Order Code RL33199
CRS Report for Congress
Received through the CRS Web
Data Security Breaches:
Context and Incident Summaries
Updated January 29, 2007
Rita Tehan
Information Research Specialist
Knowledge Services Group
Congressional Research Service ˜ The Library of Congress

Data Security Breaches:
Context and Incident Summaries
Summary
Personal data security breaches are being reported with increasing regularity.
Within the past few years, numerous examples of data such as Social Security, bank
account, credit card, and driver’s license numbers, as well as medical and student
records have been compromised. A major reason for the increased awareness of
these security breaches is a California law that requires notice of security breaches
to the affected individuals. This law, implemented in July 2003, was the first of its
kind in the nation.
State data security breach notification laws require companies and other entities
that have lost data to notify affected consumers. As of December 2006, 34 states had
implemented data security laws.
Congress is considering legislation to address personal data security breaches,
following a series of high-profile data security breaches at major financial services
firms, data brokers (including ChoicePoint and LexisNexis), and universities.
Multiple measures were introduced in 2005 and 2006, but to date, none have been
enacted.
This report will be updated regularly.

Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Data Security Breaches in Federal Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Data Security Breaches: Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
For Additional Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
List of Tables
Table 1. Data Security Breaches in Businesses (2000-2007) . . . . . . . . . . . . . . . 10
Table 2. Data Security Breaches in Education (2000-2007) . . . . . . . . . . . . . . . . 24
Table 3. Data Security Breaches in Financial Institutions (2001-2007) . . . . . . . 43
Table 4. Data Security Breaches in Local, State, and Federal Government
(2003-2007) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Table 5. Data Security Breaches in Health Care (2003-2007) . . . . . . . . . . . . . . 63

Data Security Breaches:
Context and Incident Summaries
Introduction
Personal data security breaches are being reported with increasing regularity.
During the past few years, there have been numerous examples of hackers breaking
into corporate, government, academic, and personal computers and compromising
computer systems or stealing personal data such as Social Security, bank account,
credit card, and driver’s license numbers, as well as medical and student records.
These breaches occur not only because of illegal or fraudulent attacks by computer
hackers, but often because of careless business practices, such as lost or stolen laptop
computers, or the inadvertent posting of personal data on public websites. A recent
infamous example occurred in May 2006, when 26.5 million veterans and their
spouses were in danger of identity theft because a Veterans Affairs data analyst took
home a laptop computer containing personal data (including names, Social Security
numbers, and dates of birth), which was later stolen in a burglary.1
Depending on the definition, the most common type of identity theft is credit
card fraud, and there is evidence that the extent of credit card fraud has increased due
to opportunities provided by the Internet.2 Although some aspects of identity theft
have been known for many years, it is viewed now primarily as a product of the
information age. A particular crime of identity theft may include one or all of these
stages:
Stage 1: Acquisition of the identity through theft, computer hacking, fraud,
trickery, force, re-directing or intercepting mail, or even by legal means
(e.g., purchase information on the Internet).
Stage 2: Use of the identity for financial gain (the most common
motivation) or to avoid arrest or otherwise hide one’s identity from law
enforcement or other authorities (such as bill collectors). Crimes in this
stage may include account takeover, opening of new accounts, extensive
use of debit or credit cards, sale of the identity information on the street or
1 For additional information on legislative proposals introduced after the VA data theft (and
in light of several ongoing information security and information technology management
issues at the VA), see CRS Report RL33612, Department of Veterans Affairs: Information
Security and Information Technology Management Reorganization
, by Sidath Viranga
Panangala.
2 Graeme Newman and Megan McNally, Identity Theft Literature Review, National Criminal
Justice Reference Service (NCJRS), 2005, at [http://www.ncjrs.gov/pdffiles1/nij/grants/
210459.pdf].

CRS-2
black market, acquisition (“breeding”) of additional identity related
documents such as driver’s licenses, passports, visas, health cards, etc.),
filing tax returns for large refunds, insurance fraud, stealing rental cars, and
many more.
Stage 3: Discovery of the theft. While many misuses of credit cards are
discovered quickly, the “classic” identity theft involves a long period of
time to discovery, typically from six months to as long as several years.
Evidence suggests that the time it takes to discovery is related to the
amount of loss incurred by the victim.3
Identity theft is rarely one crime, but is composed of the commission of a wide
variety of other crimes, such as check and card fraud, financial crimes of various
sorts, various telemarketing and Internet scams, auto theft, counterfeiting and forgery,
etc.
The difficulty in studying identity theft is investigating what portion of the long
list of identity theft related crimes is related to the “classic” type of identity theft that
results in repeat victimization. For example, a common type of credit card fraud is
to steal an individual’s credit card. The offender makes a quick purchase of an
expensive item then discards the card. Has the victim’s identity truly been stolen?
The event clearly fits within the definition above, but it is not the wholesale theft of
the victim’s identity. However, should the offender be working with an accomplice,
the card could be turned over several times and even sold on the street. Finally,
should the victim’s driver’s license and other identifying documents such as a health
card with a Social Security number on it also be stolen, the basic elements for
stealing an individual’s identity are present.4
A January 2007 white paper by the computer security research company McAfee
Avert Labs reports a dramatic increase in global identity theft trends.5 One key
finding was that “[p]ersonal data for tens of millions of people disappears each year.
It’s either been stolen or misplaced. Despite this disturbing trend, the number of
complaints is surprisingly low, which leads us to believe the losses are not fully
acknowledged.”6
3 Ibid., p. v.
4 Ibid., p. 14.
5 Francois Paget. Identity Theft, McAfee Avert Labs, January 2007, at
[http://www.mcafee.com/us/local_content/white_papers/wp_id_theft_en.pdf]. This report
discusses recent high-profile examples of identity theft and how several countries define this
type of fraud and its scope; examines both the criminals and their techniques to better
understand how identity theft has evolved in recent years; and focuses on the victims and
consequences of identity theft.
6 Ibid., p. 3.

CRS-3
A California law that requires notice of security breaches to the affected
individuals is the major reason for the increased awareness of these breaches.7 This
law, which was implemented in July 2003, was the first of its kind in the nation.
State security breach notification requires companies and other entities that have
lost personal data to notify affected consumers. Approximately two-thirds of the
states have implemented some type of data breach law.8 State security freeze9 laws
allow a customer to block unauthorized third parties from obtaining one’s credit
report.
Statistics
Identity theft victims spend almost 300 million hours a year trying to clear their
names and re-establish good credit ratings.10 For additional information on this topic,
see CRS Report RL31919, Remedies Available to Victims of Identity Theft, by Gina
Marie Stevens.
In December 2006, a senior editor for Wired News noted a milestone: “... the
total number of lost or exposed personal records since February, 2005, [has passed]
the 100 million mark.”11 The New York Times wrote an article discussing this
landmark and questioned the usefulness of computing such data breaches.
7 California Department of Consumer Affairs, Office of Privacy Protection, Notice of
Security Breach - Civil Code Sections1798.29 and 1798.82 - 1798.84
, updated June 24,
2003, at [http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000
&file=1798.25-1798.29], [http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&
group=01001-02000&file=1798.80-1798.84], and Recommended Practices on Notification
of Security Breach Involving Personal Information
, Oct. 10, 2003, at
[http://www.privacy.ca.gov/recommendations/secbreach.pdf].
8 See 2007 Breach of Information Legislation, National Conference of State Legislatures
at [http://www.ncsl.org/programs/lis/CIP/priv/breach.htm]. As of Dec. 31, 2006, security
breach notification laws have been enacted in the following states: AK, AZ, CA, CO, CT,
DE, FL, GA (data brokers only), HI, ID, IL, IN (state agencies only), KS, LA, ME, MN,
MT, NE, NH, NV, NJ, NY, NC, ND, OH, OK, PA, RI, TN, TX, UT, VT, WA and WI.;
State PIRG Summary of State Security Freeze and Security Breach Notification Laws, U.S.
Public Interest Research Group (USPIRG) at [http://www.pirg.org/consumer/credit/statelaws
.htm#breach]. See also CRS Report RS22374, Data Security: Federal and State Laws, by
Gina Marie Stevens.
9 A security freeze law allows a customer to block unauthorized third parties from obtaining
his or her credit report or score. A consumer who places a security freeze on his or her
credit report or score receives a personal identification number to gain access to credit
information or to authorize the dissemination of credit information. See CRS Report
RS22484, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills,
Tara Alexandra Rainson.
10 Peter Katel, “Identity Theft: Can Congress Give Americans Better Protection?,” CQ
Researcher
, June 10, 2005.
11 Kevin Poulsen, “Data Spills: 100 Million Served,” 27B Stroke 6, Dec. 14, 2006, at
[http://blog.wired.com/27bstroke6/2006/12/data_spills_100.html].

CRS-4
[T]he bigger picture here may be that we are now slicing and dicing the niceties
of data breaches against a running tally so large, that it has lost nearly any
meaning at all... ‘The threat of identity theft from data losses is being greatly
exaggerated,’ Fred H. Cate, the director of the Center for Applied Cybersecurity
Research at Indiana University in Bloomington, told this newspaper not long ago.
‘And that’s because a lot of people have fallen into the trap of equating data loss
with identity theft.’ Whether or not that is true is open to debate, but what all
this data loss does represent, however, is the potential for identity theft — one
that will never go away. Sure, it’s a game of odds. There is only so much a crook
can do with a few hundred thousand names and Social Security numbers. But
once they are out there, they are out there for good. Names don’t change.
Neither do Social Security numbers or dates of birth. And as long as it remains
easy enough to fashion that trifecta into a car loan, a home, a credit card, work
papers, that would seem to be a bit of a long-term problem.12
The Identity Theft and Assumption Deterrence Act of 199813 established the
Federal Trade Commission (FTC) as the government entity charged with developing
“procedures to ... log and acknowledge the receipt of complaints by individuals,” as
well as educate and assist potential victims.14 The FTC compiles annual reports and
charts of aggregated statistics on these events, but does not identify which
corporations, organizations, or other entities have been victims of security breaches
In 2005, the FTC released an annual report (the most recent available) detailing
consumer complaints about fraud and identity theft. Complaints about identity theft
topped the list, accounting for 255,000 of more than 686,000 (or 37%) of complaints
filed with the agency in 2005.15 Credit card fraud was the most common form of
reported identity theft, followed by phone or utilities fraud, bank fraud, and
employment fraud. The most frequently reported type of identity theft bank fraud
was electronic funds transfers. The major metropolitan areas with the highest per
capita rates of reported identity theft were Phoenix/ Mesa/Scottsdale, AZ; Las Vegas/
Paradise, NV; and Riverside/San Bernardino/Ontario, CA.16
12 Tom Zeller, “An Ominous Milestone: 100 Million Data Leaks,” New York Times, Dec.
18, 2006, p. C3.
13 Identity Theft and Assumption Deterrence Act, as amended by P.L. 105-318, 112 Stat.
3007 (Oct. 30, 1998), at [http://www.ftc.gov/os/statutes/itada/itadact.htm].
14 For an overview of the federal laws that could assist victims of identity theft with purging
inaccurate information from their credit records and removing unauthorized charges from
credit accounts, as well as federal laws that impose criminal penalties on those who assume
another person’s identity through the use of fraudulent identification documents, see CRS
Report RL31919, Remedies Available to Victims of Identity Theft, by Gina Marie Stevens.
(Relevant state laws are also discussed.)
15 See Federal Trade Commission, ID Theft Data: State Data website at
[http://www.consumer.gov/idtheft/id_state.htm]. National Data is available at
[http://www.consumer.gov/idtheft/id_federal.htm]. The FTC is also an enforcement agency
and does not release data on companies while an investigation is ongoing. At the
completion of the investigation, when there is an enforcement action, the FTC then releases
information identifying corporations, organization, or others who have violated data security
laws.
16 Ibid.

CRS-5
A number of federal agencies (e.g., the Federal Trade Commission, Department
of Justice, Secret Service, U.S. Postal Service, and Social Security Administration),
state attorneys general, and nonprofit organizations (such as the Electronic Privacy
Information Center) are involved with data privacy investigations or related
consumer assistance. None of them maintain a comprehensive itemized list of data
security breaches.17 However, the Privacy Rights Clearinghouse maintains a
frequently-updated chronology of data breaches from February 2005 to the present.18
The United States Computer Emergency Readiness Team (US-CERT) interacts
with federal agencies, industry, the research community, state and local governments,
and others to collect reasoned and actionable cybersecurity information and to
identify emerging cybersecurity threats. US-CERT has recently begun monitoring
trends involving the acquisition of personally identifiable information (PII) by
unauthorized, malicious users. Based on the information reported in the fourth
quarter of FY2006, US-CERT was able to identify the following cybersecurity
trends: phishing19 incidents made up the bulk of all incidents reported to US-CERT,
accounting for 84% of all incidents handled. The second highest category was
“others,” the bulk of which generally fell into two main areas: investigations, which
were incidents found by US-CERT analysts combing through data, and incidents
involving PII, both cyber and non-cyber in nature. The remaining 8% of incidents
were spread across malware, equipment theft/loss, policy violations, and suspicious
network activity.20
Data Security Breaches in Federal Agencies
A number of data security breaches by federal agencies revealed many agencies
do not have adequate security controls in place21 (see Table 3, below). In 2006, the
17 For a brief discussion of federal and state data security laws, see CRS Report RS22374,
Data Security: Federal and State Laws, by Gina Marie Stevens.
18 Privacy Rights Clearinghouse, A Chronology of Data Breaches at
[http://www.privacyrights.org/ar/ChronDataBreaches.htm]. The Privacy Rights
Clearinghouse (PRC) is a nonprofit consumer organization which seeks to raise consumers’
awareness of how technology affects personal privacy, and to document privacy complaints.
The chronology “begins with ChoicePoint’s 2/15/05 announcement of its data breaches
because it was a watershed event in terms of disclosure to the affected individuals.”
19 Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking
email in an attempt to gather personal and financial information from recipients. Typically,
the messages appear to come from well-known and trustworthy websites. Web sites that are
frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America
Onl i ne. ( Sou r c e : S e a r c h S e c u r i t y. c o m( p o w e r e d b y w h a t i s . c o m) , at
[http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci916037,00.html].
20 US-CERT, Quarterly Trends and Analysis Report, Nov. 28, 2006, at
[http://www.us-cert.gov/press_room/trendsandanalysisQ406.pdf]. This report summarizes
and provides analysis of incident reports submitted to US-CERT during the third quarter of
FY2006 (April 1, 2006, to June 30, 2006).
21 Rebecca Adams, “Data Drip: How the Feds Handle Personal Data,” CQ Weekly, July 10,
(continued...)

CRS-6
list of agencies with incidents of potentially compromised data included the
Departments of Agriculture, Defense, Energy, Veterans Affairs, and Transportation,
the Federal Trade Commission, the Internal Revenue Service, the Government
Accountability Office, the National Institutes of Health, and the Department of the
Navy. The State Department also suffered a series of hacking attacks. In FY2005,
major federal agencies reported about 3,600 incidents that were serious enough to
warrant alerting the government’s cybersecurity center at the Department of
Homeland Security, including 304 instances of unauthorized access and 1,806 cases
of malicious computer code, according to a yearly OMB report.22
[E]xperts say the federal government faces special challenges because of the
variety of sensitive information it keeps, the increasingly mobile nature of the
federal workforce and the pervasive use of contractors, which allow thousands
of individuals with varying levels of security clearance to access government
databases from remote sites. A 2004 government survey on the work practices
of 1.8 million federal workers found that more than 140,000 had clearance to
connect with government computer systems from home. The IRS says 50,000 of
its employees have laptops allowing them to access personal and business tax
information from anywhere. And 133 Education Department personnel can
access more than 10,000 records containing student loan recipients’ personal
information.23
In a report released in October 2006, the House Government Reform
Committee24 summarized information provided to the Committee by 19 federal
departments and agencies regarding the loss or compromise of personal information
since January 2003. The report finds that every agency has experienced at least one
such breach and that the agencies do not always know what information has been lost
or how many individuals could be affected. 25
In June, 2006, the Office of Management and Budget issued new security
guidelines requiring federal civilian agencies to implement new measures to protect
sensitive personal information held by federal agencies.26 To comply with the new
21 (...continued)
2006, p. 1846.
22 Office of Management and Budget, FY 2005 Report to Congress on Implementation of
The Federal Information Security Management Act of 2002
, March 1, 2006, at
[http://www.whitehouse.gov/omb/inforeg/reports/2005_fisma_report_to_congress.pdf].
23 Zachary Goldfarb, “To Agency Insiders, Cyber Thefts And Slow Response Are No
Surprise,” Washington Post, July 18, 2006, at [http://www.washingtonpost.com/
wp-dyn/content/article/2006/07/17/AR2006071701170.html].
24 In the 110th Congress, the House Government Reform Committee was renamed the House
Committee on Oversight and Government Reform.
25 U.S. House of Representatives. Committee on Government Reform, Staff Report Agency
Data Breaches since January 1, 2003
at [http://oversight.house.gov/story.asp?ID=1127].
See also Agency response letters at House Committee on Government Reform website at
[http://oversight.house.gov/story.asp?ID=1127].
26 Office of Management and Budget Memorandum for the Heads of Departments and
(continued...)

CRS-7
policy, agencies will have to encrypt all data on laptop or handheld computers unless
the data are classified as “non-sensitive” by an agency’s deputy director. Agency
employees also would need two-factor authentication — a password plus a physical
device such as a key card — to reach a work database through a remote connection,
which must be automatically severed after 30 minutes of inactivity.27
On September 19, 2006, the President’s Identity Theft Task Force adopted
interim recommendations on measures that can be implemented immediately to help
address the problem of identity theft. In a September 20, 2006 memo to federal
department and agency heads28, the Office of Management and Budget (OMB)
outlined steps agencies should take in responding to an identity theft or ways to
prevent one from happening. Clay Johnson, the Office of Management and Budget’s
deputy director for management, made it clear the administration supports the task
force’s recommendation that departments establish a “core management group
responsible for responding to the loss of personal information...”29
The Identity Theft Task Force30, which was established by Executive Order of
the President on May 10, 2006,31 is now comprised of 18 federal agencies and
departments. In September 2006, the Identity Theft Task Force provided interim
recommendations to the Administration, including the following.
! Data breach guidance to agencies
! Development of universal police report for identity theft victims
! Extending restitution for victims of identity theft
! Reducing access of identity thieves to Social Security Numbers
! Developing alternative methods of authenticating identities
! Improving data security in the government
! Improving agencies’ ability to respond to data breaches in the
government32
In December 2006, the Identity Theft Task Force website posted a notice for
public comment on ways to improve the effectiveness and efficiency of federal
government efforts to reduce identity theft. “The public comments on these issues
26 (...continued)
Agencies, Protection of Sensitive Agency Information, June 23, 2006, at
[http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf].
27 Ibid.
28 Office of Management and Budget Memorandum for the Heads of Departments and
Agencies, Recommendations for Identity Theft Related Data Breach Notification, Sept. 20,
2006, at [http://www.whitehouse.gov/omb/memoranda/fy2006/task_force _theft_memo.pdf].
29 Ibid., p. 1.
30 Identity Theft Task Force website at [http://www.usdoj.gov/ittf/].
31 Executive Order 13402, "Strengthening Federal Efforts to Protect Against Identity Theft,"
May 10, 2006, at [http://www.whitehouse.gov/news/releases/2006/05/20060510-3.html].
32 U.S. Department of Justice press release, Identity Theft Task Force Announces Interim
Recommendations
, Sept. 19, 2006, at [http://www.usdoj.gov/opa/pr/2006/September/06_ag
_635.html].

CRS-8
will supplement the research and analysis being conducted, provide further
information about the proposals being considered, and identify areas where additional
recommendations may be warranted.”33
In June 2006, a group of government agencies, corporations, and universities
launched a research center dedicated to the study of identity fraud. The Center for
Identity Management and Information Protection is dedicated to furthering a national
research agenda on identity management, information sharing, and data protection.34
Congress considered legislation in the 109th Congress to address data security
following a series of high-profile data security breaches at major financial services
firms and data brokers, including ChoicePoint and LexisNexis. Multiple measures
were introduced in 2005 and 2006, and several were reported out of committee, but
none were brought to the floor.
For a discussion of legislative and other issues on this topic, see

! CRS Report RS22374, Data Security: Federal and State Laws, by
Gina Marie Stevens
! CRS Report RL33273, Data Security: Federal Legislative
Approaches, by Gina Marie Stevens
! CRS Report RS22484, Identity Theft Laws: State Penalties and
Remedies and Pending Federal Bills, by Tara Alexandra Rainson;
! CRS Report RL33005, Information Brokers: Federal and State
Laws, by Angie A. Welborn;
! CRS Report RL33612, Department of Veterans Affairs: Information
Security and Information Technology Management Reorganization,
by Sidath Viranga Panangala;
! CRS Report RL31919, Remedies Available to Victims of Identity
Theft by Gina Marie Stevens;
! and CRS Report RS22082, Identity Theft: The Internet Connection,
by Marcia S. Smith.
Data Security Breaches: Highlights
Tables 1 through 5 summarize selected data security or identity theft breaches
reported in the press since 2000. A few highlights compiled from the report include
the following.
! More than half of the security breaches occurred at institutions of
higher education. (A Chronicle of Higher Education article
examines why this is so, noting that while colleges have become
better at detecting electronic break-ins, security practices,
33 Federal Trade Commission, “Identity Theft Task Force Seeks Public Comment,” press
release, Dec. 26, 2006, at [http://www.ftc.gov/opa/2006/12/fyi0688.htm].
34 Center for Identity Management and Information Protection, at [http://www.utica.edu/
academic/institutes/cimip/].

CRS-9
particularly password protections, are lax.35 In addition, academic
culture embraces the open exchange of information and provides a
target-rich environment for data breaches — an abundance of
computer equipment filled with sensitive data and a pool of
financially naive students.36) In September 2006, Louisiana State
University (LSU), under a year-long agreement with Equifax Inc.,
provided students, faculty and staff members with free daily
monitoring of their credit reports and $2,500 in identity-theft
insurance. LSU claims this is the first agreement of its kind between
a credit agency and a higher-education institution. The university
will pay Equifax, Inc. $150,000.37
! Other prevalent targets for identity theft are financial institutions
(banks, credit card companies, securities companies, etc.), and
government agencies (international, federal, state, and local).
! The AARP analyzed 244 publicly disclosed security breaches from
January 1, 2005 through May 26, 2006, identified by the Identity
Theft Resource Center (ITRC).38 An examination of the most
frequent cause of reported security breaches reveals that a third of all
breaches were caused by hackers who broke into computer systems
to gain access to sensitive personal information. The analysis finds
that educational institutions are more likely than any other type of
entity to report having had a security breach. In fact, educational
institutions were more than twice as likely to report suffering a
breach as any other type of entity. Physical theft of computers,
computer equipment, or paper files is the next most common cause
of security breaches, followed by improper display (allowing
sensitive personal information to be viewed by those who should not
have access (for example, printing of Social Security numbers on
address labels, inadvertently making sensitive personal information
accessible on Internet sites viewable by the general public, or not
properly disposing of files containing sensitive personal
information).
35 Dan Carnevale, “Why Can’t Colleges Hold On to Their Data?,” Chronicle of Higher
Education
, May 6, 2005, p. A35.
36 Reuters, “U.S. Colleges Struggle to Combat Identity Theft,” eWeek, Aug. 17, 2005, at
[http://www.findarticles.com/p/articles/mi_zdewk/is_200508/ai_n14906864].
37 Andrea L. Foster, “Louisiana State U. Signs Deal to Protect Students and Employees in
Case of Data Breach,” Chronicle of Higher Education, Sept. 13, 2006, at
[http://chronicle.com/daily/2006/09/2006091301t.htm].
38 AARP, “Into the Breach: Security Breaches and Identity Theft,” July 2006, at
[http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html].

CRS-10
Table 1. Data Security Breaches in Businesses (2000-2007)
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
T.J. Maxx, Marshalls,
January 2007
customers
unknown
credit card, debit card, check,
Vijayan, Jaikumar, “Breach at TJX
HomeGoods, A.J. Wright, and
and merchandise return
Puts Card Info at Risk; Network
possibly Bob’s Stores in U.S. &
transactions
intrusion shows IT security still not
Puerto Rico — Winners and
up to snuff at some retailers, despite
HomeSense stores in Canada —
push for stronger protections,”
and possibly T.K. Maxx stores in
Computerworld, January 17, 2007.
UK and Ireland - TJX Companies
Inc. experienced an
“unauthorized intrusion” into its
computer systems that process
and store customer transactions
Altria (parent company of Phillp
January 2007
past and present
18,000
names, SSNs, salaries, dates of
Jones, Chip. “Altria employees’ data
Morris/Kraft Foods) via
employees
birth
missing / Personal information was on
consultant Towers Perrin (New
laptop taken from firm in New York,
York, NY) - five stolen laptops
note: employee was arrested
police say,” Richmond Times-
and charged with theft
Dispatch, January 12, 2007, p. B1.
Boeing (Seattle, WA) - laptop
December
current and former
400,000
names, addresses, SSNs, phone
Wallace, James, “Worker Fired over
stolen from employee’s car
2006
employees
numbers, dates of birth, salary
Lost Laptop; Boeing Managers to Be
information
Reprimanded for Leaving Employees
Vulnerable,” Seattle Post-
note: Boeing fired employee
Intelligencer, December 15, 2006.
whose laptop was stolen and
some managers will be
disciplined

CRS-11
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
Starbucks (Seattle, WA) - four
November
current and former
60,000
names, addresses, SSNs
Harris, Craig, “Starbucks Data
laptops misplaced from
2006
employees
Missing ; Company Says Laptops
headquarters
with Employees’ Records Are Lost,”
Seattle Post-Intelligencer, November
4, 2006, p. E1.
Gymboree (San Francisco, CA) -
October 2006
employees
20,000
names, SSNs
“Gymboree gumshoe hunts thief,”
twice in one week, three laptops
San Francisco Chronicle, October 27,
stolen from headquarters
2006, p. D1.
T-Mobile USA (Bellevue, WA) -
October 2006
current and former
43,000
names, addresses, SSNs, home
Rogoway, Mike, “T-Mobile reports
laptop disappeared from
employees
phone numbers, dates of birth,
ID-theft risk,” The Oregonian
employee’s checked luggage
salary information
(Portland), October 20, 2006.
(laptop was protected by
password)
General Electric (Frairfield, CT) -
September
current and former
50,000
names, SSNs
Anderson, Eric and Rick Clemenson,
laptop stolen from locked hotel
2006
employees
“50,000 among missing at GE ;
room (computer was password
Names in stolen laptop have retiree
protected)
questioning company’s need for
sensitive lists,” Times-Union
(Albany)
, September 27, 2006, p. A1.
Linden Labs (creator of Second
September
members of interactive
650,000
names, addresses, encrypted
“Second Life’ Suffers Real-world
Life virtual community)
2006
virtual community
passwords, payment
Breach,” CNET.com, September 10,
information
2006, at [http://news.com.com/2100-
7349_3-6114046.html].

CRS-12
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
Hospital Corporation of America
August 2006
records from 1996 to 2006
unknown
billing records (details
Ferguson, Scott, “FBI Investigating
(HCA) - stolen computers
for patients who had
unknown)
Theft of 10 Hospital Computers,”
received treatment at
eWeek, August 21, 2006 at
hospitals managed by
[http://www.eweek.com/print_article2
HCA in eight states
/0,1217,a=186560,00.asp].
(Colorado, Kansas,
Louisiana, Mississippi,
Oklahoma, Oregon, Texas
and Washington)
AT&T - hackers broke into
August 2006
customers who purchased
19,000
credit card data
Associated Press, “Hackers Gain Data
computer system
DSL equipment from
on AT&T Shoppers,” New
AT&T online store
YorkTimes.com, August 30, 2006.
Automated Data Processing
July 2006
individual investors with
hundreds of
names, addresses, number of
Spangler, Todd, “ADP Duped into
(ADP) (Roseland, NJ) - “an
60 companies including
thousands
shares held of investors
Disclosing Data,”BaselineMag.com,
unauthorized party impersonated
Fidelity, UBS, Morgan
July 10, 2006, at
officers” to obtain information on
Stanley , Bear Stearns,
[http://www.baselinemag.com/article2
investors
Citigroup, Merrill Lynch
/0,1540,1986655,00.asp].
Kaiser HMO - stolen laptop
July 2006
HMO subscribers to
160,000
names, phone numbers, Kaiser
Singel, Ryan, “Kaiser Joins Lost
Kaiser health plan
numbers
Laptop Crowd,” InfoSecurity, July 30,
2006, at
[http://infosecurity.us/mambo//content
/view/90/49/].

CRS-13
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
C.S. Stars (insurance contractor) -
July 2006
injured New York state
540,000
SSNs, names, addresses
Hines, Matt, “Insurance Company
lost computer containing
workers (claiming
Loses 540,000 N.Y Employee
workers’ records
compensation funds)
Records,” eWeek, July 26, 2006, at
[http://www.eweek.com/article2/0,18
95,1994416,00.asp].
National Association of
July 2006
securities dealers who
73
SSNs of securities dealers, plus
Jamieson, Dan, “Rule Likely on
Securities Dealers (NASD)-
were the subject of
inactive account numbers of
Notification of Data Breaches, Some
(Boca Raton, FL) - 10 stolen
investigations involving
about 1,000 consumers
Say; Theft of NASD Laptops Raises
laptops
possible misconduct.
Questions about Regulators’
security,” Investment News, July 10,
2006, p. 2.
American Red Cross, Farmers
July 2006
regional blood donors
8,000
names, SSNs, birth dates,
Schreier, Laura, “Donor Data Stolen
Branch (Dallas, TX) - 3 stolen
medical information
at Local Red Cross Exclusive: 3
laptops
Laptops from Farmers Branch Office
Held Encrypted Records,” Dallas
Morning News
, July 1, 2006, p. 1A.
Bisys Group Inc.(Roseland, NJ) -
July 2006
hedge fund donors
61,000
SSNs of 35,000 individuals
Clair, Chris, “Bisys Discloses Data
employee’s truck carrying
Theft,” HedgeWorld Daily News, July
backup tapes was stolen
6, 2006 (no page given).

CRS-14
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
American International Group
June 2006
employees of various
970,000
names, addresses, SSNs,
Smith, Elliot Blair, “AIG: Personal
(AIG)- burglary of a file server
companies whose
medical information
Data on 970,000 Lost in Burglary;
insurance information was
Insurer Has Yet to Alert Those
submitted to AIG
Affected by March 31 Break-in,” USA
Today
, June 19, 2006, p. 5B.
Ernst & Young- stolen laptop
June 2006
Hotels.com customers
243,000
names, credit card numbers
Reilly, David, “Hotels.com Credit-
Card Data Lost in Stolen Laptop
Computer,” Wall Street Journal, June
2, 2006, p. A14.
Union Pacific- stolen laptop
June 2006
employees of the railroad
30,000
personal data
Vijayan, Jaikumar and Todd Weiss,
company
“Flurry of New Data Breaches
Disclosed,” Computerworld, June 19,
2006 at
[http://www.computerworld.com/acti
on/article.do?command=viewArticleB
asic&articleId=9001282].
Ross-Simmons- data breach
April 2006
customers
undisclosed
credit card numbers, financial
“Ross-Simons Says Security Breach
information, other personal
Exposes Customers,” Computerworld,
information
April 12, 2006, at
[http://www.computerworld.com/secu
ritytopics/security/story/0,10801,1104
25,00.html?source=x3888].

CRS-15
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
EBay- hackers harvesting and
March 2006
customers
undisclosed
account information
Niccolai, James, “Russian Web Site
selling user information
Offered eBay Account Info for $5,”
Computerworld, March 24, 2006, at
[http://www.computerworld.com/secu
ritytopics/security/cybercrime/story/0,
10801,109881,00.html].
Deloitte & Touche- unencrypted
February 2006
all U.S. and Canadian
9,200
names, SSNs, McAfee stock
Kuruvila, Matthai C., “Security
CD left on a plane
employees of McAfee
holdings
Giant’s Data Lost,” Silicon Valley,
Software hired before
February 24, 2006.
April 2005
Atlantis Resort- theft from the
January 2006
customers
55,000
names, addresses, credit card
“IDs of 50,000 Bahamas Resort
hotel’s database
details, SSNs, driver’s license
Guests Stolen,” CNet News, January
numbers, bank account data
10, 2006.
Guidance Software- hacker
December
security researchers and
3,800
credit card numbers
Krebs, Brian, “Hackers Break Into
2005
law enforcement agencies
Computer-Security Firm’s Customer
worldwide
Database,” Washington Post
December 19, 2005, p. D5.
Sam’s Club- “card-skimming”
December
customers who bought
600
credit card information
Vijayan, Jaikumar, “Card Skimmers
devices
2005
fuel at its gas stations
Eyed in Sam’s Club Data Theft,”
between September 21 and
Computerworld, December 14, 2005,
October 2.
at
[http://www.computerworld.com/data
basetopics/data/story/0,10801,107067
,00.html].

CRS-16
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
Marriott Vacation Club
December
customers and employees
206,000
addresses and credit card
“Marriott Vacation Club reports
International- missing data tapes
2005
information
missing data tapes,” Computerworld,
December 26, 2005, at
[http://computerworld.com/securityto
pics/security/story/0,10801,107366,00
.html?SKC=security-107366].
Ford Motor Company- stolen
December
current and former Ford
70,000
names and SSNs
“Tech Crime Gets Personal at Ford,”
computer
2005
employees
CNN Money, December 22, 2005, at
[http://money.cnn.com/2005/12/22/ne
ws/fortune500/ford_theft/].
Safeway - company laptop stolen
November
employees
1,200
names, SSNs, hire dates and
Akkad, Dania, “Safeway Discloses
from manager’s home
2005
work locations
Security Breach,”Monterey County
Herald
, November 5, 2005 (no page
given).
Boeing - theft of company
November
current and former Boeing
161,000
names, Social Security numbers
Bowermaster, David and Dominic
computer
2005
workers
(SSNs), some birth dates and
Gates and Melissa Allison, “161,000
banking information for
Workers’ Personal Data on PC Stolen
employees who elected to use
from Boeing,” Seattle Times,
direct deposit of payroll
November 19, 2005, p. A1.
Eastman Kodak - laptop stolen
June 2005
former Eastman Kodak
5,800
names, Social Security
Davia, Joy, “Kodak Warns of Data
from a consultant’s locked car
workers
numbers, birth dates and
Theft,” Rochester Democrat and
trunk.
benefits information
Chronicle (New York), June 22, 2005,
p. 8D.

CRS-17
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
Time Warner - loss of 40
May 2005
current and former
600,000
names, SSNs
Zeller, Tom, “Time Warner Says Data
computer backup tapes
employees, some of their
on Employees Is Lost,” New York
containing sensitive data while
dependents and
Times, May 3, 2005, p. C4.
being shipped by Iron Mountain
beneficiaries, and
to an offsite storage center
individuals who provided
services for the company
MCI - laptop stolen from a car
May 2005
current and former
16,500
names and SSNs
Young, Shawn, “MCI Reports Loss
that was parked in the garage at
employees
Of Employee Data On Stolen
the home of a MCI financial
Laptop,” Wall Street Journal, May
analyst
23, 2005, p. A2.
LEXIS/NEXIS - intruders used
March 2005
customers
32,000
names, addresses, passwords,
El-Rashidi, Yasmine, “LexisNexis
passwords of legitimate
(subsequent
SSNs, drivers license
Reports Data Breach; Personal
customers to get access to a
investigation
Records Are Hacked as Concerns
Seisint database called Accurint,
reveals the actual
About Security and Identity Theft
which sells reports to
number is
Intensify,” Wall Street Journal,
law-enforcement agencies and
310,000)
March 10, 2005, p. A3; and
businesses. Later analysis
determined that its databases had
Krim, Jonathan, “LexisNexis Data
been fraudulently breached 59
Breach Bigger Than Estimated:
times using stolen passwords.
310,000 Consumers May Be
Affected, Firm Says,” Washington
Post
, April 13, 2005, p. E1.

CRS-18
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
DSW Shoe Warehouse store -
March 2005
customers of 103 of the
initially
credit card information
Associated Press, “DSW ID Theft
information stolen from computer
chain’s 175 stores
“hundreds of
May Affect Over 100,000,” Chicago
database over 3- month period
thousands,” then
Tribune, March 11, 2005, p. 4; and
raised to 1.4
million
“Firm Raises Data Theft Count,”
Washington Post, April 19, 2005, p.
E2.
T-Mobile - hacker intrusion into
February 2005
T-Mobile customers
400
customer records, passwords,
Poulsen, Kevin, “Known Hole Aided
company database
SSNs, private e-mail and
T-Mobile Breach,”Wired News,
candid celebrity photos
February 28, 2005, at
[http://www.wired.com/news/privacy/
note: data offered for sale via
0,1848,66735,00.html].
online forum
Motorola - Thieves broke into the
June 2005
Motorola employees
34,000 in U.S.
SSNs and personal information
“Two Computers Stolen with
offices of Affiliated Computer
Motorola Staff Data,” Reuters, June
Services (ACS), a provider of
10, 2005.
human resources services, and
stole two computers
ChoicePoint - criminals used fake
February 2005
consumers
30,000-35,000 in names, addresses, SSNs, credit
Perez, Evan, “ChoicePoint Is Pressed
documentation to open 50
California;
reports
to Explain Database Breach,” Wall
fraudulent accounts to access
145,000
Street Journal, February 5, 2005, p.
consumer data
nationwide
A6.

CRS-19
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
Affiliated Computer Services -
October 2004
county employees
900
names, birth dates, SSNs, bank
Whaley, Monte, “FBI on Weld
inmate hacked into county
account routing numbers and
ID-Theft Case Feds to Analyze Data
database
checking account numbers
from Cell of Inmate Who Hacked
Computer,” Denver Post, November
11, 2004, p. B1.
Lowe’s (home improvement
June 2004
customers
unknown
skimmed credit account
Roberts, Paul, “Wireless Hacker
store) - hacker used vulnerable
information for every
Pleads Guilty: Man Admits Using
wireless network to attempt to
transaction processed at a
Store’s Wireless Network to Steal
steal credit card info
particular Lowe’s store
Credit Card Info,” PC World, June 7,
2004, at
[http://msn.pcworld.com/news/article/
0,aid,116411,00.asp].
eBay - hackers tricked online
March 2004
several eBay merchants
company did
customer names, e-mail
Kirby, Carrie, “New Scam Threat at
merchants who used the PayPal
not disclose
addresses, home addresses and
eBay / Hackers Obtained Information
payment processing system into
transactions
on Some Customers,” San Francisco
disclosing their user names and
Chronicle, March 16, 2004, p. C1.
passwords, then logged onto the
merchants’ accounts
Kinko’s - hacker installed a key
November
Customers at Internet
450
SSNs, names, passwords, credit
Napoli, Lisa, “A Hacker Masters
logger to record every character
2003
terminals at 13 Kinko’s
cards, bank account data
Keystroke Theft: Personal Data
typed on 13 Kinko’s computers
copy shops in Manhattan
Stolen from 450 Victims,”
note: data was sold
International Herald Tribune, August
9, 2003, p. 1.

CRS-20
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
Acxiom (marketing company) -
August 2003
clients include 14 of the
10% of clientele
passwords, personal, financial,
Lee, W.A. “Hacker Breaches Acxiom
hacker downloaded data
top 15 credit card
(no total number
and company information
Data,” American Banker, August 11,
companies, 5 of the top 6
given)
2003, p. 5.
retail banks, IBM,
Microsoft, and federal
government
DirecTV - hacker stole trade
April 2003
DirecTV subscribers
50,000
details about the design and
“U. of C. Student Pleads Guilty to
secrets for access card
customers used
architecture of DirecTV’s
Theft of Direc TV Card Data ; Trade
counterfeit
“Period 4” cards
Secrets Ended up on Hacker Site,
access cards to
Enabling Free Access,” Chicago Sun-
watch
note: data was sold
Times, April 30, 2003, p. 16.
programming
without paying
TCI help-desk worker sold client
November
credit reporting bureau
15,000 (Wired
names, addresses, SSNs, credit
Delio, Michelle, “Cops Bust Massive
access codes to two others, who
2002
customers
News)
card
ID Theft Ring,” Wired News,
then used the codes to obtain
30,000 (Seattle
November 25, 2002, at
more than 15,000 customer credit
Times)
[http://www.wired.com/news/privacy/
records
0,1848,56567,00.html]; and
note: data sold, for $60 per
Masters, Brooke, “Huge ID-Theft
record
Ring Broken; 30,000 Consumers at
Risk ; Men Charged with Stealing
Personal, Financial Data ,” Seattle
Times
, November 26, 2002, p. A1.

CRS-21
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
Midwest Express Airlines and
April 2002
Midwest Express Airlines
unknown
passenger names and airport
Larson, Virgil, “Computer Hackers
Federal Aviation Administration
customers; FAA (two
security screening results
Breach Midwest Express Systems,”
- hackers posted list of customer
separate incidents)
Omaha World-Herald, April 22,
names to website and posted a list
2002, p. 1D.
of airport security screening
results taken from the FAA’s
system
ChoicePoint - Nigerian-born
2002
unknown
7,000-10,000
names and SSNs
Associated Press, “ChoicePoint
brother and sister posed as
inquiries on
Suffered Previous Breach: Two ID
legitimate businesses to set up
names and SSNs,
Thieves Arrested in 2002 for Tapping
ChoicePoint accounts
then used
into Data” MSNBC, February 3,
identities to
note: data was sold
2005, at
commit fraud
[http://www.msnbc.msn.com/id/7065
902/].
New York City restaurant busboy
March 2001
chief executives,
200
SSNs, home addresses and
Hays, Tom, “Busboy Hacks Only the
duped credit reporting companies
celebrities and tycoons
birth dates, credit card numbers
Richest, Used Forbes’ List in Plot to
into providing detailed credit
from Forbes list of richest
Steal Identity, Credit Info, Big
reports
Americans
Bucks,” Pittsburgh Post-Gazette,
March 21, 2001, p. A11.

CRS-22
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
World Economic Forum -
February 2001
attendees
3,200
passport numbers, cell phone
Higgins, Alexander, “Hackers Steal
hackers broke into computer
numbers, credit card numbers,
World Leaders’ Personal Data,”
exact arrival and departure
Chicago Sun-Times, February 6,
times, hotel names, room
2001, p. 20.
numbers, number of overnights,
sessions attended, plus
information on 27,000 people
who have attended the global
forum in recent years
International credit card ring adds
January 2001
Internet shopping sites
unknown
credit card numbers
James, Michael, “Small-time Thefts
fraudulent charges of 277
Reap Big Net Gain Tens of
Russian rubles ($5-10) to credit
Thousands of Phony $5-$10
cards
note: data was sold
Credit-Card Charges Rake in Millions
for Hackers,” Orlando Sentinel,
January 27, 2001, p. E5.
Egghead - hacker attacked
December
customers
3.5 million credit credit card info
“Sayer, Peter, “Egghead Says
computer system
2000
card accounts;
Customer Data Safe After Hack
7500 of which
Attack,” PC World, January 8, 2001
showed
at
“suspected
[http://msn.pcworld.com/news/article/
fraudulent
0,aid,37781,00.asp].
activity”

CRS-23
Date
Number
Type of Data
Business Incidents
Who Was Affected
Source(s)
Publicized
Affected
Released/Compromised
Western Union - hackers made
September
customers who transferred
15,700
credit and debit card
Cobb, Alan, “Hackers Steal Credit
electronic copies of the credit and
2000
money on a company
information
Card Info from Western Union Site,”
debit card information
website
Chicago Sun-Times, September 11,
2000, p. 22.
America Online - AOL
June 2000
customers
500 records were names, addresses, and credit
“Hackers Breach Security At America
customer-service representatives
viewed
card numbers
Online Inc,” Wall Street Journal, June
mistakenly downloaded an e-mail
19, 2000, p. A34.
attachment sent by hackers
Two British teens intruded into 9
March 2000
customers
26,000 credit
credit card data
Sniffen, Michael, “2 Teens Accused
e-commerce websites in the
card accounts
of Hacking Charged in $3 Million
United States, Canada, Thailand,
note: some data was posted on
Credit Card Theft,” Chicago Sun-
Japan and Britain
the Web
Times, March 25, 2000, p. 9.
CD Universe (online music store)
January 2000
customers
300,000
credit card numbers
Associated Press, “Hacker Said to
- hacker stole credit card numbers
Steal 300,000 Card Numbers,”
and released thousands of them
note: Maxus Credit Card
Arizona Republic, January 11, 2000,
on a website when the company
Pipeline Website posted up to
p. A3.
refused to pay a $100,000 ransom
25,000 stolen numbers
Pacific Bell - 16-year-old
January 2000
subscribers
63,000 accounts
passwords
Gettleman, Jeffrey, “Passwords of
teenager hacked into server and
were decrypted;
PacBell Net Accounts Stolen;
stole passwords
330,000
Computers: Authorities Say
customers told to
16-year-old Hacker Took the Data for
change
Fun. Theft Affects 63,000
passwords
Customers,” Los Angeles Times,
January 12, 2000, p. 2.

CRS-24
Table 2. Data Security Breaches in Education (2000-2007)
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of Arizona -
January 2007
students and
30 servers,
on a few computes, hackers
Swedlund, Eric, “Foreign hackers gum up UA
Foreign hackers infiltrated the
employees
350 work
installed software that captures
computers; motive unknown,” Arizona Daily Star
UA’s computer network
stations
and logs keystrokes and can be
(Tucson), January 9, 2007.
several times, depositing files
used to catch log-in names and
on numerous servers and
passwords
workstations in the library
University of Idaho (Moscow,
January 2007
alumni, donors,
331,000
SSNs, names, addresses
Vestal, Shawn, “UI Theft Spurs Alert; Personal data
Idaho) - 3 computers stolen
employees, and
individuals
of students, staff compromised,” Spokesman Review
from fundraising office
students
exposed
(Spokane, WA), January 12, 2007, p. B1.
University of California, Los
January 2007
students,
800,000
names, SSNs, dates of birth,
Read, Brock, “UCLA Warns 800,000 That a Hacker
Angeles - hacker
alumni, and
addresses, contact information
May Have Obtained Personal Information,”
faculty and staff
Chronicle of Higher Education, January 5, 2007, p.
31.
Texas Woman’s University -
December
students
15,000
SSNs, names, addresses
“WU announces identity theft alert,” Houston
records transmitted via a non-
2006
enrolled at the
Chronicle, December 27, 2006, p. B2.
secure connection for a brief
Denton, Dallas
period
and Houston
campuses in
2005

CRS-25
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
Montana State University
December
students who
259
names, SSNs
Associated Press, “University apologizes for
(Bozeman, MT) - student
2006
had paid off
mistakenly sharing student information,” December
working in loan office
their student
27, 2006.
mistakenly sent personal
loans
information to other students
Mississippi State University
December
students and
2,400
names, SSNs, some dates of
Lake, Richard, “MSU Data Put Online in Mishap,”
(Jackson, MS) - information
2006
employees
birth
Clarion-Ledger (Jackson, Mississippi), December 20,
inadvertently published on
2006, p. 1A.
website
University of Colorado
December
individuals who
17,500
names, SSNs
Danna, Nicole, “U. Colorado security breach not used
(Boulder) - server hacked
2006
attended
for nefarious purposes,” University Wire, December
orientation
19, 2006.
sessions from
2002 to 2004
Riverside High School
December
employees
“thousands”
names, SSNs
Dopart, Brianne, “Students accused of hacking DPS;
(Durham, NC) - two students
2006
(unspecified)
Two told teacher about security breach found during
accused of hacking into
computer class,” Herald-Sun (Durham, NC),
databases
December 15, 2006, p. B1.
Virginia Commonwealth
December
students
561 students
names, SSNs, addresses, grade
Robertson, Gary, “E-mail includes data on
University (Richmond, VA) -
2006
in the College
point averages
students,”Richmond Times - Dispatch (Virginia),
personal information
of
December 9, 2006.
inadvertently included in two
Humanities
e-mail attachments
and Sciences

CRS-26
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of Texas (Dallas) -
December
current and
5,000 - 6,000
names, SSNs, and in some
Hacker, Holly, “UTD computer attack worse than
computer network intrusion
2006
former students,
cases, addresses, e-mail
first thought: Campus officials now say 6,000 at risk
faculty, staff,
addresses and telephone
of identity theft,” Dallas Morning News , December
and others
numbers
14, 2006.
Nassau Community College
December
all registered
21,000
names, addresses, SSNs, phone
Winslow, Olivia, “College loses data;
(Garden City, NY) - theft of
2006
students
numbers
Printed list with personal information of Nassau
computer printout
Community College students gone missing, officials
say,” Newsday, December 6, 2006, p. A9.
California State University
November
students,
2,534
names, SSNs, campus
US States News, “Education College Alerts Teacher
(Los Angeles) - stolen USB
2006
applicants,
identification numbers (CIN),
Credential Applicants of Information Security
drive containing unencrypted
faculty
phone numbers, e-mail
Incident,” November 28, 2006.
personal data
supervisors
addresses
GreenvilleCounty School
November
students and
101,000
names, SSNs, dates of birth,
Barnett, Ron, “Student Data Left on Sold
District (Greenville, SC) -
2006
employees
addresses, phone numbers,
Computers,” Greenville News (South Carolina),
computers containing personal
contact information
November 27, 2006, p. 1A.
information inadvertently sold
at auctions
Chicago Public School District
November
former school
1,740
names, SSNs, home addresses
Flynn, Courtney, “Teachers’ IDs mailed by mistake:
- contractor mistakenly mailed
2006
employees
1,740 Social Security numbers included in city
personal information as part of
schools’ packets,” Chicago Tribune, November 27,
an insurance-information
2006.
package

CRS-27
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
Adams State College
October
high school
184
unspecified personal data
Smith, Erin, “Stolen ASC laptop holds student data,”
(Alamosa, CO) - stolen laptop
2006
Outward Bound
Pueblo Chieftain, October 10, 2006.
students
Connors State
November
students who
22,500
SSNs and other (unspecified)
Simpson, Susan, “Stolen computer contained student
College(Warner, OK) - stolen
2006
receive
identifying information
data,” Daily Oklahoman, November 15, 2006.
laptop
Oklahoma
Higher Learning
Access Program
scholarships
University of Minnesota
October
students
200
names, university IDs, grades
Tosto, Paul, “Second laptop with student data was
(Spain) - laptop stolen from a
2006
stolen: No Social Security numbers compromised,”
faculty member on a trip to
Pioneer Press (St. Paul, Minnesota), October 20,
Spain
2006.
University of Texas
October
students
2,500
names, SSNs, university IDs,
“U. Texas-Arlington student info on stolen
(Arlington) - stolen computers
2006
grades, emails
computers,” University Wire, October 12, 2006.
San Juan Capistrano Unified
October
employees
unknown
unknown
McDonald, John, “Computers stolen from offices of
School District (CA) - theft of
2006
Capistrano school district; the five machines, valued
5 computers
at $5,000, may have contained confidential
information on employees, a spokeswoman says,”
Orange County Register (California), October 6,
2006, p. South_B.

CRS-28
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
Troy Athens High School
October
alumni
4,400
names, addresses, SSNs
Lewis, Shawn, “Alumni will get credit watch;
(Troy, MI) - stolen hard drive
2006
In wake of lost data, Troy district offers 14 months of
free identity theft protection,” Detroit News, October
23, 2006.
University of Iowa Department
September
subjects who
14,500
SSNs
“University of Iowa Contacts Research Subjects
of Psychology (Iowa City, IA)
2006
participated in
about Computer Intrusion,” US Fed News, September
- computer attack
research studies
29, 2006.
on maternal and
child health
from 1995 until
the present.
Western Illinois University-
July 2006
students,
180,000
SSNs, personal data, credit
Maguire, John, “Alums Just Told of Computer
hacker accessed several
customers of the
card information
Breach: Data on 180,000 with Ties to WIU Hacked a
electronic student services
university’s
Month Ago,” Chicago Sun-Times, July 5, 2006, p. 8.
systems
online
bookstore,
guests of the
university hotel
University of Tennessee -
July 2006
past and current
36,000
SSNs, names, addresses
Herrington, Angie, “UT Notifies Workers of
hacker broke into UT
employees
Computer Hacking,” Chattanooga Times Free Press,
computer
July 7, 2006, p. O.

CRS-29
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
Northwestern University
July 2006
students and
17,000
names, addresses, SSNs
“Hackers break into NU Admissions, Financial Aid
(Chicago) - hackers broke into
applicants to the
Computers,” Chicago Sun Times, July 15, 2006, at
nine desktop computers in the
school
[http://www.suntimes.com/cgi-bin/print.cgi?getReferr
Office of Admissions and
er=[http://www.suntimes.com/output/news/cst-nws-
Financial Aid
hack15.html].
Moraine Park Technical
July 2006
apprenticeship
1,500
names, addresses, phone
“News Summaries Ozaukee and Washington
College
students back to
numbers, SSNs
Counties,” Milwaukee Journal Sentinel, July 16,
(Beaver Dam, Fond du Lac, &
1993
2006, p. Z3.
West Bend, WI) - missing
computer disk
Catawba County Schools
June 2006
students who
619
names, SSNs, test scores
Shain, Andrew, and Hannah Mitchell, “619 Students’
(Newton, NC) - website
had taken
Secure Data Revealed Online: Google Page Showed
exposed personal data
keyboarding and
Social Security Numbers, Test Scores, Charlotte
computer
Observer, June 24, 2006, p. 1B.
applications
placement test
during the
2001-02 school
year
San Francisco State University
June 2006
current and
3,000
names, SSNs, phone numbers
Asimov, Nanette, “SFSU students’ information
- faculty member’s laptop
former students
and grade point averages.
stolen;
stolen
School alerts 3,000 affected by theft of faculty
laptop,” San Francisco Chronicle, June 23, 2006, p.
B5.

CRS-30
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of Kentucky- stolen
June 2006
current and
6,500
SSNs
Kiernan, Vincent, “Incidents at Two Universities Put
thumb drive
former students
More Than 200,000 Students at Risk of Data Theft,”
The Chronicle of Higher Education, June 19, 2006, p.
A21.
Ohio University (Athens, OH)
May 2006
individuals and
300,00
SSNs, personal information,
Vijayan, Jaikumar, “Ohio University Reports Two
- hackers breach servers in two
organizations
biographical information,
Separate Security Breaches,” Computerworld, May 3,
separate incidents
listed in the
patent data, intellectual
2006, at
alumni database,
property files
[http://www.computerworld.com/action/article.do?co
owners of
mmand=viewArticleBasic&articleId=111113&intsrc
patents and
=article_pots_bot].
other
intellectual
property
Sacred Heart University-
May 2006
students and
135,000
personal information, SSNs
Sandoval, Greg, “Sacred Heart is Latest University to
hackers intrude system
some
be Hacked,” CNet News, May 26, 2006, at
individuals not
[http://news.com.com/2100-7349_3-6077212.html].
associated with
the university
University of Texas, Austin-
April 2006
students,
200,000
SSNs, biographical materials
Associated Press, “University of Texas Probes
data breach
alumni, faculty,
Computer Breach,” MSNBC, April 24, 2006, at
and staff of the
[http://www.msnbc.msn.com/id/12459840/].
business school

CRS-31
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of Arizona- hackers
February
journalism
undisclosed
none so far
Grossman, Djamila, “Romanian Hacker Breaks into
break into journalism
2006
students
UA Journalism Computers,” Arizona Daily Star,
department’s computer system
February 14, 2006, p. B2.
Notre Dame- hackers attack
January 2006
alumni and
undisclosed
SSNs, credit card numbers,
Roberts, Paul F., “Hackers Target Notre Dame
server
other donors to
check images
Donors,” eWeek, January 24, 2006, at
the university
[http://www.eweek.com/article2/0,1895,1915087,00.a
sp].
Indiana University - malicious
November
Kelly School of
5,300
personal student information
Associated Press,”IU Finds ‘Malicious’ Software,”
software programs installed on
2005
Business
FortWayne.com, November 18, 2005, at
business instructor’s computer
students
[http://www.fortwayne.com/mld/fortwayne/news/loca
enrolled in
l/13202338.htm].
introductory
business course
between 2001-
2005
University of Tennessee
November
patients who
3,800
names and SSNs
“UT Patients Warned of Stolen Computer,”
Medical Center - laptop
2005
received
Chattanooga Times Free-Press, November 2, 2005,
computer stolen
treatment in
p. B2.
2003
Georgia Institute of
November
past, present,
13,000
SSNs, birth dates, names,
Kantor, Arcadiy, “Georgia Tech Computer Theft
Technology Office of
2005
and prospective
addresses
Compromises Student Data,” The Technique (via
Enrollment Services -
students
University Wire), November 11, 2005 at
computer theft
[http://www.nique.net/issues/2005-11-11/news/3].

CRS-32
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of Tennessee -
October
students and
1,900
names and SSNs
“State Briefs: UT Students’ Private Data Posted on
inadvertent posting of names
2005
employees
the ‘Net,” The Tennessean.com, October 29, 2005, at
and Social Security numbers to
[http://tennessean.com/apps/pbcs.dll/article?AID=/20
Internet lists
051029/NEWS01/510290327/1006/NEWS01].

University of Georgia - hacker
September
current and
1,600
SSNs
Simmons, Kelly, “Hackers Breach Database at
hits employee records server
2005
former
UGA,” The Atlanta Journal - Constitution,
employees of
September 29, 2005, p. C2.
university’s
College of
Agricultural and
Environmental
Sciences
Miami University (Ohio) -
September
students
21,762
SSNs, grades
Giordano, Joe, “Miami University, Ohio, Finds Huge
report containing SSNs and
2005
Online Security Breach,” Journal-News (Hamilton,
grades of more than 20,000
OH), September 16, 2005 (no page given).
students has been accessible
via the Internet since 2002
Kent State University - five
September
students and
100,000
names, SSNs, grades
Gonzalez, Jennifer, “Student, Faculty Data on Stolen
desktop computers stolen from
2005
professors
Computers,” Plain Dealer (Cleveland), September
campus
10, 2005, p. B1.

CRS-33
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
Sonoma State University -
August 2005
people who
61,709
names, SSNs
Park, Rohnert, “Hackers Hit College Computer
hacking
either attended,
System: Identity Theft Fears at Sonoma State,” San
applied,
Francisco Chronicle, August 9, 2005, p. B2.
graduated or
worked at the
school from
1995 to 2002
California State University -
August 2005
students who
154
names, SSNs
“California State University Chancellor’s Office
Office of the Chancellor may
receive financial
Experiences Potential Computer Security
have experienced unauthorized
aid and two
Breach,”U.S. States News, August 29, 2005 (no page
access to one of its computers
financial aid
given).
administrators
University of Florida Health
August 2005
patients and
3,851
names, SSNs, dates of birth,
Chun, Diane, “3,851 Patients at Risk of ID Theft,”
Sciences Center/ChartOne -
physicians
medical records
Gainesville.com, August 27, 2005 at
stolen laptop
[http://www.gainesville.com/apps/pbcs.dll/article?AI
D=/20050827/LOCAL/208270336/1078/news].
University of Colorado -
August 2005
students and
36,000
university accounts and
Uhls, Anna, “U. Colorado students getting
hacking into campus Card
faculty
personal information
(re)carded,” University Wire/Colorado Daily, August
Office (creates IDs for staff
4, 2005 (no page given).
and students)

CRS-34
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of North Texas -
August 2005
current, former
38,607
names, addresses, telephone
Tessyman, Neal, “Hackers Steal Student Info from U.
hacking
and prospective
numbers, SSNs, student
North Texas,” University Wire, August 11, 2005 (no
students
identification numbers, student
page given).
ID passwords, student
classification information and
possibly 524 credit card
numbers
University of Colorado -
August 2005
student records
49,000
names, SSNs, addresses, phone
Mccrimmon, Katie Kerwin, “Hackers Tap CU
hackers tapped into a database
from June 1999
numbers
Registrar’s Database; Privacy of 49,000 Students
in the registrar’s office
to May 2001
Potentially Invaded in Breach,” Rocky Mountain
and from fall
News (Denver), August 20, 2005, p. 20A.
2003 to summer
2005.
California State University,
August 2005
student workers
900
names, SSNs
Togneri, Chris, “Hacker Breaks into Stan State
Stanislaus - hacking
Computer,” Modesto Bee, August 16, 2005, p. B1.
University of Southern
July 2005
applicants
270,000
name, address, SSNs, e-mail
Hawkins, Stephanie, “Hacker Hits Application
California - individual hacked
address, phone number, date of
System at USC,” University Wire/ Daily Trojan,
into USC’s online application
birth, login information
August 18, 2005 (no page given).
system

CRS-35
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
California Polytechnic,
July 2005
university
31,077
names, SSNs
Ruiz, Kenneth, “Hackers Infiltrate Cal Poly,” Whittier
Pomona - two computers
applicants and
Daily News (CA), August 5, 2005 (no page given).
hacked
current and
former faculty,
staff and
students
University of Colorado,
July 2005
students and
29,000
SSNs, names, photographs
Associated Press, “Hackers Break into CU Computers
Boulder - hackers broke into a
professors
students and
Containing 36k Records,” August 1, 2005.
computer server containing
7,000
information used to issue
professors
identification cards
Michigan State University -
July 2005
students
27,000
names, addresses, SSNs,
Associated Press, “Students Informed Social Security
breach of a server in the
course information, personal
Numbers Possibly Compromised,” July 7, 2005.
College of Education
identification numbers
University of California, San
July 2005
students, staff,
3,300
SSNs, driver license and credit
“SD UCSD Hackers,” City News Service, July 1,
Diego - hackers broke into
faculty who had
card numbers
2005 (no page given).
university server
attended or
worked at
UCSD
Extension in the
past five years
California State University
July 2005
students
9613
names, SSNs
Associated Press, “Hackers crack computers, access
Dominguez Hills - hacking
private student information,” July 29, 2005.

CRS-36
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of Connecticut -
June 2005
students, staff,
72,000
names, SSNs, dates of birth,
Naraine, Ryan, “UConn Finds Rootkit in Hacked
hacking - rootkit (collection of
and faculty
phone numbers and addresses
Server,” eWeek, June 27, 2005, at
programs that a hacker uses to
[http://www.eweek.com/article2/0,1759,1831892,00.a
mask intrusion and obtain
sp].
administrator-level access to a
computer or computer
network) placed on server on
October 26, 2003, but not
detected until July 20, 2005
Kent State University - laptop
June 2005
full-time faculty
1,400
names, SSNs
Hampp, David, “Kent State U. Faculty Affected by
stolen from employee’s car
members since
Stolen Computer,” Daily Kent Stater (via University
2001
Wire), June 22, 2005 (no page given).
Ohio State University Medical
June 2005
patients
15,000
patient names, admission and
Crane, Misti, “Laptop Containing Patients’ Billing
Center - two stolen laptops
discharge dates, whether the
Information Stolen;
patient had insurance, total
Birth Dates, Social Security Numbers Not in Data
charges and adjustments to the
Taken from Consultant, Osu Says,” Columbus
account.
Dispatch (OH), June 30, 2005, p. 4C.
University of Hawaii -
June 2005
students,
150,000
SSNs, addresses and phone
Associated Press, “UH Warns of Possible Identity
dishonest library worker
faculty, staff
numbers
Theft,” June 19, 2005.
indicted on federal charges of
and library
bank fraud related to identity
patrons at any of
theft
the 10 campuses
between 1999
and 2003

CRS-37
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
Jackson Community College
May 2005
employees and
8,000
SSNs
“Computer Crime: Hacker May Have Stolen Social
(MI)- hacker breaks into
students of the
Security Numbers From Jackson Community
computer system
college
Collegea,” Computer Crime Research Center,” May
29, 2005 (no page given).
Carnegie Mellon University -
May 2005
graduates of the
5,000
SSNs and personal information
Associated Press, “Carnegie Mellon Reports
security breach of school’s
Tepper School
Computer Breach,” MSNBC, April 21, 2005, at
computer network
of Business
[http://msnbc.msn.com/id/7590506/].
from 1997 to
2004; current
graduate
students;
applicants to the
doctoral
program from
2003 to 2005;
applicants to the
MBA program
from 2002 to
2004; and
administrative
employees
Stanford University- computer
May 2005
students and
9,600
SSNs, resumes, financial data,
Musil, Steven, “FBI Probes Network Breach at
system breach
recruiters of the
government information
Stanford,” CNet News, May 25, 2005.
university

CRS-38
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
Florida International
May 2005
faculty
unknown
SSNs, credit card numbers
Leyden, John, “Florida Univ on Brown Alert after
University (FIU) - a hacker
and students
Hack Attack,” The Register, April 29, 2005, at
acquired user names and
[http://www.theregister.com/2005/04/29/fiu_id_fraud
passwords for 165 computers
_alert/].
on campus
Northwestern University
May 2005
faculty,
17,500
user IDs and passwords
Meglio, Francesca Di, “Hacker Break-In,” Computer
(Kellog School of
students, and
Crime Research Center, May 23, 2005 (no page
Management) - computer
alumni
given).
network breach
University of California, San
April 2005
students, faculty
7,000
names and SSNs numbers
Lazarus, David, “Another Incident for UC,” San
Francisco - hacker gained
and staff
Francisco Chronicle, April 6, 2005, p. C1.
access to server used by
accounting and personnel
department
Tufts University - possible
April 2005
alumni
106,000
SSNs and other unspecified
Roberts, Paul, “Tufts Warns 106,000 Alumni, Donors
security breach in an alumni
personal information
of Security Breach: Personal Data on a Server Used
and donor database after
for Fund Raising May Have Been Exposed,”
abnormal activity on the server
Computerworld, April 13, 2005, at
in October and December,
[http://www.computerworld.com/securitytopics/securi
2004
ty/privacy/story/0,10801,101043,00.html?source=x10
].

CRS-39
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of Nevada, Las
March 2005
current and
5,000
personal records, including
Lipka, Sara, “Hacker Breaks Into Database for
Vegas - hackers accessed
former students
birth dates, countries of origin,
Tracking International Students at UNLV,” Chronicle
school’s Student and Exchange
and
passport numbers, and
of Higher Education, March 21, 2005, p. A43.
Visitor Information System
faculty
SSNs
(SEVIS) database
California State University,
March 2005
students, former
59,000
SSNs
Associated Press, “Hackers Gain Personal
Chico - hackers broke into
students,
Information of 59,000 People Affiliated with
servers
prospective
California University,”Grand Rapids Press, March
students, and
22, 2005, p. A2.
faculty
University of California,
March 2005
alumni,
100,000
SSNs numbers, names;
Liedtke, Michael, “Laptop Theft Causes Identity
Berkeley laptop stolen from
graduate
addresses, and birth dates for
Fraud Worry,” Daily Breeze (Torrance, CA), March
restricted area of campus
students, and
1/3 of affected people
28, 2005, p. A10.
office
past applicants
George Mason University -
January 2005
faculty, staff,
30,000
names, photos, SSNs, and
McCullagh, Declan, “Hackers Steal ID Info from
hackers gained access to
and students
campus ID numbers
Virginia University,” Wired News, January 10, 2005,
information
at
[http://news.com.com/2100-7349_3-5519592.html].
University of California, San
January 2005
students and
3,500
names, SSNs
Yang, Eleanor, “Hacker Breaches Computers That
Diego (UCSD) - hacker
alumni of
Store UCSD Extension Student, Alumni Data,” San
breached computer system
UCSD
Diego Union Tribune, January 18, 2005, p. B3.
Extension

CRS-40
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of California,
October
Californians
1.4 million
SSNs, names, addresses, phone
Reuters, “Hacker Strikes University Computer
Berkeley - hacker
2004
participating in
individuals
numbers, and dates of birth
System,”CNET News, October 19, 2004, at
compromised the university’s
California’s
[http://news.com.com/2100-7349_3-5418388.html].
computer system
In-Home
Supportive
Services
program since
2001
California State - auditor from
August 2004
380,000 current
23,500
name, address, SSNs
Connell, Sally Ann, “Security Lapses, Lost
chancellor’s office lost hard
and former
Equipment Expose Students to Possible ID Theft; in
drive containing personal
students,
the Latest Incident, a Cal State Hard Drive with Data
information
applicants, staff,
on 23,500 Individuals Is Missing,” Los Angeles
faculty and
Times, August 29, 2004, p. B4.
alumni at UC
San Diego and
178,000 at San
Diego State
University of California, Los
June 2004
blood donors
145,000
names, birth dates and SSNs
Becker, David, “UCLA Laptop Theft Exposes ID
Angeles - stolen laptop w/
Info,”CNET News, October 6, 2004, at
blood donor info
[http://news.com.com/UCLA+laptop+theft+exposes+
ID+info/2100-1029_3-5230662.html?tag=nl].

CRS-41
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
University of California, San
April 2004
UCSD students,
380,000
SSNs, and driver license
Sidener, Jonathan, “SD Supercomputer Center
Diego (UCSD) - hackers
alumni, faculty,
numbers
Among Victims of Intrusion,” San Diego Union
breached security at the San
employees and
Tribune, April 15, 2004, p. B3.
Diego Supercomputer Center
applicants
and the University’s Business
and Financial Services
Department
Georgia Institute of
March 2003
patrons of art
57,000
credit card numbers
Lemos, Robert, “Data Thieves Strike Georgia Tech,”
Technology
and theatre
Wired News, March 31, 2003, at
program
[http://news.com.com/Data+thieves+strike+Georgia+
Tech/2100-1002_3-994821.html?tag=nl].
University of Texas, Austin -
March 2003
current and
55,200
names, addresses, SSNs, email
Read, Brock, “Hackers Steal Data From U. of Texas
computer hackers broke into
former student,
addresses, office phone
Database,” Chronicle of Higher Education, March 21,
database on multiple occasions
faculty and staff
numbers
2003, p. 35.
members, as
well as job
note: perpetrator claimed he
applicants
did not distribute the numbers
and had not used them “to
anyone’s detriment”
University of Kansas - hacker
January 2003
foreign students
1,400
SSNs, passport numbers,
Arnone, Michael, “Hacker Steals Personal Data on
break-in to Student and
countries of origin, and birth
Foreign Students at U. of Kansas,”Chronicle of
Exchange Visitor Information
dates.
Higher Education, January 24, 2003 (no page given).
System (SEVIS)

CRS-42
Date
Who Was
Number
Type of Data
Education Incidents
Source(s)
Publicized
Affected
Affected
Released/Compromised
College of the Canyons
October
current and
36,000
names, SSNs, and photographs
Mistry, Bhavna, “Identity Theft Alert Issued at
(California) - computer hard
2001
former students
College,” Los Angeles Daily News, October 21, 2001,
drive containing personal
p. N7.
student information stolen
University of Washington
December
cardiology and
5,000
names, addresses, birth dates,
“Hacker Steals Patient Records,” San Diego Union-
Medical Center - hacker broke
2000
rehabilitation
heights and weights, SSNs, and
Tribune, December 9, 2000, p. A3.
into computer system
patients
the medical procedure
undergone

CRS-43
Table 3. Data Security Breaches in Financial Institutions (2001-2007)
Financial Institutions
Date
Number
Type of Data
Who Was Affected
Source(s)
Incidents
Publicized
Affected
Released/Compromised
MoneyGram International -
January 2007
customers
79,000
names, addresses, phone numbers,
Onaran, Yalman and Elizabeth Hester,
server unlawfully accessed
and in some cases, bank accounts
“Breach affects 79,000 MoneyGram
accounts; Money-transfer and bill-paying
service doesn’t know if hackers stole
personal data,” Saint Paul Pioneer Press
(Minnesota)
, January 13, 2007, p. 1C.
Premier Bank - report stolen
December
customers
1,8000
names, account numbers of
Sorkin, Michael, “ Bank data stolen out
from truck
2006
customers who opened accounts in
of exec’s vehicle: Names with account
October, 2006
numbers were in truck outside award
ceremony,” St. Louis Post-Dispatch,
December 6, 2006, p. C1.
TD Ameritrade - criminals,
December
customers
unknown;
names, addresses, birth dates, SSNs
Greenemeier, Larry, “Cybercrooks Get
using stolen customer accounts
2006
company has
Smarter; E-Trade and TD Ameritrade
acquired from a hacked
6 million
were victims of an online brokerage
computer, drove up the prices
clients
note: TD Ameritrade had to cover $4
pump-and-dump scheme,” Wall Street &
of low-priced stocks through
million in fraudulent transactions for
Technology, December 1, 2006, p. 14.
high-volume purchases and
its most recent quarter
then sold those shares at a
profit
ING Financial Services- stolen
June 2006
District of Columbia
13,000
SSNs, personal data
Dwyer, Timothy, “ING Financial to
laptop
government workers
Notify Potential Identity Theft Victims,”
and retirees
Washington Post, June 19, 2006, p. B4.

CRS-44
Financial Institutions
Date
Number
Type of Data
Who Was Affected
Source(s)
Incidents
Publicized
Affected
Released/Compromised
Equifax Inc.- stolen laptop
June 2006
nearly all the U.S.
2,500
names, SSNs
Stempel, Jonathan, “Equifax Says
employees of the
Laptop With Employee Data Was
credit reporting
Stolen,” eWeek, June 20, 2006, at
bureau
[http://www.eweek.com/article2/0,1759,
1979296,00.asp?kc=EWRSS03129TX1
K0000614].
Fidelity Investments- stolen
March 2006
Hewlett-Packard
196,000
personal data
Hines, Matt, “Stolen Fidelity Laptop
laptop
employees
Exposes HP Workers,” eWeek, March
23, 2006, at
[http://www.eweek.com/article2/0,1895,
1942049,00.asp].
Bank of America, Washington
February
customers using
200,000
debit card information which was
Sandoval, Greg “Web of Intrigue Widens
Mutual- debit cards cancelled
2006
debit cards issued by
used to accrue fraudulent charges
in Debit-Card Theft Case,” CNet News,
the two banks at
February 13, 2006, at
Sam’s Club gas
[http://news.com.com/Web+of+intrigue+
stations and Office
widens+in+debit-card+theft+case/2100-1
Max
029_3-6038405.html].
Ameriprise Financial- laptop
January 2006
customers and
230,000
names, SSNs, internal account
Dash, Eric, “Ameriprise Loses Data on
theft
advisers with the
numbers
230,000 Customers and Advisers,” New
financial firm
York Times, January 25, 2006.

CRS-45
Financial Institutions
Date
Number
Type of Data
Who Was Affected
Source(s)
Incidents
Publicized
Affected
Released/Compromised
H&R Block- Social Security
January 2006
recipients of the
undisclosed
SSNs
Gilbert, Alorie, “H&R Block Blunder
numbers printed on unsolicited
company’s tax
Exposes Consumer Data,” CNet News,
packages containing free
preparation software
January 3, 2006, at
software
[http://news.com.com/H38R+Block+blu
nder+exposes+consumer+data/2100-102
9_3-6016720.html].
Visa USA
December
customers with Visa
undisclosed
credit card information
Weinstein, Natalie, “Visa Deals With
2005
cards from various
Possible Data Breach,” CNet News,
financial institutions
December 24, 2005, at
using a mutual
[http://news.com.com/2100-1029_3-600
merchant
7759.html].
Scottrade Inc.- internet hacker
December
customers of the
140,000
names, birth dates, drivers license
“Hackers Reveal 140,000 Customer
2005
stock brokerage firm
numbers, phone numbers, bank
ID’s,” Computer Crime Research
names, bank routing numbers, bank
Center, December 2, 2005 (no page
account numbers, and Scottrade
given).
account numbers
TransUnion (credit reporting
November
customers
3,600
SSNs and personal credit information
Paul, Peralte, “Credit Bureau Burglary
bureau) - stolen desktop
2005
Leaves 3,600 Vulnerable,” Atlanta
computer
Journal and Constitution, November 11,
2005, p. 5G.

CRS-46
Financial Institutions
Date
Number
Type of Data
Who Was Affected
Source(s)
Incidents
Publicized
Affected
Released/Compromised
Choicepoint - Miami-Dade
September
consumers
5,103
SSNs, driver’s license information
Husted, Bill, “Another Breach of
County Police Department may
2005
Records Feared;
have misused the department’s
Choicepoint Tells 5,103 Customers about
account to illegally access
Incident,” Atlanta Journal-Constitution,
consumer records
September 17, 2005, p. 1H.
Bank of America - stolen
September
Visa Buxx card users
undisclosed
names, credit card numbers, bank
McMillan, Robert, “Bank of America
laptop
2005
account numbers, routing transit
Notifying Customers After Laptop
numbers
Theft,” Computerworld, October 7,
2005, at
[http://www.computerworld.com/securit
ytopics/security/story/0,10801,105246,0
0.html].
J.P. Morgan (Dallas) - stolen
August 2005
clients
unknown
personal and financial information
“Security Breach at J.P. Morgan Private
laptop
Bank,”AFX International Focus, August
30, 2005 (no page given).
Citigroup - a box of computer
June 2005
personal and home
3.9 million
names, addresses, SSNs and
Krim, Jonathan, “Customer Data Lost,
tapes with account information
equity loan
loan-account data
Citigroup Unit Says:3.9 Million Affected
for 3.9 million customers was
customers
As Firms’ Security Lapses Add Up,
lost in shipment by
Washington Post, June 7, 2005, p. A1.
CitiFinancial, a unit of
Citigroup

CRS-47
Financial Institutions
Date
Number
Type of Data
Who Was Affected
Source(s)
Incidents
Publicized
Affected
Released/Compromised
Japanese credit cardholders -
June 2005
customers of 26
unknown
unknown
“Japan Cardholders ‘Hit’ by Theft,”BBC
hackers behind U.S. data theft
domestic Japanese
News, June 21, 2005 at
may have compromised the
credit card firms
[http://news.bbc.co.uk/2/hi/business/411
data of Japanese cardholders,
4252.stm].
according to the government.
Fraudulent transactions have
now emerged in Japan.
MasterCard - breach occurred
June 2005
MasterCard credit
40 million
names, account numbers, security
Krim, Jonathan and Michael Barbaro,
in 2004 at a processing center
card and some debit
codes, expiration dates
“40 Million Credit Card Numbers
in Tucson operated by
card customers
Hacked: Data Breached at Processing
CardSystems Solutions, one of
Center,”Washington Post, June 18, 2005,
several companies that handle
p. A1;
transfers of payment between
the bank of a credit card-using
Zeller, Tom and Eric Dash, “MasterCard
consumer and the bank of the
Says 40 Million Files Put at Risk,”New
merchant where a purchase was
York Times, June 18, 2005, p. A1; and
made. CardSystems’ computers
were breached by malicious
Evers, Joris, “Credit Card Suit Now
code that allowed access to
Seeks Damages,” CNET News.com, July
customer data.
7, 2005, at
[http://news.com.com/Credit+card+suit+
now+seeks+damages/2100-7350_3-5777
818.html].
Bank of America - laptop
June 2005
California customers
18,000
names, addresses, SSNs,
Lazarus, David, “Breaches in Security
stolen from car in Walnut
Require New Laws,” San Francisco
Creek, CA
Chronicle, June 29, 2005, p. C1.

CRS-48
Financial Institutions
Date
Number
Type of Data
Who Was Affected
Source(s)
Incidents
Publicized
Affected
Released/Compromised
New Jersey cybercrime ring
May 2005
customers of four
700,000
names, SSNs, bank account
Weiss, Todd, “Scope of Bank Data Theft
stole financial records from
banks (Charlotte,
information
Grows to 676,000 Customers: Bank
bank accounts
North Carolina-based
Employees Used Computer Screen
Bank of America and
note: bank employees sold financial
Captures to Snag Customer Data,”
Wachovia, Cherry
records to collection agencies and
Computerworld, May 20, 2005, at
Hill, New
law firms.
[http://www.computerworld.com/securit
Jersey-based
ytopics/security/cybercrime/story/0,1080
Commerce Bank, and
1,101903,00.html].
PNC Bank of
Pittsburgh)
Ameritrade (securities broker) -
April 2005
Ameritrade current
200,000
account information
“Ameritrade Loses Customer Account
loses tapes with back-up
and former
Info,” CNN Money, April 19, 2005, at
information on customer
customers
[http://money.cnn.com/2005/04/19/techn
accounts
ology/ameritrade/index.htm].
HSBC (global bank) sent out
April 2005
holders of General
180,000
credit card information
“Security Scare Hits HSBC’s
warning letters notifying
Motors MasterCard
Cards,”BBC News, April 14, 2005, at
customers that criminals may
who had shopped at
[http://news.bbc.co.uk/2/hi/business/444
have gained access to credit
Polo Ralph Lauren
4477.stm]; and
card info
stores
Vijayan, Jaikumar, “Update: Scope of
Credit Card Security Breach Expands,”
Computerworld, April 15, 2005, at
[http://www.computerworld.com/securit
ytopics/security/story/0,10801,101101,0
0.html].

CRS-49
Financial Institutions
Date
Number
Type of Data
Who Was Affected
Source(s)
Incidents
Publicized
Affected
Released/Compromised
Bank of America - computer
February
GSA charge card
1.2 million
customer and account information
Carrns, Ann, “Bank of America Is
data tapes lost during shipment
2005
program (Visa cards
Missing Tapes With Card Data,”Wall
issued to federal
Street Journal, February 28, 2005, p. B2.
employees)
Wells Fargo - computers stolen
November
mortgage and
company
customers’ names, addresses, and
Breyer, R. Michelle, “Wells Fargo
from Wells Fargo vendor
2004
student-loan
would not
SSNs, and account numbers
Customer Data Stolen in Computer Theft
customers
disclose
,”Austin-American Statesman, November
3, 2004, p. D1.
Wells Fargo - hacker arrested
November
customers with
company
names, addresses, account and SSNs
“Suspect Is Arrested in Theft of Bank
with stolen computers and
2003
personal lines of
would not
Data,” Los Angeles Times, November 27,
laptop
credit used for
disclose
2003, p. C2.
consumer loans and
overdraft protection
Weichert Financial Services -
May 2003
clients
3,774
credit reports, driver’s license info
Associated Press, “Pair Accused of
credit profiles were unlawfully
Fraud in Credit Reports’ Theft:
accessed from internal
Allegedly Used Data to Buy Goods over
computer system
the Internet,”The Record (Bergen
County, NJ), May 2, 2003, p. A10.

CRS-50
Financial Institutions
Date
Number
Type of Data
Who Was Affected
Source(s)
Incidents
Publicized
Affected
Released/Compromised
Visa, MasterCard, American
February
credit card customers
PNC Bank
ATM/debit/check cards
Sabatini, Patricia, “PNC Cancels 16,000
Express and Discover account
2003
cancelled
Cards After Hacking Theft Incident,”
numbers - hacker stole 8
16,000 cards;
Pittsburgh Post-Gazette, February 20,
million
Citizens Bank
2003, p. C1.
cancelled
8,000-10,000
cards
Fullerton, California - bogus
June 2001
impersonated more
1,500
birth dates, SSNs, mothers’ maiden
Brown, Aldrin and Jeff Collins,
credit card ring opened bank
than 1,500 people
names, credit cards, driver’s licenses,
“Suspicious Mail Triggered Probe of
accounts, credit lines, auto and
nationwide and
and receipts for car and home
Identity Theft Crime Losses from the
home loans
defrauded 76
purchases.
Alleged Ring, Which Used Data Stolen
financial institutions
as Far Back as the Early ‘90s, May Hit
$10 Million,” Orange County Register,
June 21, 2001 (no page given).

CRS-51
Table 4. Data Security Breaches in Local, State, and Federal Government (2003-2007)
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
Wisconsin Department of
January 2007
taxpayers
171,000
SSNs
Associated Press, “Wis. warns of identity theft
Revenue - SSNs printed on
after tax-form misprint puts social security
labels of mailed tax booklets
numbers on labels,” January 4, 2007.
Santa Clara County (CA)
December
employment
2,500
names, SSNs
Khanh, Truong Phuoc,
employment agency - stolen
2006
agency clients
Stolen server holds 2,500 Social Security
computer
numbers,” San Jose Mercury News, December
21, 2006.
West Virginia Air National
December
members of the
1,000
unspecified personal
Associated Press, “Laptop containing data on
Guard unit - stolen laptop
2006
Charleston-based
information
1,000 guardsmen stolen,” December 6, 2006.
130th Airlift
Wing
Vermont state website -
December
health care
“several hundred,
names, SSNs
Gram, David, “Health providers’ Social Security
inadvertent posting of private
2006
providers
likely more”
numbers posted on state site,” Associated Press
information
State & Local Wire, December 9, 2006.
Pennsylvania Department of
November
people who had
11,384
names, addresses, dates of
Lieback, Ron, “Data on 11,000 at risk,” Times
Transportation (Hanover
2006
their photos taken
birth, driver’s license numbers
Leader (Wilkes-Barre, Pennsylvania), December
township drivers licences
for a driver’s
and the last four digits of some
1, 2006.
facility, Dunmore, PA) -
license or an
SSNs and complete SSNs of
computer theft
identification card
5,348 individuals

CRS-52
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
Indiana State Department of
November
women in the
7,700
name, address, SSN, medical
Associated Press, “Women alerted to possible
Health via Family Health
2006
state’s Breast and
information
identity theft,” November 26, 2006.
Center of Clark County
Cervical Cancer
(Jeffersonville, IN) - two
Program
stolen computers
Bowling Green Police Dept.
November
victims or
200
names, SSNs, phone numbers
Feehan, Jennifer, “Bowling Green police
(Bowling Green, OH) -
2006
suspects on the
mistakenly put private data online,” Blade
inadvertent publishing of
daily blotter
(Toledo, Ohio), November 14, 2006.
personal data to website
Administration for Children’s
November
families, social
200 case files
unspecified confidential
Schapiro, Rich and Nicole Bode, “Secret Shame
Services (New York, NY) -
2006
workers and
information
for All to See. Confidential Acs Files Found
unshredded files found on the
police
Dumped on Street,” New York Daily News,
street in clear plastic garbage
November 20, 2006, p. 3.
bag
City of Lubbock (TX) -
November
job applicants
5,800
names, addresses, SSNs,
Roberts, Paul, “Texas Tech-are police discover
hackers broke into city job
2006
drivers license numbers
security breach in city database” (sic),
application website
University Wire, November 9, 2006.
Manhattan Veterans Affairs
November
veterans who
1,600
names, SSNs, medical
Hutchinson, Bill, “Your Identity May Be Stolen,
Medical Center, New York
2006
receive
diagnoses
Vets Are Warned, New York Daily News,
Harbor Health Care System
pulmonary care at
November 2, 2006, p. 19.
(New York, NY) -
the facility
unencrypted stolen laptop

CRS-53
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
Veterans Affairs Hospital and
November
veterans
1,400
names, SSNs, billing
Thornton, Tony, “VA hospital loses data on
McAlester Clinic - missing
2006
information
patients; No indication of misuse, agency says,”
computer disks (Muskogee,
The Oklahoman, November 2, 2006, p. 1A.
OK)
U.S. Army Cadet Command
November
high school
4,600
names, addresses, W-2 tax
Petkofsy, Andrew, “ROTC applicants’ data on
(Fort Monroe, VA) - stolen
2006
students who
forms, SSNs
stolen computer,” Richmond Times Dispatch
laptop
applied for Army
(Virginia), November 2, 2006, p. B6.
ROTC
scholarships.
Colorado Dept. of Human
November
recently hired
up to 1.4 million
names, SSNs, birth dates
Migoya, David, “Stolen state database puts 1.4
Services via private contractor
2006
employees
million at ID-theft risk,” Denver Post, November
Affiliated Computer Services
2, 2006, p. B1.
(Dallas, TX) - stolen computer
Port of Seattle (Seattle, WA) -
October
individuals who
6,943
unspecified personal
“Port of Seattle Hires Id Protection Service,”
missing CD-ROMS
2006
applied for airport
information
Pacific Shipper, October 27, 2006.
security badges
Camp Pendleton Marine Corps
October
Marines who live
2,400
unspecified personal
Hoellworth, John, “Lost laptop contains 2,400
base, via Lincoln BP
2006
on the base
information
Pendleton Marines’ info,” Marine Corps Times,
Management (near Oceanside,
October 23, 2006, p. 13.
CA) - missing laptop

CRS-54
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
City of Visalia, Recreation
October
current and
200
names, SSNs
Castellon, David, “Tossed records are still a
Division (Visalia, CA) - city
2006
former employees
mystery,” Visalia Times-Delta (California),
documents were found
October 17, 2006, p. 1C.
scattered on a city street.
Poulsbo Department of
October
citizens processed
2,200
names, addresses, drivers
US States News, “Small Department of
Licensing (Poulsbo, WA) -
2006
at one workstation
license photos
Licensing Data Backup Device Missing,”
missing data backup device
October 10, 2006.
Congressional Budget Office -
October
subscribers to
unknown
unknown
“Hackers Breach Budget Office’s Mailing List,”
mailing list hacked and
2006
CBO’s mailing
National Journal, Technology Daily, October
phishing email that appeared
list
13, 2006.
to come from CBO was sent
Cleveland Air Route Traffic
October
air traffic
400
names, SSNs
Sangiacomo, Michael, “FAA data in Oberlin
Control Center (Oberlin, OH) -
2006
controllers
computer lost Drives had names, Social Security
computer hard drive stolen
numbers,” Cleveland Plain Dealer, October 6,
2006, p. B3.
Florida Department of Labor -
October
individuals
4,624
names, SSNs,
Samples, Eve, “More than 4,600 Floridians’
personal information
2006
enrolled for
personal data accidentally posted,”Palm Beach
inadvertently posted on test
services with
Post, October 11, 2006.
server
regional
workforce boards

CRS-55
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
Cumberland County, PA -
October
employees
1,200
names, SSNs
Miller, Matt, “Employee numbers removed from
SSNs in meeting minutes
2006
Web,” Patriot-News, October 3, 2006, p. B1.
posted on website
Kentucky Personnel Cabinet
September
employees in state
146,000
SSNs
Alford, Roger, “State sends out letters with
(Frankfort, KY) - letters sent to
2006
agencies,
Social Security numbers visible,” Associated
employees displayed their
community and
Press, September 29, 2006.
SSNs on front
technical colleges,
school districts,
health
departments and
other offices
covered by the
state’s insurance
program
North Carolina Department of
September
drivers
16,000
names, SSNs, driver’s license
“Thieves take N.C. DMV computer with
Motor Vehicles (Louisburg,
2006
numbers, dates of birth
personal info,” Associated Press, September 28,
NC) - stolen computer
2006.
U.S. Department of Commerce
September
Census Bureau
6,200 households
unknown
Sipress, Alan, “1,100 Laptops Missing from
- 1,137 stolen, lost, or missing
2006
and National
(estimated)
Commerce Dept.,” Washington Post, September
laptops
Oceanic and
22, 2006, p. A3.
Atmospheric
Administration

CRS-56
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
U. S. Department of Veterans
August 2006
patients at VA
38,000
SSNs, names, addresses, birth
Rash, Wayne, “Another VA Computer Goes
Affairs - missing computer
hospitals in
dates, insurance carriers,
Missing,” eWeek, August 7, 2006, at
from contractor’s office
Pennsylvnia
billing information, details of
[http://www.eweek.com/article2/0,1895,200026
service
8,00.asp].
U.S. Department of
August 2006
drivers license
133,000
SSNs, names, addresses
Rash, Wayne, “DOT is the Latest Victim of
Transportation - stolen laptop
records of Florida
Computer Theft,” eWeek, August 10, 2006, at
residents
[http://www.eweek.com/article2/0,1895,200214
8,00.asp?kc=EWNAVEMNL081106EOAD].
U.S. Department of Education
August 2006
students who
21,000
names, birth dates, SSNs,
Yen, Hope, “Ed. Dept. offers free credit
- exposed loan data
borrowed money
addresses, phone numbers and
monitoring,” Houston Chronicle, August 24,
under
in some cases account
2006 (no page given).
the Federal Direct
information for holders of
Student Loan
federal direct student loans
program
Naval Safety Center - personal
July 2006
Naval and Marine
“more than
SSNs, personal information
“Naval Safety Center Finds Personal Data on
data exposed on website and
Corps aviators
100,000”
Website,” U.S. Department of Defense press
on 1,100 computer discs
and air crew, both
release, July 8, 2006, at
mailed to naval commands
active and reserve
[http://www.news.navy.mil/search/display.asp?st
ory_id=24568].

CRS-57
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
U.S. State Department -
July 2006
Washington
unknown
access to data and passwords
“State Department Releases Details Of
hackers
headquarters, and
Computer System Attacks,” COMMWEB, July
the Bureau of East
13, 2006 (no page given), and Greenemeier,
Asian and Pacific
Larry, “State Department Hack Escalates Federal
Affairs
Data Insecurity,” Information Week, July 12,
2006, at
[http://www.informationweek.com/news/showAr
ticle.jhtml?articleID=190302905].
Federal Trade Commission
June 2006
subjects of law
110
names, addresses, SSNs,
Reuters, “FTC Laptops Stolen, 110 People at
enforcement
financial account numbers
Risk of ID Theft,” Baseline.com, June 23, 2006
investigations
(no page given).
U.S. Navy - an open website
June 2006
Navy members
30,000
names, birth dates and SSNs
“Navy Personal Data on Web Is
contained five spreadsheet
and dependents
Katrina-related,” States News Service, June 26,
files with personal information
2006 (no page given).
Texas Guaranteed Student
June 2006
college students
1.3 million
names, SSNs
Evers, Joris, “Loan Company Reports Loss of
Loan- computer equipment
borrowing money
Data on 1.3 Million,” CNet News, June 1, 2006,
lost
from the loan
at
company
[http://news.com.com/Loan+company+reports+l
oss+of+data+on+1.3+million/2100-1029_3-607
9261.html].

CRS-58
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
National Institutes of Health
June 2006
credit union
“small number”
unidentified personal
Trejos, Nancy, “Identity Thieves Hit NIH Credit
Federal Credit Union
members
information
Union;
(Rockville, MD)
Scheme Is Latest in Spate of Breaches Affecting
Millions,” Washington Post, June 29, 2006, p.
B3.
U.S. Department of
June 2006
current and retired
26,000
names, SSNs, employee
Azaroff, Rachel, “Hacker Might Have Breached
Agriculture- external security
employees of the
photos, internal building
Personal Data at USDA,” FCW, June 22, 2006,
breach of a workstation and
department
locations
at
two servers
[http://www.fcw.com/article94991-06-22-06-We
b].
Minnesota Department of
June 2006
individuals and
2,400 individuals
names, addresses, SSNs,
MN Department of Revenue, “Department of
Revenue
businesses
and 48,000
employment data
Revenue to Assist Taxpayers Whose Private
(St. Paul, MN) - missing data
(taxpayers)
businesses
Information Was Included in a Package Lost in
tape
the Mail,” June 28, 2006, at
[http://www.taxes.state.mn.us/taxes/publications/
press_releases/content/taxpayer_information.sht
ml]
Department of Energy- file
June 2006
employees of the
1,500
names, SSNs, birth datess,
Associated Press, “DOE Computers Hacked;
stolen by hacker
Energy
codes showing where the
Info on 1,500 Taken,” June 11, 2006.
Department’s
employees worked, codes
nuclear weapons
showing their security
agency
clearance

CRS-59
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
Government Accountability
June 2006
DoD employees
“fewer than
service members’ names,
Thormeyer, Rob, “GAO Removes Archived
Office (GAO) -website
1,000”
SSNs, addresses
Personal Data from Web Site,”
exposed data from audit
WashingtonTechnology.com, June 27, 2006 at
reports on Defense Department
[http://www.washingtontechnology.com/news/1
travel vouchers from the 1970s
_1/daily_news/28845-1.html].
King County Records,
June 2006
current and
unknown
SSNs
Associated Press, “Councilman Irked by Data
Elections, and Licensing
former county
(potentially
Postings on Web,” June 27, 2006.
Services Division
residents
thousands)
(Seattle, WA) - website
exposed personal data
Internal Revenue Service - lost
June 2006
IRS employees
291
names, birth dates, SSNs,
Lee, Christopher, “IRS Laptop Lost with Data
laptop
and job applicants
fingerprints
on 291 People,” Washington Post, June 8, 2006,
p. A4.
Nebraska Treasurer’s Office
June 2006
individuals and
300,000
names, SSNs, tax
Nebraska State Treasurer, “Hacker Virus
(Lincoln, NE) - hacker broke
employers who
individuals and
identification numbers for
Stopped by Treasurer’s Office,” June 29, 2006,
into a child-support computer
pay and receive
9,000 employers
businesses
at [http://www.treasurer.state.ne.us/ie/server.asp]
system
child support
payments
Pentagon, Tricare
May 2006
Defense
14,000
names, SSNs, credit card
Barr, Stephen, “Conference Attendees’ Personal
Management Activity- hackers
Department
numbers, employer
Data May Be at Risk,” Washington Post, May
break into server
conference
identification, other personal
12, 2006, p. D4.
attendees
information

CRS-60
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
Department of Veterans
May 2006
military veterans
26.5 million
names, birth dates, SSNs
Lee, Christopher and Steve Vogel, “Personal
Affairs- laptop and external
Data on Veterans is Stolen,” Washington Post,
hard drive stolen
May 23, 2006, p. A1.
National Institutes of Health
October
applicants to the
undisclosed
grant proposals and other grant
Pulley, John L., “NIH Accidentally Posts
(NIH)- posting of confidential
2005
NIH
review materials
Confidential Grant Applications on the Web,”
grant applications
The Chronicle of Higher Education, October 31,
2005 (no page given).
U.S. Air Force - records stolen
August 2005
officers and 19
33,300
SSNs, birth dates, and other
Dorsett, Amy, “Identity theft Threat Hangs over
from the Air Force Personnel
NCOs
sensitive information
AF Officers,” San Antonio Express-News,
Center’s online Assignment
August 24, 2005, p. 1A.
Management System
San Diego County Employees
July 2005
current and retired
33,000
workers’ names, Social
Chacon, Daniel, “Hackers Breach County’s
Retirement Association -
county
Security numbers, addresses
Personal Records; 33,000 People at Risk in
hackers broke into two
government
and dates of birth
Retirement Association,” San Diego
computers
employees
Union-Tribune, July 30, 2005, p. B1.

CRS-61
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
Federal Deposit Insurance
June 2005
FDIC current and
6,000
names, birth dates, SSNs, and
Krim, Jonathan, “FDIC Alerts Employees of
Corporation - computer breach
former employees
salary information
Data Breach”, Washington Post, June 16 2005,
in early 2004. The agency
or anyone
p. D1.
wrote to employees that it
employed at the
learned of the breach only
agency as of July
“recently”, but did not explain
2002.
how the breach occurred, aside
from stating that it was not the
result of a computer security
failure.
Lucas County (OH) Children
June 2005
agency’s 400
900
names, telephone numbers,
Patch, David, “Lucas County Children Services
Services - information from
current employees
SSNs
Data Stolen,” Toledo Blade, June 28, 2005, p.
the agency’s personnel
and about 500
B1.
database was compiled and
others who have

e-mailed to an outside
worked there
computer
since 1991
hackers breached Illinois
February
people who work
90,000
SSNs, wages
“Hackers Breach State Files on 90,000,”
Employment Development
2004
as domestic
Chicago Tribune, February 15, 2004, p. 12.
Department server
employees and
those who employ
them

CRS-62
Government (Local, State
Date
Who Was
Type of Data
Number Affected
Source(s)
and Federal) Incidents
Publicized
Affected
Released/Compromised
U.S. Department of Defense -
August 2003
Navy’s purchase
13,000
credit card numbers
Reddy, Anitha, “Hackers Steal 13,000 Credit
hackers downloaded Navy
card program,
Card Numbers; Navy Says No Fraud Has Been
credit cards
used to order
Noticed,” Washington Post, November 23, 2003,
routine office
p. E1.
supplies
Bronx identity theft ring filed
February
income tax filers
not specified
SSNs
Weiser, Benjamin, “19 Charged in Identity Theft
thousands of fraudulent
2003
That Netted $7 Million in Tax Refunds,” New
income tax returns
note: ID theft ring obtained
York Times, February 5, 2003, p. B3.
$7million in tax refunds

CRS-63
Table 5. Data Security Breaches in Health Care (2003-2007)
Date
Who Was
Type of Data
Healthcare Incidents
Number Affected
Source(s)
Publicized
Affected
Released/Compromised
Electronic Registry Systems
December
cancer patients at
more than 63,000
names, addresses, dates of birth,
“Emory Healthcare Data Breach Sparks
(Springdale, OH) - two stolen
2006
Emory University
SSNs, medical record number,
Concerns of Identify Theft,” US Fed
computers
(Emory Hospital,
medical data and treatment
News, January 4, 2007.
Emory Crawford
information
Long Hospital,
Grady Memorial
Hospital),
Geisinger Health
System
(Pennyslvania),
Williamson
Medical Center
Aetna via Concentra Preferred
December
members of
130,000 plus
names, hospital codes, SSNs or Aetna
Levick, Diane, “Health Plan Members’
Systems (Dayton, OH) -
2006
Aetna and other
42,000 determined
member IDs of 750 medical
Data Stolen Victimized Vendor and
backup data tapes stolen (note:
Concentra health
later
professionals; tapes with personal
Affected Insurers Call Risk of Identity
company stated “backup tapes
plans
information of 42,000 NY employees
Theft Low,” Hartford Courant,
cannot be used on a standard
insured by Group Health Insurance,
December 14, 2006, p. E1.
personal computer, and that
Inc.
both a specific tape drive and
specific version of the backup
tape software are required to
read the tapes”)

CRS-64
Date
Who Was
Type of Data
Healthcare Incidents
Number Affected
Source(s)
Publicized
Affected
Released/Compromised
Gundersen Lutheran Medical
December
patients
unknown
names, SSNs, dates of birth
“La Crosse hospital worker charged with
Center (LaCrosse, WI) -
2006
identity theft,” Associated Press,
employee used patient
December 3, 2006.
information to apply for credit
cards in their names
note: employee was arrested for 37
counts of identity theft and was
convicted of identity theft and
uttering forged writing
Kaiser Permanente Colorado
November
patients
38,000
names, Kaiser ID number, date of
“Health Data On 45,000 Lost In Two
Skyline and Southwest offices
2006
birth, gender, physician information
Laptop Thefts,” National Journal
(Denver, CO) - employee
Technology Daily, November 30, 2006.
laptop stolen from car
Intermountain Healthcare
November
employees
6,244
names, job titles, SSNs, telephone
Fantin, Linda and Bob Mims, “IHC
(Salt Lake City, UT) - laptop
2006
numbers
laptop donated to thrift store contained
donated to secondhand store
employee information,” Salt Lake
contained personal data
Tribune, November 3, 2006.
Allina Hospitals and Clinics
November
patients
personal
names, SSNs
Olson, Jeremy, “Nurse’s stolen laptop
(Minneapolis-St.Paul, MN) -
2006
information for
held patient data; Allina warns clients,
theft of laptop from nurse’s
33,000 and SSNs
alters recordkeeping,” St. Paul Pioneer
car (data was protected by two
for 17,000
Press, November 1, 2006, p. 10B.
passwords)

CRS-65
Date
Who Was
Type of Data
Healthcare Incidents
Number Affected
Source(s)
Publicized
Affected
Released/Compromised
Akron Childrens Hospital
October
donors, hospital
230,000 from one
names, SSNs, billing information
Washkuch, Frank, “Hackers breach
(Akron, OH) - hackers broke
2006
patients, and their
database and
Ohio hospital’s databases, obtain
into two databases
parents and
12,000 from the
personal information of 240,000,” SC
guardians
other
Magazine, October 30, 2006 at
[http://www.scmagazine.com.au/news/6
7465,hackers-breach-ohio-hospitals-data
bases-obtain-personal-information-of-24
0000.aspx ].
Swedish Medical Center,
October
patients
1,100
names, dates of birth, SSNs
Song, Kyung, “3 Swedish patients say
Ballard Campus (Seattle, WA)
2006
IDs stolen at Ballard campus; worker
- employee used patients’
fired; Employee allegedly opened credit
personal information to open
cards; Hospital warns patients to watch
credit card accounts
for activity on their credit reports,”
Seattle Times, October 25, 2006, p. B4.
Sisters of St. Francis Health
October
patients,
260,000
names, SSNs
Lee, Daniel, “Lost and found: info on
Services via Advanced
2006
employees,
patients and 6,200
260,000 patients,” Indianopolis Star,
Receivables Strategy
physicians and
employees
October 25, 2006.
(Indianapolis, IN) - contractor
Board members
inadvertently left CDs
containing confidential billing
information in a new
computer bag she purchased
but later returned to a store

CRS-66
Date
Who Was
Type of Data
Healthcare Incidents
Number Affected
Source(s)
Publicized
Affected
Released/Compromised
Erlanger Health System
September
current and
4,150
names, SSNs
Berry, Emily, “Erlanger loses computer
(Chattanooga, TN) - missing
2006
former employees
device, personnel data,” Chattanooga
data device
Times/Free Press, September 24, 2006.
Medco Health Solutions-
March 2006
Ohio state
4,600
SSNs, birth dates
Weiss, Todd R., “Vendor Waited Six
stolen laptop
employees and
Weeks to Notify Ohio Officials of Data
their dependents
Breach,” Computerworld, March 1,
2006, at
[http://www.computerworld.com/printth
is/2006/0,4814,109116,00.htm].
Children’s Health Council,
September
patients,
5,000-6,000
psychiatric records, evaluations and
Walsh, Diana, “Data Stolen from
San Jose, California - stolen
2005
employees, and
SSNs; also payroll data on hundreds
Children’s Psychiatric Center,” San
backup tape
parents of patients
of current and former employees and
Francisco Chronicle, September 20,
credit card information from parents
2005, p. B8.
of patients
San Jose Medical Group
April
former patients
185,000
names, addresses, SSNs, confidential
Weiss, Todd, “Update: Stolen
Management - desktop
2005
from last seven
medical information
Computers Contain Data on 185,000
computers stolen from locked
years
Patients,” Computerworld, April 8,
administrative office
2005, at
[http://www.computerworld.com/databa
setopics/data/story/0,10801,100961,00.h
tml].

CRS-67
Date
Who Was
Type of Data
Healthcare Incidents
Number Affected
Source(s)
Publicized
Affected
Released/Compromised
TriWest Healthcare Alliance -
December
military personnel
500,000
names, addresses, SSNs
Gorman, Tom, “Reward Offered in
theft of a database containing
2002
and their
Huge Theft of Identity Data; Stolen
names and SSNs
dependents
Computers Had Names, Social Security
Numbers of 500,000 Military
Families,”Los Angeles Times, January 1,
2003, p. 14.
Source: The tables were prepared by CRS from publicly available and news media sources.
Note: URLs are listed for exclusively online sources; other publications are identified by name and date.


CRS-68
For Additional Reading
CRS Report RS22374. Data Security: Federal and State Laws, by Gina Marie
Stevens.
CRS Report RL33273. Data Security: Federal Legislative Approaches, by Gina
Marie Stevens.
CRS Report RS22484. Identity Theft Laws: State Penalties and Remedies and
Pending Federal Bills, by Tara Alexandra Rainson.
CRS Report RL33005. Information Brokers: Federal and State Laws, by Angie A.
Welborn.
CRS Report RL33612. Department of Veterans Affairs: Information Security and
Information Technology Management Reorganization, by Sidath Viranga
Panangala.
CRS Report RL31919. Remedies Available to Victims of Identity Theft, by Gina
Marie Stevens.
CRS Report RS22082. Identity Theft: The Internet Connection (archived), by Marcia
S. Smith.
crsphpgw