A spreadsheet containing personal information of people charged with minor drug and alcohol offenses in Indianapolis in 2006 and 2007 was posted to the city’s website for 11 days.

How many victims? 3,300.

What type of personal information? Names, Social Security numbers and dates of birth.

What happened? The spreadsheet was posted late September until Oct. 9. The breach was the result of a human error, according to Kevin Ortell, interim chief information officer for the city of Indianapolis.

What was the response? The spreadsheet was taken offline; the city’s website was also taken down and replaced with an older version of the site. Notification letters were sent to affected individuals, along with information about identity theft. The city also notified law enforcement and set up a hotline to answer questions.

Quote: “ISA took aggressive action to correct the problem, to notify the affected individuals and to prevent this type of disclosure from happening again,” Ortell said in a news release.

Source: Indystar.com, The Indianapolis Star, Ind., “Personal data put on city Web site”, Oct. 16, 2008.

Global IT hosting provider, The Planet recently experienced a data breach of customer’s log-in credentials.

How many victims? Up to 2,000 customers potentially affected.

What type of personal information? Customer portal log-in names and passwords.

What happened? The breach is believed to be the result of a compromised employee account, according to Will Charnock, vice president of technology at The Planet.

What was the response? A notification email was sent to all customers. Those affected were advised to immediately change their password for Orbit (The Planet’s customer portal), and be alert for suspicious activity on accounts.

Measures were taken to improve the security of the website.

Quote: “We have identified the methods by which the systems were compromised and have closed those holes,” a statement sent to victims read. “In addition to those actions, we will be implementing additional security measures to further strengthen the infrastructure and systems.”

Details: Two user accounts were definitely affected and no credit card information is believed to have been compromised.

Source: WHIR news, Web Hosting Industry Review, “The Planet Warns of Security Breach”, Oct. 17, 2008.

A laptop containing personal information of West Virginia state employees was stolen out of a parked car in Charleston, W.V.

How many victims? 535 total; 425 employees with the West Virginia Insurance Commission, and 110 employees in the state Bureau of Medical Services and Child Support Enforcement Division of the state Department of Health and Human Resources.

What type of personal information? Social Security numbers, payroll and benefits information, full names or first names.

What was the response? An independent audit of the laptop was conducted and notification letters are being sent out.

Details: The information on the computer was password protected.  Officials said it was probably a crime of opportunity since the laptop was easily visible and the thief likely was not targeting the laptop for the personal data.

Quote: “We take any breach of security very seriously and place priority in protecting all confidential data maintained by state government or any contractor which we utilize,” - Diane Holley, administration spokeswoman.

Source: The Charleston Gazette, The Charleston (W.V.) Gazette, “Stolen Laptop Had West Virginia State Workers’ Information”, Oct. 07, 2008.

Records containing personal information of Southwest Mississippi Community College students and former students were leaked over the internet after a crashed server was brought back online.

How many victims? More than 7,000.

What type of personal information? Names, Social Security numbers, addresses, genders, races and grade point averages.

What was the response? Officials said the junior college hired a firm to help determine the extent of the breach and notify affected students by mail. The college is making a resource center available to students.

Details: Officials say the problem was corrected within a few hours.

Source: SunHerald.com, Biloxi Sun Herald, USA, “Students’ records leaked on Internet,” Oct. 15, 2008.

The confidential data of University of North Dakota (UND) alumni and donors is at risk for theft after a laptop was stolen from the vehicle of a third-party software provider employee.

How many victims? More than 84,000.

What type of personal information? Social Security numbers, among other data, belonging to people involved with the North Dakota Alumni Association and the UND Foundation.

Wha was the response? The association and foundation are notifying affected individuals, and the unnamed software vendor is providing free credit monitoring to victims.

Details: Officials said they do not believe any of the data has been misused. The college plans to better scrutinize vendor security protocols.

Quote: “Despite following state-of-the-art technology procedures on our end, we deeply regret this issue has occurred with our vendor.” - UND Alumni Association and UND Foundation Executive Vice President and CEO Tim O’Keefe

Source: StarTribune.com, Minneapolis-St. Paul Star Tribune, “UND Alumni Association laptop swiped, along with vital ID of thousands,” Oct. 8, 2008.

The personal information of 1,700 brokers was sent in an email by Blue Cross & Blue Shield of Louisiana.

What type of personal information? Social Security numbers, phone numbers and addresses.

What was the response? The company is offering free credit monitoring to the affected brokers for 12 months and has taken steps with its technology systems to assure such an error does not occur again.

Details: The brokers who received the e-mail were the same people whose information was exposed. The spokesman said no customer data was involved.

Source: businessinsurance.com, Business Insurance, “Louisiana Blue Cross confirms data breach,” Sept. 30.

Intruders accessed the confidential data of 11,000 students, faculty and staff at the University of Indianapolis.

What type of personal information? Social Security numbers, among other information.

What happened? The breach was discovered Sept. 18, 10 days after the attack. The hackers compromised information that was at least two years old, when the university was still collecting Social Security numbers as identifiers.

What was the response? Victims were notified by email or standard mail and will be offered one year of free credit monitoring.

Details: The hack appears to have originated outside the United States as investigators discovered foreign language embedded in the programming code.

Quote: “Our investigation leaves no doubt that this was a professional job by hackers from outside, and it was well beyond our control.” - University President Beverley Pitts.

Source: chicagotribune.com, Associated Press, “Hacker compromises data on 11,000 at U. of Indy,” Sept. 30.