1 (888) 400-5530
Toll-Free, No-Cost
Victim Assistance

DATA BREACHES

Information management is critically important to all of us - as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

The ITRC breach list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. This list is updated daily, and published each Tuesday. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers. ITRC follows U.S. Federal guidelines about what combination of personal information comprises a unique individual, the exposure of which will constitute a data breach.

There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:

  • Data on the Move
  • Accidental Exposure
  • Insider Theft
  • Subcontractors
  • Hacking

Click here to go to the recent High Profile Breaches:

Click here for the 2009 ITRC Breach Report (PDF):

Click here for the 2009 ITRC Breach Stats Report (PDF):

Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the development of the criteria used when assessing breaches and the integrity of its sources. For example, breaches that occurred in any given year or a previous year are included in the year in which the breach was publicized. Each selected incident is required to have been published by a credible media source, such as TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is real and credible. Larger breaches often have multiple attributions, and we usually cite more than one source.

We include in each reported data breach item a link or source of the article, and the information presented by that article. Many times, we have attributions from a multitude of media sources and outlets. ITRC adheres to the facts as reported, and does not alter the previously published information. We always attempt to provide live links back to the original article, but these remain good only as long as the source retains the article at that web URL.

When the number of records exposed is not reported, we note that fact. When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. We do, however, consider “password protected” as not sufficient protection under most circumstances, and do post these events as breaches.

As an authority on data breach exposures, the ITRC is frequently asked if there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. It is the opinion of the ITRC that the criminal population is stealing more data from companies, AND data breaches are being more frequently publicized. ITRC is aware that many breaches go unreported, and we are certain that our ITRC Breach List underreports the problem. One thing we can say with certainty is that this is NOT a new problem.

Click here for 2009 synopsis and reports
Click here for 2008 synopsis and reports
Click here for 2007 synopsis and reports
Click here for 2006 synopsis and reports
Click here for 2005 synopsis and reports

Other websites and resources for data breaches include:

 

The following breach report contains only those high profile breaches recently publicized. This report is updated as necessary. For full annual reports, go to the links above.

High Profile Breaches Report
  Breaches Listed in Alphabetical Order  

Full information on a breach may be found in the ITRC Breach Report by searching for the ITRC Breach ID#.

ITRC Breach # | Company or Agency | State | Publish Date | Breach | Breach Category | Records | Records #
_________________________________________________________________________________________________________________________
ITRC20081111-02 | AIG, Medical Excell LLC | US | 10/1/2008 | Electronic | Medical/Healthcare | Yes - Published # | 900,000
A special agent for the FBI and other law enforcement officials announced the arrest of a person who stole a computer server with the personal
identifying and health care sensitive information for over 900,000 policy holders and then tried to extort AIG for its return.
________________________________________________________________________________________________________
ITRC20090313-03 | Binghamton University | NY | 3/10/2009 | Paper Data | Educational | Yes - Unknown # | 0
Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area next to one of the most
trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself contained social security numbers,
credit card numbers, scans of tax forms, business information (including social security numbers and salary information for employees of students’
parents), asylum records and more, all kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets
________________________________________________________________________________________________________
ITRC20081017-04 | Binghamton University | NY | 10/14/2008 | Paper Data | Educational | Yes - Published # | 56
Heading by a dumpster on the campus of Binghamton University, a news team inadvertently stumbled upon a pile of official Binghamton University
documents containing personal information. All of the files contained Social Security numbers and full names, for fifty-six different people. The ninety-
one documents (totaling almost a hundred and fifty pages) were office files from the German Department in the mid-seventies detailing classes,
grades, assistant stipends and other personal information including birthdays and addresses.
________________________________________________________________________________________________________
ITRC20090212-08 | Federal Aviation Administration - FAA | US | 2/9/2009 | Electronic | Government/Military | Yes - Published # | 45,000
An FAA union leader says hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and Social
Security numbers of 45,000 employees and retirees as of Feb. 2006. The FAA said the hackers hijacked 48 files, two containing sensitive personal
information that could expose the employees and retirees to identity theft.
________________________________________________________________________________________________________
ITRC20081021-05 | FEMA | TX | 10/16/2008 | Electronic | Government/Military | Yes - Published # | 1,000
As many as 1,000 hurricane victims may have had their personal information exposed to a stranger. FEMA says an error by its mailing subcontractor
placed one person's aid application under a cover page addressed to another person and each subsequent envelope in the batch was improperly
stuffed.
FEMA plans to offer monitoring to anyone whose most private data, including social security numbers, bank account numbers, insurance policy
________________________________________________________________________________________________________
ITRC20081223-01 | FEMA- Katrina | LA | 12/22/2008 | Electronic | Government/Military | Yes - Published # | 17,000
FEMA says 16,857 names, Social Security & telephone numbers and other private information were publicly posted on 2 websites last week. The
names belonged to applicants from Hurricane Katrina who'd evacuated to Texas, but now live all across the Gulf Coast. FEMA's Acting press
secretary Terry Monrad says when the agency found out, the names were immediately removed.
________________________________________________________________________________________________________
ITRC20080110-06 | Florida Dept. of Children and Families | FL | 1/4/2008 | Electronic | Government/Military | Yes - Unknown # | 0
Thousands of Central Florida day-care-center workers could be at risk of identity theft after burglars stole state computers containing personal
information. Although the theft occurred two months ago, the Florida Department of Children and Families is just now notifying about 1,200 day-care
providers that their employees, as well as center operations, may be at risk. Social Security numbers, birth dates and other information about day-
care workers in Orange, Seminole and Osceola counties were among the data on five laptop computers that were stolen from the DCF office near
Orlando Fashion Square mall in Orlando on Nov. 7-8.
________________________________________________________________________________________________________
ITRC20090224-01 | Govtrip.com | DC | 2/18/2009 | Electronic | Government/Military | Yes - Unknown # | 0
Govtrip.com, which handles travel reservations for at least a dozen U.S. government agencies, last week was infected with a virus that tried to
install malicious software when users visited the site, causing some agencies to block employees from accessing it, Security Fix has learned.
Sometime on Feb. 11, hackers changed the Govtrip.com Web site to redirect visitors to a site that installed malicious software. A number of agencies,
including the departments of Agriculture, Energy, Health & Human Services, Interior, Transportation, and Treasury, use the site exclusively to book
travel arrangements. Govtrip.com also is used to reimburse workers via direct deposit, which means that many federal employees' checking account
________________________________________________________________________________________________________
ITRC20080110-07 | Health Net | CA | 1/4/2008 | Electronic | Business | Yes - Unknown # | 0
Thousands of Health Net employees in Connecticut and other states have been notified that their names and Social Security numbers were on a
laptop computer that was stolen more than a month ago from a company vendor. The laptop had information on about 5,000 employees companywide
and an undisclosed number of health-care providers outside the Northeast. The company has about 1,600 employees in Connecticut. The laptop did
not contain information on employees hired after Jan. 1, 2005.
________________________________________________________________________________________________________
ITRC20090122-02 | Heartland Payment Systems | US | 1/20/2009 | Electronic | Banking/Credit/Financi | Yes - Unknown # | 0
Hundreds of credit and debit card holders appear to have been victims of a nationwide data theft carried out against Heartland Payment Systems,
which processes cards for 250,000 restaurants, retailers and other businesses. Several Maine credit unions have been told by Visa and MasterCard
that fraudulent charges were placed on members' cards between May 16 and August 19, 2008, according to Jon Paradise, a spokesman for the
Maine Credit Union League. Many of the charges were tallied at Wal-Mart stores in Texas, he said. According to the Washington Post (Brian Krebs),
tens of millions of people may be affected. Baldwin said Heartland does not know how long the malicious software was in place, how it got there or
how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates. "The
transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we
________________________________________________________________________________________________________
ITRC20090313-02 | Norm Coleman Campaign | MN | 3/11/2009 | Electronic | Business | Yes - Published # | 4,721
Wikileaks published information to substantiate a rumor that sensitive information belonging to thousands of Coleman's supporters had been floating
around the Internet since Jan. 28 "as a result of sloppy handling by the campaign."
Wikileaks said the decision to publish the information was prompted by claims from Coleman's campaign that no data had been compromised and by its
failure to apologize for the "initial leak" or its subsequent "coverup." The statement said that Coleman's campaign had known about the breach since
January but had failed to notify anyone of the potential compromise of their personal data. Wikileaks claimed that the senator collected detailed
information on every supporter and Web site visitor and retained unencrypted credit card information from donors, including their security codes, on
________________________________________________________________________________________________________
ITRC20090304-01 | NYPD Pension Fund | NY | 3/4/2009 | Electronic | Government/Military | Yes - Published # | 80,000
A civilian official of the NYPD’s pension fund has been charged with stealing the identities of 80,000 current and retired cops, sources said. Anthony
Bonelli allegedly got into a secret backup-data warehouse on Staten Island last month and walked out with eight tapes packed with Social Security
numbers, direct-deposit information for bank accounts, and other sensitive material. Bonelli was the fund's director of communications.
________________________________________________________________________________________________________
ITRC20081224-01 | RBS WorldPay | US | 12/23/2008 | Electronic | Banking/Credit/Financi | Yes - Published # | 1,500,000
RBS WorldPay (formerly RBS Lynk), the U.S. payment processing arm of The Royal Bank of Scotland Group, today announced that its computer
system had been improperly accessed by an unauthorized party. Pre-paid cardholders and other individuals were affected and identified on
November 10. RBS WorldPay's internal security professionals and outside experts are working with federal and state law enforcement authorities in
an investigation of this event. The affected pre-paid cards include payroll cards and open-loop gift cards. The fraud that has been identified to-date is
associated with RBS WorldPay's computer system supporting its U.S. pre-paid and open-loop gift card issuing business. Actual fraud has been
committed on approximately 100 cards. Cardholders will not be responsible for unauthorized activity associated with this event. Certain personal
information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1
________________________________________________________________________________________________________
ITRC20081231-08 | SAIC | CA | 12/9/2008 | Electronic | Business | Yes - Unknown # | 0
Science Applications International Corporation (“SAIC”), recipient of a number of large government contracts, notified the New Hampshire Attorney
General on December 9th of a security breach involving malware. The specific malware was not named, but was described as “designed to provide
backdoor access.”
The breach was detected on October 28th. In its letter to an unspecified number of affected individuals, SAIC wrote: This letter is to notify you of a
potential compromise of your personal information, including your name and social security number, date of birth, home address, home phone number
and clearance level and possibly other personal information necessary to complete government security clearance questionnaires (e.g., SF-8SP or
________________________________________________________________________________________________________
ITRC20090312-01 | Sprint | US | 3/11/2009 | Electronic | Business | Yes - Unknown # | 0
Sprint is warning several thousand customers that a former employee sold or otherwise provided their account data without permission between
Dec. 2008 and Jan 2009. "The information that may have been compromised includes your name, address, wireless phone number, Sprint account
number, the answer to your security question, and the name of the authorized point of contact on your account."
________________________________________________________________________________________________________
ITRC20071221-10 | SunGard Higher Education | PA | 3/19/2007 | Electronic | Business | Yes - (Password) | 0
A thief stole a laptop from a parked SunGard employee's vehicle. Names, SSNs, bank transfer ABA numbers and account number and/or credit card
information may have been on the laptop. SunGard is an information technology service company and does data management for some New York
colleges. Multiple colleges have reported being affected by this theft. A final total is not known.
________________________________________________________________________________________________________
ITRC20070308-02 | TJX | US | 1/17/2007 | Electronic | Business | Yes - Published # | 94,000,000
TJX Cos reported that intruders broke into computers sometime in mid December and stole an unknown amount of customer data including credit
card, debit card, check and merchandise return transactions for TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US. TJX's Bob's Stores
and TK MAX stores are also involved. In addition, Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, said at least eight banks
have been affected by a similar breach of information, related to debit cards they issued. The breach may have started as early as 2003. A multi-
state and FBI investigation is underway.
Update: March- the number of affected consumers revealed in a filing with the SEC is 45.7 million customer records. TJX also reported in the filing that
another 455,000 customers who returned merchandise without receipts had their personal data stolen, including drivers' license numbers.
Update: A settlement has been reached based on info from VISA and Mastercard. Total records updated to 94 million.
________________________________________________________________________________________________________
ITRC20090219-01 | University of Florida - Grove | FL | 2/19/2009 | Electronic | Educational | Yes - Published # | 97,200
On January 14, 2009, the University of Florida discovered that a server was accessed by an unauthorized intruder from outside UF. This server
contained a file with names, and Social Security Numbers (SSNs) for 97,200 people that used the "Grove" system between 1996 and 2009. Although
no evidence was found that this information was accessed, there is no absolute certainty that it was not.
________________________________________________________________________________________________________
ITRC20090225-02 | University of Florida- LDAP Directory | FL | 2/23/2009 | Electronic | Educational | Yes - Published # | 101
On Tuesday, January 20, 2009, the University of Florida discovered a configuration error in its LDAP directory service that would allow anyone to
query the directory for fields that are normally protected from unauthorized access. A human error was made while making changes to the directory
service that created the exposure. The error was fixed immediately after it was detected and the 9 digit number field was permanently removed from
the directory. Reviewing the directory logs, we discovered queries that might have returned the name and a 9 digit directory field that is the Social
Security Number (SSN) for 101 users. The query response screen did not identify the 9 digit number as an SSN.
________________________________________________________________________________________________________
ITRC20071231-01 | US Air Force | US | 12/28/2007 | Electronic | Government/Military | Yes - Published # | 10,501
On November 18, a laptop belonging to an Air Force band member at Bolling Air Force Base in DC turned up missing. The information included SSNs,
birth dates, and telephone numbers of active and retired Air Force members. The Air Force tells WSFA 12 News it was intended to be used for an Air
Force Band Historical Documentation.
________________________________________________________________________________________________________
ITRC20080110-02 | Wisconsin Dept. of Health and Family Services | WI | 1/8/2008 | Paper Data | Government/Military | Yes - Published # | 260,000
Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state to recipients of SeniorCare and
other state programs. The mailing was first reported by WKOW on January 8. The state Department of Health and Family Services issued a statement
saying the mistake was the fault of EDS, a private vendor for state Medicaid services. Karen Timberlake, deputy secretary of the state department,
said the mailing went to about 260,000 Medicaid, SeniorCare, and BadgerCare members.
________________________________________________________________________________________________________

Copyright 2009 Identity Theft Resource Center
