents that
mistakenly contained
SSNs. The forms are
posted to let lenders
know the current
financial status of
loan recipients.
Feb. 2, 2007......................... U.S. Dept. of Veteran's An employee reported a 48,000 veterans
Affairs, VA Medical portable hard drive UPDATE (2/10/07): VA
Center (Birmingham, stolen or missing that increases number of
AL) (877) 894-2600. might contain personal affected veterans to
information about 535,000, included in
veterans including the total below
Social Security UPDATE (2/12/07): VA
numbers. reported that billing
UPDATE (3/19/07): The information for 1.3
VA's Security million doctors was
Operations Center has also exposed,
referred 250 incidents including names and
since July 2006 to its Medicare billing
inspector general, codes, not included in
which has led to 46 the total below.
separate
investigations.
Feb. 3, 2007......................... CTS Tax Service The computer and hard 800
(Cassopolis, MI). drive of a tax
preparation company
were stolen. Data
included names, bank
account numbers,
routing numbers,
birthdates, SSNs, and
addresses.
Feb. 6, 2007......................... NY Dept. of Labor Laptop computer 537
(Glenn Falls, NY). containing personal
information for people
who were employed by
13 Capital Region
businesses stolen from
state tax auditor's
apartment.
Feb. 6, 2007......................... Metro Credit Services Files of the defunct ``thousands.''
(Hurst, TX). bill collection
company containing
medical records, phone
bills and Social
Security numbers were
found in a trash bin.
Feb. 7, 2007......................... University of Nebraska An employee 72
(Lincoln, NE). accidentally posted
SSNs of 72 students,
professors, and staff
on UNL's public Web
site where they
remained for 2 years.
They have since been
removed.
Feb. 7, 2007......................... Johns Hopkins Johns Hopkins reported 52,000 past and present
University and Johns the disappearance of 9 employees plus 83,000
Hopkins Hospital backup computer tapes patients.
(Baltimore, MD). containing personal
information of
employees and
patients, Eight of the
tapes contained
payroll information on
52,000 past and
present employees,
including SSNs and in
some cases bank
account numbers. The
9th tape contained
``less sensitive''
information about
83,000 hospital
patients.
Feb. 7, 2007......................... Front Range Ski Shop The shop's Web site was 15,000 customers.
(Denver, CO). broken into and
customer information
including credit card
account data may have
been accessed.
Feb. 7, 2007......................... A Toronto, Ontario, Credit card data for The number is not
residence (Canada). more than 35,000 included in the total
individuals from below because it is
across North America not known how many of
were discovered by the affected
police when they individuals are from
executed a search the U.S.
warrant at a Toronto
residence. A man has
since been arrested on
fraud and
counterfeiting charges.
Feb. 7, 2007......................... Central Connecticut Social Security numbers 750 students.
State University (New of about 750 CCSU
Britain, CT). students were exposed
in the name and
address window on
envelopes mailed to
them. The envelopes
were not folded
correctly. They
contained IRS 1098T
forms.
Feb. 8, 2007......................... Piper Jaffrey W-2s sent to current ``more than 1,000
(Minneapolis, MN). and former employees employees''.
in January included
employees' Social
Security numbers on
the outside of the
envelope. Though the
numbers were not
identified as Social
Security numbers, they
followed the standard
XXX-XX-XXXX format.
Executives indicated
the mishap was an
error by a third-party
vendor.
Feb. 8, 2007......................... St. Mary's Hospital A laptop was stolen in 130,000
(Leonardtown, MD). December that
contained names, SSNs,
and birthdates for
many of the Hospital's
patients.
Feb. 9, 2007......................... East Carolina A programming error 65,000 students,
University resulted in personal alumni, and staff
(Greenville, NC) information of 65,000 members.
www.ecu.edu/incident/ individuals being
877-328-6660. exposed on the
University's Web site.
The data has since
been removed. Included
were names, addresses,
SSNs, and in some
cases credit card
numbers.
Feb. 9, 2007......................... Radford University, A computer security 2,400 children.
Waldron School of breach exposed the
Health and Human personal information,
Services (Radford, VA). including SSNs, of
children enrolled in
the FAMIS program,
Family Access to
Medical Insurance
Security.
Feb. 10, 2007........................ Official Indiana State A hacker gained access 5,600 individuals and
Web site www.IN.gov to the State Web site businesses and 71,000
(888) 438-8397 Email: and obtained credit health-care workers.
security;concerns@www. card numbers of
IN.gov. individuals who had
used the site's online
services and gained
access to Social
Security numbers for
71,000 health-care
workers.
UPDATE (3/22/07):
Investigators have
identified a teen they
believe hacked into
the IN.gov as a prank.
Feb. 14, 2007........................ Kaiser Medical Center A doctor's laptop was 22,000 patients, but
(Oakland, CA) (866) stolen from the apparently only 500
529-0779. Medical Center records contained SSNs
containing medical (the latter number is
information of 22,000 included in total
patients. But only 500 below).
records contained SSNs.
Feb. 14, 2007........................ Iowa Dept. of Education Up to 600 files of 600
G.E.D. recipients were
viewed when the online
database was hacked.
Files included names,
addresses, birthdates,
and SSNs of G.E.D.
graduates from 1965 to
2002.
Feb. 14, 2007........................ Conn. Office of the Personal information of 1,753
State Comptroller state employees
(Hartford, CT). including names and
Social Security
numbers was
inadvertently posted
on the Internet in a
spreadsheet of vendors
used by the state.
Feb. 15, 2007........................ City College of San Names, grades, and SSNs 11,000 students.
Francisco (San were posted on an
Francisco, CA) (800) unprotected Web site
436-0108 www.ccsf.edu. after summer session
in 1999. CCSF stopped
using SSNs as studens
IDs in 2002.
Feb. 19, 2007........................ Seton Healthcare A laptop with uninsured 7,800
Network (North Austin, patients' names, birth
TX). dates and Social
Security numbers was
stolen last week from
the Seton hospital
system. The uninsured
patients had gone to
Seton emergency rooms
and city health
clinics since July 1,
2005.
Feb. 19, 2007........................ Clarksville-Montgomery Staff and faculty 633
County middle and high Social Security
schools (Clarksville, numbers, used as
TN). employee
identification
numbers, were embedded
in file photos by the
company that took
yearbook pictures and
inadvertently placed
in a search engine on
school system's Web
site.
Feb. 19, 2007........................ Stop & Shop Credit and debit card Unknown.
Supermarkets (Rhode account information
Island and Southern including PIN numbers
MA) 877-366-2668. was stolen by high-
tech thieves who
apparently broke into
checkout-line card
readers and PIN pads
and tampered with them.
Feb. 19, 2007........................ Social Security Admin. Files of disability 13
(Milwaukee, WI). applicants containing
Social Security
numbers, addresses,
phone numbers of
family members, dates
of birth and work
history, and detailed
medical information
were lost/stolen when
a telecommuting
employee abandoned
them in a locked
filing cabinet at home
after a threat of
domestic violence.
Several of the files
were mailed back to
the local SSA office
months later; others
were found in a
dumpster recently, and
four were never
recovered.
Feb. 20, 2007........................ Back and Joint 20 boxes containing ``hundreds''.
Institute of Texas Social Security
(San Antonio, TX). numbers, photocopies
of driver's license
numbers, addresses,
phone numbers and
private medical
history of
chiropractic patients
were found in a
dumpster.
Feb. 21, 2007........................ Georgia Institute of Personal information of 3,000
Technology (Atlanta, former employees
GA) 404-894-2499 mostly in the School
[email protected]. of Electrical and
Computer Engineering
including names,
addresses, Social
Security number, other
sensitive information,
and about 400 state
purchasing card
numbers was
compromised by
unauthorized access to
a Georgia Tech
computer account.
Feb. 22, 2007........................ Speedmark (Woodlands, Thieves stole several 35,000
TX). computers, one of
which contained a
database with
personally identifying
information including
names, addresses, e-
mail accounts, and
Social Security
numbers of Speedmark's
mystery shopper
employees and
contractors.
Feb. 23, 2007........................ Rabun Apparel Inc., Names and Social 1,006
former subsidiary of Security numbers of
Fruit of the Loom former employees were
(Rabun Gap, GA). accessible on the
Internet from Jan. 15
until Feb. 20.
Feb. 28, 2007........................ Gulf Coast Medical Patient information 9,900
Center (Nashville, TN including names and
& Tallahassee, FL). Social Security
numbers was
compromised when two
computers went
missing. 1,900
individuals were
affected by a theft in
Nashville, TN in
November and 8,000
when another computer
was stolen in
Tallahassee in
February.
Mar. 1, 2007......................... Westerly Hospital Patient names, Social 2,242
(Westerly, RI). Security numbers,
contact information as
well as insurance
information were
posted on a publicly-
accessible Web site.
Mar. 2, 2007......................... Calif. Dept. of Health Benefit notification 54
Services (Sacramento, letters containing
CA). names addresses,
Medicare Part D plan
names and premium
payment amounts of
some individuals
enrolled in the
California AIDS Drug
Assistance Program
(ADAP) were mailed to
another enrollee.
Mar. 3, 2007......................... Metropolitan State A faculty member's 988
College of Denver laptop computer that
(Denver, CO) 866-737- contained the names
6622. and Social Security
numbers of former
students was stolen
from its docking
station on campus.
Mar. 3, 2007......................... Johnny's Selected Seeds Hacker accessed credit 11,500
(Winslow, ME). card account
information of online
customers. About 20
credit cards have been
used fraudulently.
Mar. 7, 2007......................... Los Rios Community Student information 2,000
College (Northern including Social
Calif.). Security numbers were
accessible on the
Internet after the
school used actual
data to test a new
onine application
process in October.
Mar. 7, 2007......................... U.S. Census Bureau Personal information of 302 households.
(Washington, D.C.). 302 households
including names,
addresses, phone
numbers, birth dates
and family income
ranges were posted on
a public Internet site
multiple times over a
five-month period from
October 2006 to Feb.
15, 2007 when Census
employees working from
home tested new
software records.
Mar. 9, 2007......................... California National A computer hard drive 1,300
Guard (Sacramento, CA). containing Social
Security numbers, home
addresses, birth dates
and other identifying
information of
California National
Guard troops deployed
to the U.S.-Mexico
border was stolen.
Mar. 10, 2007........................ University of Idaho A data file posted to 2,700
(Moscow, ID) the school's Web site
www.vandalidentity.net contained personal
888-900-3783. information including
names, birthdates and
Social Security
numbers of University
employees.
Mar. 12, 2007........................ Dai Nippon (Tokyo, A former contract Unknown.
Japan). worker of a Japanese
commercial printing
company stole nearly 9
million pieces of
private data on
customers from 43
clients. The stolen
data includes
confidential
information such as
names, addresses and
credit card numbers
intended for use in
direct mailing and
other printing
services. Customers of
U.S.-based American
Home Assurance Co. and
Toyota Motor were
affected.
Mar. 13, 2007........................ U.S. Dept. of A total of 95 USDA Unknown.
Agriculture computers were lost or
(Washington, D.C.). stolen between Oct. 1,
2005, and May 31,
2006. Some may have
contained personal
information such as
names, addresses,
Social Security
numbers and payment
information. Two-
thirds of the
computers contained
unencrypted data.
Mar. 14, 2007........................ Wellpoint's Empire Blue An unencrypted disc 75,000
Cross and Blue Shield containing patient's
unit in NY names, Social Security
(Indianapolis, IN) 800- numbers, health plan
293-3443. identification numbers
and description of
medical services back
to 2003 was lost en
route to a
subcontractor.
UPDATE (3/14/07): The
subcontrator reported
that the CD that was
reported missing on
Feb. 9 has been found.
Mar. 16, 2007........................ Ohio State Auditor A laptop containing 1,950
(Springfield, OH) personal information
www.spr.k12.oh.us of current and former
Click on Notification employees of
of Data Theft. Springfield City
Schools including
their names and Social
Security numbers was
stolen from a state
auditor employee's
vehicle while parked
at home in a garage.
Mar. 19, 2007........................ Science Applications Barrels filled with Unknown.
International Corp. thousands of sensitive
(SAIC) (Boise, ID). documents including
printed copies of e-
mail and performance
evaluations along with
documents marked
``internal use only--
not for public
release'' and ``for
official use only''
were found on the curb
outside of SAIC's
local office.
Mar. 20, 2007........................ Health Resources, Inc. From Jan 24, 2007 to 2,031
(Evansville, IN). Feb 6, 2007, a Web
site glitch allowed
employers with access
to private health
information to obtain
the name, address,
Social Security
number, dependent
names and birthdates
of other patients.
Mar. 20, 2007........................ Tax Service Plus (Santa Thieves stole the 4,000
Rosa, CA). company's backup
computer, which
contained financial
data on thousands of
tax returns dating
back three years.
Mar. 23, 2007........................ Group Health Two laptops containing 31,000
Cooperative Health names, addresses,
Care System (Seattle, Social Security
WA). numbers and Group
Health ID numbers of
local patients and
employees have been
reported missing.
Mar. 23, 2007........................ Swedish Urology Group Three computer hard ``hundreds''.
(Seattle, WA). drives with personal
files on hundreds of
local patients
including was stolen.
Mar. 26, 2007........................ Fort Monroe (Fort A laptop computer 16,000
Monroe, VA). containing the names,
Social Security
numbers and payroll
information for as
many as 16,000
civilian employees was
stolen from an
employee's personal
vehicle. Bank account
and bank routing
information were not
included.
Mar. 27, 2007........................ St. Mary Parish Personal information 380
(Centerville, LA). including Social
Security numbers of
St. Mary Parish public
school employees was
available on the
Internet when a
Yahoo!Web crawler
infiltrated the server
of the school's
technology department.
Mar. 28, 2007........................ RadioShack (Portland, 20 boxes of discarded Unknown.
TX). records including
sales receipts with
credit card numbers
spanning from 2001 to
2005 and personal
information of store
employees were found
in a dumpster.
UPDATE (04/03/07): The
Texas Attorney
General's Office filed
an action against the
Radio Shack store for
violating the state's
2005 Identity Theft
Enforcement and
Protection Act.
Mar. 28, 2007........................ TJX Companies--TJ Maxx See initial Jan. 17, See 1/17/07 posting.
and Marshalls. 2007 posting for
updated numbers and
summary of breach
information--45.7
million credit and
debit card numbers and
455,000 customer
return records.
Mar. 30 2007......................... Los Angeles County Three laptops 243,000
Child Support Services containing personal
(Los Angeles, CA). information including
about 130,500 Social
Security numbers--most
without names, 12,000
individuals' names and
addresses, and more
than 101,000 child
support case numbers
were apparently stolen
from the department's
office.
Mar. 30, 2007........................ Naval Station San Three laptops were Unknown.
Diego's Navy College reported missing that
Office (San Diego, CA) may contain Sailors'
(866) U-ASK-NPC. names, rates and
[email protected] ratings, Social
Security numbers, and
college course
information. The
compromise could
impact Sailors and
former Sailors
homeported on San
Diego ships from
January 2003 to
October 2005 and who
were enrolled in the
Navy College Program
for Afloat College
Education.
Mar. 30, 2007........................ Univ. of Montana-- A computer disk 400
Western (Dillon, MT). containing students'
Social Security
numbers, names, birth
dates, addresses and
other personal
information was stolen
from a professor's
office. The stolen
information belonged
to students enrolled
in the TRIO Student
Support Services
program, which offers
financial and personal
counseling and other
assistance.
Apr. 4, 2007......................... UC San Francisco (San An unauthorized party 46,000
Francisco, CA) (415) may have accesed the
353-8100) personal information
[email protected] including names,
http://oaais.ucsf.edu/ Social Security
notice. numbers, and bank
account numbers of
students, faculty, and
staff associated with
UCSF or UCSF Medical
Center over the past
two years by
compromising the
security of a campus
server.
Apr. 5, 2007......................... DCH Health Systems An encrypted disc and 6,000
(Tuscaloosa, AL). hardcopy documents
containing retirement
benefit information
including Social
Security numbers and
other personal
information were lost.
Tracking data
indicates the package
was delivered to the
addressee's building,
but the intended
recipient never
received the package.
Apr. 5, 2007......................... Security Title Agency Hackers defamed the Unknown.
(Phoenix, AZ). company's Web site and
may have accessed
customer information
which is stored on the
same server as the
site.
Apr. 6, 2007......................... Hortica (Edwardsville, A locked shipping case Unknown.
IL) (800) 851-7740 of backup tapes
securedata@hortica- containing personal
insurance.com. information including
names, Social Security
numbers, drivers'
license numbers, and
bank account numbers
is missing.
Apr. 6, 2007......................... Chicago Public Schools Two laptop computers 40,000
(Chicago, IL) (773) contain the names and
553-1142. Social Security
numbers of current and
former employees was
stolen from Chicago
Public Schools
headquarters.
Apr. 9, 2007......................... Turbo Tax.............. Using Turbo Tax online Unknown.
to access previous
returns, a Nebraska
woman was able to
access tax returns for
other Turbo Tax
customers in different
parts of the country.
The returns contained
personal information
needed to e-file
including bank account
numbers with routing
digits and Social
Security numbers.
Apr. 10, 2007........................ Georgia Dept. of A computer disk 2,900,000
Community Health containing personal
(Atlanta, GA) (866) information including
213-3969. addresses, birthdates,
dates of eligibility,
full names, Medicaid
or children's health
care recipient
identification
numbers, and Social
Security numbers went
missing from a private
vendor, Affiliated
Computer Services
(ACS), contracted to
handle health care
claims for the state.
Apr. 11, 2007........................ New Horizons Community A laptop computer that 9,000
Credit Union (Denver, contained personal
CO). information of members
who had loans with the
credit union was
stolen from Protiviti,
a consultant employed
by Bellco Credit Union
conducting due
diligence to prepare a
possible acquisition
bid.
Apr. 11, 2007........................ ChildNet (Ft. An organization 12,000
Lauderdale, FL). responsible for
managing Broward
County's child welfare
system believe a
dishonest former
employee stole a
laptop from the
agency's office. It
contains personal
information of
adoptive and foster-
care parents including
financial and credit
data, Social Security
numbers, driver's
license data and
passport numbers.
Apr. 11, 2007........................ Black Hills State Univ. Names and Social 56
(Spearfish, SD) (605) Security numbers of
642-6215. scholarship winners
were inadvertently
posted and publicly
available on the
university's web site.
Apr. 12, 2007........................ Bank of America A laptop containing ``limited'' number of
(Charlotte, NC). personal information people.
of current, former and
retired employees
including names,
addresses, dates of
birth and Social
Security numbers was
stolen when an
employee was a
``victim of a recent
break-in.''.
Apr. 12, 2007........................ Univ. of Pittsburgh, Personal information 88
Med. Center including names,
(Pittsburgh, PA). Social Security
numbers, and radiology
images of patients
were previously
included in two
medical symposium
presentations that
were posted on UPMC's
Web site. Though the
presentation was later
removed in 2005, the
presentations were
apparently
inadvertently re-
posted on the site and
only recently removed
again.
Apr. 12, 2007........................ GA Secretary of State 30 boxes of Fulton 75,000
(Atlanta, GA). County voter
registration cards
that contain names,
addresses and Social
Security numbers were
found in a trash bin.
Apr. 15, 2007........................ CVS Pharmacy (Liberty, The Attorney General of ``hundreds''.
TX). Texas filed a
complaint against CVS
Pharmacy for illegally
disposing of personal
information including
active debit and
credit card numbers,
complete with
expiration dates and
medical prescription
forms with customer's
name, address, date of
birth, issuing
physician and the
types of medication
prescribed. The
information was found
in a dumpster behind a
store that apparently
was being vacated.
Apr. 18, 2007........................ Ohio State Univ. A hacker accessed the 17,500
(Columbus, OH). names, Social Security
numbers, employee ID
numbers and birth
dates of 14,000
current and former
staff members. In a
separate incident, the
names, Social Security
numbers and grades of
3,500 former chemistry
students were on class
rosters housed on two
laptop computers
stolen from a
professor's home in
late February.
Apr. 18, 2007........................ Univ. of CA, San A computer file server 3,000
Francisco (San containing names,
Francisco, CA) (866) contact information,
485-8777 www.ucsf.edu/ and Social Security
alert. numbers for study
subjects and potential
study subjects related
to studies on causes
and cures for
different types of
cancer was stolen from
a locked UCSF office.
For some individuals,
the files also
included personal
health information.
Apr. 19, 2007........................ New Mexico State Univ. The names and Social 5,600
(Las Cruces, NM). Security numbers of
students who
registered online to
attend their
commencement
ceremonies from 2003
to 2005 were
accidentally posted on
the school's Web site
when an automated
program moved what was
supposed to be a
private file into a
public section of the
Web site.
Apr. 20, 2007........................ Los Alamos National The names and Social 550
Laboratory Security numbers of
(Alburquerque, NM). lab workers were
posted on a Web site
run by a subcontractor
working on a security
system.
Apr. 20, 2007........................ U.S. Agriculture Dept. The Social Security 37,000
(Washington, DC). numbers of people who
received loans or
other financial
assistance from two
Agriculture Department
programs were
disclosed since 1996
in a publicly
available database
posted on the Internet.
Apr. 21, 2007........................ Albertsons (Save Mart Credit and debit card 81
Supermarkets) numbers were stolen
(Alameda, CA) (510) using bogus checkout-
337-8340. line card readers
resulting in card
numbers processed at
those terminals being
captured and some to
be misused.
Apr. 23, 2007........................ Fed. Emergency Social Security numbers 2,300
Management Agency of Disaster Assistance
(FEMA) (Washington, Employees were printed
DC). on the outside address
labels of
reappointment letters.
Apr. 24, 2007........................ Purdue Univ. (West Personal information 175
Lafayette, IN) (866) including names and
307-8513. Social Security
numbers of students
who were enrolled in a
freshman engineering
honors course was on a
computer server
connected to the
Internet that had been
indexed by Internet
search engines and
consequently was
available to
individuals searching
the Web.
Apr. 24, 2007........................ Baltimore County Dept. A laptop containing 6,000
of Health (Baltimore, personal information
MD). including names, date
of birth, Social
Security numbers,
telephone numbers and
emergency contact
information of
patients who were seen
at the clinic between
Jan. 1, 2004 and April
12 was stolen.
Apr. 25, 2007........................ Neiman Marcus Group Computer equipment in 160,000
(Dallas, TX) (800) 456- the possession of a
7019. pension consultant
containing files with
sensitive information
including name,
address, Social
Security number, date
of birth, period of
employment and salary
information of Neiman
Marcus Group's current
and former employees
and their spouses was
stolen.
Apr. 26, 2007........................ Ceridian Corp. A former employee had 150
(Minneapolis, MN). data containing the
personal information
of employees including
``ID'' and bank-
account data and then,
accidentally posted it
on a personal Web site.
Apr. 27, 2007........................ Google Ads (Mountain Top sponsored Google Unknown.
View, CA). ads linked to 20
popular search terms
were found to install
a malware program on
users' computers to
capture personal
information and used
to access online
accounts for 100
different banks.
Apr. 27, 2007........................ Caterpillar, Inc. A laptop computer Unknown.
(Peoria, IL). containing personal
data of employees
including Social
Security numbers,
banking information
and addresses was
stolen from a benefits
consultant that works
with the company.
Apr. 28, 2007........................ Couriers on Demand Personal information of ``Hundreds''.
(Dallas, TX). job applicants was
accidentally published
to the Internet.
Apr. 29, 2007........................ Univ. of New Mexico Employees' personal [3,000] (Not included
(Alburquerque, NM). information including in Total below because
names, e-mail and home SSNs were apparently
addresses, UNM ID not compromised).
numbers and net pay
for a pay period for
staff, faculty and a
few graduate students
may have been stored
on a laptop computer
stolen from the San
Francisco office of an
outside consultant
working on UNM's human
resource and payroll
systems.
May 1, 2007.......................... Healing Hands Medical records ``Hundreds''.
Chiropractic containing the
(Sterling, CO). personal information
of chiropractic
patients including
records, Social
Security numbers,
birth dates, addresses
and, in some cases,
credit card
information wee thrown
in a dumpster ``due to
lack of office space''.
May 1, 2007.......................... J. P. Morgan (New York, Documents containing Unknown.
NY). personal financial
data of customers
including names,
addresses and Social
Security numbers were
found in garbage bags
outside five branch
offices in New York.
May 1, 2007.......................... Maine State Lottery Documents containing Unknown.
Commission (Hallowell, personal information
ME). such as names, Social
Security numbers,
references to workers
compensation claim
records, psychiatric
and other medical
records, and police
background checks were
found in a dumpster.
May 1, 2007.......................... Champaign Police The names and Social 139
Officers (Champaign, Security numbers of
IL). Champaign police
officers were left on
a computer donated to
charity.
May 1, 2007.......................... J. P. Morgan (Chicago, A computer tape 47,000
IL). containing personal
information of wealthy
bank clients and some
employees was
delivered to a secure
off-site facility for
storage but was later
reported missing.
May 3, 2007.......................... Maryland Dept. of Personal information of 1,433
Natural Resources current and retired
(Annapolis, MD). employees including
names and Social
Security numbers was
downloaded to a
``thumb drive'' by an
employee who wanted to
work at home but was
lost en route.
May 3, 2007.......................... Louisiana State Univ., A laptop stolen from a 750
E.J. Ourso College of faculty member's home
Business (Baton Rogue, contained personally
LA). identifiable
information including
may have included
students' Social
Security numbers, full
names and grades of
University students.
May 3, 2007.......................... Montgomery College..... A new employee posted Unknown.
the personal
information of all
graduating seniors
including names,
addresses and Social
Security numbers on a
computer drive that is
publicly accessible on
all campus computers.
May 5, 2007.......................... Transportation Security A computer hard drive 100,000
Administration. containing payroll
data from January 2002
to August 2005
including employee
names, Social Security
numbers, birth dates,
bank account and
routing information of
current and former
workers including
airport security
officers and federal
air marshals was
stolen.
UPDATE (5/14/07); The
American Federation of
Government Employees
is suing the TSA for
the loss of the hard
drive. It calls the
breach a violation of
the Privacy Act.
May 7, 2007.......................... Indiana Dept. of An employee uploaded a ``dozens'' to ``no more
Administration list of certified than a couple
(Indianapolis, IN). women and minority hundred''.
business enterprises
to the department's
Web site and
inadvertently included
their tax
identification
numbers, which for
some businesses and
sole proprietorships
is the owner's Social
Security number.
May 8, 2007.......................... TX Health and Human Computer tapes ``millions''.
Services Commission containing employment
(Austin, TX). information used to
verify Medicaid claims
including Social
Security numbers and
wages were missing for
more than two weeks
before being found.
May 8, 2007.......................... Univ. of Missouri A hacker accessed a 22,396
(Columbia, MO) (866) computer database
241-5619. containing the names
and Social Security
numbers of employees
of any campus within
the University system
in 2004 who were also
current or former
students of the
Columbia campus.
May 11, 2007......................... Univ. Calif. Irvine About 1,600 file boxes 287
Medical Center stored in an off-site
(Irvine, CA). university warehouse
were discovered
missing. Some of the
files included
patients' names,
addresses, Social
Security numbers and
medical record numbers.
May 11, 2007......................... Highland Hospital Two laptop computers, 13,000
(Rochester, NY) one containing patient
HighlandHospitalAdmin@ information including
urmc.rochester.edu Social Security
(866) 917-5034. numbers, were stolen
from a business
office. The computers
were sold on eBay, and
the one containing
personal information
was recovered.
May 12, 2007......................... Goshen College (Goshen, A hacker accessed a 7,300
IN) [email protected] college computer that
(866) 877-3055. contained the names,
addresses, birth
dates, Social Security
numbers and phone
numbers of students
and information on
some parents with the
suspected motivation
of using the system to
send spam e-mails.
May 12, 2007......................... Doctor and dentist A local TV news Unknown.
(Leon Valley, TX). reporter exposed that
a medical office
disposed of patient
records without
shredding them.
Included were SSNs and
dates of birth, as
well as medical
information.
May 14, 2007......................... Community College of A virus attacked a 197,000
Southern Nevada (North computer server and
Las Vegas, NV). could have allowed a
hacker to access
students' personal
information including
names, Social Security
numbers and dates of
birth, but the school
is not certain whether
anything was actually
stolen from the
school's computer
system.
May 15, 2007......................... IBM (Armonk, NY)....... An unnamed IBM vendor Unknown.
lost computer tapes
containing information
on IBM employees--
mostly ex-workers--
including SSNs, dates
of birth, and
addresses. They went
missing in transit
from a contractor's
vehicle.
May 17, 2007......................... Detroit Water and A laptop containing 3,000 (not included in
Sewerage Department City employee Total below because it
(Detroit, MI). information was stolen is not known if the
from the vehicle of an data included SSNs).
insurance company
employee.
May 17, 2007......................... Georgia Div. of Public The GA Dept. of Human 140,000
Health (statewide). Resources notified
parents of infants
born between 4/1/06
and 3/16/07 that paper
records containing
parents' SSNs and
medical histories--but
not names or
addresses--were
discarded without
shredding.
May 18, 2007......................... Alcatel-Lucent (Murray The telecom and Unknown.
Hill, NJ). networking equipment
maker notified
employees that a
computer disk
containing personal
information was lost
in transit to Aon
Corp., another vendor.
It contained names,
addresses, SSNs, birth
dates, and salary
information of current
and former employees.
----------------------------------------------------------------------------------------------------------------
Total number of records containing sensitive personal information involved in security 154,329,881
breaches.
----------------------------------------------------------------------------------------------------------------