Data Security Breaches: Context and Incident Summaries

Data Security Breaches:
Context and Incident Summaries
Updated May 7, 2007
Rita Tehan
Information Research Specialist
Knowledge Services Group

Data Security Breaches:
Context and Incident Summaries
Personal data security breaches are being reported with increasing regularity.
Within the past few years, numerous examples of data such as Social Security, bank
account, credit card, and driver’s license numbers, as well as medical and student
records have been compromised. A major reason for the increased awareness of
these security breaches is a California law that requires notice of security breaches
to the affected individuals. This law, implemented in July 2003, was the first of its
kind in the nation.
State data security breach notification laws require companies and other entities
that have lost data to notify affected consumers. As of January 2007, 35 states have
enacted legislation requiring companies or state agencies to disclose security
breaches involving personal information.
Congress is considering legislation to address personal data security breaches,
following a series of high-profile data security breaches at major financial services
firms, data brokers (including ChoicePoint and LexisNexis), and universities. In the
past three years, multiple measures have been introduced, but to date, none have been
This report will be updated regularly.

In troduction ......................................................1
Statistics .........................................................3
Data Security Breaches in Federal Agencies.............................5
Data Security Breaches: Highlights....................................9
For Additional Reading............................................75
List of Tables
Table 1. Data Security Breaches in Businesses (2000-2007)...............11
Table 2. Data Security Breaches in Education (2000-2007)................26
Table 3. Data Security Breaches in Financial Institutions (2001-2007).......47
Table 4. Data Security Breaches in Local, State, and Federal Government
(2003-2007) .................................................56
Table 5. Data Security Breaches in Health Care (2003-2007)..............70

Data Security Breaches:
Context and Incident Summaries
Personal data security breaches are being reported with increasing regularity.
During the past few years, there have been numerous examples of hackers breaking
into corporate, government, academic, and personal computers and compromising
computer systems or stealing personal data such as Social Security, bank account,
credit card, and driver’s license numbers, as well as medical and student records.
These breaches occur not only because of illegal or fraudulent attacks by computer
hackers, but often because of careless business practices, such as lost or stolen laptop
computers, or the inadvertent posting of personal data on public websites. A recent
infamous example occurred in May 2006, when 26.5 million veterans and their
spouses were in danger of identity theft because a Veterans Affairs data analyst took
home a laptop computer containing personal data (including names, Social Security
numbers, and dates of birth), which was later stolen in a burglary.1
Depending on the definition, the most common type of identity theft is credit
card fraud, and there is evidence that the extent of credit card fraud has increased due
to opportunities provided by the Internet.2 Although some aspects of identity theft
have been known for many years, it is viewed now primarily as a product of the
information age. A particular crime of identity theft may include one or all of these
Stage 1: Acquisition of the identity through theft, computer hacking, fraud,
trickery, force, re-directing or intercepting mail, or even by legal means
(e.g., purchase information on the Internet).
Stage 2: Use of the identity for financial gain (the most common
motivation) or to avoid arrest or otherwise hide one’s identity from law
enforcement or other authorities (such as bill collectors). Crimes in this
stage may include account takeover, opening of new accounts, extensive
use of debit or credit cards, sale of the identity information on the street or

1 For additional information on legislative proposals introduced after the VA data theft (and
in light of several ongoing information security and information technology management
issues at the VA), see CRS Report RL33612, Department of Veterans Affairs: Information
Security and Information Technology Management Reorganization, by Sidath Viranga
2 Graeme Newman and Megan McNally, Identity Theft Literature Review, National Criminal
Justice Reference Service (NCJRS), 2005, at [


black market, acquisition (“breeding”) of additional identity related
documents such as driver’s licenses, passports, visas, health cards, etc.),
filing tax returns for large refunds, insurance fraud, stealing rental cars, and
many more.
Stage 3: Discovery of the theft. While many misuses of credit cards are
discovered quickly, the “classic” identity theft involves a long period of
time to discovery, typically from six months to as long as several years.
Evidence suggests that the time it takes to discovery is related to the
amount of loss incurred by the victim.3
Identity theft is rarely one crime, but is composed of the commission of a wide
variety of other crimes, such as check and card fraud, financial crimes of various
sorts, various telemarketing and Internet scams, auto theft, counterfeiting and forgery,
The difficulty in studying identity theft is investigating what portion of the long
list of identity theft related crimes is related to the “classic” type of identity theft that
results in repeat victimization. For example, a common type of credit card fraud is
to steal an individual’s credit card. The offender makes a quick purchase of an
expensive item then discards the card. Has the victim’s identity truly been stolen?
The event clearly fits within the definition above, but it is not the wholesale theft of
the victim’s identity. However, should the offender be working with an accomplice,
the card could be turned over several times and even sold on the street. Finally,
should the victim’s driver’s license and other identifying documents such as a health
card with a Social Security number on it also be stolen, the basic elements for
stealing an individual’s identity are present.4
A January 2007 white paper by the computer security research company McAfee
Avert Labs reports a dramatic increase in global identity theft trends.5 One key
finding was that “[p]ersonal data for tens of millions of people disappears each year.
It’s either been stolen or misplaced. Despite this disturbing trend, the number of
complaints is surprisingly low, which leads us to believe the losses are not fully

3 Ibid., p. v.
4 Ibid., p. 14.
5 Francois Paget. Identity Theft, McAfee Avert Labs, January 2007, at
[]. This report
discusses recent high-profile examples of identity theft and how several countries define this
type of fraud and its scope; examines both the criminals and their techniques to better
understand how identity theft has evolved in recent years; and focuses on the victims and
consequences of identity theft.
6 Ibid., p. 3.

A California law that requires notice of security breaches to the affected
individuals is the major reason for the increased awareness of these breaches.7 This
law, which was implemented in July 2003, was the first of its kind in the nation.
State security breach notification requires companies and other entities that have
lost personal data to notify affected consumers. Thirty-five states have enacted
legislation requiring companies or state agencies to disclose security breaches
involving personal information.8 State security freeze9 laws allow a customer to
block unauthorized third parties from obtaining one’s credit report.
Identity theft victims spend almost 300 million hours a year trying to clear their
names and re-establish good credit ratings.10 For additional information on this topic,
see CRS Report RL31919, Remedies Available to Victims of Identity Theft, by Gina
Marie Stevens.
In December 2006, a senior editor for Wired News noted a milestone: “... the
total number of lost or exposed personal records since February, 2005, [has passed]

7 California Department of Consumer Affairs, Office of Privacy Protection, Notice of
Security Breach - Civil Code Sections1798.29 and 1798.82 - 1798.84, updated June 24,
2003, at [
&file=1798.25-1798.29], [
group=01001-02000&file=1798.80-1798.84], and Recommended Practices on Notification
of Security Breach Involving Personal Information, October 10, 2003, at
[ recommendations/secbreach.pdf].
8 See State Security Breach Notification Laws, National Conference of State Legislatures
at []. As of January 9, 2007, the
following states have enacted security breach notification laws: Arizona, Arkansas,
California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois,
Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Montana, Nebraska, Nevada, New
Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma,
Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin.
See also: State PIRG Summary of State Security Freeze and Security Breach Notification
Laws, U.S. Public Interest Research Group (USPIRG) at [
credit/statelaws.htm#breach]. See also CRS Report RS22374, Data Security: Federal and
State Laws, by Gina Marie Stevens.
9 A security freeze law allows a customer to block unauthorized third parties from obtaining
his or her credit report or score. A consumer who places a security freeze on his or her
credit report or score receives a personal identification number to gain access to credit
information or to authorize the dissemination of credit information. See CRS Report
RS22484, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills,
Tara Alexandra Rainson.
10 Peter Katel, “Identity Theft: Can Congress Give Americans Better Protection?,” CQ
Researcher, June 10, 2005.

the 100 million mark.”11 The New York Times wrote an article discussing this
landmark and questioned the usefulness of computing such data breaches.
[T]he bigger picture here may be that we are now slicing and dicing the niceties
of data breaches against a running tally so large, that it has lost nearly any
meaning at all... ‘The threat of identity theft from data losses is being greatly
exaggerated,’ Fred H. Cate, the director of the Center for Applied Cybersecurity
Research at Indiana University in Bloomington, told this newspaper not long ago.
‘And that’s because a lot of people have fallen into the trap of equating data loss
with identity theft.’ Whether or not that is true is open to debate, but what all
this data loss does represent, however, is the potential for identity theft — one
that will never go away. Sure, it’s a game of odds. There is only so much a crook
can do with a few hundred thousand names and Social Security numbers. But
once they are out there, they are out there for good. Names don’t change.
Neither do Social Security numbers or dates of birth. And as long as it remains
easy enough to fashion that trifecta into a car loan, a home, a credit card, work12
papers, that would seem to be a bit of a long-term problem.
The Identity Theft and Assumption Deterrence Act of 199813 established the
Federal Trade Commission (FTC) as the government entity charged with developing
“procedures to ... log and acknowledge the receipt of complaints by individuals,” as
well as educate and assist potential victims.14 The FTC compiles annual reports and
charts of aggregated statistics on these events, but does not identify which
corporations, organizations, or other entities have been victims of security breaches.
In February 2007, FTC issued its annual report on fraud complaints consumers have
filed with the agency. For the seventh year in a row, identity theft topped the list,
accounting for 36% of the 674,354 complaints received between January 1 and
December 31, 2006.15 Credit card fraud was the most common form of reported
identity theft, followed by phone or utilities fraud, bank fraud, and employment
A number of federal agencies (e.g., the FTC, Department of Justice, Secret
Service, U.S. Postal Service, and Social Security Administration), state attorneys
general, and nonprofit organizations (such as the Electronic Privacy Information
Center) are involved with data privacy investigations or related consumer assistance.

11 Kevin Poulsen, “Data Spills: 100 Million Served,” 27B Stroke 6, December 14, 2006, at
[http://blog.wi ].
12 Tom Zeller, “An Ominous Milestone: 100 Million Data Leaks,” New York Times,
December 18, 2006, p. C3.
13 Identity Theft and Assumption Deterrence Act, as amended by P.L. 105-318, 112 Stat.

3007 (October 30, 1998), at [].

14 For an overview of the federal laws that could assist victims of identity theft with purging
inaccurate information from their credit records and removing unauthorized charges from
credit accounts, as well as federal laws that impose criminal penalties on those who assume
another person’s identity through the use of fraudulent identification documents, see CRS
Report RL31919, Remedies Available to Victims of Identity Theft, by Gina Marie Stevens.
(Relevant state laws are also discussed.)
15 Federal Trade Commission press release, “FTC Issues Annual List of Top Consumer
Complaints,” February 7, 2007, at [].

None of them maintain a comprehensive itemized list of data security breaches.16
However, the Privacy Rights Clearinghouse maintains a frequently updated
chronology of data breaches from February 2005 to the present.17
The United States Computer Emergency Readiness Team (US-CERT) interacts
with federal agencies, industry, the research community, state and local governments,
and others to collect reasoned and actionable cybersecurity information and to
identify emerging cybersecurity threats. US-CERT has recently begun monitoring
trends involving the acquisition of personally identifiable information (PII) by
unauthorized, malicious users. Based on the information reported in the first quarter
of FY2007, US-CERT identified the following cybersecurity trends: phishing18 made
up the bulk of security threats reported to US-CERT, accounting for almost 75% of
all incidents handled. The number of reports grew by more than 500%, with just over
16,000 reports in FY2006 Q1, compared with over 103,000 in FY2007 Q1. The
second highest category was “others,” the bulk of which generally fell into two main
areas: investigations, which were incidents found by US-CERT analysts combing
through data, and incidents involving PII, both cyber and non-cyber in nature. The
remaining 8% of incidents were spread across malware, equipment theft/loss, policy
violations, and suspicious network activity.19
Data Security Breaches in Federal Agencies
In reports to Congress since 1997, GAO has identified information security as
a government-wide high-risk issue.20 In their FY2006 financial statement audit
reports, 21 out of 24 agencies indicated that they had significant weaknesses in
information security controls. As shown in reports by GAO and agency inspectors

16 For a brief discussion of federal and state data security laws, see CRS Report RS22374,
Data Security: Federal and State Laws, by Gina Marie Stevens.
17 Privacy Rights Clearinghouse, A Chronology of Data Breaches at
[]. The Privacy Rights
Clearinghouse (PRC) is a nonprofit consumer organization which seeks to raise consumers’
awareness of how technology affects personal privacy, and to document privacy complaints.
The chronology “begins with ChoicePoint’s 2/15/05 announcement of its data breaches
because it was a watershed event in terms of disclosure to the affected individuals.”
18 Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking
email in an attempt to gather personal and financial information from recipients. Typically,
the messages appear to come from well-known and trustworthy websites. Websites that are
frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America
Online. (Source: by, at
[ 0,290660,sid14_gci916037,00.html ].
19 US-CERT, Quarterly Trends and Analysis Report, March 1, 2007, at
[]. This report summarizes
and provides analysis of incident reports submitted to US-CERT during the first quarter of
FY2007 (October 1, 2006, to December 31, 2006).
20 Government Accountability Office, Information Security: Persistent Weaknesses
Highlight Need for Further Improvement, GAO-07-751T, April 19, 2007, at
[ h t t p : / / n ew.i t e ms / d07751t .pdf ] .

general (IG), the weaknesses persist in major categories of controls — including, for
example, access controls, which ensure that only authorized individuals can read,
alter, or delete data; and configuration management controls, which provide
assurance that only authorized software programs are implemented. “Organizations
can reduce the risks associated with intrusions and misuse if they take steps to detect
and respond to incidents before significant damage occurs, analyze the causes and
effects of incidents, and apply the lessons learned.”21
In February 2007, the Federal Bureau of Investigation (FBI) reported that 160
laptop computers were lost or stolen in less than four years (February 2002 to
September 2005), including at least 10 that contained sensitive or classified
information — one of which held “personal identifying information on FBI
personnel.”22 According to the report, the FBI failed to report 76% of the missing
laptops to the Justice Department as required. 23
A number of data security breaches by federal agencies revealed many agencies
do not have adequate security controls in place24 (see Table 3, below). In 2006, the
list of agencies with incidents of potentially compromised data included the
Departments of Agriculture, Defense, Energy, Veterans Affairs, and Transportation,
the Federal Trade Commission, the Internal Revenue Service, the Government
Accountability Office, the National Institutes of Health, and the Department of the
Navy. The State Department also suffered a series of hacking attacks. In FY2006,
5,146 incidents were reported to the Department of Homeland Security’s incident
response center for six categories of incidents, a substantial increase in the number
of incidents (3,600) reported the prior year, including 706 instances of unauthorized
access and 1,465 cases of malicious computer code, according to a yearly OMB25
[E]xperts say the federal government faces special challenges because of the
variety of sensitive information it keeps, the increasingly mobile nature of the
federal workforce and the pervasive use of contractors, which allow thousands
of individuals with varying levels of security clearance to access government
databases from remote sites. A 2004 government survey on the work practices
of 1.8 million federal workers found that more than 140,000 had clearance to
connect with government computer systems from home. The IRS says 50,000 of
its employees have laptops allowing them to access personal and business tax
information from anywhere. And 133 Education Department personnel can

21 Ibid., p.2.
22 U.S. Department of Justice, Office of the Inspector General, Audit Division, The Federal
Bureau of Investigation’s Control over Weapons and Laptop Computers Follow-up Audit,
Audit Report 07-18, February 2007, at [
23 Ibid., p. 6.
24 Rebecca Adams, “Data Drip: How the Feds Handle Personal Data,” CQ Weekly, July 10,

2006, p. 1846.

25 Office of Management and Budget, FY 2006 Report to Congress on Implementation of
The Federal Information Security Management Act of 2002, March 1, 2007 at
[ h t t p : / / www.whi t e house.go v/ omb/ i n f o r e g/ r e por t s / 2006_f i s ma _r epor t .pdf ] .

access more than 10,000 records containing student loan recipients’ personal26
In a report released in October 2006, the House Government Reform
Committee27 summarized information provided to the Committee by 19 federal
departments and agencies regarding the loss or compromise of personal information
since January 2003. The report finds that every agency has experienced at least one
such breach and that the agencies do not always know what information has been lost
or how many individuals could be affected. 28
In June, 2006, the Office of Management and Budget issued new security
guidelines requiring federal civilian agencies to implement new measures to protect
sensitive personal information held by federal agencies.29 To comply with the new
policy, agencies will have to encrypt all data on laptop or handheld computers unless
the data are classified as “non-sensitive” by an agency’s deputy director. Agency
employees also would need two-factor authentication — a password plus a physical
device such as a key card — to reach a work database through a remote connection,30
which must be automatically severed after 30 minutes of inactivity.
The President’s Identity Theft Task Force,31 which was established by Executive
Order on May 10, 2006,32 is now composed of 18 federal agencies and departments.
After a year of study, the Identity Theft Task Force released its final
recommendations in April 2007.33 The recommendations include the following:
!Reduce the unnecessary use of Social Security numbers by federal
!Establish national standards that require private sector entities to
safeguard the personal data they compile and maintain and to

26 Zachary Goldfarb, “To Agency Insiders, Cyber Thefts And Slow Response Are No
Surprise,” Washington Post, July 18, 2006, at [
wp-dyn/content/article/2006/07/17/AR2006071701170.html ].
27 In the 110th Congress, the House Government Reform Committee was renamed the House
Committee on Oversight and Government Reform.
28 U.S. House of Representatives. Committee on Government Reform, Staff Report Agency
Data Breaches since January 1, 2003 at [].
See also Agency response letters at House Committee on Government Reform website at
[ story.asp?ID=1127].
29 Office of Management and Budget Memorandum for the Heads of Departments and
Agencies, Protection of Sensitive Agency Information, June 23, 2006, at
[ h t t p : / / www.whi t e house.go v/ OMB/ me mo r a nda/ f y2006/ m06-16.pdf ] .
30 Ibid.
31 Identity Theft Task Force website at [].
32 Executive Order 13402, “Strengthening Federal Efforts to Protect Against Identity Theft,”
May 10, 2006, at [].
33 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan,
April 2007 at [].

provide notice to consumers when a breach occurs that poses a
significant risk of identity theft,
!Implement a broad, sustained awareness campaign by federal
agencies to educate consumers, the private sector, and the public
sector on methods to deter, detect, and defend against identity theft,
!Create a National Identity Theft Law Enforcement Center to allow
law enforcement agencies to coordinate their efforts and information
more efficiently, and investigate and prosecute identity thieves more
effect i v el y. 34
In June 2006, a group of government agencies, corporations, and universities
launched a research center dedicated to the study of identity fraud. The Center for
Identity Management and Information Protection is dedicated to furthering a national
research agenda on identity management, information sharing, and data protection.35
Congress considered legislation in the 109th Congress to address data security
following a series of high-profile data security breaches at major financial services
firms and data brokers, including ChoicePoint and LexisNexis. Multiple measures
were introduced in 2005 and 2006, and several were reported out of committee, but
none were brought to the floor. For information on proposed data security legislation
in the 110th Congress, see CRS Report RL33273, Data Security: Federal Legislative
Approaches, by Gina Marie Stevens.
For a discussion of legislative and other issues on this topic, see
!CRS Report RS22374, Data Security: Federal and State Laws, by
Gina Marie Stevens;
!CRS Report RL33273, Data Security: Federal Legislative
Approaches, by Gina Marie Stevens;
!CRS Report RS22484, Identity Theft Laws: State Penalties and
Remedies and Pending Federal Bills, by Tara Alexandra Rainson;
!CRS Report RL33005, Information Brokers: Federal and State
Laws, by Angie A. Welborn;
!CRS Report RL33612, Department of Veterans Affairs: Information
Security and Information Technology Management Reorganization,
by Sidath Viranga Panangala;
!CRS Report RL31919, Remedies Available to Victims of Identity
Theft by Gina Marie Stevens; and
!CRS Report RS22082, Identity Theft: The Internet Connection, by
Marcia S. Smith.

34 Ibid.
35 Center for Identity Management and Information Protection, at [
academic/institutes/cimi p/].

Data Security Breaches: Highlights
Tables 1 through 5 summarize selected data security or identity theft breaches
reported in the press since 2000. A few highlights compiled from the report include
the following.
!More than half of the security breaches occurred at institutions of
higher education. (A Chronicle of Higher Education article
examines why this is so, noting that while colleges have become
better at detecting electronic break-ins, security practices,
particularly password protections, are lax.36 In addition, academic
culture embraces the open exchange of information and provides a
target-rich environment for data breaches — an abundance of
computer equipment filled with sensitive data and a pool of
financially naive students.37) In September 2006, Louisiana State
University (LSU), under a year-long agreement with Equifax Inc.,
provided students, faculty and staff members with free daily
monitoring of their credit reports and $2,500 in identity-theft
insurance. LSU claims this is the first agreement of its kind between
a credit agency and a higher-education institution. The university
will pay Equifax, Inc. $150,000.38
!Other prevalent targets for identity theft are financial institutions
(banks, credit card companies, securities companies, etc.), and
government agencies (international, federal, state, and local).
!The AARP analyzed 244 publicly disclosed security breaches from
January 1, 2005 through May 26, 2006, identified by the Identity
Theft Resource Center (ITRC).39 An examination of the most
frequent cause of reported security breaches reveals that a third of all
breaches were caused by hackers who broke into computer systems
to gain access to sensitive personal information. The analysis finds
that educational institutions are more likely than any other type of
entity to report having had a security breach. In fact, educational
institutions were more than twice as likely to report suffering a
breach as any other type of entity. Physical theft of computers,
computer equipment, or paper files is the next most common cause
of security breaches, followed by improper display (allowing

36 Dan Carnevale, “Why Can’t Colleges Hold On to Their Data?,” Chronicle of Higher
Education, May 6, 2005, p. A35.
37 Reuters, “U.S. Colleges Struggle to Combat Identity Theft,” eWeek, August 17, 2005, at
[ h t t p : / / www.f i ndar t i c l e p/ ar t i c l e s/ mi _zdewk/ i s _200508/ ai _n14906864] .
38 Andrea L. Foster, “Louisiana State U. Signs Deal to Protect Students and Employees in
Case of Data Breach,” Chronicle of Higher Education, September 13, 2006, at
[ daily/2006/09/2006091301t.htm] .
39 AARP, “Into the Breach: Security Breaches and Identity Theft,” July 2006, at
[ ht t p: / / www.aar p.or g/ r e sear ch/ f r a uds-s cams / f r a ud/ dd142_secur i t y_br ml ] .

sensitive personal information to be viewed by those who should not
have access (for example, printing of Social Security numbers on
address labels, inadvertently making sensitive personal information
accessible on Internet sites viewable by the general public, or not
properly disposing of files containing sensitive personal

Table 1. Data Security Breaches in Businesses (2000-2007)
Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
hnny’s Selected SeedsMarch 2007customers11,500credit card informationSecurity Log,ComputerWorld,
nslow, ME) - hacker brokeMarch 8, 2007.
websiteNote: 20 stolen card numbers
have been used fraudulently
Maxx date breach (see below) February 2007customersundiscloseddrivers license numbers,Greenemeir, Larry, “ T.J. Maxx Probe
iki/CRS-RL33199rse than previously thought.ile the company previouslynames, addresses werecompromised for the last fourReveals Data Breach Worse ThanOriginally Thought, Information
g/wlieved that the intrusion tookmonths of 2003 and May andWeek, February 21, 2007 at
s.orrom May 2006 to JanuaryJune 2004[
leakJX now believes itsry/showArticle.jhtml?articleID=19700
puter system was hacked in7754&cid=RSSfeed_IWK_News].
://wikily 2005 and on various
httpbsequent dates in 2005.
Home - stolen computerJanuary 2007customers2,700names, SSNs of people whoRupon, Kristy, “KB Home warns of
had visited the sales office forID theft risk: Home builder issues
Foxbank Plantation, a newalert to customers after computer is
home community in Berkeleystolen from companys Charleston
County sales, The State (Columbia, SC),
January 18, 2007.

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
nwide Mutual Insurance -January 2007customers of health28,279names, SSNs, hospital stayBabcock, Charles, Data On 28,279
lockbox containinginsurance unit, Nationwideinformation. To find theNationwide Customers Stolen,
stomer information backupHealth Plansinformation on the tapesInformation Week, January 25, 2007,
stored at subcontractorrequiresa very specificat
ncenta Preferred Systemshigh-tech tape reader with[
aymouth, MA) officematching software,” that policery/showArticle.jhtml?articleID=19700
concluded was unlikely to be0630&cid=RSSfeed_IWK_News].
accessible to the thieves
iki/CRS-RL33199J. Maxx, Marshalls,January 2007customersundisclosedcredit card, debit card, check,Vijayan, Jaikumar, “Breach at TJX
g/wmeGoods, A.J. Wright, andand merchandise returnPuts Card Info at Risk; Network
s.orsibly Bob’s Stores in U.S. &transactionsintrusion shows IT security still not
leakerto Rico — Winners andup to snuff at some retailers, despite
eSense stores in Canada — push for stronger protections,”
://wikid possibly T.K. Maxx stores inComputerworld, January 17, 2007.
httpd Ireland - TJX Companies
c. experienced an
nauthorized intrusion into its
puter systems that process
d store customer transactions
ia (parent company of PhillpJanuary 2007past and present18,000names, SSNs, salaries, dates ofJones, Chip. “Altria employees’ data
s/Kraft Foods) viaemployeesbirthmissing / Personal information was on
nsultant Towers Perrin (Newlaptop taken from firm in New York,
rk, NY) - five stolen laptopsnote: employee was arrestedpolice say,Richmond Times-
and charged with theftDispatch, January 12, 2007, p. B1.

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
eing (Seattle, WA) - laptopDecembercurrent and former400,000names, addresses, SSNs, phoneWallace, James,Worker Fired over
from employee’s car2006employeesnumbers, dates of birth, salaryLost Laptop; Boeing Managers to Be
informationReprimanded for Leaving Employees
Vulnerable,” Seattle Post-
note: Boeing fired employeeIntelligencer, December 15, 2006.
whose laptop was stolen and
some managers will be
d iscip lined
iki/CRS-RL33199bucks (Seattle, WA) - fourNovembercurrent and former60,000names, addresses, SSNsHarris, Craig,Starbucks Data
g/w misplaced from2006employeesMissing ; Company Says Laptops
s.orarterswith Employees Records Are Lost,”
leakSeattle Post-Intelligencer, November
4, 2006, p. E1.
://wikimboree(San Francisco, CA) -October 2006employees20,000names, SSNsGymboree gumshoe hunts thief,
httpice in one week, three laptopsSan Francisco Chronicle, October 27,
en from headquarters2006, p. D1.
Mobile USA (Bellevue, WA) -October 2006current and former43,000names, addresses, SSNs, homeRogoway, Mike, “T-Mobile reports
op disappeared fromemployeesphone numbers, dates of birth,ID-theft risk, The Oregonian
ployees checked luggagesalary information(Portland), October 20, 2006.

op was protected by

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
eral Electric (Frairfield, CT) -Septembercurrent and former50,000names, SSNsAnderson, Eric and Rick Clemenson,
op stolen from locked hotel2006employees50,000 among missing at GE ;
(computer was passwordNames in stolen laptop have retiree
questioning companys need for
sensitive lists,” Times-Union
(Albany), September 27, 2006, p. A1.
&T - hackers broke intoAugust 2006customers who purchased19,000credit card dataAssociated Press, “Hackers Gain Data
iki/CRS-RL33199puter systemDSL equipment fromAT&T online storeon AT&T Shoppers,”, August 30, 2006.
s.ortomated Data ProcessingJuly 2006individual investors withhundreds ofnames, addresses, number ofSpangler, Todd, “ADP Duped into
leakDP) (Roseland, NJ) -an60 companies includingthousandsshares held of investorsDisclosing Data,”,
uthorized party impersonatedFidelity, UBS, MorganJuly 10, 2006, at
://wikificers” to obtain information onStanley , Bear Stearns,[
httpstorsCitigroup, Merrill Lynch/0,1540,1986655,00.asp].
iser HMO - stolen laptopJuly 2006HMO subscribers to160,000names, phone numbers, KaiserSingel, Ryan,Kaiser Joins Lost
Kaiser health plannumbersLaptop Crowd,” InfoSecurity, July 30,
2006, at
[ http ://info secur mb o //co ntent
S. Stars (insurance contractor) -July 2006injured New York state540,000SSNs, names, addressesHines, Matt,Insurance Company
t computer containingworkers (claimingLoses 540,000 N.Y Employee
rkers recordscompensation funds)Records,” eWeek, July 26, 2006, at
[ h t t p : / / www. e we e k . c o m / a r t i c l e 2 / 0 , 1 8

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
nal Association ofJuly 2006securities dealers who73SSNs of securities dealers, plusJamieson, Dan, “Rule Likely on
rities Dealers (NASD)-were the subject ofinactive account numbers ofNotification of Data Breaches, Some
aton, FL) - 10 stoleninvestigations involvingabout 1,000 consumersSay; Theft of NASD Laptops Raises
opspossible misconduct.Questions about Regulators’
security,” Investment News, July 10,
2006, p. 2.
erican Red Cross, FarmersJuly 2006regional blood donors8,000names, SSNs, birth dates, Schreier, Laura, “Donor Data Stolen
iki/CRS-RL33199anch (Dallas, TX) - 3 stolenopsmedical informationat Local Red Cross Exclusive: 3Laptops from Farmers Branch Office
g/wHeld Encrypted Records,Dallas
s.orMorning News, July 1, 2006, p. 1A.
sys Group Inc.(Roseland, NJ) - July 2006hedge fund donors61,000SSNs of 35,000 individualsClair, Chris,Bisys Discloses Data
://wikiployee’s truck carryingTheft,” HedgeWorld Daily News, July
httpckup tapes was stolen6, 2006 (no page given).
erican International GroupJune 2006employees of various970,000names, addresses, SSNs,Smith, Elliot Blair,AIG: Personal
IG)- burglary of a file servercompanies whosemedical informationData on 970,000 Lost in Burglary;
insurance information wasInsurer Has Yet to Alert Those
submitted to AIGAffected by March 31 Break-in,USA
Today, June 19, 2006, p. 5B.
nst & Young- stolen laptopJune customers243,000names, credit card numbersReilly, David, “ Credit-
Card Data Lost in Stolen Laptop
Computer, Wall Street Journal, June
2, 2006, p. A14.

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
ion Pacific- stolen laptopJune 2006employees of the railroad30,000personal dataVijayan, Jaikumar and Todd Weiss,
companyFlurry of New Data Breaches
Disclosed,” Computerworld, June 19,
2006 at
[ h t t p : / / www. c o mp u t e r wo r l d . c o m/ a c t i
o n/ar ticle.d o ? co mma nd =viewAr ticleB
iki/CRS-RL33199ss-Simmons- data breachApril 2006customersundisclosedcredit card numbers, financialinformation, other personalRoss-Simons Says Security BreachExposes Customers,” Computerworld,
g/winformationApril 12, 2006, at
s.or [ h t t p : / / www. c o mp u t e r wo r l d . c o m/ s e c u
leak ritytopics/security/sto ry/0 ,10801,1104
25,00.html? source=x3888].
httpay- hackers harvesting andMarch 2006customersundisclosedaccount informationNiccolai, James,Russian Web Site
g user informationOffered eBay Account Info for $5,”
Computerworld, March 24, 2006, at
[ h t t p : / / www. c o mp u t e r wo r l d . c o m/ s e c u
r ityto p ics/secur ity/cyb er cr ime/sto r y/0 ,
itte & Touche- unencryptedFebruary 2006all U.S. and Canadian9,200names, SSNs, McAfee stockKuruvila, Matthai C., “Security
left on a planeemployees of McAfeeholdingsGiant’s Data Lost,” Silicon Valley,
Software hired beforeFebruary 24, 2006.

April 2005

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
tis Resort- theft from theJanuary 2006customers55,000names, addresses, credit cardIDs of 50,000 Bahamas Resort
tel’s databasedetails, SSNs, drivers licenseGuests Stolen,” CNet News, January
numbers, bank account data10, 2006.
idance Software- hackerDecembersecurity researchers and3,800credit card numbersKrebs, Brian,Hackers Break Into
2005law enforcement agenciesComputer-Security Firms Customer
worldwideDatabase,” Washington Post
December 19, 2005, p. D5.
iki/CRS-RL33199m’s Club-card-skimmingDecembercustomers who bought600credit card informationVijayan, Jaikumar, “Card Skimmers
g/wices2005fuel at its gas stationsEyed in Sams Club Data Theft,”
s.orbetween September 21 andComputerworld, December 14, 2005,
[ h t t p : / / www. c o mp u t e r wo r l d . c o m/ d a t a
://wiki basetopics/d ata/story/0,10801,107067
http ,00.html].
riott Vacation ClubDecembercustomers and employees206,000addresses and credit cardMarriott Vacation Club reports
ternational- missing data tapes2005informationmissing data tapes,” Computerworld,
December 26, 2005, at
[ http ://co mp uter wo r ld .co m/secur ityto
pics/security/sto ry/0 ,10801,107366,00
.html? SKC=security-107366].
ompany- stolenDecembercurrent and former Ford70,000names and SSNsTech Crime Gets Personal at Ford,”
puter2005employees CNN Money, December 22, 2005, at
ws/fortune500/fo rd_theft/].

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
feway - company laptop stolenNovemberemployees1,200names, SSNs, hire dates andAkkad, Dania, “Safeway Discloses
m managers home2005work locationsSecurity Breach,”Monterey County
Herald, November 5, 2005 (no page
gi ve n) .
eing - theft of companyNovembercurrent and former Boeing161,000names, Social Security numbersBowermaster, David and Dominic
puter2005workers(SSNs), some birth dates andGates and Melissa Allison, “161,000
banking information forWorkers Personal Data on PC Stolen
iki/CRS-RL33199employees who elected to usedirect deposit of payrollfrom Boeing,Seattle Times,November 19, 2005, p. A1.
s.ortman Kodak - laptop stolenJune 2005former Eastman Kodak5,800names, Social SecurityDavia, Joy,Kodak Warns of Data
leak a consultants locked carworkersnumbers, birth dates andTheft,” Rochester Democrat and
benefits informationChronicle (New York), June 22, 2005,
://wikip. 8D.
me Warner - loss of 40May 2005current and former600,000names, SSNsZeller, Tom,Time Warner Says Data
puter backup tapesemployees, some of theiron Employees Is Lost,” New York
ntaining sensitive data whiledependents andTimes, May 3, 2005, p. C4.
ng shipped by Iron Mountainbeneficiaries, and
offsite storage centerindividuals who provided
services for the company
I - laptop stolen from a carMay 2005current and former 16,500 names and SSNsYoung, Shawn, “MCI Reports Loss
as parked in the garage atemployeesOf Employee Data On Stolen
home of a MCI financialLaptop,” Wall Street Journal, May
alyst 23, 2005, p. A2.

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
XIS/NEXIS - intruders usedMarch 2005customers32,000names, addresses, passwords,El-Rashidi, Yasmine, “LexisNexis
sswords of legitimate(subsequentSSNs, drivers licenseReports Data Breach; Personal
stomers to get access to ainvestigationRecords Are Hacked as Concerns
t database called Accurint,reveals the actualAbout Security and Identity Theft
ich sells reports tonumber isIntensify,Wall Street Journal,
-enforcement agencies and310,000)March 10, 2005, p. A3; and
sinesses. Later analysis
termined that its databases hadKrim, Jonathan, “LexisNexis Data
iki/CRS-RL33199 fraudulently breached 59es using stolen passwords.Breach Bigger Than Estimated:310,000 Consumers May Be
g/wAffected, Firm Says,” Washington
s.orPost, April 13, 2005, p. E1.
W Shoe Warehouse store -March 2005customers of 103 of theinitiallycredit card informationAssociated Press, “DSW ID Theft
://wikiormation stolen from computerchains 175 stores“hundreds ofMay Affect Over 100,000,” Chicago
httpabase over 3- month periodthousands, thenTribune, March 11, 2005, p. 4; and
raised to 1.4
millionFirm Raises Data Theft Count,”
Washington Post, April 19, 2005, p.
Mobile - hacker intrusion intoFebruary 2005T-Mobile customers400customer records, passwords,Poulsen, Kevin, “Known Hole Aided
pany databaseSSNs, private e-mail andT-Mobile Breach,”Wired News,
candid celebrity photos February 28, 2005, at
[ h t t p : / / www. wi r e d . c o m/ n e ws / p r i v a c y /
note: data offered for sale via0,1848,66735,00.html].

online forum

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
torola - Thieves broke into theJune 2005Motorola employees34,000 in U.S.SSNs and personal informationTwo Computers Stolen with
fices of Affiliated ComputerMotorola Staff Data,” Reuters, June
ices (ACS), a provider of10, 2005.
man resources services, and
o computers
oicePoint - criminals used fakeFebruary 2005 consumers30,000-35,000 innames, addresses, SSNs, creditPerez, Evan, “ChoicePoint Is Pressed
iki/CRS-RL33199mentation to open 50dulent accounts to accessCalifornia;145,000reports to Explain Database Breach,” WallStreet Journal, February 5, 2005, p.
g/wnsumer datanationwideA6.
leakfiliated Computer Services -October 2004county employees900names, birth dates, SSNs, bankWhaley, Monte, “FBI on Weld
ate hacked into countyaccount routing numbers andID-Theft Case Feds to Analyze Data
://wikiabasechecking account numbersfrom Cell of Inmate Who Hacked
httpComputer, Denver Post, November
11, 2004, p. B1.
wes (home improvementJune 2004customersunknownskimmed credit accountRoberts, Paul, “Wireless Hacker
hacker used vulnerableinformation for everyPleads Guilty: Man Admits Using
reless network to attempt totransaction processed at aStore’s Wireless Network to Steal
foparticular Lowes storeCredit Card Info,” PC World, June 7,
2004, at
[ http ://msn.p cwo r ld .co m/news/ar ticle/

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
ay - hackers tricked onlineMarch 2004several eBay merchantscompany didcustomer names, e-mailKirby, Carrie, “New Scam Threat at
rchants who used the PayPalnot discloseaddresses, home addresses andeBay / Hackers Obtained Information
yment processing system intotransactionson Some Customers,San Francisco
losing their user names andChronicle, March 16, 2004, p. C1.
swords, then logged onto the
rchants accounts
kos - hacker installed a keyNovemberCustomers at Internet450SSNs, names, passwords, creditNapoli, Lisa, “A Hacker Masters
iki/CRS-RL33199ger to record every character 13 Kinkos computers2003terminals at 13 Kinkoscopy shops in Manhattancards, bank account dataKeystroke Theft: Personal DataStolen from 450 Victims,
g/wnote: data was soldInternational Herald Tribune, August
s.or9, 2003, p. 1.
xiom (marketing company) -August 2003clients include 14 of the10% of clientelepasswords, personal, financial,Lee, W.A.Hacker Breaches Acxiom
://wikier downloaded datatop 15 credit card(no total numberand company informationData,” American Banker, August 11,
httpcompanies, 5 of the top 6given)2003, p. 5.
retail banks, IBM,
Microsoft, and federal
go ve r nme nt
V - hacker stole tradeApril 2003DirecTV subscribers50,000details about the design andU. of C. Student Pleads Guilty to
for access card customers usedarchitecture of DirecTV’sTheft of Direc TV Card Data ; Trade
counterfeitPeriod 4” cardsSecrets Ended up on Hacker Site,
access cards toEnabling Free Access,Chicago Sun-
watchnote: data was soldTimes, April 30, 2003, p. 16.

without paying

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
I help-desk worker sold clientNovembercredit reporting bureau15,000 (Wirednames, addresses, SSNs, creditDelio, Michelle, “Cops Bust Massive
s codes to two others, who2002customersNews)card ID Theft Ring,” Wired News,
used the codes to obtain30,000 (SeattleNovember 25, 2002, at
re than 15,000 customer creditTimes)[
0,1848,56567,00.html]; and
note: data sold, for $60 perMasters, Brooke, “Huge ID-Theft
recordRing Broken; 30,000 Consumers at
iki/CRS-RL33199Risk ; Men Charged with StealingPersonal, Financial Data ,” Seattle
g/wTimes, November 26, 2002, p. A1.
leakest Express Airlines andApril 2002Midwest Express Airlinesunknownpassenger names and airportLarson, Virgil,Computer Hackers
eral Aviation Administrationcustomers; FAA (twosecurity screening resultsBreach Midwest Express Systems,
://wikiackers posted list of customerseparate incidents)Omaha World-Herald, April 22,
httpmes to website and posted a list2002, p. 1D.
airport security screening
lts taken from the FAAs
ste m
oicePoint - Nigerian-born2002unknown7,000-10,000names and SSNsAssociated Press, “ChoicePoint
her and sister posed asinquiries onSuffered Previous Breach: Two ID
itimate businesses to set upnames and SSNs,Thieves Arrested in 2002 for Tapping
oicePoint accounts then usedinto Data” MSNBC, February 3,
identities tonote: data was sold2005, at
commit fraud[

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
w York City restaurant busboyMarch 2001chief executives, 200 SSNs, home addresses andHays, Tom,Busboy Hacks Only the
ped credit reporting companiescelebrities and tycoonsbirth dates, credit card numbersRichest, Used Forbes List in Plot to
providing detailed creditfrom Forbes list of richestSteal Identity, Credit Info, Big
s AmericansBucks,Pittsburgh Post-Gazette,
March 21, 2001, p. A11.
d Economic Forum -February 2001attendees 3,200passport numbers, cell phoneHiggins, Alexander, “Hackers Steal
ers broke into computernumbers, credit card numbers,World Leaders Personal Data,”
iki/CRS-RL33199exact arrival and departuretimes, hotel names, roomChicago Sun-Times, February 6,2001, p. 20.
g/wnumbers, number of overnights,
s.orsessions attended, plus
leakinformation on 27,000 people
who have attended the global
://wikiforum in recent years
ternational credit card ring addsJanuary 2001Internet shopping sitesunknowncredit card numbersJames, Michael, “Small-time Thefts
dulent charges of 277Reap Big Net Gain Tens of
ssian rubles ($5-10) to creditThousands of Phony $5-$10
note: data was soldCredit-Card Charges Rake in Millions
for Hackers,Orlando Sentinel,
January 27, 2001, p. E5.

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
ghead - hacker attackedDecembercustomers3.5 million creditcredit card infoSayer, Peter, “Egghead Says
puter system2000card accounts;Customer Data Safe After Hack
7500 of whichAttack,” PC World, January 8, 2001
sho we d at
suspected [ http ://msn.p cwo r ld .co m/news/ar ticle/
fr a u d u l e nt 0,aid,37781,00.asp].
iki/CRS-RL33199estern Union - hackers madeic copies of the credit andSeptember2000customers who transferredmoney on a company15,700credit and debit cardinformationCobb, Alan, “Hackers Steal CreditCard Info from Western Union Site,”
g/wbit card informationwebsiteChicago Sun-Times, September 11,
s.or2000, p. 22.
erica Online - AOLJune 2000customers500 records werenames, addresses, and creditHackers Breach Security At America
://wikistomer-service representativesviewedcard numbersOnline Inc,” Wall Street Journal, June
httpstakenly downloaded an e-mail19, 2000, p. A34.
ment sent by hackers
o British teens intruded into 9March 2000customers26,000 creditcredit card dataSniffen, Michael, “2 Teens Accused
merce websites in thecard accountsof Hacking Charged in $3 Million
ited States, Canada, Thailand,note: some data was posted onCredit Card Theft,” Chicago Sun-
pan and Britain the WebTimes, March 25, 2000, p. 9.
Universe (online music store)January 2000customers300,000credit card numbersAssociated Press,Hacker Said to
acker stole credit card numbersSteal 300,000 Card Numbers,
d released thousands of themnote: Maxus Credit CardArizona Republic, January 11, 2000,
a website when the companyPipeline Website posted up top. A3.

used to pay a $100,000 ransom25,000 stolen numbers

Business IncidentsDatePublicizedWho Was AffectedNumberAffectedType of DataReleased/CompromisedSource(s)
ic Bell - 16-year-oldJanuary 2000subscribers63,000 accountspasswordsGettleman, Jeffrey, “Passwords of
ager hacked into server andwere decrypted;PacBell Net Accounts Stolen;
e passwords330,000Computers: Authorities Say
customers told to16-year-old Hacker Took the Data for
changeFun. Theft Affects 63,000
passwords Customers, Los Angeles Times,
January 12, 2000, p. 2.


Table 2. Data Security Breaches in Education (2000-2007)
Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
Mexico State Univ.April 2007students5,600names, SSNsAssociated Press,Personal data of NMSU students
as Cruces, NM) - personalposted online,” April 19, 2007.
ormation posted to schools
b site
iki/CRS-RL33199iversity of California, SanApril 2007research3,000names, SSNs, and for someRauber, Chris,UCSF research data on at least 3,000
g/wcisco - computer filerver stolen from lockedsubjects inclinical studiesindividuals, personal healthinformationpeople missing in server theft,” San FranciscoBusiness Times, April 18, 2007.
s.orc e
://wikiio State Universityolumbus, OH) - two laptopsApril 2007chemistrystudents3,500names, SSNs, employee IDnumbers, birth dates, gradesBush, Bill, “Hacker, thieves get OSU ID data: About14,000 faculty and staff and 3,500 students affected,”
httpen from professor’s houseColumbus Dispatch, April 17, 2007.
ebruary 2007
io State UniversityApril 2007current and17,500names, SSNs, employee IDBush, Bill, “Hacker, thieves get OSU ID data: About
olumbus, OH) - hackerformer staffnumbers, birth dates14,000 faculty and staff and 3,500 students affected,”
ng foreign Internet addressmembersColumbus Dispatch, April 17, 2007.
oke through computer
e wa l l
icago Public Schools - twoApril 2007current and40,000names, SSNsWalberg, Matthew, “Laptops with teacher data
en laptops formerstolen, Chicago Tribune, April 7, 2007.


Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
iversity of California, SanApril 2007students,46,000names, SSNs, bank accountsLazarus, David, “Security Breached at UCSF,” San
cisco - campus serverfaculty, andFrancisco Chronicle, April15, 2007, p. D1.
mpromisedstaff associated
with UCSF or
UCSF Medical
Center over the
past two years
iki/CRS-RL33199iversity of Missouri,search Board GrantFebruary2007researchers,faculty3,799names, SSNsHacker hits MU database: Personal info stored incomputer system,” Columbia Daily Tribune
g/wplication Systemmembers, (Missouri), February 2, 2007.
s.orolumbia, MO) - a hackercomputer users
leake into computer server
://wikirgia Institute ofFebrurarycurrent and3,000names, addresses, SSNs, otherHackers hit Georgia Tech and steal personal info,”
httpchnology (Atlanta, GA) -2007formersensitive informationAtlanta Business Chronicle, February 21, 2007.
authorized access to employees of
puter account School of
Electrical and
Co mp ute r
E ngi ne e r i ng
nguard University (CostaJanuary 2007financial aid5,105names, SSNs, dates of birth,Edds, Kimberly, “Computer theft puts financial data
a, CA) - two computersapplicants forphone numbers, driver’sat risk for 5,105 students;
en from financial aid office2005-2006 andlicense numbers, lists of assetsCosta Mesa police officer says stolen equipment
2006-2007holds extensive information on aid applicants at
school yearsVanguard, Orange County Register (CA), January
27, 2007.

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
n Illinois UniversityJanuary 2007membership1,400SSNs, birthdates, addressesU.S. State News, “ Computer Theft Results in
harleston, IL) - stolenrosters of of theSecurity Breach; Students Notified,” January 26,
ktopUniversitys 232007.
fraternities and
so r o r ities
iversity of Idaho (Moscow,January 2007university70,000names, addresses, SSNsPrince, Brian,University of Idaho Reports Computer
) - theft of three desktopalumni, donors,Thefts,”, January 12, 2007 at
iki/CRS-RL33199putersstudents andemployees[,1759,2082796,00.asp?kc=EWRSS03129TX1K0000614].
s.ortana State UniversityDecemberstudents who259names, SSNsAssociated Press,University apologizes for
leakozeman, MT) - student2006had paid offmistakenly sharing student information,” December
rking in loan officetheir student27, 2006.
://wikistakenly sent personalloans
httpormation to other students
ississippi State UniversityDecemberstudents and2,400names, SSNs, some dates ofLake, Richard,MSU Data Put Online in Mishap,”
son, MS) - information2006employeesbirthClarion-Ledger (Jackson, Mississippi), December 20,
vertently published on2006, p. 1A.
b site
iversity of ColoradoDecemberindividuals who17,500names, SSNsDanna, Nicole, “U. Colorado security breach not used
oulder) - server hacked2006attendedfor nefarious purposes,” University Wire, December
orientation19, 2006.

sessions from
2002 to 2004

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
verside High SchoolDecemberemployeesthousandsnames, SSNsDopart, Brianne, “Students accused of hacking DPS;
urham, NC) - two students2006(unspecified)Two told teacher about security breach found during
sed of hacking intocomputer class,Herald-Sun (Durham, NC),
abasesDecember 15, 2006, p. B1.
ginia CommonwealthDecemberstudents561 students names, SSNs, addresses, gradeRobertson, Gary, “E-mail includes data on
iversity (Richmond, VA) -2006in the Collegepoint averagesstudents,Richmond Times - Dispatch (Virginia),
rsonal informationofDecember 9, 2006.
iki/CRS-RL33199vertently included in twoail attachmentsHumanitiesand Sciences
s.oriversity of Texas (Dallas) -Decembercurrent and5,000 - 6,000names, SSNs, and in someHacker, Holly, “UTD computer attack worse than
leakmputer network intrusion2006former students,cases, addresses, e-mailfirst thought: Campus officials now say 6,000 at risk
faculty, staff,addresses and telephoneof identity theft,” Dallas Morning News , December
://wikiand othersnumbers14, 2006.
Community CollegeDecemberall registered21,000names, addresses, SSNs, phoneWinslow, Olivia, “College loses data;
arden City, NY) - theft of2006studentsnumbersPrinted list with personal information of Nassau
puter printoutCommunity College students gone missing, officials
say, Newsday, December 6, 2006, p. A9.
lifornia State UniversityNovemberstudents,2,534names, SSNs, campusUS States News, “Education College Alerts Teacher
os Angeles) - stolen USB2006applicants,identification numbers (CIN),Credential Applicants of Information Security
ive containing unencryptedfacultyphone numbers, e-mailIncident,” November 28, 2006.

onal datasupervisorsaddresses

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
eenvilleCounty SchoolNovemberstudents and101,000names, SSNs, dates of birth,Barnett, Ron,Student Data Left on Sold
ict (Greenville, SC) -2006employeesaddresses, phone numbers,Computers,Greenville News (South Carolina),
puters containing personalcontact informationNovember 27, 2006, p. 1A.
ormation inadvertently sold
icago Public School DistrictNovemberformer school1,740names, SSNs, home addressesFlynn, Courtney, “Teachers IDs mailed by mistake:
tractor mistakenly mailed2006employees1,740 Social Security numbers included in city
iki/CRS-RL33199onal information as part of insurance-informationschools packets,Chicago Tribune, November 27,2006.
leakams State CollegeOctoberhigh school184unspecified personal dataSmith, Erin, “Stolen ASC laptop holds student data,”
lamosa, CO) - stolen laptop2006Outward BoundPueblo Chieftain, October 10, 2006.
://wiki stud e nts
nnors StateNovemberstudents who22,500SSNs and other (unspecified)Simpson, Susan, “Stolen computer contained student
llege(Warner, OK) - stolen2006receiveidentifying informationdata,” Daily Oklahoman, November 15, 2006.
op Oklaho ma
Higher Learning
Access Program
sc ho l a r s hi p s
iversity of MinnesotaOctoberstudents200names, university IDs, gradesTosto, Paul, “Second laptop with student data was
pain) - laptop stolen from a2006stolen: No Social Security numbers compromised,”
lty member on a trip toPioneer Press (St. Paul, Minnesota), October 20,
ain 2006.

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
iversity of TexasOctoberstudents2,500names, SSNs, university IDs,“U. Texas-Arlington student info on stolen
rlington) - stolen computers 2006grades, emailscomputers,” University Wire, October 12, 2006.
n Juan Capistrano UnifiedOctoberemployeesunknownunknownMcDonald, John, “Computers stolen from offices of
hool District (CA) - theft of2006Capistrano school district; the five machines, valued
putersat $5,000, may have contained confidential
information on employees, a spokeswoman says,”
Orange County Register (California), October 6,
iki/CRS-RL331992006, p. South_B.
g/woy Athens High SchoolOctober alumni4,400names, addresses, SSNsLewis, Shawn,Alumni will get credit watch;
s.orroy, MI) - stolen hard drive2006In wake of lost data, Troy district offers 14 months of
leakfree identity theft protection,” Detroit News, October
23, 2006.
httpiversity of Iowa DepartmentSeptembersubjects who 14,500SSNsUniversity of Iowa Contacts Research Subjects
Psychology (Iowa City, IA) 2006participated inabout Computer Intrusion,” US Fed News, September
puter attackresearch studies29, 2006.

on maternal and
child health
from 1995 until
the present.

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
estern Illinois University-July 2006students,180,000SSNs, personal data, creditMaguire, John, “Alums Just Told of Computer
er accessed severalcustomers of thecard informationBreach: Data on 180,000 with Ties to WIU Hacked a
ic student servicesuniversity’sMonth Ago, Chicago Sun-Times, July 5, 2006, p. 8.
ste ms o nline
guests of the
university hotel
iki/CRS-RL33199iversity of Tennessee -er broke into UTJuly 2006past and currentemployees36,000SSNs, names, addressesHerrington, Angie, “UT Notifies Workers ofComputer Hacking,Chattanooga Times Free Press,
g/wputerJuly 7, 2006, p. O.
leakrthwestern UniversityJuly 2006students and17,000names, addresses, SSNsHackers break into NU Admissions, Financial Aid
hicago) - hackers broke intoapplicants to theComputers,Chicago Sun Times, July 15, 2006, at
://wiki desktop computers in theschool[
httpe of Admissions ander=[
nancial Aidhack15.html].
e Park TechnicalJuly 2006apprenticeship1,500names, addresses, phoneNews Summaries Ozaukee and Washington
llegestudents back tonumbers, SSNsCounties,” Milwaukee Journal Sentinel, July 16,
eaver Dam, Fond du Lac, &19932006, p. Z3.

est Bend, WI) - missing
puter disk

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
tawba County SchoolsJune 2006students who619names, SSNs, test scores Shain, Andrew, and Hannah Mitchell,619 Students
ewton, NC) - websitehad takenSecure Data Revealed Online: Google Page Showed
posed personal datakeyboarding andSocial Security Numbers, Test Scores, Charlotte
computerObserver, June 24, 2006, p. 1B.
ap p licatio ns
placement test
during the
2001-02 school
iki/CRS-RL33199 year
g/w Francisco State UniversityJune 2006current and3,000names, SSNs, phone numbersAsimov, Nanette, “SFSU students’ information
s.oraculty member’s laptopformer studentsand grade point averages.stolen;
leaklenSchool alerts 3,000 affected by theft of faculty
laptop,” San Francisco Chronicle, June 23, 2006, p.
://wiki B5.
iversity of Kentucky- stolenJune 2006current and6,500SSNsKiernan, Vincent, “Incidents at Two Universities Put
mb driveformer studentsMore Than 200,000 Students at Risk of Data Theft,
The Chronicle of Higher Education, June 19, 2006, p.

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
io University (Athens, OH)May 2006individuals and300,00SSNs, personal information,Vijayan, Jaikumar, “Ohio University Reports Two
ackers breach servers in twoorganizationsbiographical information,Separate Security Breaches,” Computerworld, May 3,
arate incidentslisted in thepatent data, intellectual2006, at
alumni database,property files[
owners ofmmand=viewArticleBasic&articleId=111113&intsrc
patents and=article_pots_bot].
intellectua l
iki/CRS-RL33199 property
g/wiversity-May 2006students and135,000personal information, SSNsSandoval, Greg, “Sacred Heart is Latest University to
s.orers intrude systemsomebe Hacked,” CNet News, May 26, 2006, at
leakindividuals not[].
associated with
://wikithe university
iversity of Texas, Austin-April 2006students,200,000SSNs, biographical materialsAssociated Press, “University of Texas Probes
alumni, faculty,Computer Breach,” MSNBC, April 24, 2006, at
and staff of the[].
business school
iversity of Arizona- hackersFebruaryjournalismundisclosednone so farGrossman, Djamila, “Romanian Hacker Breaks into
eak into journalism2006studentsUA Journalism Computers, Arizona Daily Star,
ents computer systemFebruary 14, 2006, p. B2.

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
e- hackers attackJanuary 2006alumni andundisclosedSSNs, credit card numbers,Roberts, Paul F., “Hackers Target Notre Dame
rverother donors tocheck imagesDonors,” eWeek, January 24, 2006, at
the university[,1895,1915087,00.a
sp ] .
diana University - maliciousNovemberKelly School of5,300personal student informationAssociated Press,IU Finds ‘Malicious’ Software,
ftware programs installed, November 18, 2005, at
siness instructor’s computerstudents[
iki/CRS-RL33199enrolled inintroductoryl/13202338.htm].
g/wbusiness course
s.orbetween 2001-
leak 2005
://wikiiversity of TennesseeNovemberpatients who3,800names and SSNsUT Patients Warned of Stolen Computer,”
httpcal Center - laptop2005receivedChattanooga Times Free-Press, November 2, 2005,
puter stolentreatment inp. B2.
rgia Institute ofNovemberpast, present,13,000SSNs, birth dates, names,Kantor, Arcadiy, “Georgia Tech Computer Theft
chnology Office of2005and prospectiveaddressesCompromises Student Data, The Technique (via
rollment Services -studentsUniversity Wire), November 11, 2005 at
puter theft[].

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
iversity of Tennessee -Octoberstudents and1,900names and SSNsState Briefs: UT Students Private Data Posted on
dvertent posting of names2005employeesthe ‘Net,” The, October 29, 2005, at
d Social Security numbers to[
ternet lists051029/NEWS01/510290327/1006/NEWS01].

iversity of Georgia - hackerSeptembercurrent and1,600 SSNsSimmons, Kelly, “Hackers Breach Database at
employee records server2005formerUGA,” The Atlanta Journal - Constitution,
iki/CRS-RL33199employees ofuniversity’sSeptember 29, 2005, p. C2.
g/wCollege of
s.orAgricultural and
leak E nvi r o nme nt a l
httpi University (Ohio) -Septemberstudents21,762SSNs, gradesGiordano, Joe, “Miami University, Ohio, Finds Huge
ort containing SSNs and2005Online Security Breach,” Journal-News (Hamilton,
ades of more than 20,000OH), September 16, 2005 (no page given).
dents has been accessible
he Internet since 2002
t State University - fiveSeptemberstudents and100,000 names, SSNs, gradesGonzalez, Jennifer, “Student, Faculty Data on Stolen
ktop computers stolen from2005professorsComputers,Plain Dealer (Cleveland), September
pus10, 2005, p. B1.

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
oma State University -August 2005people who61,709names, SSNsPark, Rohnert, “Hackers Hit College Computer
ingeither attended,System: Identity Theft Fears at Sonoma State,” San
applied,Francisco Chronicle, August 9, 2005, p. B2.
graduated or
worked at the
school from
1995 to 2002
iki/CRS-RL33199lifornia State University -fice of the Chancellor mayAugust 2005students whoreceive financial154names, SSNsCalifornia State University Chancellor’s OfficeExperiences Potential Computer Security
g/wve experienced unauthorizedaid and twoBreach,”U.S. States News, August 29, 2005 (no page
s.ors to one of its computersfinancial aidgiven).
leak administrators
://wikiiversity of Florida HealthAugust 2005patients and3,851names, SSNs, dates of birth,Chun, Diane, “3,851 Patients at Risk of ID Theft,
httpces Center/ChartOne -physiciansmedical, August 27, 2005 at
en laptop[
iversity of Colorado -August 2005students and36,000university accounts andUhls, Anna, “U. Colorado students getting
ing into campus Cardfacultypersonal information(re)carded,” University Wire/Colorado Daily, August
fice (creates IDs for staff4, 2005 (no page given).

d students)

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
iversity of North Texas -August 2005current, former38,607names, addresses, telephoneTessyman, Neal, “Hackers Steal Student Info from U.
ingand prospectivenumbers, SSNs, studentNorth Texas, University Wire, August 11, 2005 (no
studentsidentification numbers, studentpage given).
ID passwords, student
classification information and
possibly 524 credit card
numb e r s
iki/CRS-RL33199iversity of Colorado -ers tapped into a databaseAugust 2005student recordsfrom June 199949,000names, SSNs, addresses, phonenumbersMccrimmon, Katie Kerwin, “Hackers Tap CURegistrar’s Database; Privacy of 49,000 Students
g/we registrars officeto May 2001Potentially Invaded in Breach,” Rocky Mountain
s.orand from fallNews (Denver), August 20, 2005, p. 20A.
leak2003 to summer
httplifornia State University,August 2005student workers900names, SSNsTogneri, Chris,Hacker Breaks into Stan State
islaus - hackingComputer, Modesto Bee, August 16, 2005, p. B1.
iversity of SouthernJuly 2005applicants270,000 name, address, SSNs, e-mailHawkins, Stephanie, “Hacker Hits Application
lifornia - individual hackedaddress, phone number, date ofSystem at USC,University Wire/ Daily Trojan,
USC’s online applicationbirth, login informationAugust 18, 2005 (no page given).

ste m

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
ornia Polytechnic,July 2005university31,077names, SSNsRuiz, Kenneth, “Hackers Infiltrate Cal Poly,” Whittier
mona - two computersapplicants andDaily News (CA), August 5, 2005 (no page given).
edcurrent and
former faculty,
staff and
iversity of Colorado,July 2005students and29,000SSNs, names, photographsAssociated Press, “Hackers Break into CU Computers
iki/CRS-RL33199ulder - hackers broke into aputer server containingprofessorsstudents and7,000Containing 36k Records, August 1, 2005.
g/wormation used to issueprofessors
s.ortification cards
igan State University -July 2005students27,000names, addresses, SSNs,Associated Press,Students Informed Social Security
://wiki of a server in thecourse information, personalNumbers Possibly Compromised,” July 7, 2005.
httpllege of Educationidentification numbers
iversity of California, SanJuly 2005students, staff,3,300SSNs, driver license and creditSD UCSD Hackers,City News Service, July 1,
o - hackers broke intofaculty who hadcard numbers2005 (no page given).
versity serverattended or
worked at
Extension in the
past five years
lifornia State UniversityJuly 2005students9613names, SSNsAssociated Press,Hackers crack computers, access
minguez Hills - hackingprivate student information,” July 29, 2005.

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
iversity of Connecticut -June 2005students, staff,72,000names, SSNs, dates of birth,Naraine, Ryan, “UConn Finds Rootkit in Hacked
ing - rootkit (collection ofand facultyphone numbers and addresses Server,” eWeek, June 27, 2005, at
rams that a hacker uses to[,1759,1831892,00.a
sk intrusion and obtainsp].
inistrator-level access to a
puter or computer
twork) placed on server on
tober 26, 2003, but not
iki/CRS-RL33199ntil July 20, 2005
g/wt State University - laptopJune 2005full-time faculty1,400names, SSNsHampp, David, “Kent State U. Faculty Affected by
s.or from employee’s carmembers sinceStolen Computer,” Daily Kent Stater (via University
leak2001Wire), June 22, 2005 (no page given).
://wikiio State University MedicalJune 2005patients15,000patient names, admission andCrane, Misti, “Laptop Containing Patients’ Billing
httpnter - two stolen laptopsdischarge dates, whether theInformation Stolen;
patient had insurance, totalBirth Dates, Social Security Numbers Not in Data
charges and adjustments to theTaken from Consultant, Osu Says, Columbus
account. Dispatch (OH), June 30, 2005, p. 4C.
iversity of Hawaii -June 2005students,150,000SSNs, addresses and phoneAssociated Press,UH Warns of Possible Identity
onest library workerfaculty, staffnumbersTheft,” June 19, 2005.

federal charges ofand library
nk fraud related to identitypatrons at any of
tthe 10 campuses
between 1999
and 2003

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
son Community CollegeMay 2005employees and8,000SSNsComputer Crime: Hacker May Have Stolen Social
hacker breaks intostudents of theSecurity Numbers From Jackson Community
puter systemcollegeCollegea,” Computer Crime Research Center,” May
29, 2005 (no page given).
negie Mellon University -May 2005graduates of the5,000SSNs and personal informationAssociated Press, “Carnegie Mellon Reports
rity breach of school’sTepper SchoolComputer Breach,” MSNBC, April 21, 2005, at
puter networkof Business[].
iki/CRS-RL33199from 1997 to2004; current
g/w gr a d ua t e
s.or stud e nts;
leakapplicants to the
docto ral
://wikiprogram from
http2003 to 2005;
applicants to the
MBA program
from 2002 to
2004; and
ad ministr a tive
ford University- computerMay 2005students and9,600SSNs, resumes, financial data,Musil, Steven, “FBI Probes Network Breach at
stem breachrecruiters of thegovernment informationStanford,” CNet News, May 25, 2005.

uni ve r s i t y

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
rida InternationalMay 2005facultyunknownSSNs, credit card numbersLeyden, John, “Florida Univ on Brown Alert after
iversity (FIU) - a hackerand students Hack Attack,” The Register, April 29, 2005, at
ired user names and[
swords for 165 computers_alert/].
rthwestern UniversityMay 2005faculty,17,500user IDs and passwordsMeglio, Francesca Di, “Hacker Break-In,Computer
ellog School ofstudents, andCrime Research Center, May 23, 2005 (no page
iki/CRS-RL33199anagement) - computertwork breachalumnigiven).
s.oriversity of California, SanApril 2005students, faculty7,000names and SSNs numbersLazarus, David, “Another Incident for UC,” San
leakcisco - hacker gainedand staff Francisco Chronicle, April 6, 2005, p. C1.
s to server used by
://wikinting and personnel
fts University - possibleApril 2005alumni106,000SSNs and other unspecifiedRoberts, Paul, “Tufts Warns 106,000 Alumni, Donors
rity breach in an alumnipersonal informationof Security Breach: Personal Data on a Server Used
d donor database afterfor Fund Raising May Have Been Exposed,
ormal activity on the serverComputerworld, April 13, 2005, at
d December,[
ty/p rivacy/sto ry/0 ,10801,101043,00.html? source=x1 0

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
iversity of Nevada, LasMarch 2005current and5,000personal records, includingLipka, Sara, “Hacker Breaks Into Database for
as - hackers accessedformer studentsbirth dates, countries of origin,Tracking International Students at UNLV,” Chronicle
hool’s Student and Exchangeandpassport numbers, andof Higher Education, March 21, 2005, p. A43.
sitor Information SystemfacultySSNs
EVIS) database
lifornia State University,March 2005students, former59,000SSNsAssociated Press, “Hackers Gain Personal
ico - hackers broke intostudents,Information of 59,000 People Affiliated with
iki/CRS-RL33199rversprospectivestudents, andCalifornia University,”Grand Rapids Press, March22, 2005, p. A2.
g/w faculty
leakiversity of California,March 2005alumni,100,000SSNs numbers, names;Liedtke, Michael, “Laptop Theft Causes Identity
eley laptop stolen fromgraduateaddresses, and birth dates forFraud Worry,” Daily Breeze (Torrance, CA), March
://wikitricted area of campusstudents, and1/3 of affected people28, 2005, p. A10.
httpcepast applicants
rge Mason University -January 2005faculty, staff,30,000names, photos, SSNs, andMcCullagh, Declan, “Hackers Steal ID Info from
ers gained access toand studentscampus ID numbers Virginia University,” Wired News, January 10, 2005,
o r matio n at
[http://news. com. co m/2100-7349_3-5519592.html].
iversity of California, SanJanuary 2005students and3,500names, SSNsYang, Eleanor, “Hacker Breaches Computers That
o (UCSD) - hackeralumni ofStore UCSD Extension Student, Alumni Data, San
ed computer systemUCSDDiego Union Tribune, January 18, 2005, p. B3.

Extensio n

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
iversity of California,OctoberCalifornians1.4 millionSSNs, names, addresses, phoneReuters,Hacker Strikes University Computer
rkeley - hacker2004participating inindividualsnumbers, and dates of birthSystem,”CNET News, October 19, 2004, at
mpromised the university’sCalifornia’s[].
puter systemIn-Home
program since
iki/CRS-RL33199lifornia State - auditor fromAugust 2004380,000 current23,500name, address, SSNsConnell, Sally Ann,Security Lapses, Lost
g/wancellor’s office lost hardand formerEquipment Expose Students to Possible ID Theft; in
s.ore containing personalstudents,the Latest Incident, a Cal State Hard Drive with Data
leakormation applicants, staff,on 23,500 Individuals Is Missing,Los Angeles
faculty andTimes, August 29, 2004, p. B4.
://wikialumni at UC
httpSan Diego and
178,000 at San
Diego State
iversity of California, LosJune 2004blood donors145,000names, birth dates and SSNsBecker, David, “UCLA Laptop Theft Exposes ID
geles - stolen laptop w/Info,”CNET News, October 6, 2004, at
or info[
ID+info/2100-1029_3-5230662.html? tag=nl].

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
iversity of California, SanApril 2004UCSD students,380,000SSNs, and driver licenseSidener, Jonathan, “SD Supercomputer Center
o (UCSD) - hackersalumni, faculty,numbersAmong Victims of Intrusion,San Diego Union
ed security at the Sanemployees andTribune, April 15, 2004, p. B3.
ego Supercomputer Centerapplicants
d the Universitys Business
d Financial Services
a rtme nt
iki/CRS-RL33199rgia Institute ofchnologyMarch 2003patrons of artand theatre57,000credit card numbersLemos, Robert, “Data Thieves Strike Georgia Tech,”Wired News, March 31, 2003, at
g/w program [ http :// m. co m/Data+thieves+str ike+Geo r gia+
s.or T ech/2100-1002_3-994821.html? tag=nl].
iversity of Texas, Austin -March 2003current and55,200names, addresses, SSNs, emailRead, Brock,Hackers Steal Data From U. of Texas
://wikiputer hackers broke intoformer student,addresses, office phoneDatabase,” Chronicle of Higher Education, March 21,
httptabase on multiple occasionsfaculty and staffnumbers2003, p. 35.
members, as
well as jobnote: perpetrator claimed he
applicantsdid not distribute the numbers
and had not used them “to
anyones detriment”
iversity of Kansas - hackerJanuary 2003foreign students1,400SSNs, passport numbers,Arnone, Michael, “Hacker Steals Personal Data on
-in to Student andcountries of origin, and birthForeign Students at U. of Kansas,Chronicle of
change Visitor Informationdates.Higher Education, January 24, 2003 (no page given).

stem (SEVIS)

Education IncidentsDateWho WasNumberType of DataSource(s)
Publicized Affected Affected Released/Compromised
llege of the CanyonsOctobercurrent and36,000 names, SSNs, and photographsMistry, Bhavna, “Identity Theft Alert Issued at
alifornia) - computer hard2001former studentsCollege,” Los Angeles Daily News, October 21, 2001,
e containing personalp. N7.
dent information stolen
iversity of WashingtonDecembercardiology and5,000names, addresses, birth dates,Hacker Steals Patient Records,San Diego Union-
enter - hacker broke2000rehabilitationheights and weights, SSNs, andTribune, December 9, 2000, p. A3.

puter systempatientsthe medical procedure
iki/CRS-RL33199 und e r go ne

Table 3. Data Security Breaches in Financial Institutions (2001-2007)
Financial InstitutionsDateWho Was AffectedNumberType of DataSource(s)
Incident s Publicized Affected Released/Compromised
Horizons CommunityApril 2007credit union9,000loan account informationStates News Service, “New Horizons
edit Union (Denver, CO) -membersCommunity CU Takes Action after
en laptop. Note: computerPotential Data Breach; Members
s protected by two layers ofInformed of Protections,” April 11, 2007.
rity, a unique
er-identifier, and a
iki/CRS-RL33199ltip le-c ha r acter ,
g/wa-numeric password.
s.orneyGram International -January 2007customers79,000names, addresses, phone numbers,Onaran, Yalman and Elizabeth Hester,
leakrver unlawfully accessedand in some cases, bank accountsBreach affects 79,000 MoneyGram
://wikiaccounts; Money-transfer and bill-payingservice doesnt know if hackers stole
httppersonal data, Saint Paul Pioneer Press
(Minnesota), January 13, 2007, p. 1C.
ier Bank - report stolenDecembercustomers1,8000names, account numbers ofSorkin, Michael, “ Bank data stolen out
m truck2006customers who opened accounts inof exec’s vehicle: Names with account
October, 2006numbers were in truck outside award
ceremony,St. Louis Post-Dispatch,
December 6, 2006, p. C1.

Financial InstitutionsDateWho Was AffectedNumberType of DataSource(s)
Incident s Publicized Affected Released/Compromised
Ameritrade - criminals,Decembercustomersunknown;names, addresses, birth dates, SSNsGreenemeier, Larry,Cybercrooks Get
ing stolen customer accounts2006company hasSmarter; E-Trade and TD Ameritrade
ired from a hacked6 millionwere victims of an online brokerage
puter, drove up the pricesclientsnote: TD Ameritrade had to cover $4pump-and-dump scheme, Wall Street &
low-priced stocks throughmillion in fraudulent transactions forTechnology, December 1, 2006, p. 14.
lume purchases andits most recent quarter
sold those shares at a
iki/CRS-RL33199ancial Services- stolenJune 2006District of Columbia13,000SSNs, personal dataDwyer, Timothy,ING Financial to
g/wopgovernment workersNotify Potential Identity Theft Victims,”
s.orand retireesWashington Post, June 19, 2006, p. B4.
ifax Inc.- stolen laptopJune 2006nearly all the U.S.2,500names, SSNsStempel, Jonathan, “Equifax Says
://wikiemployees of theLaptop With Employee Data Was
httpcredit reportingStolen,” eWeek, June 20, 2006, at
bureau [ h t t p : / / www. e we e k . c o m / a r t i c l e 2 / 0 , 1759,
1979296,00.asp? kc=EWRSS03129T X1
elity Investments- stolenMarch 2006Hewlett-Packard196,000personal dataHines, Matt, “Stolen Fidelity Laptop
opemployeesExposes HP Workers,” eWeek, March
23, 2006, at
[ h t t p : / / www. e we e k . c o m / a r t i c l e 2 / 0 , 1895,

Financial InstitutionsDateWho Was AffectedNumberType of DataSource(s)
Incident s Publicized Affected Released/Compromised
nk of America, WashingtonFebruarycustomers using200,000debit card information which wasSandoval, GregWeb of Intrigue Widens
tual- debit cards cancelled2006debit cards issued byused to accrue fraudulent charges in Debit-Card Theft Case,” CNet News,
the two banks atFebruary 13, 2006, at
Sams Club gas[
stations and Officewidens+in+debit-card+theft+case/2100-1
Max 029_3-6038405.html].
eriprise Financial- laptopJanuary 2006customers and230,000names, SSNs, internal accountDash, Eric,Ameriprise Loses Data on
iki/CRS-RL33199tadvisers with thefinancial firmnumbers230,000 Customers and Advisers,” NewYork Times, January 25, 2006.
s.orR Block- Social SecurityJanuary 2006recipients of theundisclosedSSNsGilbert, Alorie, “H&R Block Blunder
leakmbers printed on unsolicitedcompanys taxExposes Consumer Data,” CNet News,
ages containing freepreparation softwareJanuary 3, 2006, at
://wikiftwa r e [ http :// m. co m/H3 8 R+B lo ck+b lu
http nd er+exposes+consumer+data/2100-102
a USADecembercustomers with Visaundisclosedcredit card informationWeinstein, Natalie, “Visa Deals With
2005cards from variousPossible Data Breach,” CNet News,
financial institutionsDecember 24, 2005, at
using a mutual[
me r c ha nt 7759.html].

Financial InstitutionsDateWho Was AffectedNumberType of DataSource(s)
Incident s Publicized Affected Released/Compromised
c.- internet hackerDecembercustomers of the140,000names, birth dates, drivers licenseHackers Reveal 140,000 Customer
2005stock brokerage firmnumbers, phone numbers, bankID’s,” Computer Crime Research
names, bank routing numbers, bankCenter, December 2, 2005 (no page
account numbers, and Scottradegiven).
account numbers
ansUnion (credit reportingNovembercustomers3,600SSNs and personal credit informationPaul, Peralte, “Credit Bureau Burglary
reau) - stolen desktop2005Leaves 3,600 Vulnerable,” Atlanta
iki/CRS-RL33199puterJournal and Constitution, November 11,2005, p. 5G.
s.oroicepoint - Miami-DadeSeptemberconsumers5,103 SSNs, driver’s license informationHusted, Bill, “Another Breach of
leakunty Police Department may2005Records Feared;
ve misused the departmentsChoicepoint Tells 5,103 Customers about
://wikiunt to illegally accessIncident,” Atlanta Journal-Constitution,
httpsumer recordsSeptember 17, 2005, p. 1H.
nk of America - stolenSeptemberVisa Buxx card usersundisclosednames, credit card numbers, bankMcMillan, Robert, “Bank of America
op2005account numbers, routing transitNotifying Customers After Laptop
numbersTheft,” Computerworld, October 7,
2005, at
[ h t t p : / / www. c o mp u t e r wo r l d . c o m/ s e c u r i t
ytopics/security/sto ry/0 ,10801,105246,0
. Morgan (Dallas) - stolenAugust 2005clientsunknownpersonal and financial informationSecurity Breach at J.P. Morgan Private
op Bank,AFX International Focus, August
30, 2005 (no page given).

Financial InstitutionsDateWho Was AffectedNumberType of DataSource(s)
Incident s Publicized Affected Released/Compromised
roup - a box of computerJune 2005personal and home3.9 millionnames, addresses, SSNs andKrim, Jonathan, “Customer Data Lost,
with account informationequity loanloan-account dataCitigroup Unit Says:3.9 Million Affected
r 3.9 million customers wascustomersAs Firms Security Lapses Add Up,
shipment byWashington Post, June 7, 2005, p. A1.
ancial, a unit of
ese credit cardholders - June 2005customers of 26unknownunknown“Japan Cardholders ‘Hit by Theft,BBC
iki/CRS-RL33199ers behind U.S. data thefty have compromised thedomestic Japanesecredit card firmsNews, June 21, 2005 at[
g/wa of Japanese cardholders,4252.stm]. to the government.
leakaudulent transactions have
w emerged in Japan.

Financial InstitutionsDateWho Was AffectedNumberType of DataSource(s)
Incident s Publicized Affected Released/Compromised
terCard - breach occurredJune 2005MasterCard credit40 million names, account numbers, securityKrim, Jonathan and Michael Barbaro,
a processing centercard and some debitcodes, expiration dates40 Million Credit Card Numbers
ucson operated bycard customersHacked: Data Breached at Processing
dSystems Solutions, one ofCenter,Washington Post, June 18, 2005,
eral companies that handlep. A1;
sfers of payment between
k of a credit card-usingZeller, Tom and Eric Dash, “MasterCard
sumer and the bank of theSays 40 Million Files Put at Risk,”New
iki/CRS-RL33199rchant where a purchase wasde. CardSystems computersYork Times, June 18, 2005, p. A1; and
g/wre breached by maliciousEvers, Joris,Credit Card Suit Now
s.orat allowed access toSeeks Damages,” CNET, July
leakstomer data.7, 2005, at
://wiki [ http :// m. co m/Cr ed it+car d + suit+no w+seeks+damages/2100-7350_3-5777
http 818.html].
k of America - laptopJune 2005California customers18,000names, addresses, SSNs, Lazarus, David, “Breaches in Security
from car in WalnutRequire New Laws, San Francisco
eek, CAChronicle, June 29, 2005, p. C1.

Financial InstitutionsDateWho Was AffectedNumberType of DataSource(s)
Incident s Publicized Affected Released/Compromised
Jersey cybercrime ringMay 2005customers of four700,000names, SSNs, bank accountWeiss, Todd, “Scope of Bank Data Theft
inancial records frombanks (Charlotte,informationGrows to 676,000 Customers: Bank
k accountsNorth Carolina-basedEmployees Used Computer Screen
Bank of America andnote: bank employees sold financialCaptures to Snag Customer Data,”
Wachovia, Cherryrecords to collection agencies andComputerworld, May 20, 2005, at
Hill, Newlaw firms.[
J ersey-b ased ytopics/security/cyb ercrime/story/0,1080
Commerce Bank, and1,101903,00.html].
iki/CRS-RL33199PNC Bank ofPittsburgh)
s.oreritrade (securities broker) -April 2005Ameritrade current200,000account informationAmeritrade Loses Customer Account
leakes with back-upand formerInfo,” CNN Money, April 19, 2005, at
ormation on customercustomers[
://wikints ology/ameritrade/index.htm].
BC (global bank) sent outApril 2005holders of General180,000credit card informationSecurity Scare Hits HSBCs
rning letters notifyingMotors MasterCardCards,BBC News, April 14, 2005, at
stomers that criminals maywho had shopped at[
ve gained access to creditPolo Ralph Lauren4477.stm]; and
fo sto r e s
Vijayan, Jaikumar, “Update: Scope of
Credit Card Security Breach Expands,
Computerworld, April 15, 2005, at
[ h t t p : / / www. c o mp u t e r wo r l d . c o m/ s e c u r i t
ytopics/security/sto ry/0 ,10801,101101,0

Financial InstitutionsDateWho Was AffectedNumberType of DataSource(s)
Incident s Publicized Affected Released/Compromised
nk of America - computerFebruaryGSA charge card1.2 millioncustomer and account informationCarrns, Ann,Bank of America Is
ta tapes lost during shipment2005program (Visa cardsMissing Tapes With Card Data,Wall
issued to federalStreet Journal, February 28, 2005, p. B2.
ells Fargo - computers stolenNovembermortgage andcompany customers’ names, addresses, andBreyer, R. Michelle, “Wells Fargo
Wells Fargo vendor2004student-loanwould notSSNs, and account numbersCustomer Data Stolen in Computer Theft
customersdisclose,”Austin-American Statesman, November
iki/CRS-RL331993, 2004, p. D1.
g/wells Fargo - hacker arrestedNovembercustomers withcompanynames, addresses, account and SSNsSuspect Is Arrested in Theft of Bank
s.or stolen computers and2003personal lines ofwould notData,” Los Angeles Times, November 27,
leakopcredit used fordisclose2003, p. C2.
consumer loans and
://wikioverdraft protection
eichert Financial Services -May 2003clients3,774credit reports, driver’s license infoAssociated Press, “Pair Accused of
it profiles were unlawfullyFraud in Credit Reports’ Theft:
sed from internalAllegedly Used Data to Buy Goods over
puter systemthe Internet,”The Record (Bergen
County, NJ), May 2, 2003, p. A10.

Financial InstitutionsDateWho Was AffectedNumberType of DataSource(s)
Incident s Publicized Affected Released/Compromised
a, MasterCard, AmericanFebruarycredit card customersPNC BankATM/debit/check cardsSabatini, Patricia, “PNC Cancels 16,000
press and Discover account2003cancelledCards After Hacking Theft Incident,”
mbers - hacker stole 816,000 cards;Pittsburgh Post-Gazette, February 20,
nCitizens Bank2003, p. C1.
iki/CRS-RL33199llerton, California - bogust card ring opened bankJune 2001impersonated morethan 1,500 people1,500birth dates, SSNs, mothers maidennames, credit cards, driver’s licenses,Brown, Aldrin and Jeff Collins,Suspicious Mail Triggered Probe of
g/wnts, credit lines, auto andnationwide andand receipts for car and homeIdentity Theft Crime Losses from the
s.orme loansdefrauded 76purchases.Alleged Ring, Which Used Data Stolen
leakfinancial institutionsas Far Back as the Early90s, May Hit
$10 Million,Orange County Register,
://wikiJune 21, 2001 (no page given).


Table 4. Data Security Breaches in Local, State, and Federal Government (2003-2007)
overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
ansportation SecurityMay 2007individuals100,000name, SSN, date of birth,Hu, Spencer, “TSA Hard Drive With Employee
ministration - missingemployed by thepayroll information, bankData Is Reported Stolen,” Washington Post,
ternal hard driveagency fromaccount and routingMay 5, 2007, p. A9.
January 2002 untilinformation
August 2005
iki/CRS-RL33199artment ofApril 2007recipients of loans63,000 (firstSSNsNakashima, Ellen,U.S. Exposed Personal
g/wriculture - publicormation disclosed for moreor other financialassistanceestimate), then38,700 (afterData; Census Bureau Posted 63,000 Social Security
s.or a decade on publicUSDANumbers Online,” Washington Post, April 2,
leakbsiteinvestigation)2007, p. A5
://wikiandPrince, Brian, USDA Cuts Number Affected
httpby Data Exposure,” eWeek, April 23, 2007.
ia Secretary of StateApril 2007Fulton County75,000 name, address, SSNsAssociated Press,75,000 voter registration
tlanta, GA) - 30 boxes ofvoterscards found in trash bin in Atlanta,” April 12,
ter registration records2007.
und in trash
ildNet (non-profit that runsApril 2007adoptive and12,000SSNs, financial and credit data,Haas, Brian, and Bill Hirschman,Stolen
ard Countys childfoster-care parentsdriver’s license data, passportChildNet laptop puts 12,000 at risk of ID theft,
lfare program (FortnumbersSouth Florida Sun-Sentinel (Fort Lauderdale),
uderdale, FL) - formerApril 12, 2007.

ployee allegedly stole

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
s Angeles County ChildMarch 2007child support243,000130,500 SSNs (most withoutRosenblatt, Susannah,Child support data may
pport Services (Losclientsnames attached), about 12,000be at risk; L.A. County agency tells 243,000
les, CA) - three missingindividuals names andclients that three missing laptops may contain
opsaddresses, and more thanpersonal info,” Los Angeles Times, March 30,
101,000 child support case2007, p. B4.
rt MonroeMarch 2007civilian16,000names, SSNs, payrollHowe, Kevin,Army warns of data theft: laptop
iki/CRS-RL33199ort Monroe, VA) - stolenmy laptop employeesinformationwith information of 16,000 civilian employeesstolen in Virginia,” Monterey County Herald
g/w(California), March 29, 2007.
leakornia National GuardMarch 2007California1,300names, addresses, SSNs, datesAssociated Press,Stolen hard drive contains
ento, CA) - stolenNational Guardof birthdata for California Guard troops,” March 10,
://wikiputer hard drivetroops deployed to2007.
httpthe U.S.-Mexico
artment of VeteransFebruaryveterans535,000. Hardnames, SSNs, some MedicareThornton, William,535,000 on lost VA drive:
fairs, VA Medical Center2007drive also maybilling record information andAgency to notify those possibly affected,”
irmingham, AL) - missinghave includedbilling codes for 1.3 millionBirmingham News (Alabama), February 12,
rd drivedata, not all of itdoctors2007.

sensitive, on
about 1.3 million
no n-V A
physicians, both
living and dead

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
nnecticut - personalFebruarystate employees1,700names, SSNsGreenemeir, Larry, Stop & Shop PIN Pads
ormation inadvertently2007Breached; Connecticut Removes Worker Data
sted to state AdministrativeFrom Site,” Information Week, February 20,
rvices Departments website2007, at
[ h t t p : / / www. i n f o r m a t i o n we e k . c o m / s t o r y
/sho wArticle.j html? articleID=197007473&cid=
iki/CRS-RL33199assachusetts Department ofdustrial AccidentsFebruary2007accident victims1,200names, SSNsMurphy, Sean, “Worker charged with identitytheft,” Boston Globe, February 2, 2007.

g/woston, MA) - contractor
s.orsed a workers
leakmpensation data file and
le the identities of at least
://wikie, opened credit
httpnts in their names,
d charged thousands of
lars for jewelry and other

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
icago Board of Elections -January 2007Chicago voters1.3 millionnames, SSNs, dates of birth,Associated Press, Social Security numbers
puter disks mistakenlyaddressesdistributed on computer discs,” January 23,
tributed to aldermen and2007.
rd committeemen
te: class-action lawsuit was
ainst the Board of
ns in Cook County
iki/CRS-RL33199cuit Court
g/wternal Revenue Service,January 2007taxpayersunknownunknown (potentially containHorsley, Lynne, “26 IRS tapes missing from
s.orsas City, KS - 26 computertaxpayers’ names, SSNs, bankCity Hall: Records were delivered in August.
leakes missingaccount numbers, or employerTrail of where taxpayer data went is under
information)investigation,Kansas City Star, January 19,
://wikite: tapes require special2007, p. A1.
httpipment to read and
ftware that is not commonly
diana State Department ofNovemberwomen in the7,700name, address, SSN, medicalAssociated Press,Women alerted to possible
via Family Health2006state’s Breast andinformationidentity theft,” November 26, 2006.

nter of Clark CountyCervical Cancer
fersonville, IN) - twoProgram

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
wling Green Police Dept.Novembervictims or200names, SSNs, phone numbersFeehan, Jennifer, “Bowling Green police
owling Green, OH) -2006suspects on themistakenly put private data online,” Blade
vertent publishing ofdaily blotter(Toledo, Ohio), November 14, 2006.
onal data to website
ministration for ChildrensNovemberfamilies, social200 case filesunspecified confidentialSchapiro, Rich and Nicole Bode, “Secret Shame
rvices (New York, NY) -2006workers andinformationfor All to See. Confidential Acs Files Found
edded files found on thepoliceDumped on Street,” New York Daily News,
iki/CRS-RL33199 clear plastic garbageNovember 20, 2006, p. 3.
s.orty of Lubbock (TX) -Novemberjob applicants5,800names, addresses, SSNs,Roberts, Paul, “Texas Tech-are police discover
leakers broke into city job2006drivers license numberssecurity breach in city database” (sic),
plication websiteUniversity Wire, November 9, 2006.
httpanhattan Veterans AffairsNovemberveterans who1,600names, SSNs, medicalHutchinson, Bill, “Your Identity May Be Stolen,
enter, New York2006receivediagnosesVets Are Warned, New York Daily News,
Care Systempulmonary care atNovember 2, 2006, p. 19.
York, NY) -the facility
encrypted stolen laptop
ans Affairs Hospital andNovemberveterans1,400names, SSNs, billingThornton, Tony, “VA hospital loses data on
lester Clinic - missing2006informationpatients; No indication of misuse, agency says,”
mputer disks (Muskogee,The Oklahoman, November 2, 2006, p. 1A.

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
S. Army Cadet CommandNovemberhigh school4,600names, addresses, W-2 taxPetkofsy, Andrew, “ROTC applicants data on
ort Monroe, VA) - stolen2006students whoforms, SSNsstolen computer,” Richmond Times Dispatch
opapplied for Army(Virginia), November 2, 2006, p. B6.
sc ho l a r s hi p s .
lorado Dept. of HumanNovemberrecently hiredup to 1.4 millionnames, SSNs, birth datesMigoya, David,Stolen state database puts 1.4
ices via private contractor2006employeesmillion at ID-theft risk,” Denver Post,
iki/CRS-RL33199filiated Computer Services , TX) - stolen computerNovember 2, 2006, p. B1.
s.orrt of Seattle (Seattle, WA) -Octoberindividuals who6,943unspecified personalPort of Seattle Hires Id Protection Service,”
leakssing CD-ROMS2006applied for airportinformationPacific Shipper, October 27, 2006.
security badges
httpmp Pendleton Marine CorpsOctoberMarines who live2,400unspecified personalHoellworth, John,Lost laptop contains 2,400
se, via Lincoln BP2006on the baseinformationPendleton Marines’ info, Marine Corps Times,
agement (near Oceanside,October 23, 2006, p. 13.
) - missing laptop
of Visalia, RecreationOctobercurrent and200names, SSNsCastellon, David,Tossed records are still a
ision (Visalia, CA) - city2006former employeesmystery,Visalia Times-Delta (California),
cuments were foundOctober 17, 2006, p. 1C.

a city street.

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
lsbo Department ofOctobercitizens processed2,200names, addresses, driversUS States News, “Small Department of
censing (Poulsbo, WA) -2006at one workstationlicense photosLicensing Data Backup Device Missing,
ssing data backup deviceOctober 10, 2006.
ngressional Budget Office -Octobersubscribers tounknownunknownHackers Breach Budget Office’s Mailing List,
iling list hacked and2006CBO’s mailingNational Journal, Technology Daily, October
ishing email that appearedlist13, 2006.
ome from CBO was sent
iki/CRS-RL33199eveland Air Route TrafficOctoberair traffic400names, SSNsSangiacomo, Michael, “FAA data in Oberlin
g/wntrol Center (Oberlin, OH) -2006controllerscomputer lost Drives had names, Social Security
s.orputer hard drive stolennumbers, Cleveland Plain Dealer, October 6,
leak2006, p. B3.
://wikiorida Department of Labor -Octoberindividuals4,624names, SSNs,Samples, Eve, “More than 4,600 Floridians
httprsonal information2006enrolled forpersonal data accidentally posted,”Palm Beach
vertently posted on testservices with Post, October 11, 2006.
r ve r regional
workforce boards
berland County, PA -Octoberemployees1,200names, SSNsMiller, Matt, “Employee numbers removed
s in meeting minutes2006from Web,” Patriot-News, October 3, 2006, p.
ted on websiteB1.

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
ntucky Personnel CabinetSeptemberemployees in state146,000SSNsAlford, Roger, “State sends out letters with
rankfort, KY) - letters sent to2006agencies,Social Security numbers visible,” Associated
ployees displayed theircommunity andPress, September 29, 2006.
Ns on fronttechnical colleges,
school districts,
departments and
other offices
iki/CRS-RL33199covered by thestates insurance
g/w program
leakrth Carolina Department ofSeptemberdrivers16,000names, SSNs, driver’s licenseThieves take N.C. DMV computer with
icles (Louisburg,2006numbers, dates of birthpersonal info,” Associated Press, September 28,
://wiki) - stolen computer2006.
S. Department of CommerceSeptemberCensus Bureau 6,200 householdsunknownSipress, Alan, “1,100 Laptops Missing from
tolen, lost, or missing2006and National(estimated)Commerce Dept., Washington Post, September
opsOceanic and22, 2006, p. A3.
At mo s p h e r i c
Ad mi ni str a tio n
artment of VeteransAugust 2006patients at VA38,000SSNs, names, addresses, birthRash, Wayne, “Another VA Computer Goes
irs - missing computerhospitals indates, insurance carriers, billingMissing, eWeek, August 7, 2006, at
m contractor’s officePennsylvniainformation, details of service[,1895,200026

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
artment ofAugust 2006drivers license133,000SSNs, names, addressesRash, Wayne, “DOT is the Latest Victim of
ansportation - stolen laptoprecords of FloridaComputer Theft,” eWeek, August 10, 2006, at
residents [ h t t p : / / www. e we e k . c o m / a r t i c l e 2 / 0 , 1895,200214
8,00.asp? kc=EWNAVEMNL081106EOAD].
artment of EducationAugust 2006students who21,000names, birth dates, SSNs,Yen, Hope, “Ed. Dept. offers free credit
posed loan databorrowed moneyaddresses, phone numbers andmonitoring, Houston Chronicle, August 24,
underin some cases account2006 (no page given).
iki/CRS-RL33199the Federal DirectStudent Loaninformation for holders offederal direct student loans
g/w program
leakal Safety Center - personalJuly 2006Naval and Marinemore thanSSNs, personal informationNaval Safety Center Finds Personal Data on
a exposed on website andCorps aviators100,000”Website,” U.S. Department of Defense press
://wiki 1,100 computer discsand air crew, bothrelease, July 8, 2006, at
httpiled to naval commandsactive and reserve[
to ry_id=24568].
artment -July 2006Washingtonunknownaccess to data and passwordsState Department Releases Details Of
ersheadquarters, andComputer System Attacks,COMMWEB, July
the Bureau of East13, 2006 (no page given), and Greenemeier,
Asian and PacificLarry,State Department Hack Escalates
AffairsFederal Data Insecurity,” Information Week,
July 12, 2006, at
[ h t t p : / / www. i n f o r m a t i o n we e k . c o m / n e ws / s h o wA
rticle.j html? articleID=190302905].

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
deral Trade CommissionJune 2006subjects of law110names, addresses, SSNs,Reuters, “FTC Laptops Stolen, 110 People at
enforcementfinancial account numbersRisk of ID Theft,”, June 23, 2006
investigations(no page given).
S. Navy - an open websiteJune 2006Navy members30,000names, birth dates and SSNsNavy Personal Data on Web Is
tained five spreadsheetand dependentsKatrina-related,States News Service, June 26,
ith personal information2006 (no page given).
xas Guaranteed StudentJune 2006college students1.3 millionnames, SSNsEvers, Joris, “Loan Company Reports Loss of
iki/CRS-RL33199an- computer equipmentborrowing moneyData on 1.3 Million,” CNet News, June 1, 2006,
g/wfrom the loanat
s.or comp any [ http :// m. co m/Lo an+co mp a ny+r ep o r ts+
leak loss+of+data+on+1.3+million/2100-1029_3-60
httpnal Institutes of HealthJune 2006credit unionsmall number” unidentified personalTrejos, Nancy,Identity Thieves Hit NIH Credit
eral Credit UnionmembersinformationUnion;
ockville, MD)Scheme Is Latest in Spate of Breaches Affecting
Millions,” Washington Post, June 29, 2006, p.
artment ofJune 2006current and retired26,000names, SSNs, employeeAzaroff, Rachel, “Hacker Might Have Breached
riculture- external securityemployees of thephotos, internal buildingPersonal Data at USDA,” FCW, June 22, 2006,
of a workstation anddepartmentlocationsat
o servers[

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
innesota Department ofJune 2006individuals and2,400 individualsnames, addresses, SSNs,MN Department of Revenue, “Department of
venuebusinessesand 48,000employment dataRevenue to Assist Taxpayers Whose Private
t. Paul, MN) - missing data(taxpayers)businessesInformation Was Included in a Package Lost in
ethe Mail,” June 28, 2006, at
[ h t t p : / / www. t a x e s . s t a t e . mn . u s / t a x e s / p u b l i c a t i o n s
/p r e ss_ r e leases/co ntent/taxp ayer _ info r ma tio n. sh
g/wpartment of Energy- fileJune 2006employees of the1,500names, SSNs, birth datess,Associated Press, “DOE Computers Hacked;
s.or by hackerEnergycodes showing where theInfo on 1,500 Taken,” June 11, 2006.
leakDepartmentsemployees worked, codes
://wikinuclear weaponsagencyshowing their securityclearance
vernment AccountabilityJune 2006DoD employeesfewer thanservice members names,Thormeyer, Rob, “GAO Removes Archived
ce (GAO) -website1,000”SSNs, addressesPersonal Data from Web Site,”
posed data from, June 27, 2006 at
s on Defense Department[
el vouchers from the 1970s_1/daily_news/28845-1.html].
ng County Records,June 2006current andunknownSSNsAssociated Press, “Councilman Irked by Data
s, and Licensingformer county(potentiallyPostings on Web,” June 27, 2006.

ices Divisionresidentsthousands)
eattle, WA) - website
posed personal data

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
ternal Revenue Service - lostJune 2006IRS employees291names, birth dates, SSNs,Lee, Christopher, “IRS Laptop Lost with Data
opand job applicantsfingerprintson 291 People,” Washington Post, June 8, 2006,
p. A4.
ka Treasurer’s OfficeJune 2006individuals and300,000names, SSNs, tax identificationNebraska State Treasurer, “Hacker Virus
incoln, NE) - hacker brokeemployers whoindividuals andnumbers for businessesStopped by Treasurer’s Office,” June 29, 2006,
o a child-support computerpay and receive9,000 employersat
stem child support[]
iki/CRS-RL33199 payments
g/wntagon, TricareMay 2006Defense14,000names, SSNs, credit cardBarr, Stephen,Conference Attendees Personal
s.oranagement Activity- hackersDepartmentnumbers, employerData May Be at Risk,” Washington Post, May
leak into serverconferenceidentification, other personal12, 2006, p. D4.
attend ees info r matio n
httppartment of VeteransMay 2006military veterans26.5 millionnames, birth dates, SSNsLee, Christopher and Steve Vogel, “Personal
fairs- laptop and externalData on Veterans is Stolen,” Washington Post,
rd drive stolenMay 23, 2006, p. A1.
nal Institutes of HealthOctoberapplicants to theundisclosed grant proposals and other grantPulley, John L., “NIH Accidentally Posts
IH)- posting of confidential2005NIHreview materialsConfidential Grant Applications on the Web,
ant applicationsThe Chronicle of Higher Education, October 31,
2005 (no page given).
ir Force - records stolenAugust 2005officers and 1933,300SSNs, birth dates, and otherDorsett, Amy,Identity theft Threat Hangs over
the Air Force PersonnelNCOssensitive informationAF Officers,San Antonio Express-News,
nter’s online AssignmentAugust 24, 2005, p. 1A.

anagement System

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
n Diego County EmployeesJuly 2005current and retired33,000workers names, SocialChacon, Daniel, “Hackers Breach Countys
ement Association -countySecurity numbers, addressesPersonal Records; 33,000 People at Risk in
ers broke into twogovernmentand dates of birthRetirement Association,San Diego
putersemployees Union-Tribune, July 30, 2005, p. B1.
deral Deposit InsuranceJune 2005FDIC current and6,000names, birth dates, SSNs, andKrim, Jonathan, “FDIC Alerts Employees of
rporation - computer breachformer employeessalary informationData Breach”, Washington Post, June 16 2005,
y 2004. The agencyor anyonep. D1.
iki/CRS-RL33199ote to employees that ited of the breach onlyemployed at theagency as of July
g/wtly”, but did not explain2002.
s.orw the breach occurred, aside
leakm stating that it was not the
ult of a computer security
://wikir e .
as County (OH) ChildrenJune 2005agencys 400900 names, telephone numbers,Patch, David, “Lucas County Children Services
vices - information fromcurrent employeesSSNsData Stolen,” Toledo Blade, June 28, 2005, p.
encys personneland about 500B1.
abase was compiled andothers who have
ailed to an outsideworked there
putersince 1991
ers breached IllinoisFebruarypeople who work90,000SSNs, wagesHackers Breach State Files on 90,000,”
ployment Development2004as domesticChicago Tribune, February 15, 2004, p. 12.

ment serveremployees and
those who employ

overnment (Local, StateDateWho WasNumber AffectedType of DataSource(s)
and Federal) IncidentsPublicizedAffectedReleased/Compromised
artment of Defense -August 2003Navys purchase13,000credit card numbersReddy, Anitha, “Hackers Steal 13,000 Credit
ers downloaded Navycard program,Card Numbers; Navy Says No Fraud Has Been
used to orderNoticed,” Washington Post, November 23,
routine office2003, p. E1.
sup p lies
onx identity theft ring filedFebruaryincome tax filersnot specifiedSSNsWeiser, Benjamin, “19 Charged in Identity
sands of fraudulent2003Theft That Netted $7 Million in Tax Refunds,”
iki/CRS-RL33199me tax returnsnote: ID theft ring obtained$7million in tax refundsNew York Times, February 5, 2003, p. B3.


Table 5. Data Security Breaches in Health Care (2003-2007)
Healthcare IncidentsDatePublicizedWho WasAffectedNumber AffectedType of DataReleased/CompromisedSource(s)
orgia Dept. of CommunityApril 2007state health care2,900,000SSNs, addresses, birthdates, dates ofMiller, Andy, and Bill Hendrick,
(Atlanta, GA) andrecipientseligibility, full names, Medicaid orGeorgians personal data lost;
ivate contractor Affiliatedchildrens health care recipientMedicaid, PeachCare clients: A
mputer Services (ACS) -identification numberscomputer disk including Social Security
ssing computer disknumbers on 2.9 million people was lost
in transit,” Atlanta Journal and
iki/CRS-RL33199Constitution, April 11, 2007, p. 1A.
s.orH Health SystemsApril 2007employees and6,000retirement benefit information, SSNs,Associated Press State & Local Wire,
leakuscaloosa, AL) - lostretireesother uspecified personal informationTuscaloosa-based DCH loses personal
://wikiputer disk and documentsdata on employees,” April 5, 2007.
httpoup Health CooperativeMarch 2007patients and31,000names, addresses, SSNs, group healthPacific Northwest,” Seattle Times,
Care SystememployeesnumbersMarch 27, 2007, p. B3.
eattle, WA) - two laptops
esterly Hospital (Westerly,March 2007patients2,242names, SSNs, insurance informationArmental, Maria, “ Data breach at
) - patients’ confidentialWesterly Hospital,” Providence Journal
ormation posted on public(Rhode Island), March 2, 2007.

b site

Healthcare IncidentsDatePublicizedWho WasAffectedNumber AffectedType of DataReleased/CompromisedSource(s)
lpoint, Inc (IN-basedMarch 2007members of its75,000names, SSNs, health planFreudenheim, Milt, “Medical Data on
insurer) - lost compactEmpire Blueidentification numbers, descriptionsEmpire Blue Cross Members May Be
kCross and Blueof medical services back to 2003Lost, New York Times, March 14, 2007.
Shield unit inand
te: Company found the CDNew York Gaudin, Sharon, “ WellPoint Finds
an a week later. Missing CD With Data On 75,000
ellPoint did not release anyPeople,” Information Week, March 15,
ormation on where the disk2007, at
iki/CRS-RL33199s found. [
g/w 5&cid=RSSfeed_IWK_News].
leakn Family of HospitalsFebruarypatients who7,800SSNs, dates of birth, insuranceGaudin, Sharon, “ Hospital Laptop
ustin, TX) - stolen laptop2007sought care asprogram numbersStolen; Info On 7,800 Patients At Risk,”
://wikipart of anInformation Week, February 26, 2007, at
httpoutpatient or[
clinic visit since/showArticle.jhtml?articleID=19700871
July 1, 20051&cid=RSSfeed_IWK_News].
hns Hopkins UniversityFebruarynew Johns52,000 universityinformation on the university payrollJohns Hopkins Institutions press release,
U) and Johns Hopkins2007Hopkins Hospitalemployees and tapes included Social SecurityIdentity Alert: A Joint Statement from
spital (Baltimore, MD) -patients first seen83,000 hospitalnumbers and, in some cases, bankThe Johns Hopkins University and
backup tapes containingbetween July 4patientsaccount information for present andThe Johns Hopkins Hospital, “ February
onal information on JHUand Dec. 18, 2006former employees; information on7, 2007, at
ployees lost; one backuphospital patients included names and[
e containing informationdates of birth s/statement.html].

JH hospital patients lost

Healthcare IncidentsDatePublicizedWho WasAffectedNumber AffectedType of DataReleased/CompromisedSource(s)
lf Coast Medical CenterFebruarypatients,1,900 individualsnames, SSNsVavala, Donna, “Laptop thefts cause
ashville, TN & Tallahassee,2007employees andwere affected by aalarm: Devices contained hospital
) - two computers missingformer employeestheft in Nashville,patient, employee information; no ID
o separate incidentsTN in Novemberthefts reported,News Herald (Panama
and 8,000 whenCity, Florida), March 1, 2007.
another computer
was stolen in
T a llaha ssee
iki/CRS-RL33199s HospitalFebruaryformer and130,000names, SSNs, dates of birthOBrien, Dennis, Second Hospital
g/weonardtown, MD) - stolen2007current hospitalReports Lost Data. St. Marys Notifies
s.oroppatients130,000, Days after Hopkins Notice;
leakSecond Md. Hospital Reports Loss of
Patients’ Data,” Baltimore Sun,
://wikiFebruary 13, 2007, p. A1.
ellpoint/Anthem Blue CrossFebruaryAnthem members196,000names, SSNsHowington, Patrick,Cassette tapes
ue Shield - cassette tapes 2007in Kentucky,containing customer information were
en from a lock box held byIndiana, Ohio andstolen from a lock box held by one of its
ndor Concentra PreferredVirginiavendors,Courier-Journal (Louisville,
stemsKentucky), February 15, 2007.
io Board of Nursing -Januarynewly licensed3,031names, SSNsHoholik, Suzanne, “Error puts nurses
bsite posted names and2007nursespersonal data online,” Columbus
f nurses twice in oneDispatch (OH), January 25, 2007.

n t h

Healthcare IncidentsDatePublicizedWho WasAffectedNumber AffectedType of DataReleased/CompromisedSource(s)
edish Medical Center,Octoberpatients1,100names, dates of birth, SSNsSong, Kyung, “3 Swedish patients say
llard Campus (Seattle, WA)2006IDs stolen at Ballard campus; worker
ployee used patientsfired; Employee allegedly opened credit
rsonal information to opencards; Hospital warns patients to watch
ntsfor activity on their credit reports,”
Seattle Times, October 25, 2006, p. B4.
ters of St. Francis HealthOctoberpatients,260,000names, SSNsLee, Daniel, “Lost and found: info on
iki/CRS-RL33199ices via Advancedables Strategy2006employees,physicians andpatients and 6,200employees260,000 patients,Indianopolis Star,October 25, 2006.
g/wdianapolis, IN) - contractor Board members
s.orvertently left CDs
leakntaining confidential billing
ormation in a new
://wikiputer bag she purchased
httpt later returned to a store
langer Health SystemSeptembercurrent and4,150names, SSNsBerry, Emily, “Erlanger loses computer
hattanooga, TN) - missing2006former employeesdevice, personnel data,” Chattanooga
a device Times/Free Press, September 24, 2006.
co Health Solutions-March 2006Ohio state4,600SSNs, birth datesWeiss, Todd R., “Vendor Waited Six
en laptopemployees andWeeks to Notify Ohio Officials of Data
their dependentsBreach,” Computerworld, March 1,
2006, at
[ h t t p : / / www. c o mp u t e r wo r l d . c o m/ p r i n t t h

Healthcare IncidentsDatePublicizedWho WasAffectedNumber AffectedType of DataReleased/CompromisedSource(s)
ildrens Health Council,Septemberpatients,5,000-6,000psychiatric records, evaluations andWalsh, Diana, “Data Stolen from
n Jose, California - stolen2005employees, andSSNs; also payroll data on hundredsChildren’s Psychiatric Center, San
ckup tapeparents of patientsof current and former employees andFrancisco Chronicle, September 20,
credit card information from parents2005, p. B8.
of patients
n Jose Medical GroupAprilformer patients185,000names, addresses, SSNs, confidentialWeiss, Todd, “Update: Stolen
anagement - desktop2005from last sevenmedical informationComputers Contain Data on 185,000
iki/CRS-RL33199puters stolen from lockedinistrative officeyearsPatients,” Computerworld, April 8,2005, at
g/w [ h t t p : / / www. c o mp u t e r wo r l d . c o m/ d a t a b a
s.or setopics/d ata/story/0,10801,100961,00.h
leak tml] .
://wikiiWest Healthcare Alliance - Decembermilitary personnel500,000names, addresses, SSNsGorman, Tom,Reward Offered in
httpt of a database containing 2002and theirHuge Theft of Identity Data; Stolen
es and SSNsdependentsComputers Had Names, Social Security
Numbers of 500,000 Military
Families,”Los Angeles Times, January 1,
2003, p. 14.
The tables were prepared by CRS from publicly available and news media sources.
e: URLs are listed for exclusively online sources; other publications are identified by name and date.

For Additional Reading
CRS Report RS22374. Data Security: Federal and State Laws, by Gina Marie
CRS Report RL33273. Data Security: Federal Legislative Approaches, by Gina
Marie Stevens.
CRS Report RS22484. Identity Theft Laws: State Penalties and Remedies and
Pending Federal Bills, by Tara Alexandra Rainson.
CRS Report RL33005. Information Brokers: Federal and State Laws, by Angie A.
CRS Report RL33612. Department of Veterans Affairs: Information Security and
Information Technology Management Reorganization, by Sidath Viranga
CRS Report RL31919. Remedies Available to Victims of Identity Theft, by Gina
Marie Stevens.
CRS Report RS22082. Identity Theft: The Internet Connection (archived), by Marcia
S. Smith.