A Chronology of
Data Breaches
Reported Since the ChoicePoint Incident
Posted = April 20, 2005
Updated - November 19, 2005
The
data breaches noted below have been reported because the personal
information compromised includes data elements useful to identity
thieves, such as Social Security numbers, account numbers, and
driver's license numbers.
The catalyst for reporting data breaches to the affected individuals
has been the California law that requires notice of security breaches,
the first of its kind in the nation, implemented July 2003.
www.privacyrights.org/ar/SecurityBreach.htm
www.privacy.ca.gov/recommendations/secbreach.pdf
This chronology
below begins with ChoicePoint's 2/15/05 announcement of its data
breaches because it was a watershed event in terms of disclosure to
the affected individuals. Since then, the "best practice"
has been to disclose breaches to individuals nationwide -- in a sense,
adopting California's notice requirement nationally.
In the meantime,
over half the states have considered legislation on security breach
notices and security freezes in 2005, and several states passed laws
requiring that individuals be notified of security breaches. For a
list of those states enacting breach and freeze laws, visit the
Consumers Union web site here:
Security breach notice laws: www.consumersunion.org/campaigns/Breach_laws_May05.pdf
Credit freeze laws: www.consumersunion.org/campaigns/learn_more/002355indiv.html
Congress is
considering several bills this year in which security breach notices
would be mandated nationwide. See http://thomas.loc.gov.
See also EPIC's bill-track list, www.epic.org/privacy/bill_track.html.
Here are other
sources for security breach information:
| DATE
MADE PUBLIC |
NAME
|
TYPE OF BREACH
|
NUMBER
|
| Feb.
15, 2005 |
ChoicePoint
|
Bogus accounts established by ID thieves
|
145,000
|
| Feb. 25 , 2005 |
Bank of America
|
Lost backup tape
|
1,200,000
|
| Feb. 25, 2005 |
PayMaxx
|
Exposed online
|
25,000
|
| March 8, 2005 |
DSW/Retail Ventures
|
Hacking
|
100,000
|
| March 10, 2005 |
LexisNexis
|
Passwords compromised
|
32,000
|
| March 11, 2005 |
Univ. of CA, Berkeley
|
Stolen laptop
|
98,400
|
| March 11, 2005 |
Boston College
|
Hacking
|
120,000
|
| March 12, 2005 |
NV Dept. of Motor Vehicle
|
Stolen computer
|
8,900
|
| March 20, 2005 |
Northwestern Univ. |
Hacking |
21,000 |
| March 20, 2005 |
Univ. of NV., Las Vegas
|
Hacking
|
5,000
|
| March 22, 2005 |
Calif. State Univ., Chico
|
Hacking
|
59,000
|
| March 23, 2005 |
Univ. of CA, San Francisco
|
Hacking
|
7,000
|
| March 28, 2005 |
Univ. of Chicago
Hospital |
Dishonest insider |
unknown |
| April ?, 2005 |
Georgia DMV |
Dishonest insider |
465,000 |
| April 5, 2005 |
MCI |
Stolen laptop |
16,500 |
| April 8, 2005 |
Eastern National |
Hacker |
15,000 |
| April 8, 2005 |
San Jose Med. Group
|
Stolen computer
|
185,000
|
| April 11, 2005 |
Tufts University
|
Hacking
|
106,000
|
| April 12, 2005 |
LexisNexis
|
Passwords compromised
|
Additional 280,000
|
| April 14, 2005 |
Polo Ralph Lauren/HSBC
|
Hacking
|
180,000
|
| April 14, 2005 |
Calif. Fastrack |
Dishonest Insider |
4,500 |
| April 15, 2005 |
CA Dept. of Health
Services |
Stolen laptop |
21,600 |
| April 18, 2005 |
DSW/ Retail Ventures
|
Hacking
|
Additional 1,300,000
|
| April 20, 2005 |
Ameritrade
|
Lost backup tape
|
200,000
|
| April 21, 2005 |
Carnegie Mellon
Univ. |
Hacking |
19,000 |
| April 26, 2005 |
Mich. State Univ's
Wharton Center |
Hacking |
40,000 |
| April 26, 2005 |
Christus St.
Joseph's Hospital |
Stolen computer |
19,000 |
| April 28, 2005 |
Georgia Southern
Univ. |
Hacking |
"tens of
thousands" |
| April 28, 2005 |
Wachovia,
Bank of America,
PNC Financial Services Group and
Commerce Bancorp |
Dishonest insiders |
676,000 |
| April 29, 2005 |
Oklahoma State
Univ. |
Missing laptop |
37,000 |
| May 2, 2005 |
Time Warner |
Lost backup tapes |
600,000 |
| May 4, 2005 |
CO. Health Dept. |
Stolen laptop |
1,600 (families) |
| May 5, 2005 |
Purdue Univ. |
Hacking |
11,360 |
| May 7, 2005 |
Dept. of Justice |
Stolen laptop |
80,000 |
| May 11, 2005 |
Stanford Univ. |
Hacking |
9,900 |
| May 12, 2005 |
Hinsdale Central
High School |
Hacking |
2,400 |
| May 16, 2005 |
Westborough Bank |
Dishonest insider |
750 |
| May 18, 2005 |
Jackson Comm.
College, Michigan |
Hacking |
8,000 |
| May 18, 2005 |
Univ. of Iowa |
Hacking |
30,000 |
| May 19, 2005 |
Valdosta State
Univ., GA |
Hacking |
40,000 |
| May 20, 2005 |
Purdue Univ. |
Hacking |
11,000 |
| May 26, 2005 |
Duke Univ. |
Hacking |
5,500 |
| May 27, 2005 |
Cleveland State
Univ. |
Stolen laptop |
44,420 |
| May 28, 2005 |
Merlin Data
Services |
Bogus acct. set up |
9,000 |
| May 30, 2005 |
Motorola |
Computers stolen |
unknown |
| June 6, 2005 |
CitiFinancial |
Lost backup tapes |
3,900,000 |
| June 10, 2005 |
Fed. Deposit
Insurance Corp. (FDIC) |
Not disclosed |
6,000 |
June 16, 2005
|
CardSystems |
Hacking |
40,000,000 |
| June 17, 2005 |
Kent State Univ. |
Stolen laptop |
1,400 |
| June 18, 2005 |
Univ. of Hawaii |
Dishonest Insider |
150,000 |
| June 22, 2005 |
Eastman Kodak |
Stolen laptop |
5,800 |
| June 22, 2005 |
East Carolina Univ. |
Hacking |
250 |
| June 25, 2005 |
Univ. of CT (UCONN) |
Hacking |
72,000 |
| June 28, 2005 |
Lucas Cty. Children
Services (OH) |
Exposed by email |
900 |
| June 29, 2005 |
Bank of America |
Stolen laptop |
18,000 |
| June 30, 2005 |
Ohio State Univ.
Med. Ctr. |
Stolen laptop |
15,000 |
| July 1, 2005 |
Univ. of CA, San
Diego |
Hacking |
3,300 |
| July 6, 2005 |
City National Bank |
Lost backup tapes |
unknown |
| July 7, 2005 |
Mich. State Univ. |
Hacking |
27,000 |
| July 19, 2005 |
Univ. of Southern
Calif. (USC) |
Hacking |
270,000 possibly
accessed; "dozens"exposed |
| July 21, 2005 |
Univ. of
Colorado-Boulder |
Hacking |
42,000 |
| July 30, 2005 |
San Diego Co.
Employees Retirement Assoc. |
Hacking |
33,000 |
| July 30, 2005 |
Calif. State Univ.,
Dominguez Hills |
Hacking |
9,613 |
| July 31, 2005 |
Cal Poly-Pomona |
Hacking |
31,077 |
| Aug. 2, 2005 |
Univ. of Colorado |
Hacking |
36,000 |
| Aug. 9, 2005 |
Sonoma State Univ. |
Hacking |
61,709 |
| Aug. 9, 2005 |
Univ. of Utah |
Hacking |
100,000 |
| Aug. 10, 2005 |
Univ. of North
Texas |
Hacking |
39,000 |
| Aug. 17, 2005 |
Calif. State
University, Stanislaus |
Hacking |
900 |
| Aug. 19, 2005 |
Univ. of Colorado |
Hacking |
49,000 |
| Aug. 22, 2005 |
Air Force |
Hacking |
33,300 |
| Aug. 27, 2005 |
Univ. of Florida,
Health Sciences Center/ChartOne |
Stolen Laptop |
3,851 |
| Aug. 30, 2005 |
J.P. Morgan, Dallas |
Stolen Laptop |
Unknown |
| Aug. 30, 2005 |
Calif. State
University, Chancellor's Office |
Hacking |
154 |
| Sept. 10, 2005 |
Kent State Univ. |
Stolen Computers |
100,000 |
| Sept. 15, 2005 |
Miami Univ. |
Exposed Online |
21,762 |
| Sept.
16, 2005 |
ChoicePoint
(2nd notice, see 2/15/05 for 145,000) |
ID thieves accessed; also misuse of IDs
& passwords.
|
9,903
|
| Sept. 17, 2005 |
North Fork Bank, NY |
Stolen laptop
(7/24/05) with mortgage data |
9,000 |
| Sept. 19, 2005 |
Children's Health
Council, San Jose CA |
Stolen backup tape |
5,000 - 6,000 |
| Sept. 22, 2005 |
City University of
New York |
Exposed online |
350 |
|
Sept. 23,
2005
|
Bank of America |
Stolen laptop with
info of Visa Buxx users (debit cards) |
Not disclosed |
| Sept. 28, 2005 |
RBC Dain Rauscher |
Illegitimate access
to customer data by former employee |
100+ customers'
records compromised out of 300,000 |
| Sept. 29, 2005 |
Univ. of Georgia |
Hacking |
At least 1,600 |
| Oct. 15, 2005 |
Montclair State
Univ. |
Exposed online |
9,100 |
| Oct. 21, 2005 |
Wilcox Memorial
Hospital, Hawaii |
Lost backup tape |
130,000 |
| Nov. 1, 2005 |
Univ. of Tenn.
Medical Center |
Stolen laptop |
3,800 |
| Nov. 4, 2005 |
Keck School of
Medicine, USC |
Stolen computer |
50,000 |
| Nov. 5, 2005 |
Safeway, Hawaii |
Stolen laptop |
1,400 in Hawaii,
perhaps more elsewhere |
| Nov. 8, 2005 |
ChoicePoint |
Bogus accounts
established by ID thieves
Total affected now reaches 162,000
(See Feb. 15 & Sept. 16)
|
17,000 more |
| Nov. 9, 2005 |
TransUnion |
Stolen computer |
3,623 |
| Nov. 11, 2005 |
Georgia Tech Office
of Enrollment Services |
Stolen computer |
13,000 |
| |
|
|
|
| TOTAL |
|
|
51,507,622
|
(Originating URL = http://www.privacyrights.org/ar/ChronDataBreaches.htm
)
|
