 

DATA BREACHES

Information management is critically important to all of us - as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

The ITRC breach list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. This list is updated daily, and published each Tuesday. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers. ITRC follows U.S. Federal guidelines about what combination of personal information comprises a unique individual, the exposure of which will constitute a data breach.

There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:

  • Data on the Move
  • Accidental Exposure
  • Insider Theft
  • Subcontractors
  • Hacking

Click here to go to the recent High Profile Breaches:

Click here for the 2009 ITRC Breach Report (PDF):

Click here for the 2009 ITRC Breach Stats Report (PDF):

Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the development of the criteria used when assessing breaches and the integrity of its sources. For example, breaches that occurred in any given year or a previous year are included in the year in which the breach was publicized. Each selected incident is required to have been published by a credible media source, such as TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is real and credible. Larger breaches often have multiple attributions, and we usually cite more than one source.

We include in each reported data breach item a link or source of the article, and the information presented by that article. Many times, we have attributions from a multitude of media sources and outlets. ITRC adheres to the facts as reported, and does not alter the previously published information. We always attempt to provide live links back to the original article, but these remain good only as long as the source retains the article at that web URL.

When the number of records exposed is not reported, we note that fact. When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. We do, however, consider “password protected” as not sufficient protection under most circumstances, and do post these events as breaches.

As an authority on data breach exposures, the ITRC is frequently asked if there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. It is the opinion of the ITRC that the criminal population is stealing more data from companies, AND data breaches are being more frequently publicized. ITRC is aware that many breaches go unreported, and we are certain that our ITRC Breach List underreports the problem. One thing we can say with certainty is that this is NOT a new problem.

Click here for 2009 synopsis and reports
Click here for 2008 synopsis and reports
Click here for 2007 synopsis and reports
Click here for 2006 synopsis and reports
Click here for 2005 synopsis and reports

Other websites and resources for data breaches include:

 

The following breach report contains only those high profile breaches recently publicized. This report is updated as necessary. For full annual reports, go to the links above.

High Profile Breaches Report

Breaches Listed in Alphabetical Order

Full information on a breach may be found in the ITRC Breach Report by searching for the ITRC Breach ID#.

ITRC Breach ID | Company or Agency | State | Publish Date | Breach Type | Breach Category | Records Exposed? | Records #
________________________________________________________________________________________________________________________
ITRC20081111-02 | AIG - Medical Excess LLC | US | 10/1/2008 | Electronic | Medical/Healthcare | Yes - Published # | 900,000
A special agent for the FBI and other law enforcement officials announced the arrest of a person who stole a computer server with the personal
identifying and sensitive health care information for over 900,000 policy holders and then tried to extort AIG for its return.
________________________________________________________________________________________________________
ITRC20090313-03 | Binghamton University | NY | 3/10/2009 | Paper Data | Educational | Yes - Unknown # | 0
Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area next to one of the most
trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself contained social security numbers,
credit card numbers, scans of tax forms, business information (including social security numbers and salary information for employees of students’
parents), asylum records and more, all kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets
and shelving units.
________________________________________________________________________________________________________
ITRC20081017-04 | Binghamton University | NY | 10/14/2008 | Paper Data | Educational | Yes - Published # | 56
Heading by a dumpster on the campus of Binghamton University, a news team inadvertently stumbled upon a pile of official Binghamton University
documents containing personal information. All of the files contained Social Security numbers and full names, for fifty-six different people. The ninety-
one documents (totaling almost a hundred and fifty pages) were office files from the German Department in the mid-seventies detailing classes,
grades, assistant stipends and other personal information including birthdays and addresses.
________________________________________________________________________________________________________
ITRC20091005-04 | Blue Cross - Blue Shield | US | 10/3/2009 | Electronic | Medical/Healthcare | Yes - Published # | 850,000
The Blue Cross Blue Shield national office had a laptop stolen from an employee of the national office in August. The breach involves “tens of
thousands” of physicians nationwide, although the precise number is unclear, according to a national Blue Cross-Blue Shield spokesman.
Thirty-nine affiliates feed information about providers into a database maintained by the association’s national headquarters. "Jeff Smokler, national Blue
Cross-Blue Shield spokesman, said the insurance giant - roughly 90 percent of physicians nationwide are in its network - encrypts all of its
information on company computers, but an employee who was authorized to have the information violated company rules by downloading an
unencrypted version onto a personal laptop. Smokler said the data breach was perhaps the most serious for Massachusetts physicians and other
providers because they typically use their Social Security number as their tax identification number. Physicians in most other states, he said, choose
separate tax ID numbers."
________________________________________________________________________________________________________
ITRC20091006-02 | BlueCross BlueShield | US | 10/6/2009 | Electronic | Medical/Healthcare | Yes - Unknown # | 0
68 hard drives are missing from the BlueCross BlueShield office in Eastgate, TN. Investigators also want to know why *these* drives might have
been targeted. "We don't know what's on the hard drive files. Only Blue Cross Blue Shield does, but as with the medical files and anything else that
contains personal information and social security numbers and financial information, there's always the possibility for identity theft," says Sgt. Weary.
A Blue Cross spokesperson says she doesn't know if the missing drives contain private patient information. But they are cooperating in the event of
possible identity theft.
________________________________________________________________________________________________________
ITRC20090212-08 | Federal Aviation Administration (FAA) | US | 2/9/2009 | Electronic | Government/Military | Yes - Published # | 45,000
An FAA union leader says hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and Social
Security numbers of 45,000 employees and retirees as of Feb. 2006. The FAA said the hackers hijacked 48 files, two containing sensitive personal
information that could expose the employees and retirees to identity theft.
________________________________________________________________________________________________________
ITRC20091006-01 | Federal Reserve | NY | 10/6/2009 | Electronic | Banking/Credit/Financial | Yes - Unknown # | 0
A federal bank information analyst from Elm Park has admitted he stole his fellow employees’ identities so he and his brother could apply for more
than $1 million in student and boat loans. Curtis Wiltshire, 34, committed the fraud between 2006 and 2008, while he was working as an information and
technical analyst at the Federal Reserve Bank of New York in lower Manhattan. He had access to computer files with other employees’ names, dates
of birth, social security numbers and photographs.
________________________________________________________________________________________________________
ITRC20081021-05 | FEMA | TX | 10/16/2008 | Electronic | Government/Military | Yes - Published # | 1,000
As many as 1,000 hurricane victims may have had their personal information exposed to a stranger. FEMA says an error by its mailing subcontractor
placed one person's aid application under a cover page addressed to another person and each subsequent envelope in the batch was improperly
stuffed.
FEMA plans to offer monitoring to anyone whose most private data, including social security numbers, bank account numbers, insurance policy
numbers and even annual income, was mistakenly sent to another applicant.
________________________________________________________________________________________________________
ITRC20081223-01 | FEMA - Katrina | LA | 12/22/2008 | Electronic | Government/Military | Yes - Published # | 17,000
FEMA says 16,857 names, Social Security & telephone numbers and other private information were publicly posted on 2 websites last week. The
names belonged to applicants from Hurricane Katrina who'd evacuated to Texas, but now live all across the Gulf Coast. FEMA's acting press
secretary Terry Monrad says when the agency found out, the names were immediately removed. As of 3/35/09, those affected are just now being
notified.
________________________________________________________________________________________________________
ITRC20080110-06 | Florida Department of Children and Families | FL | 1/4/2008 | Electronic | Government/Military | Yes - Unknown # | 0
Thousands of Central Florida day-care-center workers could be at risk of identity theft after burglars stole state computers containing personal
information. Although the theft occurred two months ago, the Florida Department of Children and Families is just now notifying about 1,200 day-care
providers that their employees, as well as center operations, may be at risk. Social Security numbers, birth dates and other information about day-care
workers in Orange, Seminole and Osceola counties were among the data on five laptop computers that were stolen from the DCF office near
Orlando Fashion Square mall in Orlando on Nov. 7-8.
________________________________________________________________________________________________________
ITRC20090224-01 | Govtrip.com | DC | 2/18/2009 | Electronic | Government/Military | Yes - Unknown # | 0
Govtrip.com, which handles travel reservations for at least a dozen U.S. government agencies, last week was infected with a virus that tried to install
malicious software when users visited the site, causing some agencies to block employees from accessing it, Security Fix has learned. Sometime on
Feb. 11, hackers changed the Govtrip.com Web site to redirect visitors to a site that installed malicious software. A number of agencies, including
the departments of Agriculture, Energy, Health & Human Services, Interior, Transportation, and Treasury, use the site exclusively to book travel
arrangements. Govtrip.com also is used to reimburse workers via direct deposit, which means that many federal employees' checking account
information is stored there as well.
________________________________________________________________________________________________________
ITRC20080110-07 | Health Net | CA | 1/4/2008 | Electronic | Business | Yes - Unknown # | 0
Thousands of Health Net employees in Connecticut and other states have been notified that their names and Social Security numbers were on a
laptop computer that was stolen more than a month ago from a company vendor. The laptop had information on about 5,000 employees companywide
and an undisclosed number of health-care providers outside the Northeast. The company has about 1,600 employees in Connecticut. The laptop did
not contain information on employees hired after Jan. 1, 2005.
________________________________________________________________________________________________________
ITRC20090122-02 | Heartland Payment Systems | US | 1/20/2009 | Electronic | Banking/Credit/Financial | Yes - Published # | 130,000,000
Hundreds of credit and debit card holders appear to have been victims of a nationwide data theft carried out against Heartland Payment Systems,
which processes cards for 250,000 restaurants, retailers and other businesses. Several Maine credit unions have been told by Visa and MasterCard
that fraudulent charges were placed on members' cards between May 16 and August 19, 2008, according to Jon Paradise, a spokesman for the
Maine Credit Union League. Many of the charges were tallied at Wal-Mart stores in Texas, he said. According to the Washington Post (Brian
Krebs), tens of millions of people may be affected. Baldwin said Heartland does not know how long the malicious software was in place, how it got
there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates. "The
transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we
don't know the magnitude of what was grabbed."
Update: As of the end of May 2009, more than 656 institutions have been impacted. As of October the number of records seems to have stabilized at
130 million. ITRC wants to remind all readers: the number of records does not mean number of people.
________________________________________________________________________________________________________
ITRC20090520-01 | National Archives | US | 5/20/2009 | Electronic | Government/Military | Yes - Published # | 100,000
An external hard drive containing 1 terabyte of data from the Clinton Administration is missing from the National Archives and Records
Administration. The information includes more than 100,000 SSNs and home addresses of people who visited or worked at the White House. The
drive also contained details on the security procedures used by the Secret Service at the White House, as well as event logs, social gathering logs,
political records and other information from the Clinton administration. Rep. Darrell Issa (R-Calif.), ranking member of the House Committee on
Oversight and Government Reform, in a statement yesterday said that the loss is believed to have occurred between October 2008 and March 2009.
According to Issa, the Archives was in the process of converting information from the drive to a digital records system when it apparently
disappeared. The hard drive was apparently removed from a secure storage area to a workplace where at least 100 "badge-holders" had access to it,
Issa noted. In addition to those with official access to the area, the IG said that janitors, visitors, interns and others passed through the area, Issa
said.
________________________________________________________________________________________________________
ITRC20090902-02 | Naval Hospital Pensacola | US | 9/2/2009 | Electronic | Government/Military | Yes - Published # | 38,000
Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the disappearance of a laptop
computer August 18. The computer's database contains 38,000 pharmacy service customers' names, Social Security numbers and dates of birth on
all patients that used the pharmacy in the last year.
________________________________________________________________________________________________________
ITRC20090304-01 | New York Police Department (NYPD) - Pension | NY | 3/4/2009 | Electronic | Government/Military | Yes - Published # | 80,000
A civilian official of the NYPD’s pension fund has been charged with stealing the identities of 80,000 current and retired cops, sources said. Anthony
Bonelli allegedly got into a secret backup-data warehouse on Staten Island last month and walked out with eight tapes packed with Social Security
numbers, direct-deposit information for bank accounts, and other sensitive material. Bonelli was the fund's director of communications.
________________________________________________________________________________________________________
ITRC20090313-02 | Norm Coleman Campaign | MN | 3/11/2009 | Electronic | Business | Yes - Published # | 4,721
Wikileaks published information to substantiate a rumor that sensitive information belonging to thousands of Coleman's supporters had been floating
around the Internet since Jan. 28 "as a result of sloppy handling by the campaign."
Wikileaks said the decision to publish the information was prompted by claims from Coleman's campaign that no data had been compromised and by its
failure to apologize for the "initial leak" or its subsequent "cover-up." The statement said that Coleman's campaign had known about the breach since
January but had failed to notify anyone of the potential compromise of their personal data. Wikileaks claimed that the senator collected detailed
information on every supporter and Web site visitor and retained unencrypted credit card information from donors, including their security codes, on
the campaign's Web site.
________________________________________________________________________________________________________
ITRC20090427-04 | Oklahoma Department of Human Services | OK | 4/23/2009 | Electronic | Government/Military | Yes - (Password) | 1,000,000
Officials with the Department of Human Services said a computer was stolen from a worker's car on April 3. The machine had names, Social Security
numbers and birthdates of people who receive state assistance. Those affected include clients who receive aid from Medicaid, Child Care
Assistance, Temporary Assistance to Needy Families, Aid to the Aged, Blind and Disabled and the Supplemental Nutrition Assistance Program.
________________________________________________________________________________________________________
ITRC20081224-01 | RBS WorldPay | US | 12/23/2008 | Electronic | Banking/Credit/Financial | Yes - Published # | 1,500,000
RBS WorldPay (formerly RBS Lynk), the U.S. payment processing arm of The Royal Bank of Scotland Group, today announced that its computer
system had been improperly accessed by an unauthorized party. Pre-paid cardholders and other individuals were affected and identified on November
10. RBS WorldPay's internal security professionals and outside experts are working with federal and state law enforcement authorities in an
investigation of this event. The affected pre-paid cards include payroll cards and open-loop gift cards. The fraud that has been identified to-date is
associated with RBS WorldPay's computer system supporting its U.S. pre-paid and open-loop gift card issuing business. Actual fraud has been
committed on approximately 100 cards. Cardholders will not be responsible for unauthorized activity associated with this event. Certain personal
information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1
million people may have been accessed.
________________________________________________________________________________________________________
ITRC20081231-08 | Science Applications International Corporation | CA | 12/9/2008 | Electronic | Business | Yes - Unknown # | 0
Science Applications International Corporation (“SAIC”), recipient of a number of large government contracts, notified the New Hampshire Attorney
General on December 9th of a security breach involving malware. The specific malware was not named, but was described as “designed to provide
backdoor access.”
The breach was detected on October 28th. In its letter to an unspecified number of affected individuals, SAIC wrote: This letter is to notify you of a
potential compromise of your personal information, including your name and social security number, date of birth, home address, home phone number
and clearance level and possibly other personal information necessary to complete government security clearance questionnaires (e.g., SF-85P or
SF-86).
________________________________________________________________________________________________________
ITRC20090312-01 | Sprint | US | 3/11/2009 | Electronic | Business | Yes - Unknown # | 0
Sprint is warning several thousand customers that a former employee sold or otherwise provided their account data without permission between Dec.
2008 and Jan. 2009. "The information that may have been compromised includes your name, address, wireless phone number, Sprint account number,
the answer to your security question, and the name of the authorized point of contact on your account."
________________________________________________________________________________________________________
ITRC20071221-10 | SunGard Higher Education | PA | 3/19/2007 | Electronic | Business | Yes - (Password) | 0
A thief stole a laptop from a parked SunGard employee's vehicle. Names, SSNs, bank transfer ABA numbers and account number and/or credit card
information may have been on the laptop. SunGard is an information technology service company and does data management for some New York
colleges. Multiple colleges have reported being affected by this theft. A final total is not known.
________________________________________________________________________________________________________
ITRC20070308-02 | TJX | US | 1/17/2007 | Electronic | Business | Yes - Published # | 94,000,000
TJX Cos reported that intruders broke into computers sometime in mid-December and stole an unknown amount of customer data including credit
card, debit card, check and merchandise return transactions for TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US. TJX's Bob's
Stores and TK MAX stores are also involved. In addition, Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, said at least eight
banks have been affected by a similar breach of information, related to debit cards they issued. The breach may have started as early as 2003. A
multi-state and FBI investigation is underway.
Update: March - the number of affected consumers revealed in a filing with the SEC is 45.7 million customer records. TJX also reported in the filing
that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including drivers' license numbers.
Update: A settlement has been reached based on info from VISA and Mastercard. Total records updated to 94 million.
________________________________________________________________________________________________________
ITRC20061009-01 | Troy Athens High School | MI | 10/9/2006 | Electronic | Educational | Yes - Unknown # | 0
“Alumni of Troy Athens High School learned on Friday that their identity may be at risk. The Troy School District and Superintendent mailed out a
letter to former students of the high school who graduated from 1994 to present indicating that a hard drive that was inside a guidance room was
stolen. The hard drive was stolen from a computer that was having technical work done. Officials made the discovery of the stolen hard drive in
mid-August but failed to inform those affected because, as stated in the letter, they weren’t sure what specific information was stored on the drive.
Through an investigation, the school learned that students’ transcripts, test scores, addresses and Social Security numbers were saved on the stolen
drive.” (, October 9, 2006)
________________________________________________________________________________________________________
ITRC20090219-01 | University of Florida - Grove | FL | 2/19/2009 | Electronic | Educational | Yes - Published # | 97,200
On January 14, 2009, the University of Florida discovered that a server was accessed by an unauthorized intruder from outside UF. This server
contained a file with names, and Social Security Numbers (SSNs) for 97,200 people that used the "Grove" system between 1996 and 2009. Although
no evidence was found that this information was accessed, there is no absolute certainty that it was not.
________________________________________________________________________________________________________
ITRC20090925-02 | University of North Carolina Chapel Hill, Dept. | NC | 9/25/2009 | Electronic | Medical/Healthcare | Yes - Published # | 163,000
A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC-Chapel Hill research study. Among the
information exposed: the Social Security numbers of 163,000 study participants. Though the intrusion was detected in late July, computer forensics
experts say it may have happened two years ago, said Matthew Mauro, chairman of the UNC-CH Department of Radiology. The medical school will
send letters to all 236,000 study participants about the security breach. School officials said they held off on notifying participants until they had
completed their investigation and would be able to field questions.
________________________________________________________________________________________________________
ITRC20071231-01 | US Air Force | US | 12/28/2007 | Electronic | Government/Military | Yes - Published # | 10,501
On November 18, a laptop belonging to an Air Force band member at Bolling Air Force Base in DC turned up missing. The information included
SSNs, birth dates, and telephone numbers of active and retired Air Force members. The Air Force tells WSFA 12 News it was intended to be used
for an Air Force Band Historical Documentation.
________________________________________________________________________________________________________
ITRC20091002-02 | US Military | US | 10/1/2009 | Electronic | Government/Military | Yes - Published # | 76,000,000
The Inspector General of the National Archives and Records Administration is looking into a potential data breach of millions of records about US
military veterans. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data.
The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions
of Social Security numbers dating to 1972. The Pentagon requires that old drives be degaussed (demagnetized) or physically destroyed.
________________________________________________________________________________________________________
ITRC20090410-01 | Vavrinek, Trine, Day and Co. | CA | 4/10/2009 | Electronic | Banking/Credit/Financial | Yes - (Password) | 0
The theft of six laptop computers from an auditing firm has led the Borrego Springs Bank to send warning letters to all of its customers saying their
personal financial information may be in the hands of criminals. The bank released this brief statement: “Borrego Springs Bank is promptly
responding to an isolated incident involving customer information provided to a contracted third party accounting firm. The computer files contain
sensitive personal financial information including account name, number and balance.” Update: More than 50 banks now involved. "There was some
information, I would say 99.9 percent of it is information someone could get off of your check," said bank president Darrell Lautaret. "It was just name,
account number and balances as of August 31, (2008)."
________________________________________________________________________________________________________
ITRC20080110-02 | Wisconsin Department of Health and Family | WI | 1/8/2008 | Paper Data | Government/Military | Yes - Published # | 260,000
Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state to recipients of SeniorCare and
other state programs. The mailing was first reported by WKOW on January 8. The state Department of Health and Family Services issued a
statement saying the mistake was the fault of EDS, a private vendor for state Medicaid services. Karen Timberlake, deputy secretary of the state
department, said the mailing went to about 260,000 Medicaid, SeniorCare, and BadgerCare members.
________________________________________________________________________________________________________

Copyright 2009 Identity Theft Resource Center

 
