DATA BREACHES
Information management is critically important to all of us - as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.
The ITRC breach list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. This list is updated daily, and published each Tuesday. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers. ITRC follows U.S. Federal guidelines about what combination of personal information comprises a unique individual, and the exposure of which will constitute a data breach.
There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.
It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:
- Data on the Move
- Accidental Exposure
- Insider Theft
- Subcontractors
- Hacking
Click here to go to the recent High Profile Breaches:
Click here for the 2009 ITRC Breach Report (PDF):
Click here for the 2009 ITRC Breach Stats Report (PDF):
Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the development of the criteria used when assessing breaches and the integrity of its sources. For example, breaches that occurred in any given year or a previous year are included in the year in which the breach was publicized. Each selected incident is required to have been published by a credible media source, such as TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is real and credible. Larger breaches often have multiple attributions, and we usually cite more than one source.
We include in each reported data breach item a link or source of the article, and the information presented by that article. Many times, we have attributions from a multitude of media sources and outlets. ITRC adheres to the facts as reported, and does not alter the previously published information. We always attempt to provide live links back to the original article, but these remain good only as long as the source retains the article at that web URL.
When the number of records exposed is not reported, we note that fact. When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. We do, however, consider “password protected” as not sufficient protection under most circumstances, and do post these events as breaches.
As an authority on data breach exposures, the ITRC is frequently asked if there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. It is the opinion of the ITRC that the criminal population is stealing more data from companies, AND data breaches are being more frequently publicized. ITRC is aware that many breaches go unreported, and we are certain that our ITRC Breach List underreports the problem. One thing we can say with certainty is that this is NOT a new problem.
Click here for 2009 synopsis and reports
Click here for 2008 synopsis and reports
Click here for 2007 synopsis and reports
Click here for 2006 synopsis and reports
Click here for 2005 synopsis and reports
Other websites and resources for data breaches include:
The following breach report contains only those high profile breaches recently publicized. This report is updated as necessary. For full annual reports, go to the links above.
| High Profile Breaches Report |
| Breaches Listed in Alphabetical |
| Full Information on a breach may be found in the ITRC Breach Report by |
| searching for the ITRC Breach ID# |
| ITRC Breach |
Company or Agency |
| State |
| Publish Date |
| Breach Type |
Breach Category |
Records Exposed? |
Records # |
| ________________________________________________________________________________________________________________________ |
| ITRC20081111-02 |
AIG - Medical Excess LLC |
| US |
| 10/1/2008 |
| Electronic |
Medical/Healthcare |
Yes - Published # |
900,000 |
| A special agent for the FBI and other law enforcement officials announced the arrest of a person who stole a computer server with the personal |
| identifying and health care sensitive information for over 900,000 policy holders and then tried to extort AIG for its return. |
| ________________________________________________________________________________________________________ |
| ITRC20090313-03 |
Binghamton University |
| NY |
| 3/10/2009 |
| Paper Data |
Educational |
Yes - Unknown # |
0 |
| Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area next to one of the most |
| trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself contained social security numbers, |
| credit card numbers, scans of tax forms, business information (including social security numbers and salary information for employees of students’ |
| parents), asylum records and more, all kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets |
| ________________________________________________________________________________________________________ |
| ITRC20081017-04 |
Binghamton University |
| NY |
| 10/14/2008 |
| Paper Data |
Educational |
Yes - Published # |
56 |
| Heading by a dumpster on the campus of Binghamton University, a news team inadvertently stumbled upon a pile of official Binghamton University |
| documents containing personal information. All of the files contained Social Security numbers and full names, for fifty-six different people. The ninety- |
| one documents (totaling almost a hundred and fifty pages) were office files from the German Department in the mid-seventies detailing classes, |
| grades, assistant stipends and other personal information including birthdays and addresses. |
| ________________________________________________________________________________________________________ |
| ITRC20091005-04 |
Blue Cross - Blue Shield |
| US |
| 10/3/2009 |
| Electronic |
Medical/Healthcare |
Yes - Published # |
850,000 |
| The Blue Cross Blue Shield national office had a laptop stolen from an employee of the national office in August. The breach involves “tens of |
| thousands” of physicians nationwide, although the precise number is unclear, according to a national Blue Cross-Blue Shield spokesman. Thirty- |
| nine affiliates feed information about providers into a database maintained by the association’s national headquarters. "Jeff Smokler, national Blue |
| Cross-Blue Shield spokesman, said the insurance giant - roughly 90 percent of physicians nationwide are in its network - encrypts all of its |
| information on company computers, but an employee who was authorized to have the information violated company rules by downloading an |
| unencrypted version onto a personal laptop. Smokler said the data breach was perhaps the most serious for Massachusetts physicians and other |
| providers because they typically use their Social Security number as their tax identification number. Physicians in most other states, he said, choose |
| separate tax ID numbers." |
| ________________________________________________________________________________________________________ |
| ITRC20091006-02 |
BlueCross BlueShield |
| US |
| 10/6/2009 |
| Electronic |
Medical/Healthcare |
Yes - Unknown # |
0 |
| 68 hard drives are missing from the BlueCross BlueShield office in Eastgate, TN. Investigators also want to know why *these* drives might have |
| been targeted. "We don't know what's on the hard drive files. Only Blue Cross Blue Shield does, but as with the medical files and anything else that |
| contains personal information and social security numbers and financial information, there's always the possibility for identity theft," says Sgt. Weary. |
| A Blue Cross spokesperson says she doesn't know if the missing drives contain private patient information. But they are cooperating in the event of |
| ________________________________________________________________________________________________________ |
| ITRC20090212-08 |
Federal Aviation Administration (FAA) |
| US |
| 2/9/2009 |
| Electronic |
Government/Military |
Yes - Published # |
45,000 |
| An FAA union leader says hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and Social |
| Security numbers of 45,000 employees and retirees as of Feb. 2006. The FAA said the hackers hijacked 48 files, two containing sensitive personal |
| information that could expose the employees and retirees to identity theft. |
| ________________________________________________________________________________________________________ |
| ITRC20091006-01 |
Federal Reserve |
| NY |
| 10/6/2009 |
| Electronic |
Banking/Credit/Financial |
Yes - Unknown # |
0 |
| A federal bank information analyst from Elm Park has admitted he stole his fellow employees’ identities so he and his brother could apply for more |
| than $1 million in student and boat loans. Curtis Wiltshire, 34, committed the fraud from 2006 and 2008, while he was working as an information and |
| technical analyst at the Federal Reserve Bank of New York in lower Manhattan. He had access to computer files with other employees’ names, dates |
| of birth, social security numbers and photographs. |
| ________________________________________________________________________________________________________ |
| TX |
| 10/16/2008 |
| Electronic |
Government/Military |
Yes - Published # |
1,000 |
| As many as 1,000 hurricane victims may have had their personal information exposed to a stranger. FEMA says an error by its mailing subcontractor |
| placed one person's aid application under a cover page addressed to another person and each subsequent envelope in the batch was improperly |
| FEMA plans to offer monitoring to anyone whose most private data, including social security numbers, bank account numbers, insurance policy |
| numbers and even annual income, was mistakenly sent to another applicant. |
| ________________________________________________________________________________________________________ |
| ITRC20081223-01 |
FEMA - Katrina |
| LA |
| 12/22/2008 |
| Electronic |
Government/Military |
Yes - Published # |
17,000 |
| FEMA says 16,857 names, Social Security & telephone numbers and other private information were publicly posted on 2 websites last week. The |
| names belonged to applicants from Hurricane Katrina who'd evacuated to Texas, but now live all across the Gulf Coast. FEMA's acting press |
| secretary Terry Monrad says when the agency found out, the names were immediately removed. As of 3/35/09, those affected are just now being |
| ________________________________________________________________________________________________________ |
| ITRC20080110-06 |
Florida Department of Children and Families |
| FL |
| 1/4/2008 |
| Electronic |
Government/Military |
Yes - Unknown # |
0 |
| Thousands of Central Florida day-care-center workers could be at risk of identity theft after burglars stole state computers containing personal |
| information. Although the theft occurred two months ago, the Florida Department of Children and Families is just now notifying about 1,200 day-care |
| providers that their employees, as well as center operations, may be at risk. Social Security numbers, birth dates and other information about day-care |
| workers in Orange, Seminole and Osceola counties were among the data on five laptop computers that were stolen from the DCF office near |
| Orlando Fashion Square mall in Orlando on Nov. 7-8. |
| ________________________________________________________________________________________________________ |
| ITRC20090224-01 |
Govtrip.com |
| DC |
| 2/18/2009 |
| Electronic |
Government/Military |
Yes - Unknown # |
0 |
| Govtrip.com, which handles travel reservations for at least a dozen U.S. government agencies, last week was infected with a virus that tried to install |
| malicious software when users visited the site, causing some agencies to block employees from accessing it, Security Fix has learned. Sometime on |
| Feb. 11, hackers changed the Govtrip.com Web site to redirect visitors to a site that installed malicious software. A number of agencies, including |
| the departments of Agriculture, Energy, Health & Human Services, Interior, Transportation, and Treasury, use the site exclusively to book travel |
| arrangements. Govtrip.com also is used to reimburse workers via direct deposit, which means that many federal employees' checking account |
| information is stored there as well. |
| ________________________________________________________________________________________________________ |
| ITRC20080110-07 |
Health Net |
| CA |
| 1/4/2008 |
| Electronic |
Business |
Yes - Unknown # |
0 |
| Thousands of Health Net employees in Connecticut and other states have been notified that their names and Social Security numbers were on a |
| laptop computer that was stolen more than a month ago from a company vendor. The laptop had information on about 5,000 employees companywide |
| and an undisclosed number of health-care providers outside the Northeast. The company has about 1,600 employees in Connecticut. The laptop did |
| not contain information on employees hired after Jan. 1, 2005. |
| ________________________________________________________________________________________________________ |
| ITRC20090122-02 |
Heartland Payment Systems |
| US |
| 1/20/2009 |
| Electronic |
Banking/Credit/Financial |
Yes - Published # |
130,000,000 |
| Hundreds of credit and debit card holders appear to have been victims of a nationwide data theft carried out against Heartland Payment Systems, |
| which processes cards for 250,000 restaurants, retailers and other businesses. Several Maine credit unions have been told by Visa and MasterCard |
| that fraudulent charges were placed on members' cards between May 16 and August 19, 2008, according to Jon Paradise, a spokesman for the |
| Maine Credit Union League. Many of the charges were tallied at Wal-Mart stores in Texas, he said. According to the Washington Post (Brian |
| Krebs), tens of millions of people may be affected. Baldwin said Heartland does not know how long the malicious software was in place, how it got |
| there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates. "The |
| transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we |
| don't know the magnitude of what was grabbed." |
| Update: As of the end of May 2009, more than 656 institutions have been impacted. As of October the number of records seems to have stabilized at |
| 130 million. ITRC wants to remind all readers: the number of records does not mean number of people. |
| ________________________________________________________________________________________________________ |
| ITRC20090520-01 |
National Archives |
| US |
| 5/20/2009 |
| Electronic |
Government/Military |
Yes - Published # |
100,000 |
| An external hard drive containing 1 terabyte of data from the Clinton Administration is missing from the National Archives and Records |
| Administration. The information includes more than 100,000 SSNs and home addresses of people who visited or worked at the White House. The |
| drive also contained details on the security procedures used by the Secret Service at the White House, as well as event logs, social gathering logs, |
| political records and other information from the Clinton administration. Rep. Darrell Issa, (R-Calif.), ranking member of the House Committee on |
| Oversight and Government Reform, in a statement yesterday said that the loss is believed to have occurred between October 2008 and March 2009. |
| According to Issa, the Archives was in the process of converting information from the drive to a digital records system when it apparently |
| disappeared. The hard drive was apparently removed from a secure storage area to a workplace where at least 100 "badge-holders" had access to it, |
| Issa noted. In addition to those with official access to the area, the IG said that janitors, visitors, interns and others passed through the area, Issa |
| ________________________________________________________________________________________________________ |
| ITRC20090902-02 |
Naval Hospital Pensacola |
| US |
| 9/2/2009 |
| Electronic |
Government/Military |
Yes - Published # |
38,000 |
| Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the disappearance of a laptop |
| computer August 18. The computer's database contains 38,000 pharmacy service customers' names, Social Security numbers and dates of birth on |
| all patients that used the pharmacy in the last year. |
| ________________________________________________________________________________________________________ |
| ITRC20090304-01 |
New York Police Department (NYPD) - Pension |
| NY |
| 3/4/2009 |
| Electronic |
Government/Military |
Yes - Published # |
80,000 |
| A civilian official of the NYPD’s pension fund has been charged with stealing the identities of 80,000 current and retired cops, sources said. Anthony |
| Bonelli allegedly got into a secret backup-data warehouse on Staten Island last month and walked out with eight tapes packed with Social Security |
| numbers, direct-deposit information for bank accounts, and other sensitive material. Bonelli was the fund's director of communications. |
| ________________________________________________________________________________________________________ |
| ITRC20090313-02 |
Norm Coleman Campaign |
| MN |
| 3/11/2009 |
| Electronic |
Business |
Yes - Published # |
4,721 |
| Wikileaks published information to substantiate a rumor that sensitive information belonging to thousands of Coleman's supporters had been floating |
| around the Internet since Jan. 28 "as a result of sloppy handling by the campaign." |
| Wikileaks said the decision to publish the information was prompted by claims from Coleman's campaign that no data had been compromised and by its |
| failure to apologize for the "initial leak" or its subsequent "cover-up." The statement said that Coleman's campaign had known about the breach since |
| January but had failed to notify anyone of the potential compromise of their personal data. Wikileaks claimed that the senator collected detailed |
| information on every supporter and Web site visitor and retained unencrypted credit card information from donors, including their security codes, on |
| ________________________________________________________________________________________________________ |
| ITRC20090427-04 |
Oklahoma Department of Human Services |
| OK |
| 4/23/2009 |
| Electronic |
Government/Military |
Yes - (Password) |
1,000,000 |
| Officials with the Department of Human Services said a computer was stolen from a worker's car on April 3. The machine had names, Social Security |
| numbers and birthdates of people who receive state assistance. Those affected include clients who receive aid from Medicaid, Child Care |
| Assistance, Temporary Assistance to Needy Families, Aid to the Aged, Blind and Disabled and the Supplemental Nutrition Assistance Program. |
| ________________________________________________________________________________________________________ |
| ITRC20081224-01 |
RBS WorldPay |
| US |
| 12/23/2008 |
| Electronic |
Banking/Credit/Financial |
Yes - Published # |
1,500,000 |
| RBS WorldPay (formerly RBS Lynk), the U.S. payment processing arm of The Royal Bank of Scotland Group, today announced that its computer |
| system had been improperly accessed by an unauthorized party. Pre-paid cardholders and other individuals were affected and identified on November |
| 10. RBS WorldPay's internal security professionals and outside experts are working with federal and state law enforcement authorities in an |
| investigation of this event. The affected pre-paid cards include payroll cards and open-loop gift cards. The fraud that has been identified to-date is |
| associated with RBS WorldPay's computer system supporting its U.S. pre-paid and open-loop gift card issuing business. Actual fraud has been |
| committed on approximately 100 cards. Cardholders will not be responsible for unauthorized activity associated with this event. Certain personal |
| information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 |
| million people may have been accessed. |
| ________________________________________________________________________________________________________ |
| ITRC20081231-08 |
Science Applications International Corporation |
| CA |
| 12/9/2008 |
| Electronic |
Business |
Yes - Unknown # |
0 |
| Science Applications International Corporation ("SAIC"), recipient of a number of large government contracts, notified the New Hampshire Attorney |
| General on December 9th of a security breach involving malware. The specific malware was not named, but was described as “designed to provide |
| The breach was detected on October 28th. In its letter to an unspecified number of affected individuals, SAIC wrote: This letter is to notify you of a |
| potential compromise of your personal information, including your name and social security number, date of birth, home address, home phone number |
| and clearance level and possibly other personal information necessary to complete government security clearance questionnaires (e.g., SF-8SP or |
| ________________________________________________________________________________________________________ |
| US |
| 3/11/2009 |
| Electronic |
Business |
Yes - Unknown # |
0 |
| Sprint is warning several thousand customers that a former employee sold or otherwise provided their account data without permission between Dec. |
| 2008 and Jan 2009. "The information that may have been compromised includes your name, address, wireless phone number, Sprint account number, |
| the answer to your security question, and the name of the authorized point of contact on your account." |
| ________________________________________________________________________________________________________ |
| ITRC20071221-10 |
SunGard Higher Education |
| PA |
| 3/19/2007 |
| Electronic |
Business |
Yes - (Password) |
0 |
| A thief stole a laptop from a parked SunGard employee's vehicle. Names, SSNs, bank transfer ABA numbers and account number and/or credit card |
| information may have been on the laptop. SunGard is an information technology service company and does data management for some New York |
| colleges. Multiple colleges have reported being affected by this theft. A final total is not known. |
| ________________________________________________________________________________________________________ |
| US |
| 1/17/2007 |
| Electronic |
Business |
Yes - Published # |
94,000,000 |
| TJX Cos reported that intruders broke into computers sometime in mid-December and stole an unknown amount of customer data including credit |
| card, debit card, check and merchandise return transactions for TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US. TJX's Bob's |
| Stores and TK Maxx stores are also involved. In addition, Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, said at least eight |
| banks have been affected by a similar breach of information, related to debit cards they issued. The breach may have started as early as 2003. A |
| multi-state and FBI investigation is underway. |
| Update: March - the number of affected consumers revealed in a filing with the SEC is 45.7 million customer records. TJX also reported in the filing |
| that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including drivers' license numbers. |
| Update: A settlement has been reached based on info from VISA and Mastercard. Total records updated to 94 million. |
| ________________________________________________________________________________________________________ |
| ITRC20061009-01 |
Troy Athens High School |
| MI |
| 10/9/2006 |
| Electronic |
Educational |
Yes - Unknown # |
0 |
| – “Alumni of Troy Athens High School learned on Friday that their identity may be at risk. The Troy School District and Superintendent mailed out a |
| letter to former students of the high school who graduated from 1994 to present indicating that a hard drive that was inside a guidance room was |
| stolen. The hard drive was stolen from a computer that was having technical work done. Officials made the discovery of the stolen hard drive in mid- |
| August but failed to inform those affected because, as stated in the letter, they weren’t sure what specific information was stored on the drive. |
| Through an investigation, the school learned that students’ transcripts, test scores, addresses and Social Security numbers were saved on the stolen |
| drive.” (, October 9, 2006) |
| ________________________________________________________________________________________________________ |
| ITRC20090219-01 |
University of Florida - Grove |
| FL |
| 2/19/2009 |
| Electronic |
Educational |
Yes - Published # |
97,200 |
| On January 14, 2009, the University of Florida discovered that a server was accessed by an unauthorized intruder from outside UF. This server |
| contained a file with names, and Social Security Numbers (SSNs) for 97,200 people that used the "Grove" system between 1996 and 2009. Although |
| no evidence was found that this information was accessed, there is no absolute certainty that it was not. |
| ________________________________________________________________________________________________________ |
| ITRC20090925-02 |
University of North Carolina Chapel Hill, Dept. |
| NC |
| 9/25/2009 |
| Electronic |
Medical/Healthcare |
Yes - Published # |
163,000 |
| A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC-Chapel Hill research study. Among the |
| information exposed: the Social Security numbers of 163,000 study participants." Though the intrusion was detected in late July, computer forensics |
| experts say it may have happened two years ago, said Matthew Mauro, chairman of the UNC-CH Department of Radiology. The medical school will |
| send letters to all 236,000 study participants about the security breach. School officials said they held off on notifying participants until they had |
| completed their investigation and would be able to field questions." |
| ________________________________________________________________________________________________________ |
| ITRC20071231-01 |
US Air Force |
| US |
| 12/28/2007 |
| Electronic |
Government/Military |
Yes - Published # |
10,501 |
| On November 18, a laptop belonging to an Air Force band member at Bolling Air Force Base in DC turned up missing. The information included |
| SSNs, birth dates, and telephone numbers of active and retired Air Force members. The Air Force tells WSFA 12 News it was intended to be used |
| for an Air Force Band Historical Documentation. |
| ________________________________________________________________________________________________________ |
| ITRC20091002-02 |
US Military |
| US |
| 10/1/2009 |
| Electronic |
Government/Military |
Yes - Published # |
76,000,000 |
| The Inspector General of the National Archives and Records Administration is looking into a potential data breach of millions of records about US |
| military veterans. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. |
| The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions |
| of Social Security numbers dating to 1972. The Pentagon requires that old drives be degaussed (demagnetized) or physically destroyed. |
| ________________________________________________________________________________________________________ |
| ITRC20090410-01 |
Vavrinek, Trine, Day and Co. |
| CA |
| 4/10/2009 |
| Electronic |
Banking/Credit/Financial |
Yes - (Password) |
0 |
| The theft of six laptop computers from an auditing firm has led the Borrego Springs Bank to send warning letters to all of its customers saying their |
| personal financial information may be in the hands of criminals. The bank released this brief statement: “Borrego Springs Bank is promptly |
| responding to an isolated incident involving customer information provided to a contracted third party accounting firm. The computer files contain |
| sensitive personal financial information including account name, number and balance.” Update: More than 50 banks now involved. "There was some |
| information, I would say 99.9 percent of it is information someone could get off of your check," said bank president Darrell Lautaret. "It was just name, |
| account number and balances as of August 31, (2008)." |
| ________________________________________________________________________________________________________ |
| ITRC20080110-02 |
Wisconsin Department of Health and Family |
| WI |
| 1/8/2008 |
| Paper Data |
Government/Military |
Yes - Published # |
260,000 |
| Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state to recipients of SeniorCare and |
| other state programs. The mailing was first reported by WKOW on January 8. The state Department of Health and Family Services issued a |
| statement saying the mistake was the fault of EDS, a private vendor for state Medicaid services. Karen Timberlake, deputy secretary of the state |
| department, said the mailing went to about 260,000 Medicaid, SeniorCare, and BadgerCare members. |
| ________________________________________________________________________________________________________ |
| Copyright 2009 Identity Theft Resource Center |