Order Code RL33199
CRS Report for Congress
Received through the CRS Web
Personal Data Security Breaches:
Context and Incident Summaries
December 16, 2005
Rita Tehan
Information Research Specialist
Knowledge Services Group
Congressional Research Service ˜ The Library of Congress
Personal Data Security Breaches:
Context and Incident Summaries
Summary
Personal data security breaches are occurring with increasing regularity. Within
the last few years, numerous examples of data such as Social Security numbers, bank
account, credit card, driver’s license numbers, and medical and student records have
been compromised. A major reason for the increased awareness of these security
breaches is a California law that requires notice of security breaches to the affected
individuals. This law was the first of its kind in the nation, implemented in July
2003.
State security breach notification laws require companies and other entities that
have lost data to notify affected consumers. Over half the states considered security
breach notice and security freeze legislation in 2005, and several states passed laws
requiring that individuals be notified of security breaches.
Congress is considering legislation to address personal data security breaches,
following a series of high-profile data security breaches at major financial services
firms, data brokers (including ChoicePoint and LexisNexis), and universities.
Multiple measures were introduced in 2005, but to date, none have been enacted.
This report will be updated regularly.
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
List of Tables
Table 1. Examples of Data Security Breaches (2000-2005) . . . . . . . . . . . . . . . . . 5
Personal Data Security Breaches:
Context and Incident Summaries
Introduction
Personal data security breaches are occurring with increasing regularity. During
the past few years, there have been numerous examples of hackers breaking into
corporate, government, academic, and personal computers and compromising
computer systems or stealing personal data such as Social Security numbers, bank
account, credit card, and driver’s license numbers, and medical and student records.
These breaches are not only the result of illegal or fraudulent attacks by computer
hackers, but often because of careless business practices.
A California law that requires notice of security breaches to the affected
individuals is the major reason for the increased awareness of these breaches.1 This
law was the first of its kind in the nation, which was implemented in July 2003.
State security breach notification laws2 require companies and other entities that
have lost personal data to notify affected consumers. Over half the states considered
security breach notice and security freeze legislation in 2005, and several states
passed laws requiring that individuals be notified of security breaches.3
1 California Department of Consumer Affairs, Office of Privacy Protection, Notice of
Security Breach - Civil Code Sections1798.29 and 1798.82 - 1798.84, updated June 24,
2003, at [http://www.privacy.ca.gov/code/cc1798.291798.82.htm] and Recommended
Practices on Notification of Security Breach Involving Personal Information, Oct. 10, 2003,
at [http://www.privacy.ca.gov/recommendations/secbreach.pdf].
2 See also 2005 Breach of Information Legislation, National Conference of State
Legislatures at [http://www.ncsl.org/programs/lis/CIP/priv/breach.htm].
3 In 2005, security breach notification legislation was introduced in at least 35 states. At
least 22 states have enacted security breach notification laws, and a similar bill awaits
gubernatorial action in New Jersey. Security breach notification laws have been enacted in
the following states: AK, CA, CT, DE, FL, GA (data brokers only), IL, IN (state agencies
only), LA, ME, MN, MT, NV, NJ, NY, NC, ND, OH, RI, TN, TX, WA. State PIRG
Summary of State Security Freeze and Security Breach Notification Laws, U.S. Public
Interest Research Group (USPIRG) at [http://www.pirg.org/consumer/credit/statelaws
.htm#breach].
CRS-2
An estimated 10 million consumers are affected annually by lost or stolen data
at a cost to the economy of $53 billion.4 Moreover, victims spend almost 300 million
hours a year trying to clear their names and re-establish good credit ratings.5
Despite the growing fear of Internet related security breaches, a new study
suggests that consumers whose credit cards are lost or stolen or whose personal
information is accidentally compromised face little risk of becoming victims of
identity theft.6 After six months of study, an analysis by ID Analytics, a fraud-
detection company, found that different breaches pose different degrees of risk. In
the research, ID Analytics distinguishes between “identity-level” breaches, where
names and Social Security numbers were stolen and “account-level” breaches, where
only account numbers — sometimes associated with names — were stolen. The
report concludes that even in the most dangerous data breaches, where thieves access
Social Security numbers and other sensitive information on consumers they have
deliberately targeted, the fraud rate was 0.098% — less than one in 1,000 identities
potentially revealed.7
Nonetheless, according to a June 2005 survey by Gartner, Inc., a technology
research firm, nearly 60% of consumers said they worry more about thieves getting
undetected access to private credit reports and other sensitive financial data than
defending against phishing attacks.8 Nearly one-third are “extremely concerned” that
they will suffer some type of identity theft fraud because of unauthorized access to
their data.9
Crimes involving electronic data can be very labor intensive for the criminal.
Account information may be stolen in bulk with a few efficient lines of software
code, but they are sold in much smaller numbers to other criminals who withdraw
money or buy goods one transaction at a time, and usually only for a short period
until the fraudulent activity is detected.10
4 Federal Trade Commission, “Identity Theft Survey Report,” Sept. 2003, at
[http://www.consumer.gov/idtheft/pdf/synovate_report.pdf ].
5 Peter Katel, “Identity Theft: Can Congress Give Americans Better Protection?,” CQ
Researcher, June 10, 2005.
6 Reuters, “ID Theft Risk Lower in Large-Scale Security Breaches,” Computerworld, Dec.
8, 2005, at [http://www.computerworld.com/printthis/2005/0,4814,106854,00.html].
7 ID Analytics, “ID Analytics’ First-Ever National Data Breach Analysis Shows the Rate
of Misuse of Breached Identities May be Lower than Anticipated,” press release, Dec. 8,
2005, at [http://www.idanalytics.com/news_and_events/20051208.htm].
8 Phishing is e-mail fraud where the perpetrator sends out legitimate-looking e-mails that
appear to come from well-known and trustworthy websites in an attempt to gather personal
and financial information from the recipient.
9 “Data Security Lapses, Increased Cyber Attacks Damage Consumer Trust in
E-Commerce,” Government Technology, June 27, 2005, available at
[http://www.govtech.net/magazine/channel_story.php/94447].
10 Henry Fountain, “Worry. But Don’t Stress Out,” New York Times, June 26, 2005, sec. 4,
p. 1.
CRS-3
A fraud specialist with Gartner, Inc., concludes that because the crime is often
misclassified, identity thieves have a one out of 700 chance of being caught.11 In
other words, the risk to benefit ratio favors the criminal. “It’s a crime in which you
can get a lot of money and have a very low probability of ever getting caught,” Mari
J. Frank, a lawyer and author of several books on identity theft, said in an interview.
“Criminals are now saying, Why am I using a gun?”12
The Identity Theft and Assumption Deterrence Act of 1998 established the
Federal Trade Commission (FTC) as the government entity charged with developing
“procedures to ... log and acknowledge the receipt of complaints by individuals,” as
well as educate and assist potential victims.13 The FTC compiles annual reports and
charts of aggregated statistics on these events, but does not identify which
corporations, organizations, or other entities have been victims of security breaches.14
The FTC is also an enforcement agency and does not release data on companies
while an investigation is ongoing. When there is an enforcement action, the FTC
releases information identifying corporations, organization, or others who have
violated data security laws.
Although a number of federal agencies (e.g., the FTC, Department of Justice,
Secret Service, U.S. Postal Service, and Social Security Administration), state
attorneys general, and private organizations such as the Electronic Privacy
Information Center and Privacy Rights Clearinghouse are involved with data privacy
investigations or consumer assistance, none maintains a comprehensive itemized list
of data security breaches.
Congress is considering legislation to address data security, following a series
of high-profile data security breaches at major financial services firms and data
brokers, including ChoicePoint and LexisNexis. Multiple measures were introduced
this year, but to date, none have been enacted. For a discussion of legislative and
other issues on this topic, see CRS Report RL31408, Internet Privacy: Overview and
Pending Legislation, by Marcia S. Smith; CRS Report RL33005, Information
Brokers: Federal and State Laws, by Angie A. Welborn; and CRS Report RS22082,
Identity Theft: The Internet Connection, Marcia S. Smith.
Table 1 summarizes selected data security or identity theft breaches reported in
the press since 2000. A few highlights compiled from the reported incidents:
11 Avivah Litan, “Underreporting of Identity Theft Rewards the Thieves,” Gartner, Inc., July
7, 2003.
12 Tom Zeller, “For Victims, Repairing ID Theft Can be Grueling,” New York Times, Oct.
1, 2005.
13 Identity Theft and Assumption Deterrence Act, as amended by P.L. 105-318, 112 Stat.
3007 (Oct. 30, 1998), at [http://www.ftc.gov/os/statutes/itada/itadact.htm].
14 Federal Trade Commission, ID Theft Data: State Data website at
[http://www.consumer.gov/idtheft/id_state.htm]. National Data is available at
[http://www.consumer.gov/idtheft/id_federal.htm].
CRS-4
! Almost half of the security breaches occurred at institutions of
higher education. (A recent Chronicle of Higher Education article
examines why this is so, noting that while colleges have become
better at detecting electronic break-ins, security practices,
particularly password protections, are lax15. In addition, academic
culture embraces the open exchange of information and provides a
target-rich environment for data breaches — an abundance of
computer equipment filled with sensitive data and a pool of
financially naive students16);
! Other prevalent targets for identity theft are financial institutions
(banks, credit card companies, securities companies, etc.), and
government agencies (international, federal, state, and local); and
! In 2005, a stolen computer (desktop, laptop, or hard drive) was the
cause of the security breach 20% of the time.
15 Dan Carnevale, “Why Can’t Colleges Hold On to Their Data?,” Chronicle of Higher
Education, May 6, 2005, p. A35.
16 Reuters, “U.S. Colleges Struggle to Combat Identity Theft,” eWeek, Aug. 17, 2005, at
[http://www.findarticles.com/p/articles/mi_zdewk/is_200508/ai_n14906864].
CRS-5
Table 1. Examples of Data Security Breaches (2000-2005)
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Boeing - theft of company
November
current and former
161,000
names, Social Security numbers
Bowermaster, David and Dominic
computer
2005
Boeing workers
(SSNs), some birth dates and
Gates and Melissa Allison,
banking information for
“161,000 Workers’ Personal Data
employees who elected to use
on PC Stolen from Boeing,” Seattle
direct deposit of payroll
Times, November 19, 2005, p. A1.
Georgia Institute of Technology
November
past, present, and
13,000
SSNs, birthdates, names,
Kantor, Arcadiy, “Georgia Tech
Office of Enrollment Services -
2005
prospective students
addresses
Computer Theft Compromises
computer theft
Student Data,” The Technique (via
University Wire), November 11,
2005 at
[http://www.nique.net/issues/2005-
11-11/news/3].
TransUnion (credit reporting
November
customers
3,600
SSNs and personal credit
“Credit Bureau Burglary Leaves
bureau) - stolen desktop
2005
information
3,600 Vulnerable,” Atlanta Journal
computer
and Constitution, November 11,
2005.
Safeway - company laptop stolen
November
employees
1,200
names, SSNs, hire dates and
Akkad, Dania, “Safeway Discloses
from manager’s home
2005
work locations
Security Breach,”Monterey County
Herald, November 5, 2005.
CRS-6
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Indiana University - malicious
November
Kelly School of
5,300
personal student information
“IU Finds ‘Malicious’ Software,”
software programs installed on
2005
Business students
Associated Press, FortWayne.com,
business instructor’s computer
enrolled in introductory
November 18, 2005, at
business course between
[http://www.fortwayne.com/mld/for
2001-2005
twayne/news/local/13202338.htm].
University of Tennessee Medical
November
patients who received
3,800
names and SSNs
“UT Patients Warned of Stolen
Center - laptop computer stolen
2005
treatment in 2003
Computer,” Chattanooga Times
Free-Press, November 2, 2005, p.
B2.
University of Tennessee -
October 2005
students and employees
1,900
names and SSNs
“State Briefs: UT Students’ Private
inadvertent posting of names and
Data Posted on the ‘Net,” The
Social Security numbers to
Tennessean.com, October 29, 2005,
Internet listserv
at
[http://tennessean.com/apps/pbcs.dl
l/article?AID=/20051029/NEWS01/
510290327/1006/NEWS01].
Bank of America - stolen laptop
September
Visa Buxx card users
undisclosed
names, credit card numbers, bank
McMillan, Robert, “Bank of
2005
account numbers, routing transit
America Notifying Customers After
numbers
Laptop Theft,” Computerworld,
October 7, 2005, at
[http://www.computerworld.com/se
curitytopics/security/story/0,10801,
105246,00.html].
CRS-7
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
University of Georgia - hacker
September
current and former
1,600
SSNs
Simmons, Kelly, “Hackers Breach
hits employee records server
2005
employees of
Database at UGA,” The Atlanta
university’s College of
Journal - Constitution, September
Agricultural and
29, 2005, p. C2.
Environmental Sciences
Children’s Health Council, San
September
patients, employees, and
5,000-6,000
psychiatric records, evaluations
Walsh, Diana, “Data Stolen from
Jose, California - stolen backup
2005
parents of patients
and SSNs; also payroll data on
Children’s Psychiatric Center,” San
tape
hundreds of current and former
Francisco Chronicle, September
employees and credit card
20, 2005, p. B8.
information from parents of
patients
Choicepoint - Miami-Dade
September
consumers
5,103
SSNs, driver’s license
Husted, Bill, “Another Breach of
County Police Department may
2005
information
Records Feared;
have misused the department’s
Choicepoint Tells 5,103 Customers
account to illegally access
about Incident,” Atlanta Journal-
consumer records
Constitution, September 17, 2005,
p. 1H.
Miami University (Ohio) - report
September
students
21,762
SSNs, grades
Giordano, Joe, “Miami University,
containing SSNs and grades of
2005
Ohio, Finds Huge Online Security
more than 20,000 students has
Breach,” Journal-News (Hamilton,
been accessible via the Internet
OH), September 16, 2005.
since 2002
CRS-8
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Kent State University - five
September
students and professors
100,000
names, SSNs, grades
Gonzalez, Jennifer, “Student,
desktop computers stolen from
2005
Faculty Data on Stolen Computers,”
campus
Plain Dealer (Cleveland),
September 10, 2005, p. B1.
California State University -
August 2005
students who receive
154
names, SSNs
“California State University
Office of the Chancellor may
financial aid and two
Chancellor’s Office Experiences
have experienced unauthorized
financial aid
Potential Computer Security
access to one of its computers
administrators
Breach,”U.S. Fed News, August
29, 2005.
J.P. Morgan (Dallas) - stolen
August 2005
clients
unknown
personal and financial
“Security Breach at J.P. Morgan
laptop
information
Private Bank,”AFX International
Focus, August 30, 2005.
University of Florida Health
August 2005
patients and physicians
3,851
names, SSNs, dates of birth,
Chun, Diane, “3,851 Patients at
Sciences Center/ChartOne -
medical records
Risk of ID Theft,” Gainesville.com,
stolen laptop
August 27, 2005 at
[http://www.gainesville.com/apps/p
bcs.dll/article?AID=/20050827/LO
CAL/208270336/1078/news].
U.S. Air Force - records stolen
August 2005
officers and 19 NCOs
33,300
SSNs, birthdates, and other
Dorsett, Amy, “Identity theft Threat
from the Air Force Personnel
sensitive information
Hangs over AF Officers,” San
Center’s online Assignment
Antonio Express-News, August 24,
Management System
2005, p. 1A.
CRS-9
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
University of Colorado - hackers
August 2005
student records from
49,000
names, SSNs, addresses, phone
Mccrimmon, Katie Kerwin,
tapped into a database in the
June 1999 to May 2001
numbers
“Hackers Tap CU Registrar’s
registrar’s office
and from fall 2003 to
Database; Privacy of 49,000
summer 2005.
Students Potentially Invaded in
Breach,” Rocky Mountain News
(Denver), August 20, 2005, p. 20A.
California State University,
August 2005
student workers
900
names, SSNs
Togneri, Chris, “Hacker Breaks into
Stanislaus - hacking
Stan State Computer,” Modesto
Bee, August 16, 2005, p. B1.
University of North Texas -
August 2005
current, former and
38,607
names, addresses, telephone
Tessyman, Neal, “Hackers Steal
hacking
prospective students
numbers, SSNs, student
Student Info from U. North Texas,”
identification numbers, student
University Wire, August 11, 2005.
ID passwords, student
classification information and
possibly 524 credit card numbers
Sonoma State University -
August 2005
people who either
61,709
names, SSNs
Park, Rohnert, “Hackers Hit
hacking
attended, applied,
College Computer System: Identity
graduated or worked at
Theft Fears at Sonoma State,” San
the school from 1995 to
Francisco Chronicle, August 9,
2002
2005, p. B2.
University of Colorado - hacking
August 2005
students and faculty
36,000
university accounts and personal
Uhls, Anna, “U. Colorado students
into campus Card Office (creates
information
getting (re)carded,” University
IDs for staff and students)
Wire/Colorado Daily, August 4,
2005.
CRS-10
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
California Polytechnic, Pomona -
July 2005
university applicants and
31,077
names, SSNs
Ruiz, Kenneth, “Hackers Infiltrate
two computers hacked
current and former
Cal Poly,” Whittier Daily News
faculty, staff and
(CA), August 5, 2005.
students
California State University
July 2005
students
9613
names, SSNs
“Hackers crack computers, access
Dominguez Hills - hacking
private student
information,”Associated Press, July
29, 2005.
San Diego County Employees
July 2005
current and retired
33,000
workers’ names, Social Security
Chacon, Daniel, “Hackers Breach
Retirement Association - hackers
county government
numbers, addresses and dates of
County’s Personal Records; 33,000
broke into two computers
employees
birth
People at Risk in Retirement
Association,” San Diego
Union-Tribune, July 30, 2005, p.
B1.
University of Colorado, Boulder -
July 2005
students and professors
29,000 students
SSNs, names, photographs
“Hackers Break into CU Computers
hackers broke into a computer
and 7,000
Containing 36k Records,”
server containing information
professors
Associated Press, August 1, 2005.
used to issue identification cards
University of Southern California
July 2005
applicants
270,000
name, address, SSNs, e-mail
Hawkins, Stephanie, “Hacker Hits
- individual hacked into USC’s
address, phone number, date of
Application System at USC,”
online application system
birth, login information
University Wire/ Daily Trojan,
August 18, 2005.
CRS-11
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Michigan State University -
July 2005
students
27,000
names, addresses, SSNs, course
“Students Informed Social Security
breach of a server in the College
information, personal
Numbers Possibly Compromised,”
of Education
identification numbers
Associated Press, July 7, 2005.
University of California, San
July 2005
students, staff, faculty
3,300
SSNs, driver license and credit
“SD UCSD Hackers,” City News
Diego - hackers broke into
who had attended or
card numbers
Service, July 1, 2005.
university server
worked at UCSD
Extension in the past
five years
Ohio State University Medical
June 2005
patients
15,000
patient names, admission and
Crane, Misti, “Laptop Containing
Center - two stolen laptops
discharge dates, whether the
Patients’ Billing Information
patient had insurance, total
Stolen;
charges and adjustments to the
Birth Dates, Social Security
account.
Numbers Not in Data Taken from
Consultant, Osu Says,” Columbus
Dispatch (OH), June 30, 2005, p.
4C.
Bank of America - laptop stolen
June 2005
California customers
18,000
names, addresses, SSNs,
Lazarus, David, “Breaches in
from car in Walnut Creek
Security Require New Laws,” San
Francisco Chronicle, June 29,
2005, p. C1.
Lucas County (OH) Children
June 2005
agency’s 400 current
900
names, telephone numbers, SSNs
Patch, David, “Lucas County
Services - information from the
employees and about
Children Services Data Stolen,”
agency’s personnel database was
500 others who have
Toledo Blade, June 28, 2005, p. B1.
compiled and e-mailed to an
worked there since 1991
outside computer
CRS-12
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
University of Connecticut -
June 2005
students, staff, and
72,000
names, SSNs, dates of birth,
Naraine, Ryan, “UConn Finds
hacking - rootkit (collection of
faculty
phone numbers and addresses
Rootkit in Hacked Server,” eWeek,
programs that a hacker uses to
June 27, 2005, at
mask intrusion and obtain
[http://www.eweek.com/article2/0,1
administrator-level access to a
759,1831892,00.asp].
computer or computer network)
placed on server on October 26,
2003, but not detected until July
20, 2005
Eastman Kodak - laptop stolen
June 2005
former Eastman Kodak
5,800
names, Social Security numbers,
Davia, Joy, “Kodak Warns of Data
from a consultant’s locked car
workers
birth dates and benefits
Theft,” Rochester Democrat and
trunk.
information
Chronicle (New York), June 22,
2005, p. 8D.
University of Hawaii - dishonest
June 2005
students, faculty, staff
150,000
SSNs, addresses and phone
“UH Warns of Possible Identity
library worker indicted on federal
and library patrons at
numbers
Theft,” Associated Press, June 19,
charges of bank fraud related to
any of the 10 campuses
2005.
identity theft
between 1999 and 2003
Kent State University - laptop
June 2005
full-time faculty
1,400
names, SSNs
Hampp, David, “Kent State U.
stolen from employee’s car
members since 2001
Faculty Affected by Stolen
Computer,” Daily Kent Stater (via
University Wire), June 22, 2005.
CRS-13
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Japanese credit cardholders -
June 2005
customers of 26
unknown
unknown
“Japan Cardholders ‘Hit’ by
hackers behind U.S. data theft
domestic Japanese credit
Theft,”BBC News, June 21, 2005 at
may have compromised the data
card firms
[http://news.bbc.co.uk/2/hi/business
of Japanese cardholders,
/4114252.stm].
according to the government.
Fraudulent transactions have now
emerged in Japan.
MasterCard - breach occurred
June 2005
MasterCard credit card
40 million
names, account numbers, security
Krim, Jonathan and Michael
late last year at a processing
and some debit card
codes, expiration dates
Barbaro, “40 Million Credit Card
center in Tucson operated by
customers
Numbers Hacked: Data Breached at
CardSystems Solutions, one of
Processing Center,”Washington
several companies that handle
Post, June 18, 2005, p. A1;
transfers of payment between the
bank of a credit card-using
Zeller, Tom and Eric Dash,
consumer and the bank of the
“MasterCard Says 40 Million Files
merchant where a purchase was
Put at Risk,”New York Times, June
made. CardSystems’ computers
18, 2005, p. A1; and
were breached by malicious code
that allowed access to customer
Evers, Joris, “Credit Card Suit Now
data.
Seeks Damages,” CNET News.com,
July 7, 2005, at
[http://news.com.com/Credit+card+
suit+now+seeks+damages/2100-73
50_3-5777818.html].
CRS-14
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Federal Deposit Insurance
June 2005
FDIC current and
6,000
names, birth dates, SSNs, and
Krim, Jonathan, “FDIC Alerts
Corporation - computer breach in
former employees or
salary information
Employees of Data Breach”,
early 2004. The agency wrote to
anyone employed at the
Washington Post, June 16 2005, p.
employees that it learned of the
agency as of July 2002.
D1.
breach only “recently”, but did
not explain how the breach
occurred, aside from stating that
it was not the result of a
computer security failure.
Motorola - Thieves broke into the
June 2005
Motorola employees
34,000 in U.S.
SSNs and personal information
“Two Computers Stolen with
offices of Affiliated Computer
Motorola Staff Data,” Reuters, June
Services (ACS), a provider of
10, 2005.
human resources services, and
stole two computers
Citigroup - a box of computer
June 2005
personal and home
3.9 million
names, addresses, SSNs and
Krim, Jonathan, “Customer Data
tapes with account information
equity loan customers
loan-account data
Lost, Citigroup Unit Says:3.9
for 3.9 million customers was lost
Million Affected As Firms’
in shipment by CitiFinancial, a
Security Lapses Add Up,
unit of Citigroup
Washington Post, June 7, 2005, p.
A1.
MCI - laptop stolen from a car
May 2005
current and former
16,500
names and SSNs
Young, Shawn, “MCI Reports Loss
that was parked in the garage at
employees
Of Employee Data On Stolen
the home of a MCI financial
Laptop,” Wall Street Journal, May
analyst
23, 2005, p. A2.
CRS-15
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Florida International University
May 2005
faculty
unknown
SSNs, credit card numbers
Leyden, John, “Florida Univ on
(FIU) - a hacker acquired user
and students
Brown Alert after Hack Attack,”
names and passwords for 165
The Register, April 29, 2005, at
computers on campus
[http://www.theregister.com/2005/0
4/29/fiu_id_fraud_alert/].
Time Warner - loss of 40
May 2005
current and former
600,000
names, SSNs
Zeller, Tom, “Time Warner Says
computer backup tapes
employees, some of
Data on Employees Is Lost,” New
containing sensitive data while
their dependents and
York Times, May 3, 2005, p. C4.
being shipped by Iron Mountain
beneficiaries, and
to an offsite storage center
individuals who
provided services for the
company
Carnegie Mellon University -
May 2005
graduates of the Tepper
5,000
SSNs and personal information
Associated Press, “Carnegie Mellon
security breach of school’s
School of Business from
Reports Computer Breach,”
computer network
1997 to 2004; current
MSNBC, April 21, 2005, at
graduate students;
[http://msnbc.msn.com/id/7590506/
applicants to the
].
doctoral program from
2003 to 2005; applicants
to the MBA program
from 2002 to 2004; and
administrative
employees
CRS-16
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
New Jersey cybercrime ring stole
May 2005
customers of four banks
700,000
names, SSNs, bank account
Weiss, Todd, “Scope of Bank Data
financial records from bank
(Charlotte, North
information
Theft Grows to 676,000 Customers:
accounts
Carolina-based Bank of
Bank Employees Used Computer
America and Wachovia,
note: bank employees sold
Screen Captures to Snag Customer
Cherry Hill, New
financial records to collection
Data,” Computerworld, May 20,
Jersey-based Commerce
agencies and law firms.
2005, at
Bank, and PNC Bank of
[http://www.computerworld.com/se
Pittsburgh)
curitytopics/security/cybercrime/sto
ry/0,10801,101903,00.html].
Ameritrade (securities broker) -
April 2005
Ameritrade current and
200,000
account information
“Ameritrade Loses Customer
loses tapes with back-up
former customers
Account Info,” CNN Money, April
information on customer
19, 2005, at
accounts
[http://money.cnn.com/2005/04/19/
technology/ameritrade/index.htm].
Tufts University - possible
April 2005
alumni
106,000
SSNs and other unspecified
Roberts, Paul, “Tufts Warns
security breach in an alumni and
personal information
106,000 Alumni, Donors of
donor database after abnormal
Security Breach: Personal Data on a
activity on the server in October
Server Used for Fund Raising May
and December, 2004
Have Been Exposed,”
Computerworld, April 13, 2005, at
[http://www.computerworld.com/se
curitytopics/security/privacy/story/0
,10801,101043,00.html?source=x10
].
CRS-17
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
HSBC (global bank) sent out
April 2005
holders of General
180,000
credit card information
“Security Scare Hits HSBC’s
warning letters notifying
Motors MasterCard who
Cards,”BBC News, April 14, 2005,
customers that criminals may
had shopped at Polo
at
have gained access to credit card
Ralph Lauren
[http://news.bbc.co.uk/2/hi/business
info
/4444477.stm]; and
Vijayan, Jaikumar, “Update: Scope
of Credit Card Security Breach
Expands,” Computerworld, April
15, 2005, at
[http://www.computerworld.com/se
curitytopics/security/story/0,10801,
101101,00.html].
San Jose Medical Group
April 2005
former patients from last
185,000
names, addresses, SSNs,
Weiss, Todd, “Update: Stolen
Management - desktop computers
7 years
confidential medical information
Computers Contain Data on
stolen from locked administrative
185,000 Patients,” Computerworld,
office
April 8, 2005, at
[http://www.computerworld.com/da
tabasetopics/data/story/0,10801,100
961,00.html].
University of California, San
April 2005
students, faculty and
7,000
names and SSNs numbers
Lazarus, David, “Another Incident
Francisco - hacker gained access
staff
for UC,” San Francisco Chronicle,
to server used by accounting and
April 6, 2005, p. C1.
personnel department
CRS-18
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
University of California,
March 2005
alumni, graduate
100,000
SSNs numbers, names; addresses,
Liedtke, Michael, “Laptop Theft
Berkeley laptop stolen from
students, and past
and birth dates for 1/3 of affected
Causes Identity Fraud Worry,”
restricted area of campus office
applicants
people
Daily Breeze (Torrance, CA),
March 28, 2005, p. A10.
University Nevada, Las Vegas -
March 2005
current and former
5,000
personal records, including birth
Lipka, Sara, “Hacker Breaks Into
hackers accessed school’s
students and
dates, countries of origin,
Database for Tracking International
Student and Exchange Visitor
faculty
passport numbers, and
Students at UNLV,” Chronicle of
Information System (SEVIS)
SSNs
Higher Education, March 21, 2005,
database
p. A43.
California State University,
March 2005
students, former
59,000
SSNs
Associated Press, “Hackers Gain
Chico - hackers broke into
students, prospective
Personal Information of 59,000
servers
students, and faculty
People Affiliated with California
University,”Grand Rapids Press,
March 22, 2005, p. A2.
LEXIS/NEXIS - intruders used
March 2005
customers
32,000
names, addresses, passwords,
El-Rashidi, Yasmine, “LexisNexis
passwords of legitimate
(subsequent
SSNs, drivers license
Reports Data Breach; Personal
customers to get access to a
investigation
Records Are Hacked as Concerns
Seisint database called Accurint,
reveals the
About Security and Identity Theft
which sells reports to
actual number is
Intensify,” Wall Street Journal,
law-enforcement agencies and
310,000)
March 10, 2005, p. A3; and
businesses. Later analysis
determined that its databases had
Krim, Jonathan, “LexisNexis Data
been fraudulently breached 59
Breach Bigger Than Estimated:
times using stolen passwords.
310,000 Consumers May Be
Affected, Firm Says,” Washington
Post, April 13, 2005, p. E1.
CRS-19
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
DSW Shoe Warehouse store -
March 2005
customers of 103 of the
initially
credit card information
Associated Press, “DSW ID Theft
information stolen from computer
chain’s 175 stores
“hundreds of
May Affect Over 100,000,”
database over 3- month period
thousands,” then
Chicago Tribune, March 11, 2005,
raised to 1.4
p. 4; and
million
“Firm Raises Data Theft Count,”
Washington Post, April 19, 2005, p.
E2.
Bank of America - computer data
February 2005
GSA charge card
1.2 million
customer and account
Carrns, Ann, “Bank of America Is
tapes lost during shipment
program (Visa cards
information
Missing Tapes With Card
issued to federal
Data,”Wall Street Journal, February
employees)
28, 2005, p. B2.
ChoicePoint - criminals used fake
February 2005
consumers
30,000-35,000
names, addresses, SSNs, credit
Perez, Evan, “ChoicePoint Is
documentation to open 50
in California;
reports
Pressed to Explain Database
fraudulent accounts to access
145,000
Breach,” Wall Street Journal,
consumer data
nationwide
February 5, 2005, p. A6.
T-Mobile - hacker intrusion into
February 2005
T-Mobile customers
400
customer records, passwords,
Poulsen, Kevin, “Known Hole
company database
SSNs, private e-mail and candid
Aided T-Mobile Breach,”Wired
celebrity photos
News, February 28, 2005, at
[http://www.wired.com/news/privac
note: data offered for sale via
y/0,1848,66735,00.html].
online forum
CRS-20
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
University of California, San
January 2005
students and alumni of
3,500
names, SSNs
Yang, Eleanor, “Hacker Breaches
Diego (UCSD) - hacker breached
UCSD Extension
Computers That Store UCSD
computer system
Extension Student, Alumni Data,”
San Diego Union Tribune, January
18, 2005, p. B3.
George Mason University -
January 2005
faculty, staff, and
30,000
names, photos, SSNs, and
McCullagh, Declan, “Hackers Steal
hackers gained access to
students
campus ID numbers
ID Info from Virginia University,”
information
Wired News, January 10, 2005, at
[http://news.com.com/2100-7349_3
-5519592.html].
Wells Fargo - computers stolen
November
mortgage and
company would
customers’ names, addresses, and
Breyer, R. Michelle, “Wells Fargo
from Wells Fargo vendor
2004
student-loan customers
not disclose
SSNs, and account numbers
Customer Data Stolen in Computer
Theft ,”Austin-American Statesman,
November 3, 2004, p. D1.
Affiliated Computer Services -
October 2004
county employees
900
names, birth dates, SSNs, bank
Whaley, Monte, “FBI on Weld
inmate hacked into county
account routing numbers and
ID-Theft Case Feds to Analyze
database
checking account numbers
Data from Cell of Inmate Who
Hacked Computer,” Denver Post,
November 11, 2004, p. B1.
University of California,
October 2004
Californians
1.4 million
SSNs, names, addresses, phone
Reuters, “Hacker Strikes University
Berkeley - hacker compromised
participating in
individuals
numbers, and dates of birth
Computer System,”CNET News,
the university’s computer system
California’s In-Home
October 19, 2004, at
Supportive Services
[http://news.com.com/2100-7349_3
program since 2001
-5418388.html].
CRS-21
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
California State - auditor from
August 2004
380,000 current and
23,500
name, address, SSNs
Connell, Sally Ann, “Security
chancellor’s office lost hard drive
former students,
Lapses, Lost Equipment Expose
containing personal information
applicants, staff, faculty
Students to Possible ID Theft; in
and alumni at UC San
the Latest Incident, a Cal State Hard
Diego and 178,000 at
Drive with Data on 23,500
San Diego State
Individuals Is Missing,” Los
Angeles Times, August 29, 2004, p.
B4.
Lowe’s (home improvement
June 2004
customers
unknown
skimmed credit account
Roberts, Paul, “Wireless Hacker
store) - hacker used vulnerable
information for every transaction
Pleads Guilty: Man Admits Using
wireless network to attempt to
processed at a particular Lowe’s
Store’s Wireless Network to Steal
steal credit card info
store
Credit Card Info,” PC World, June
7, 2004, at
[http://msn.pcworld.com/news/artic
le/0,aid,116411,00.asp].
University of California, Los
June 2004
blood donors
145,000
names, birth dates and SSNs
Becker, David, “UCLA Laptop
Angeles - stolen laptop w/ blood
Theft Exposes ID Info,”CNET
donor info
News, October 6, 2004, at
[http://news.com.com/UCLA+lapto
p+theft+exposes+ID+info/2100-10
29_3-5230662.html?tag=nl].
CRS-22
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
University of California, San
April 2004
UCSD students, alumni,
380,000
SSNs, and driver license
Sidener, Jonathan, “SD
Diego (UCSD) - hackers
faculty, employees and
numbers
Supercomputer Center Among
breached security at the San
applicants
Victims of Intrusion,” San Diego
Diego Supercomputer Center and
Union Tribune, April 15, 2004, p.
the University’s Business and
B3.
Financial Services Department
eBay - hackers tricked online
March 2004
several eBay merchants
company did
customer names, e-mail
Kirby, Carrie, “New Scam Threat at
merchants who used the PayPal
not disclose
addresses, home addresses and
eBay / Hackers Obtained
payment processing system into
transactions
Information on Some Customers,”
disclosing their user names and
San Francisco Chronicle, March
passwords, then logged onto the
16, 2004, p. C1.
merchants’ accounts
Illinois Employment
February 2004
people who work as
90,000
SSNs, wages
“Hackers Breach State Files on
Development Department server
domestic employees and
90,000,” Chicago Tribune,
- hackers broke into
those who employ them
February 15, 2004, p. 12.
Wells Fargo - hacker arrested
November
customers with personal
company would
names, addresses, account and
“Suspect Is Arrested in Theft of
with stolen computers and laptop
2003
lines of credit used for
not disclose
SSNs
Bank Data,” Los Angeles Times,
consumer loans and
November 27, 2003, p. C2.
overdraft protection
Kinko’s - hacker installed a key
November
Customers at Internet
450
SSNs, names, passwords, credit
Napoli, Lisa, “A Hacker Masters
logger to record every character
2003
terminals at 13 Kinko’s
cards, bank account data
Keystroke Theft: Personal Data
typed on 13 Kinko’s computers
copy shops in
Stolen from 450 Victims ,”
Manhattan
note: data was sold
International Herald Tribune,
August 9, 2003, p. 1.
CRS-23
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Acxiom (marketing company) -
August 2003
clients include 14 of the
10% of clientele
passwords, personal, financial,
Lee, W.A. “Hacker Breaches
hacker downloaded data
top 15 credit card
(no total number
and company information
Acxiom Data,” American Banker,
companies, 5 of the top
given)
August 11, 2003, p. 5.
6 retail banks, IBM,
Microsoft, and federal
government
U.S. Department of Defense -
August 2003
Navy’s purchase card
13,000
credit card numbers
Reddy, Anitha, “Hackers Steal
hackers downloaded Navy credit
program, used to order
13,000 Credit Card Numbers; Navy
cards
routine office supplies
Says No Fraud Has Been Noticed,”
Washington Post, November 23,
2003, p. E1.
Weichert Financial Services -
May 2003
clients
3,774
credit reports, driver’s license
Associated Press, “Pair Accused of
credit profiles were unlawfully
info
Fraud in Credit Reports’ Theft:
accessed from internal computer
Allegedly Used Data to Buy Goods
system
over the Internet,”The Record
(Bergen County, NJ), May 2, 2003,
p. A10.
DirecTV - hacker stole trade
April 2003
DirecTV subscribers
50,000
details about the design and
“U. of C. Student Pleads Guilty to
secrets for access card
customers used
architecture of DirecTV’s
Theft of Direc TV Card Data ;
counterfeit
“Period 4” cards
Trade Secrets Ended up on Hacker
access cards to
Site, Enabling Free Access,”
watch
note: data was sold
Chicago Sun-Times, April 30,
programming
2003, p. 16.
without paying
CRS-24
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
University of Texas, Austin -
March 2003
current and former
55,200
names, addresses, SSNs, email
Read, Brock, “Hackers Steal Data
computer hackers broke into
student, faculty and staff
addresses, office phone numbers
From U. of Texas Database,”
database on multiple occasions
members, as well as job
Chronicle of Higher Education,
applicants
note: perpetrator claimed he did
March 21, 2003, p. 35.
not distribute the numbers and
had not used them “to anyone’s
detriment”
Georgia Institute of Technology
March 2003
patrons of art and theatre
57,000
credit card numbers
Lemos, Robert, “Data Thieves
program
Strike Georgia Tech,” Wired News,
March 31, 2003, at
[http://news.com.com/Data+thieves
+strike+Georgia+Tech/2100-1002_
3-994821.html?tag=nl].
Visa, MasterCard, American
February 2003
credit card customers
PNC Bank
ATM/debit/check cards
“PNC Cancels 16,000 Cards After
Express and Discover account
cancelled 16,000
Hacking Theft Incident,” Pittsburgh
numbers - hacker stole 8 million
cards; Citizens
Post-Gazette, February 20, 2003, p.
Bank cancelled
C1.
8,000-10,000
cards
Bronx identity theft ring filed
February 2003
income tax filers
not specified
SSNs
Weiser, Benjamin, “19 Charged in
thousands of fraudulent income
Identity Theft That Netted $7
tax returns
note: ID theft ring obtained
Million in Tax Refunds,” New York
$7million in tax refunds
Times, February 5, 2003, p. B3.
CRS-25
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
University of Kansas - hacker
January 2003
foreign students
1,400
SSNs, passport numbers,
Arnone, Michael, “Hacker Steals
break-in to Student and Exchange
countries of origin, and birth
Personal Data on Foreign Students
Visitor Information System
dates.
at U. of Kansas,”Chronicle of
(SEVIS)
Higher Education, January 24,
2003.
TriWest Healthcare Alliance -
December
military personnel and
500,000
names, addresses, SSNs
Gorman, Tom, “Reward Offered in
theft of a database containing
2002
their dependents
Huge Theft of Identity Data; Stolen
names and SSNs
Computers Had Names, Social
Security Numbers of 500,000
Military Families,”Los Angeles
Times, January 1, 2003, p. 14.
TCI help-desk worker sold client
November
credit reporting bureau
15,000 (Wired
names, addresses, SSNs, credit
Delio, Michelle, “Cops Bust
access codes to two others, who
2002
customers
News)
card
Massive ID Theft Ring,” Wired
then used the codes to obtain
30,000 (Seattle
News, November 25, 2002, at
more than 15,000 customer credit
Times)
note: data sold, for $60 per
[http://www.wired.com/news/privac
records
record
y/0,1848,56567,00.html]; and
Masters, Brooke, “Huge ID-Theft
Ring Broken; 30,000 Consumers at
Risk ; Men Charged with Stealing
Personal, Financial Data ,” Seattle
Times, November 26, 2002, p. A1.
CRS-26
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Midwest Express Airlines and
April 2002
Midwest Express
unknown
passenger names and airport
Larson, Virgil, “Computer Hackers
Federal Aviation Administration
Airlines customers; FAA
security screening results
Breach Midwest Express Systems,”
- hackers posted list of customer
(two separate incidents)
Omaha World-Herald, April 22,
names to website and posted a list
2002, p. 1D.
of airport security screening
results taken from the FAA’s
system
ChoicePoint - Nigerian-born
2002
unknown
7,000-10,000
names and SSNs
Associated Press, “ChoicePoint
brother and sister posed as
inquiries on
Suffered Previous Breach: Two ID
legitimate businesses to set up
names and
note: data was sold
Thieves Arrested in 2002 for
ChoicePoint accounts
SSNs, then used
Tapping into Data” MSNBC,
identities to
February 3, 2005, at
commit fraud
[http://www.msnbc.msn.com/id/706
5902/].
College of the Canyons
October 2001
current and former
36,000
names, SSNs, and photographs
Mistry, Bhavna, “Identity Theft
(California) - computer hard
students
Alert Issued at College,” Los
drive containing personal student
Angeles Daily News, October 21,
information stolen
2001, p. N7.
Fullerton, California - bogus
June 2001
impersonated more than
1,500
birth dates, SSNs, mothers’
Brown, Aldrin and Jeff Collins,
credit card ring which opened
1,500 people nationwide
maiden names, credit cards,
“Suspicious Mail Triggered Probe
bank accounts, credit lines, auto
and defrauded 76
driver’s licenses, and receipts for
of Identity Theft Crime Losses
and home loans
financial institutions
car and home purchases.
from the Alleged Ring, Which Used
Data Stolen as Far Back as the
Early ‘90s, May Hit $10 Million,”
Orange County Register, June 21,
2001.
CRS-27
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
New York City restaurant busboy
March 2001
chief executives,
200
SSNs, home addresses and birth
Hays, Tom, “Busboy Hacks Only
duped credit reporting companies
celebrities and tycoons
dates, credit card numbers
the Richest, Used Forbes’ List in
into providing detailed credit
from Forbes list of
Plot to Steal Identity, Credit Info,
reports
richest Americans
Big Bucks,” Pittsburgh Post-
Gazette, March 21, 2001, p. A11.
World Economic Forum -
February 2001
attendees
3,200
passport numbers, cell phone
Higgins, Alexander, “Hackers Steal
hackers broke into computer
numbers, credit card numbers,
World Leaders’ Personal Data,”
exact arrival and departure times,
Chicago Sun-Times, February 6,
hotel names, room numbers,
2001, p. 20.
number of overnights, sessions
attended, plus information on
27,000 people who have attended
the global forum in recent years
International credit card ring adds
January 2001
Internet shopping sites
unknown
credit card numbers
James, Michael, “Small-time Thefts
fraudulent charges of 277
Reap Big Net Gain Tens of
Russian rubles ($5-10) to credit
note: data was sold
Thousands of Phony $5-$10
cards
Credit-Card Charges Rake in
Millions for Hackers,” Orlando
Sentinel, January 27, 2001, p. E5.
University of Washington
December
cardiology and
5,000
names, addresses, birth dates,
“Hacker Steals Patient Records,”
Medical Center - hacker broke
2000
rehabilitation patients
heights and weights, SSNs, and
San Diego Union-Tribune,
into computer system
the medical procedure undergone
December 9, 2000, p. A3.
CRS-28
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Egghead - hacker attacked
December
customers
3.5 million
credit card info
“Sayer, Peter, “Egghead Says
computer system
2000
credit card
Customer Data Safe After Hack
accounts; 7500
Attack,” PC World, January 8, 2001
of which showed
at
“suspected
[http://msn.pcworld.com/news/artic
fraudulent
le/0,aid,37781,00.asp].
activity”
Western Union - hackers made
September
customers who
15,700
credit and debit card information
Cobb, Alan, “Hackers Steal Credit
electronic copies of the credit and
2000
transferred money on a
Card Info from Western Union
debit card information
company website
Site,” Chicago Sun-Times,
September 11, 2000, p. 22.
America Online - AOL
June 2000
customers
500 records
names, addresses, and credit card
“Hackers Breach Security At
customer-service representatives
were viewed
numbers
America Online Inc,” Wall Street
mistakenly downloaded an e-mail
Journal, June 19, 2000, p. A34.
attachment sent by hackers
Two British teens intruded into 9
March 2000
customers
26,000 credit
credit card data
Sniffen, Michael, “2 Teens Accused
e-commerce websites in the
card accounts
of Hacking Charged in $3 Million
United States, Canada, Thailand,
note: some data was posted on
Credit Card Theft,” Chicago Sun-
Japan and Britain
the Web
Times, March 25, 2000, p. 9.
CD Universe (online music store)
January 2000
customers
300,000
credit card numbers
Associated Pres, “Hacker Said to
- hacker stole credit card numbers
Steal 300,000 Card Numbers,”
and released thousands of them
note: Maxus Credit Card
Arizona Republic, January 11,
on a website when the company
Pipeline website posted up to
2000, p. A3.
refused to pay a $100,000 ransom
25,000 stolen numbers
CRS-29
Date
Type of Data
Incident
Who Was Affected
No. Affected
Source(s)
Publicized
Released/Compromised
Pacific Bell - 16-year-old
January 2000
subscribers
63,000 accounts
passwords
Gettleman, Jeffrey, “Passwords of
teenager hacked into server and
were decrypted;
PacBell Net Accounts Stolen;
stole passwords
330,000
Computers: Authorities Say
customers told to
16-year-old Hacker Took the Data
change
for Fun. Theft Affects 63,000
passwords
Customers,” Los Angeles Times,
January 12, 2000, p. 2.
Source: This table was prepared by CRS from publicly available and news media sources.
Note: URLs are listed for exclusively online sources; other publications are identified by name and date.