DATA BREACHES

Information management is critically important to all of us - as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

The ITRC breach list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. This list is updated daily, and published each Tuesday. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers. ITRC follows U.S. Federal guidelines about what combination of personal information comprises a unique individual, the exposure of which will constitute a data breach.

What is a breach?  A breach is defined as an event in which an individual name plus Social Security Number (SSN), driver’s license number, medical record or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.

There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:

  • Data on the Move
  • Accidental Exposure
  • Insider Theft
  • Subcontractors
  • Hacking

Click here to go to the recent High Profile Breaches:

Click here for the 2010 ITRC Breach Report (PDF):

Click here for the 2010 ITRC Breach Stats Report (PDF):

Click here for the 2009 ITRC Breach Report (PDF):

Click here for the 2009 ITRC Breach Stats Report (PDF):

Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the development of the criteria used when assessing breaches and the integrity of its sources. For example, breaches that occurred in any given year or a previous year are included in the year in which the breach was publicized. Each selected incident is required to have been published by a credible media source, such as TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is real and credible. Larger breaches often have multiple attributions, and we usually cite more than one source.

We include in each reported data breach item a link or source of the article, and the information presented by that article. Many times, we have attributions from a multitude of media sources and outlets. ITRC adheres to the facts as reported, and does not alter the previously published information. We always attempt to provide live links back to the original article, but these remain good only as long as the source retains the article at that web URL.

When the number of records exposed is not reported, we note that fact. When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. We do, however, consider “password protected” as not sufficient protection under most circumstances, and do post these events as breaches.

As an authority on data breach exposures, the ITRC is frequently asked if there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. It is the opinion of the ITRC that the criminal population is stealing more data from companies, AND data breaches are being more frequently publicized. ITRC is aware that many breaches go unreported, and we are certain that our ITRC Breach List underreports the problem. One thing we can say with certainty is that this is NOT a new problem.

Click here for 2009 synopsis and reports
Click here for 2008 synopsis and reports
Click here for 2007 synopsis and reports
Click here for 2006 synopsis and reports
Click here for 2005 synopsis and reports

The following breach report contains only those high profile breaches recently publicized. This report is updated as necessary. For full annual reports, go to the links above.


High Profile Breaches Report

Breaches Listed in Alphabetical Order

Full information on a breach may be found in the ITRC Breach Report by searching for the ITRC Breach ID#.

ITRC Breach # | Company or Agency | State | Publish Date | Breach Type | Breach Category | Records Exposed? | Records #
_____________________________________________________________________________________________________________
ITRC20091111-01 | ^TD Ameritrade (advisory only) | US | 10/27/2009 | Electronic | Business | None - Other | 0
In September 2007, Ameritrade announced that the names, addresses, phone numbers and trading information of potentially all of its
more than 6 million retail and institutional customers at that time had been compromised by an intrusion into one of its databases. The
stolen information was later used to spam those customers. The company has consistently said that while SSNs were in that same
database, it has investigated the situation and has affirmed that SSNs were not compromised.
ITRC has confirmed with a source that worked with Ameritrade on this breach that SSNs were not breached. This is not a breach by
ITRC criteria but is listed as an advisory only due to media attention.
_________________________________________________________________________________________________
ITRC20091123-09 | ACORN | CA | 11/23/2009 | Paper Data | Business | Yes - Unknown # | 0
A private investigator in San Diego found thousands of sensitive documents dumped outside a California ACORN (Association of
Community Organizations for Reform Now) office on October 9, just days after the state attorney general announced an inquiry into
the community organizing group. "We're talking people's driver's license numbers, dates of birth, Social Security numbers, credit card
numbers, bank account numbers, tax returns, credit reports" — all tossed in public view in the Dumpster, the investigator said.
_________________________________________________________________________________________________
ITRC20081111-02 | AIG - Medical Excess LLC | US | 10/1/2008 | Electronic | Medical/Healthcare | Yes - Published # | 900,000
A special agent for the FBI and other law enforcement officials announced the arrest of a person who stole a computer server with
the personal identifying and health care sensitive information for over 900,000 policy holders and then tried to extort AIG for its
_________________________________________________________________________________________________
ITRC20090313-03 | Binghamton University | NY | 3/10/2009 | Paper Data | Educational | Yes - Unknown # | 0
Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area next to
one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself
contained social security numbers, credit card numbers, scans of tax forms, business information (including social security numbers
and salary information for employees of students’ parents), asylum records and more, all kept in a haphazard and disorganized
fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets and shelving units.
_________________________________________________________________________________________________
ITRC20091005-04 | BlueCross BlueShield Association - Highmark | US | 10/3/2009 | Electronic | Business | Yes - Published # | 850,000
The Blue Cross Blue Shield national office had a laptop stolen from an employee of the national office in August. The breach involves
“tens of thousands’’ of physicians nationwide, although the precise number is unclear, according to a national Blue Cross-Blue Shield
spokesman. Thirty-nine affiliates feed information about providers into a database maintained by the association’s national
headquarters. "Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant - roughly 90 percent of physicians
nationwide are in its network - encrypts all of its information on company computers, but an employee who was authorized to have
the information violated company rules by downloading an unencrypted version onto a personal laptop. Smokler said the data breach
was perhaps the most serious for Massachusetts physicians and other providers because they typically use their Social Security
number as their tax identification number. Physicians in most other states, he said, choose separate tax ID numbers."
Update: Highmark is also notifying 50,000 doctors, mainly in PA that their information may have been on the laptop also.
_________________________________________________________________________________________________
ITRC20091006-02 | BlueCross BlueShield - TN | US | 10/6/2009 | Electronic | Business | Yes - Published # | 1,000,000
57 hard drives are missing from the BlueCross BlueShield office in Eastgate, TN. "We don't know what's on the hard drive files.
Only blue cross blue shield does, but as with the medical files and anything else that contains personal information and social
security numbers and financial information, there's always the possibility for identity theft," says Sgt. Weary.
Update: BCBS announced that the theft affects about 2 million clients. However, a call from ITRC to BCBS TN headquarters has led
to more confusion beyond several variations from published articles. The information is encoded, not encrypted: a public generally
understood and low overhead method. Another time we were told that specialized equipment would be needed to read the disks which
lowers risk factor. Another source said the alarm was set off leading us to question if the hard drives were pulled from a server and
not just in a box. All details probably won't be known until a prosecution is underway. 4/13- an additional 448,000 are being notified.
_________________________________________________________________________________________________
ITRC20090911-03 | Chase Bank, JPMorgan Chase | US | 8/18/2009 | Electronic | Banking/Credit/Financi | None - Other | 0
Chase Bank is notifying customers that a tape used as a backup for system information is missing at a secure offsite storage unit.
It may have included name, address and SSN. The information "can be read only with special equipment and software…"
_________________________________________________________________________________________________
ITRC20100226-01 | CitiGroup | US | 2/24/2010 | Paper Data | Banking/Credit/Financi | Yes - Published # | 600,000
About 600,000 Citigroup customers got a shock earlier this month when they received their annual tax
documents - with their Social Security numbers printed on the outside of the envelope. Citi says in a separate letter/statement that
the SSN were surrounded by other numbers and letters "that resembled a mailing routing number." ITRC has seen this statement
though it is not publicly available. More than 50 customers have called to complain to Citi as of 2/24 so clearly they were able to
identify the SSN on the letter front.
_________________________________________________________________________________________________
ITRC20100209-02 | D.C. Office of Tax and Revenue | DC | 2/5/2010 | Electronic | Government/Military | Yes - Published # | 76
A mentally ill woman exploited a loophole in D.C. tax office online systems to gain unauthorized access to taxpayer accounts,
establish herself as the owner of dozens of businesses and file returns on their behalf. The woman electronically filed FR-500 forms,
a document establishing change of ownership or authorized agent, for 114 existing and fictitious businesses between Oct. 13 and Dec.
22, according to the BDO report. Through the FR-500 process she was able to establish herself as the owner of the businesses and
gain access, within 48 hours, to 76 taxpayer business accounts.
_________________________________________________________________________________________________
ITRC20090511-01 | D.C. Office of the State Superintendent of Education | DC | 5/11/2009 | Electronic | Government/Military | Yes - Published # | 2,400
The D.C. Office of the State Superintendent of Education that handles college financial aid requests accidentally e-mailed personal
information from 2,400 student applicants to more than 1,000 of those applicants.
The OSSE said the breach occurred when an employee of the agency’s Higher Education Financial Services Program inadvertently
attached an Excel spreadsheet to an e-mail. The information released included student names, e-mail and home addresses, phone and
Social Security numbers and dates of birth.
_________________________________________________________________________________________________
ITRC20100329-04 | Educational Credit Management Corp | US | 3/27/2010 | Electronic | Business | Yes - Published # | 3,300,000
Educational Credit Management Corp., said Friday a portable media device was stolen and included names, addresses, dates of birth
and Social Security number of 3.3 million students. No bank account or other financial information was included in the data. Only
employees had card access to the company. Officials at the company, ECMC, say it could be one of the biggest cases of student
identity theft in the nation, affecting 5 percent of all students with federal loans in the United States. Congressional sources said the
data were stored on discs contained in a safe. The 3.3 million social security numbers that were stolen from ECMC represent 8.9
million loans, Mr. Kelash said. One borrower may take out multiple loans.
Update: The safe was found in a police evidence room, where it had been since 3/22 and no one realized it connected to this crime. It
appears no information was compromised.
_________________________________________________________________________________________________
ITRC20091006-01 | Federal Reserve Bank of New York | NY | 10/6/2009 | Electronic | Banking/Credit/Financi | Yes - Unknown # | 0
A federal bank information analyst from Elm Park has admitted he stole his fellow employees’ identities so he and his brother could
apply for more than $1 million in student and boat loans. Curtis Wiltshire, 34, committed the fraud from 2006 and 2008, while he was
working as an information and technical analyst at the Federal Reserve Bank of New York in lower Manhattan. He had access to
computer files with other employees’ names, dates of birth, social security numbers and photographs.
Update: 2 men were sentenced for their roles in this crime. 2/12/10
_________________________________________________________________________________________________
ITRC20090306-02 | FEMA | IN | 3/6/2009 | Electronic | Government/Military | Yes - (Password) | 50
A password protected FEMA laptop containing SSNs of dozens of victims of last September's floods was stolen from a housing
inspector's car on Nov 4. Representatives from the Federal Emergency Management Agency said Thursday they are alerting "roughly
50" flood victims from Gary, Hammond, Highland, Griffith and Munster whose information was stored in the laptop after they applied
for federal disaster assistance.
_________________________________________________________________________________________________
ITRC20081021-05 | FEMA | TX | 10/16/2008 | Electronic | Government/Military | Yes - Published # | 1,000
As many as 1,000 hurricane victims may have had their personal information exposed to a stranger. FEMA says an error by its
mailing subcontractor placed one person's aid application under a cover page addressed to another person and each subsequent
envelope in the batch was improperly stuffed.
FEMA plans to offer monitoring to anyone whose most private data, including social security numbers, bank account numbers,
insurance policy numbers and even annual income, was mistakenly sent to another applicant.
_________________________________________________________________________________________________
ITRC20081223-01 | FEMA - Katrina | LA | 12/22/2008 | Electronic | Government/Military | Yes - Published # | 17,000
FEMA says 16,857 names, Social Security & telephone numbers and other private information were publicly posted on 2 websites last
week. The names belonged to applicants from Hurricane Katrina who'd evacuated to Texas, but now live all across the Gulf Coast.
FEMA's Acting press secretary Terry Monrad says when the agency found out, the names were immediately removed. As of
3/35/09, those affected are just now being notified
_________________________________________________________________________________________________
ITRC20090224-01 | Govtrip.com | DC | 2/18/2009 | Electronic | Government/Military | Yes - Unknown # | 0
Govtrip.com, which handles travel reservations for at least a dozen U.S. government agencies, last week was infected with a virus
that tried to install malicious software when users visited the site, causing some agencies to block employees from accessing it,
Security Fix has learned. Sometime on Feb. 11, hackers changed the Govtrip.com Web site to redirect visitors to a site that installed
malicious software. A number of agencies, including the departments of Agriculture, Energy, Health & Human Services, Interior,
Transportation, and Treasury, use the site exclusively to book travel arrangements. Govtrip.com also is used to reimburse workers
via direct deposit, which means that many federal employees' checking account information is stored there as well.
_________________________________________________________________________________________________
ITRC20100409-02 | H&R Block | NY | 4/9/2010 | Electronic | Business | Yes - Published # | 20
A class action lawsuit and an investigation have shown that employees of an H&R Block office in the Bronx used the information
of at least 20 customers to get tax returns.
_________________________________________________________________________________________________
ITRC20091123-04 | Health Net | US | 11/19/2009 | Electronic | Medical/Healthcare | Yes - Published # | 1,500,000
A hard drive with seven years of personal and medical information on about 1.5 million Health Net customers was lost six months ago
and was first reported Wednesday. A portable, external hard drive with Social Security numbers and medical records “disappeared”
and is still missing from the insurer’s Northeast headquarters in Shelton, a Health Net spokeswoman said Wednesday. The hard drive
contains Social Security numbers, medical records and health information dating to 2002 for 1.5 million customers — past and present
— in Arizona, Connecticut, New Jersey and New York, the spokeswoman said. State AG's are very upset.
_________________________________________________________________________________________________
ITRC20090122-02 | Heartland Payment Systems | US | 1/20/2009 | Electronic | Business | Yes - Published # | 130,000,000
Hundreds of credit and debit card holders appear to have been victims of a nationwide data theft carried out against Heartland
Payment Systems, which processes cards for 250,000 restaurants, retailers and other businesses. Several Maine credit unions have
been told by Visa and MasterCard that fraudulent charges were placed on members' cards between May 16 and August 19, 2008,
according to Jon Paradise, a spokesman for the Maine Credit Union League. Many of the charges were tallied at Wal-Mart stores in
Texas, he said. According to the Washington Post (Brian Krebs), tens of millions of people may be affected. Baldwin said Heartland
does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised.
The stolen data includes names, credit and debit card numbers and expiration dates. "The transactional data crossing our platform, in
terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of
what was grabbed."
Update: As of the end of May 2009, more than 656 institutions have been impacted. As of October the number of records seems to
_________________________________________________________________________________________________
ITRC20081208-14 | Highmark, Inc. | US | 10/6/2008 | Electronic | Business | Yes - Unknown # | 0
An encrypted Excel file was sent to the wrong Highmark Inc. customer, who was then told to delete the file and destroy any paper copies
of the same. It contained names, SSNs, and group billing information.
_________________________________________________________________________________________________
ITRC20100517-03 | Mellow Mushroom in Warner Robins | GA | 5/15/2010 | Electronic | Business | Yes - Published # | 2,000
Quote: A security breach that has compromised the credit and debit cards of recent customers at the Mellow Mushroom in Warner
Robins is believed to have occurred outside the restaurant, police and the restaurant’s lawyer said Friday.
“The breach happened either with the computing end of it or at the payment processing center. That’s what the (U.S.) Secret Service
is going to work to figure out,” said attorney Kelly Burke, who has been hired to represent the restaurant. Two banks have been
notifying customers to not use their cards.
_________________________________________________________________________________________________
ITRC20090520-01 | National Archives | US | 5/20/2009 | Electronic | Government/Military | Yes - Published # | 250,000
An external hard drive containing 1 terabyte of data from the Clinton Administration is missing from the National Archives and
Recording Administration. The information includes more than 100,000 SSNs and home addresses of people who visited or worked at
the White House. The drive also contained details on the security procedures used by the Secret Service at the White House, as well
as event logs, social gathering logs, political records and other information from the Clinton administration. Rep. Darrell Issa, (R-
Calif.), ranking member of the House Committee on Oversight and Government Reform, in a statement yesterday said that the loss
is believed to have occurred between October 2008 and March 2009. According to Issa, the Archives was in the process of converting
information from the drive to a digital records system when it apparently disappeared. The hard drive was apparently removed from
a secure storage area to a workplace where at least 100 "badge-holders" had access to it, Issa noted. In addition to those with official
access to the area, the IG said that janitors, visitors, interns and others passed through the area, Issa said.
Update: now updated to 250,000 records
_________________________________________________________________________________________________
ITRC20090902-02 | Naval Hospital Pensacola | US | 9/2/2009 | Electronic | Government/Military | Yes - Published # | 38,000
Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the disappearance of
a laptop computer August 18. The computer's database contains 38,000 pharmacy service customers' names, Social Security
numbers and dates of birth on all patients that used the pharmacy in the last year.
_________________________________________________________________________________________________
ITRC20090427-04 | Oklahoma Department of Human Services | OK | 4/23/2009 | Electronic | Government/Military | Yes - (Password) | 1,000,000
Officials with the Department of Human Services said a computer was stolen from a worker's car on April 3. The machine had names,
Social Security numbers and birthdates of people who receive state assistance. Those affected include clients who receive aid from
Medicaid, Child Care Assistance, Temporary Assistance to Needy Families, Aid to the Aged, Blind and Disabled and the Supplemental
Nutrition Assistance Program.
_________________________________________________________________________________________________
ITRC20100611-13 | Our Lady of Peace Hospital | KY | 6/10/2010 | Electronic | Medical/Healthcare | Yes - Published # | 24,600
Our Lady of Peace Hospital
State: Kentucky
Approx. # of Individuals Affected: 24,600
Date of Breach: 3/31/10
Type of Breach: Theft, Loss
Location of Breached Information: Portable Electronic Device, Other
_________________________________________________________________________________________________
ITRC20091222-10 | P2P networks | US | 12/8/2009 | Electronic | Business | Yes - Unknown # | 0
Jeffrey Steven Girandola and Kajohn Phommavong have been charged in a previously sealed 16-count indictment with Conspiracy,
Computer Fraud, Access Device Fraud and Aggravated Identity Theft. According to the indictment, which was handed up by a federal
grand jury in San Diego, the defendants installed peer-to-peer file sharing software on computers under their control and searched the
available peer-to-peer file sharing networks for account login information and passwords inadvertently exposed to the file sharing
network by other users of the peer-to-peer file sharing software. They then used account information they found for their own
_________________________________________________________________________________________________
ITRC20091016-01 | PayChoice | US | 10/16/2009 | Electronic | Business | Yes - Unknown # | 0
Payroll services provider PayChoice took its Web-based service offline for the second time in a month in response to yet another
data breach caused by hackers. PayChoice provides direct payroll processing services and licenses its online employee payroll
management product to at least 240 other payroll processing firms, serving 125,000 organizations. The company sent a notice to its
customers saying it had closed onlineemployer.com - the portal for PayChoice's online payroll service -- after some clients began
noticing bogus employees being added to their payroll.
_________________________________________________________________________________________________
ITRC20100309-03 | Priceline.com | US | 3/1/2010 | Electronic | Business | Yes - Unknown # | 0
Priceline.com reported that an unauthorized individual may have accessed customer data, including names, addresses, email
addresses, credit card through its third party call center (unnamed)
_________________________________________________________________________________________________
ITRC20100128-01 | PricewaterhouseCoopers - Alaska state | AK | 1/28/2010 | Electronic | Government/Military | Yes - Published # | 77,000
A state contractor learned that the names, birth dates and Social Security numbers of 77,000 people were lost and the information
could be in the wrong hands. The people affected were in the PERS and TRS system in 2003-04 as active or inactive employees or
retirees. Attorney General Dan Sullivan announced today that the State of Alaska has reached a settlement with
PricewaterhouseCoopers LLP to provide credit protection for about 77,000 former and current public employees whose names and
confidential information were misplaced by the professional services firm.
_________________________________________________________________________________________________
ITRC20091130-08 | Radiant Systems, Aloha POS System - various restaurants | US | 11/27/2009 | Electronic | Business | Yes - Unknown # | 0
The seven restaurateurs, who filed suit in a Louisiana state court in March, are suing Radiant Systems of Alpharetta and Computer
World, a Louisiana retailer that sold Radiant’s payment processing program called “Aloha.” This software has caused a number of
breaches throughout the US and some were listed in 2008 breach list including the "Spicy Pickle." The suit alleges the Aloha program
illegally stored all the magnetic strip information after the card was swiped. Storage of card information violates the security
standards with Visa, MasterCard, American Express and Discover.
_________________________________________________________________________________________________
ITRC20090819-01 | Radisson Hotel | US | 8/19/2009 | Electronic | Business | Yes - Unknown # | 0
Radisson Hotels & Resorts said Wednesday its computer systems for a part of its chain were accessed without authorization,
affecting an unknown number of people between last November and May. Radisson said in a statement it has informed customers of
the situation and that guest information may have been accessed, including credit card numbers. Social security numbers were not
_________________________________________________________________________________________________
ITRC20081224-01 | RBS WorldPay | US | 12/23/2008 | Electronic | Banking/Credit/Financi | Yes - Published # | 1,500,000
RBS WorldPay (formerly RBS Lynk), the U.S. payment processing arm of The Royal Bank of Scotland Group, today announced that
its computer system had been improperly accessed by an unauthorized party. Pre-paid cardholders and other individuals were
affected and identified on November 10. RBS WorldPay's internal security professionals and outside experts are working with federal
and state law enforcement authorities in an investigation of this event. The affected pre-paid cards include payroll cards and open-
loop gift cards. The fraud that has been identified to-date is associated with RBS WorldPay's computer system supporting its U.S.
pre-paid and open-loop gift card issuing business. Actual fraud has been committed on approximately 100 cards. Cardholders will not
be responsible for unauthorized activity associated with this event. Certain personal information of approximately 1.5 million
cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may
_________________________________________________________________________________________________
ITRC20090312-01 | Sprint | US | 3/11/2009 | Electronic | Business | Yes - Unknown # | 0
Sprint is warning several thousand customers that a former employee sold or otherwise provided their account data without permission
between Dec. 2008 and Jan 2009. The information that may have been compromised includes your name, address, wireless phone
number, Sprint account number, the answer to your security question, and the name of the authorized point of contact on your
_________________________________________________________________________________________________
ITRC20070308-02 | TJX | US | 1/17/2007 | Electronic | Business | Yes - Published # | 94,000,000
TJX Cos reported that intruders broke into computers sometime in mid December and stole an unknown amount of customer data
including credit card, debit card, check and merchandise return transactions for TJ Maxx, Marshalls, HomeGoods and AJ Wright
stores in the US. TJX's Bob's Stores and TK MAX stores are also involved. In addition, Bruce Spitzer, a spokesman for the
Massachusetts Bankers Association, said at least eight banks have been affected by a similar breach of information, related to debit
cards they issued. The breach may have started as early as 2003. A multi-state and FBI investigation is underway.
Update: March- the number of affected consumers revealed in a filing with the SEC is 45.7 million customer records. TJX also
reported in the filing that another 455,000 customers who returned merchandise without receipts had their personal data stolen,
including drivers' license numbers.
Update: A settlement has been reached based on info from VISA and Mastercard. Total records updated to 94 million.
_________________________________________________________________________________________________
ITRC20100309-14 T-Mobile

MD
3/1/2010
Electronic Business Yes - Unknown # 0
In Sept. T-Mobile reported to the MD AG that some Maryland residents were involved in the unauthorized access of information
including SSNs. The criminals are being prosecuted by the US DOJ. Maryland was not listed among the states in March of this year.
22 residents in MD may be affected.
_________________________________________________________________________________________________
ITRC20091201-03 U.S. Department of Defense

US
11/20/2009
Electronic Government/Military Yes - Published # 72,000
According to GAO Report 10-56 to Congress, 72,000 Post Deployment Health Reassessment forms (PDHRA) are unaccounted for
from 72,000 service members who returned from deployment to Iraq or Afghanistan between Jan 1, 2007 and May 31, 2008. ITRC has
examined said forms, which are filed electronically and clearly ask for the service member's SSN, name, and date of birth. While
disclosure of any item is voluntary, they are "encouraged to answer each question." (in bold print). Quote: The discovery "suggests
either that not all of these service members filled out the questionnaire or that questionnaires were filled out, but were not incorporated
into Defense's central repository," wrote Randall Williamson, director of health care at the Government Accountability Office in a
_________________________________________________________________________________________________
ITRC20091113-01 US Army Corps of Engineers

US
11/13/2009
Electronic Government/Military Yes - Published # 60,000
The Corps of Engineers is investigating the recent loss of an external hard drive that had names and Social Security numbers of a
number of current and former soldiers and some civilian employees, according to information provided by the Southwest Division,
which is where the drive was stored. Most of the affected population includes soldiers whose files went before the Fiscal 2008
sergeant first class and 2008 master sergeant promotion boards, and the 2007 colonel promotion board and the 2009 lieutenant colonel
_________________________________________________________________________________________________
ITRC20091002-02 US Military

US
10/1/2009
Electronic Government/Military Yes - Published # 76,000,000
The Inspector General of the National Archives and Records Administration is looking into a potential data breach of millions of
records about US military veterans. The issue involves a defective hard drive the agency sent back to its vendor for repair and
recycling without first destroying the data. The drive was part of a RAID array of six drives containing an Oracle database that held
detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972. The Pentagon requires that old
drives be degaussed (demagnetized) or physically destroyed.
_________________________________________________________________________________________________
ITRC20090410-01 Vavrinek, Trine, Day and Co.

CA
4/10/2009
Electronic Business Yes - (Password) 0
The theft of six laptop computers from an auditing firm has led the Borrego Springs Bank to send warning letters to all of its
customers saying their personal financial information may be in the hands of criminals. The bank released this brief statement:
“Borrego Springs Bank is promptly responding to an isolated incident involving customer information provided to a contracted third
party accounting firm. The computer files contain sensitive personal financial information including account name, number and
balance.” Update: More than 50 banks now involved. "There was some information, I would say 99.9 percent of it is information
someone could get off of your check," said bank president Darrell Lautaret. "It was just name, account number and balances as of
_________________________________________________________________________________________________
ITRC20100611-09 Veteran Affairs North Texas Health Care System

TX
6/10/2010
Paper Data Medical/Healthcare Yes - Published # 4,083
VA North Texas Health Care System
State: Texas
Approx. # of Individuals Affected: 4,083
Date of Breach: 5/04/10
Type of Breach: Improper Disposal
Location of Breached Information: Paper Records
_________________________________________________________________________________________________
ITRC20100517-05 Veterans Affairs Department

US
5/13/2010
Electronic Government/Military Yes - Published # 644
The VA reported the theft of the laptop from an unidentified contractor's car on April 22 to the committee on April 28 and informed
members the computer contained personally identifiable information on 644 veterans, including data from some VA medical centers’
records, according to a letter Rep. Steve Buyer, R-Ind., sent to VA Secretary Eric Shinseki. This is just the beginning of a long
investigation - starting with the award of a contract to install data encryption software and develop security measures that has not
_________________________________________________________________________________________________
ITRC20100319-08 Veterans Affairs Department - Atlanta Veterans Affairs Medical Center

US
3/11/2010
Electronic Government/Military Yes - Unknown # 0
The Veterans Affairs Department is investigating reports that a former VA physician's assistant stored unauthorized personal patient
data on a personal laptop. The data breach occurred at the Atlanta Veterans Affairs Medical Center, VA spokeswoman Katie Roberts
said. In a written statement, Roberts said protecting patient privacy is one of VA's top priorities.
_________________________________________________________________________________________________
ITRC20081231-16 Wyndham Hotel Group

US
12/23/2008
Electronic Business Yes - Published # 21,000
A data security incident at the Wyndham Hotels may have caused customers' names, credit or debit card information to be exposed.
This might have occurred in October. Notices are being sent out. Update: As of 2/16 the Florida AG said that this breach may have
put up to 21,000 Florida residents in jeopardy.
Update 8/11/2009: there may have been a second hacking while fixing the problems from the first hacking. It seems to be contained
to credit transactions only and customers were notified.
_________________________________________________________________________________________________
ITRC20100226-02 Wyndham Hotels

US
2/24/2010
Electronic Business Yes - Unknown # 0
In late January, 2010, Wyndham discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham
Hotels and Resorts (WHR) data centers. By going through the centralized network connections, the hacker was then able to access
and download information from several, but not all, of the WHR hotels and remove payment card information of a small percentage
of our WHR customers. Potentially exposed through this breach are guest and/or cardholder names and card numbers, expiration
dates and other data from the card's magnetic stripe.
_________________________________________________________________________________________________

Copyright 2010 Identity Theft Resource Center
