Recent Data Security Breaches Underscore Need for Stronger Identity Theft Protections
It seems like every week there’s news of another security breach at a company holding sensitive consumer information, putting more Americans at risk of identity theft. Thousands of companies maintain files with detailed financial and personal information about consumers, including Social Security numbers, birth dates, account numbers, and addresses. This information is the key that crooks can use to get credit in someone else’s name and steal identities.
To date, the Privacy Rights Clearinghouse estimates that over 93 million sensitive records have been put at risk as a result of these breaches. Here are some recent examples of companies and other institutions whose security has been breached and others that have come under fire for failing to maintain strict security practices:
February 2005, Choicepoint, Inc.: In mid-February 2005, ChoicePoint, Inc., an information broker based in Georgia, announced that a fraud ring had gained access to the personal and financial information of an estimated 145,000 consumers from computer databases maintained by the company. ChoicePoint maintains a huge database with billions of records on consumers culled from public records and other documents. It sells access to that information to businesses for a variety of purposes. The ChoicePoint files that were compromised contained such sensitive information as Social Security numbers matched to names and addresses. Subsequent news reports indicated that ChoicePoint had experienced similar security breaches in the past.
February 2005, Bank of America: An estimated 1.2 million federal workers were put at risk of identity theft as result of lost computer tapes maintained by Bank of America. The bank announced in late February the loss of the tapes, which included Social Security numbers, addresses and credit account numbers. A Bank of America spokesperson indicated that the tapes were probably stolen by baggage handlers from a commercial airplane when they were being shipped to a back-up data center. Members of Congress were among those federal workers whose information was put at risk as a result of the lost tapes.
February 2005, Westlaw: This Minnesota-based data search company was criticized in early 2005 for maintaining loose security practices that enabled clients who used the firm’s online “People-Find” database to obtain Social Security numbers and other personal information. Private companies subscribe to this service, giving them easy access to sensitive information that can be used to commit identity theft. A Senator exposed the lax security maintained on the web site and called on the company to disable it until better security was established to prevent fraud. Westlaw responded to the complaints by announcing that it would restrict customer access to Social Security numbers.
February 2005, PayMaxx: This payroll processing company was in the news recently after a computer security expert revealed how easy it was to obtain personal information, including Social Security numbers, from the firm’s web site. Aaron Greenspan of Think Computer Corporation contacted the company when he discovered that a software glitch enabled any user to view the W-2 forms generated for employees of companies that use PayMaxx. The company has since taken action to correct the problem.
March 2005, Lexis Nexis: In early March 2005, Lexis-Nexis announced that the security of a database maintained by a company it owns had been compromised, leaving another 32,000 people at risk of having their identities stolen and credit ruined. In April, Lexis-Nexis acknowledged that it had underestimated the size of the breach by almost ten times. The company now says that the personal information of 310,000 people was compromised by crooks who obtained passwords from legitimate customers and accessed such information as names, addresses, Social Security numbers, and drivers’ license numbers. The files were part of a database maintained by Seisint, which is owned by Lexis-Nexis. The company sells access to the data to a variety of business and government clients.
March 2005, DSW Shoe Warehouse: Retail Ventures, Inc. announced in early March that credit card account numbers and other information about customers of 103 DSW Shoe Warehouse stores had been stolen from company computer database. DSW initially estimated that about 100,000 records were lost. However, in April, DSW found that the breach was much worse than that: the credit card numbers of about 1.4 million customers, and the driver’s license information of about 96,000 customers, had been accessed by thieves. DSW initially was made aware of the problem by credit card companies that noticed suspicious activity on some of the affected accounts.
March 2005, Boston College: In March, Boston College informed 120,000 alumni that a computer containing their addresses and Social Security numbers had been breached by hackers. The breach was discovered by a computer security worker who found that a computer at a phone bank had been compromised.
March 2005, University of California, Berkeley: In October 2004, the University of California announced that the names, addresses, telephone numbers, Social Security numbers and birthdates of 1.4 million people had been compromised. The university obtained the information from the California Department of Social Services’ In-Home Supportive Services program, for the purposes of research. The breach was discovered by the information technology staff at the university, using intrusion-detection software.
April 2005, Ameritrade: Ameritrade Holding Corp., a top online discount broker, announced in April 2005 that it lost a backup tape during shipping between vendors. The tape contained the personal information of about 200,000 current and former customers and may have included Social Security numbers. Ameritrade discovered the loss of the tape in February, when it received a damaged envelope containing backup tapes. An investigation revealed that four tapes were missing, but only three have been recovered.
April 2005, GeneralMotors Mastercard: In April, HSBC, the bank that issues the GM Rewards Mastercard, notified 180,000 customers that their cards had been used at an anonymous retailer during the period between June 2002 and December 2004. HSBC provided a toll-free number and the investigation is ongoing.
May 2005, Omega World Travel: In May 2005, US police authorities announced their investigation regarding the theft of a computer containing the private information of 80,000 Justice Department employees. The computer contained password-protected names and credit card account numbers, as well as employee traveler profiles which may include home addresses, telephone numbers, even passport numbers.
May 2005, Time Warner: Adding another occurrence to the number of cases involving data storage tapes lost in transit, Time Warner announced on May 2 the loss of tapes containing the information of 600,000 current and former employees. Time Warner is the largest media company in the world, and owns American Online, HBO and Warner Brother. The missing tapes include employee information from as far back as 1986 and the United States Secret Service is currently investigating this matter.
May 2005, Colorado State Health Department: In late May 2005, a Colorado state health department employee took a laptop – containing the medical records of 1,600 families – home for the weekend and left it in a car overnight, where it was stolen. The employee, who violated department policy by removing the laptop, containing the medical records, from the facility, has been demoted. The car has been recovered, but the laptop is still missing. The department has since upgraded its encryption software and begun to re-examine its confidentiality procedures, and the car, though not the laptop, has been recovered.
June 2005, CitiFinancial: In June 2005, CitiFinancial began mailing notices to the 3.9 million customers whose private information was put at risk when backup tapes containing their information were lost in transit. The tapes contained information about network branch customers in the US, as well as customers with closed, CitiFinancial Retail Services, accounts. This breach occurred despite the “enhanced” security procedures that CitiFinancial claims to have in place and, beginning in July, all such data will be encrypted.
June 2005, Motorola: In June, Motorola sent emails to its employees, approximately 34,000 of whom are in the US, notifying them of the theft of two computers from the offices of Motorola’s human resources services provider, Affiliated Computer Sources. The stolen computers contained the names and Social Security Numbers of an undisclosed number of employees. Motorola reported the incident to police (who are currently investigating the thefts) and is providing free fraud insurance to employees.
June 2005, CardSystems: A record 40 million credit card holders throughout the United States may have had their credit card numbers stolen after a hacker infiltrated a major third-party payment processor’s database in late 2004. CardSystems Solutions Inc., a Tucson, Ariz. based company said that a hacker infiltrated the company’s computer network to access financial information for millions of consumers carrying MasterCard, Visa, Discover, American Express and other brands of credit cards. The breach has been characterized as one of the largest security blunders ever to occur in terms of the number of potential victims. It was discovered after a MasterCard investigation revealed a link between numerous fraudulent transactions that CardSystems had handled.
June 2005, University of Hawaii: University of Hawaii officials fear that up to 150,000 users of its library system may be at risk of identity theft after discovering that a former university employee who had access to tens of thousands of Social Security numbers had been indicted of identity theft and fraud. While it is unclear if the ex-employee, Deborah Jenkins misused the private information the library uses, Jenkins and her husband have been accused of using a Maryland man’s identity to co-sign on tens of thousands of dollars in student loans. Her husband was arrested in Florida in early 2005; Jenkins is still on the loose. University officials encouraged the affected library patrons to keep a close eye on their credit records.
July 2005, University of Southern California: In late April 2006, federal prosecutors charged a San Diego man with hacking into the University of Southern California’s admissions website and stealing the personal information for several applicants in June 2005. The hacker, 25-year old Eric McCarty said that he earned money for exposing security vulnerabilities on secure websites and wrote about how he hacked into USC’s servers on an internet-security website. McCarty later reported the vulnerability to the school. The university took its admissions site offline for two weeks after discovering that the programming flaw could allow outsiders to access its database containing Social Security numbers and birthdates for more than a 270,000 prospective students who applied at the prestigious university between 1997 and 2005.
August 2005, University of Utah: The University of Utah reported that a hacker gained access to a database of 100,000 employee names and Social Security numbers on one of the school’s servers and may have downloaded them. The University encouraged anyone who worked at the school between 1970 and 2003 to keep a watchful eye on their credit records. At least one former employee has come forward saying that a fraudulent purchase was made using his credit card. The employee suspects that whoever made the purchase obtained his private information from the breached school server.
September 2005, Kent State University: Numerous desktop computers containing names, Social Security numbers and student grades for 100,000 students and faculty at Kent State University in Ohio were stolen in Sept. 2005. The university sent out e-mails alerting the campus of the thefts and warned about the potential for identity theft. A university spokesman said that the computer was password protected, but did not make it clear whether the information was encrypted.
October 2005, Wilcox Memorial Hospital: 130,000 former and current patients at Hawaii’s Wilcox Memorial Hospital were warned after a computer drive with their names, addresses, medical record numbers and Social Security numbers disappeared in Oct. 2005. A hospital spokesman said that the unencrypted information was contained on a small USB memory drive and is in a highly accessible PDF format. Hospital officials waited 12 days before notifying patients after unsuccessfully trying to locate the drive within a “secure area” of the medical facility. Hawaii state laws do not require companies to notify consumers after their private information has been compromised, but Wilcox voluntarily sent notification letters to affected patients. It is unclear if the drive has been recovered.
November 2005, Boeing: A laptop with sensitive data such as names, Social Security numbers, birth dates, and financial information was stolen from a Boeing human-resources employee in Nov. 2005. The crook took private information for 161,000 current and former employees of the Seattle-based aircraft manufacturer. A company spokesman said that the laptop was password protected but the data was not encrypted. Boeing is enrolling employees in a credit-monitoring service free of charge and will assist in the registration with the three credit-reporting agencies.
December 2005, Firstrust Bank: A man disguised as a janitor made his way into a Northeastern Philadelphia bank and stole a laptop containing account information and Social Security numbers for 100,000 customers in early Nov. 2005. The institution, Firstrust Bank, frustrated its customers after waiting nearly a month before issuing a warning about the theft. Firstrust and authorities said that the computer was password protected and that they were not sure if the thief was specifically looking for the private information.
December 2005, Marriott International: Officials at Marriott International’s Orlando office don’t know whether computer back-up tapes containing credit card information and Social Security numbers of 206,000 of its time-share owners and employees went lost or was stolen, a company spokesman said in late December 2005. The tapes have been missing since mid-November, but Marriott began sending out letters to affected individuals and public outreach a little more than a month after the disappearance. The hotel chain said that special equipment is required to access the information contained on the disks. They were not aware if there had been any misuse of the missing information and offered free credit monitoring services to affected parties.
January 2006, Providence Home Services: Ten disks containing unencrypted names, addresses, medical records, and in some cases, financial information for 365,000 Providence Home Services customers were stolen from an employee’s personal automobile on Dec. 31, 2005. A significant number of the records also contained Social Security numbers. The Pacific Northwest-based healthcare provider said that the employee had taken the disks home “as part of a backup process intended to guarantee access to critical information in case of an emergency at our primary offices.” The company waited nearly a month before contacting at-risk customers saying that it needed the extended period of time to identify what information had been stolen.
January 2006, The Boston Globe & The Worcester Telegram & Gazette: As many as 240,000 subscribers to The Boston Globe and its sister publication The Worcester Telegram & Gazette were potentially exposed to identity theft after documents containing bank routing numbers, credit card information and debit card numbers were used to wrap bundles of newspapers. The bundles were distributed to thousands of local retailers in the Boston area in late January 2006. The information was mistakenly released after print-outs containing the sensitive information were recycled to bundle the newspapers instead of being properly shredded. Publisher Richard H. Gilman apologized for the mistake and set up a hotline for subscribers to call to learn if their personal financial data was accidentally released. So far, there have been no reports of identity theft resulting from the release of the information.
March 2006, Los Angeles County Department of Social Services: An investigation by KNBC-TV, the NBC station in Los Angeles, revealed that boxes upon boxes of personal information including social security numbers, W-2 forms and medical records were left unattended in a southland parking garage for months by the Los Angeles County Department of Social Services. The documents were ordered to be shredded by an outside contractor, but ended up sitting outside an unlocked dumpster in the department’s parking structure. The director of the department, Bryce Yokomizo, said that there was no way to track whose documents were included in the boxes and admitted that he did not know how many records had gone missing. Yokomizo said that there would be no way to contact all of the potential victims, but told KNBC-TV that to prevent further incidents, a chain-link fence would be constructed around the dumpster area.
March 2006, Hamilton County Clerk of Courts (OH): Federal prosecutors discovered that identity thieves who allegedly stole $500,000 over four years obtained Social Security numbers needed to commit the thefts from a Hamilton County website. According to an investigation by The Cincinnati Enquirer, the website contained thousands of government documents including tax returns and parking citations which contained personal identifying information such as addresses and Social Security numbers. In 2004, the newspaper reported that the county clerk’s website was under scrutiny for posting the private information. The county clerk’s office said that they were public documents, and no laws prevented them from posting the information online. The office has changed its policy, and removed the private identifying information from its website, which according to the County Clerk, gets 60 million hits a year.
March 2006, Fidelity Investments (Boston, MA): The largest mutual fund manager in the country said that a laptop containing the personal information including names, addresses, birth dates, Social Security numbers for close to 196,000 Hewlett Packard retirement account customers was stolen in March 2006. Fidelity Investments, the provider of HP’s 401(k) and pension plans said that they regretted any inconveniences caused by the theft and said that they would be providing free credit monitoring services to affected individuals. Additionally, the Boston-based investment firm said that it would reimburse account holders if any unauthorized transactions were made as a result of the stolen laptop. The incident provides a troubling example of how highly sensitive information increasingly can be found on employee laptops.
March 2006, Georgia Technology Authority: A hacker used “sophisticated hacking tools” to break into a Georgia Technology Authority database in March 2006 prompting GTA officials to send out 180,000 written notices to Georgia pension plan recipients. The state does not have contact information for the remaining 373,000 people affected by the breach and is hoping to alert them through media and other outreach. The hacker accessed the main server which contained names, Social Security numbers and bank account information for pension recipients sometime between Feb. 21 and Feb 23. The Georgia Bureau of Investigation is looking into the breach, and the authority has brought in outside security experts to identify vulnerabilities in its infrastructure. This breach follows an incident in 2005 in which an employee downloaded confidential information on 450,000 members of the state’s health plan on a home computer.
April 2006, University of Texas, McCombs School of Business:
197,000 current, prospective, alumni and faculty of the McCombs School of Business at University of Texas were alerted in late April that a hacker had accessed their private information from databases maintained by the school. UT President William Powers Jr. encouraged everyone in the business school to guard against identity theft by keeping a watchful eye on their credit files and taking action against any illegitimate transactions. Powers said that names, biographical information, some Social Security numbers and birthdays were accessed by the hacker. University officials believed that the source of the breach was a computer in the Far East.
April 2006, Ohio University: Hackers breached an Ohio University computer server and had access to the personal information of 137,000 people for a year or longer, said a senior university administrator. This, and four other data breaches at the University, left close to 300,000 alumni, patients of the school’s health center, and employees vulnerable to identity theft. An FBI and university investigation indicated that names, birth dates, Social Security numbers, intellectual property files and medical information had been accessed by domestic and international hackers. The school responded by sending e-mail notifications to students and other individuals and encouraged potential identity theft victims to monitor their credit records.
April 2006, Ohio’s Secretary of State: CD-ROMs containing the private information of “potentially millions of registered voters” in Ohio were erroneously sent out by the Secretary of State’s office to 20 political campaign operations in April 2006. The CDs contained Social Security numbers for many of Ohio’s 7.7 million voters whose records were contained on the CDs. A spokesman for the Secretary of State J. Kenneth Blackwell said that the problem was brought to light after one of the campaign offices alerted the Secretary of State’s office to the sensitive information on the discs. The CDs were subsequently recalled, and replaced with discs which did not contain the social security numbers.
May 2006, American Institute of Certified Public Accountants:
In May 2006, the American Institute of Certified Public Accountants (AICPA) reported that a damaged hard drive containing unencrypted personal information on 330,000 individuals such as names, addresses and Social Security numbers failed to return from a data-recovery service. AICPA said that the repaired hard drive was sent out by the service via FedEx, but the institute never received the package by its anticipated delivery date. A spokesman for FedEx said that his company was conducting an investigation into the missing package. AICPA offered a free year-long credit monitoring service to its members whose information was potentially compromised, and said that the missing information didn’t appear to have been misused. The institute also decided to delete all Social Security numbers from its member database.
May 2006, U.S. Department of Veteran Affairs: In May 2006, the Veterans Affairs Department reported that a laptop and hard drive containing sensitive information for about 26.5 million veterans had been stolen from a staff analyst’s home. The stolen equipment contained unencrypted names, social security numbers, birthdates and health information. The VA staffer had been authorized by the administration to take the laptop and personal information to work from home. This revelation created a firestorm of scrutiny for the VA, who had been previously under fire for lax security practices dating back to 1997. In response to the theft, Veterans Affairs Secretary R. James Nicholson announced that the VA would be providing complimentary credit monitoring to veterans and encouraged them to review their credit report to identify signs of identity theft. In June 2006, both the laptop and hard drive were recovered by authorities. An FBI computer forensic search showed that none of the information had been accessed. To date, no cases of identity theft have been reported stemming from the VA personal data breach, but the incident has underscored the need for tighter data security practices at government agencies.
May 2006, American Red Cross (St. Louis, MO): Sensitive information including names, Social Security numbers and dates of birth were stolen by a deceitful American Red Cross employee in the St. Louis region placing upwards of one million blood donors at risk of identity theft. The employee, who is now facing three counts of aggravated identity theft and one case of credit card fraud, opened credit cards using the stolen information of three donors. Authorities suspect that the employee, who worked as a telephone operator for five months, had access to a million names and Social Security numbers of blood donors. In a press release, the Red Cross notified the at-risk donors through writing and suggested that fraud alerts be placed on their credit records. To prevent further instances of theft and misuse by Red Cross employees, the blood center said that it would be restricting access to Social Security numbers and reminding staff that donors are not required to furnish their numbers.
May 2006, Texas Guaranteed Student Loan Corporation: Texas Guaranteed employees worked through the Memorial Day weekend identifying the 1.3 million borrowers whose names and social security numbers were lost by a contractor building the company’s document management system. The contractor, Toronto-based Hummingbird Ltd., said that it was searching for the unidentified piece of equipment that contained the private information, which was unencrypted. Company president and chief executive Barry Litwin said that the information was password protected and that it was unlikely that someone would maliciously use the information. Despite this, Texas Guaranteed notified the 1.3 million borrowers by mail soon after identifying the borrowers who were at risk.
June 2006, Ernst & Young: Approximately a quarter million hotels.com customers are at heightened risk of identity theft after a thief stole a laptop from the trunk of a car belonging to the online hotel specialist’s auditor, Ernst & Young. The laptop was unencrypted and contained the names and credit card numbers for 243,000 customers who booked with the website from 2002 to 2004. A spokesman for the accounting firm said that the computer was password protected and that there was no proof that the information had been accessed or misused. He added that the company has taken precautions to prevent additional thefts by encrypting other laptops. Both hotels.com and Ernst & Young said that it would provide free credit monitoring services to affected customers for a year.
June 2006, Denver Election Commission: Denver elections officials are still looking for a filing cabinet containing microfilm with personal information for 60,000 voters. The cabinet went missing after the Denver Election Commission moved into a new building. Movers hired by the commission noticed the file cabinet in the old building, but when they returned the next day ready to transport it to the new facility, it had disappeared. Executive director John Gaydeski vowed to “search every square inch of that building” until the cabinet was found, but so far it hasn’t yielded any results. City officials have contacted the voters whose information was lost and suggested that fraud alerts be placed on their credit accounts. The missing records included such sensitive information as names, Social Security numbers, birth dates, signatures and addresses. A week earlier, election officials recovered 87,000 microfilm files in a plastic box at the Commission’s old offices after they were reportedly lost in February.
June 2006, American Insurance Group (AIG): A laptop computer and file server containing personal information on close to a million people was stolen from an American Insurance Group (AIG) office in the Midwest during an apparent burglary. A computer server containing the sensitive information was taken along with other electronic devices in the office. The lost records included names, Social Security numbers and in some cases, medical records on an estimated 970,000 people. The insurance giant waited 2 ½ months after the burglary before notifying customers of the theft, but a spokesman for the insurance group said that there was no indication that the lost records were being used for illicit purposes.
June 2006, Western Illinois University: 180,000 students and alumni of Western Illinois University in Macomb, Ill were notified two weeks after a hacker accessed the school’s computer database system which stores personal information such as Social Security numbers, addresses and in some cases credit card information. School officials said that anyone who took a class at the university since 1983 should take “prudent steps” to protect themselves from identity theft. Mitch Davidson, executive director of University Computer Support Services, said that the University is proactively taking steps to prevent future breaches and says that a preliminary investigation shows that no information was copied from the school’s computers. The university said it waited three weeks before notifying potential victims because it was trying to fix the breach caused by the hacker.
June 2006, Nebraska Treasurer’s Office: In June 2006, a hacker accessed the computer server of the Nebraska Treasurer’s Office and may have obtained Social Security numbers and other sensitive information for 300,000 participants in a state child support payment program. Another 9,000 state employees were notified that their personal records may also have been breached by the hacker, who reportedly launched a virus into the state’s computer server. Ross said that the virus was immediately removed and that computer security would be bolstered to prevent future unauthorized intrusions. Nebraska authorities are performing a computer forensic investigation in hopes of capturing the computer hacker.
July 2006, Nelnet Inc. (Student Loans, Colorado area): Approximately 188,000 Colorado college students who took out loans with Lincoln, Nebraska based Nelnet Inc, a student loan company, are at heightened risk of identity theft after a computer tape containing Social Security numbers and account information disappeared while being delivered by United Parcel Service. UPS notified Nelnet about its missing package in mid-July 2006, after the shipping service failed to locate the package. Nelnet says that in the future, it will store sensitive information on encrypted electronic transmissions, rather than highly accessible computer tape.
August 2006, US Dept. of Transportation (Miami, FL): A thief swiped a US Dept. of Transportation laptop containing driving records, names, dates of birth and Social Security numbers from a government vehicle in late July 2006, placing nearly 132,470 Florida residents at increased risk of identity theft. Federal officials waited more than a week before warning the potential victims, which include 80,000 Miami-Dade commercial license holders, 42,800 licensed pilots in Florida, and 9,500 Tampa area motorists. The department’s inspector general said that the computer was password protected and posted a $10,000 reward for the recovery of the stolen laptop. The department is currently in the process of notifying all 132,470 victims of the theft.
Please Note: This is only a sampling of the data security breaches that have occurred since February of 2005. Dates listed are the dates when media reports about the data security breach first appeared and not necessarily when the breach took place. For a full listing of data security breaches, please go to:
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Updated: 10/3/06