A file containing the personal information of Ohio State University students was posted to the internet by the employee of a third party vendor that prints OSU Insurance ID cards.

How many victims? 18,000.

What type of personal information? Names and Social Security numbers, insurance group policy number, and OSU ID number (which, at that time, had the same digits as the student’s Social Security Number). The information did not include any health information, credit card numbers or phone numbers.

What was the response? A website was created to provide information about the breach. The university is informing affected individuals with a letter and making free identity protection available for 12 months to those whose data was exposed.

Details: The file involved current and former Ohio State University students who were enrolled in the university-sponsored Student Health Insurance Plan during the 2005-2006 academic year (Autumn 2005 through Summer 2006).

Security precautions were written into the contracts with insurance company and the vendor who printed the cards, but those security provisions were not followed.

Source: http://www.studentlife.osu.edu/dataexposure/, The Ohio State University Office of Student Life: Data Exposure.

The personal information of Hurricane Katrina evacuees from Louisiana, Mississippi and Alabama was posted online. All sought assistance from the Federal Emergency Management Agency (FEMA) after Katrina hit the Gulf coast in August 2005.

How many victims? About 16,000.

What type of personal information? Not specified.

What was the response? FEMA is conducting an internal investigation about how the information got online. The individuals are being contacted by phone and mail and will receive 18 months of a security monitoring service.

Details: FEMA became aware of the breach Dec. 16. Most of the information posted online was properly released to state agencies that sought the data after Katrina, according to FEMA spokesman Terry Monrad. Monrad declined to identify which Web sites posted the information, which he says
has been removed at FEMA’s request.

Source: Chron.com, Houston Chronicle, Associated Press, “FEMA Investigates Katrina Breach,” Dec. 23, 2008.

Computer backup tapes containing customer and employee information were stolen from home development company, Plute Homes on Nov. 13.

How many victims? 16,000.

What type of personal information? Names, addresses, driver’s license numbers and financial account numbers.

What was the response? A letter was sent to affected individuals and the company is providing its customers a free year of a credit monitoring service. Police were informed and an investigation is underway.

Details: The theft occurred at the Plute Homes’ Las Vegas office. The company noticed shortly after it occurred but it took a month for Pulte’s information systems team to identify the customers who were potentially affected.

Quote: “We proactively informed anyone who can be potentially affected,” Pulte spokeswoman Jacque Petroulakis said. “We definitely pride ourselves in having a safe environment for our customers.”

Source: Lasvegassun.com, Las Vegas Sun, “Identities of 16,000 Pulte Homes customers compromised,” Dec. 25, 2008.

A virus on a University of North Carolina at Greensboro computer may have allowed an unauthorized person access to personal information of university employees.

How many victims? Unspecified.

What type of personal information? Information used to process the institution’s payroll, including included names, Social Security numbers, direct deposit routing and bank account information.

Details: The situation was detected on Dec. 11 when a payroll employee received a notification of a virus alert while attempting to access data. There is evidence that the virus has been on the workstation since April 2008.

What was the response? Notification was sent to UNCG’s faculty, staff and student employees, UNCG technicians took the workstation offline to clean it, a website and phone number were created for employees. The university is notifying credit reporting agencies, and also notified the Consumer Protection Division of the North Carolina Attorney General’s office.

Quote: “This is a very, very serious matter, and the university is taking all the necessary steps to assure the security of our employees’ personal and business information,” said Vice Chancellor for Business Affairs Reade Taylor.

Source: UNCG.edu, UNCG: University News, “UNCG Discovers Security Breach; Employees Being Notified,” Dec. 15, 2008.

The Florida State Agency for Workforce Innovation accidentally posted the personal information about job-seekers on a test server that could be accessed online.

How many victims? 250,000.

What type of personal information? Names and Social Security numbers.

What was the response? The agency is sending notifications to people on the list and plans set up a web site where people can check to see if their information was put online. The agency launched an internal investigation and notified major search engines to remove the site from their cached files.

Details: The names and information were online for 19 days and removed in late October after the state Department of Revenue discovered the breach during “routine work.”

Quote: “Certainly there is no web site that is 100 percent secure. But we take very seriously protecting the public’s privacy,” Agency Director, Monesia Brown said in a statement.

Source: OrlandoSentinel.com, Orlando Sentinel, “State agency put Social Security numbers of 250,000 job seekers online,” Dec. 3, 2008.

Two laptops stolen from the Maryland Department of the Environment contained the personal information of employees who worked at the agency from January 2000 through October 2006.

How many victims? 1,367.

What type of personal information? Names and Social Security numbers.

Details: The laptops were reported stolen from the state office building in Baltimore on Nov. 12.

What was the response? Officials are trying to notify the affected individuals; a web site, phone number and email address were created for individuals who are concerned that their information might have been on one of the stolen computers.

Source: Baltimoresun.com, “Stolen laptops held data of 1,300 state employees,” Nov. 22, 2008.

A hacker accessed the Luxottica Retail computer mainframe and downloaded the personal data of thousands of former employees.

How many victims? 59,000.

What type of personal information? Names, addresses and Social Security numbers.

Details: Investigators were allegedly able to trace the hacker’s IP address to Molly Burns, of Glendale, Ariz.

The 30-year-old has a five-page long arrest record that includes theft, forgery and drug charges. Police confiscated a number of computers from her apartment during a heroin raid this summer.

Burns is currently on the run and Warren County authorities said that three different police departments in Arizona are also looking for her.

What was the response? The case is expected to be handed over to the FBI soon. The company sent letters to all the former employees letting them know what happened.

Quote: “Basically, we have potential victims in all 50 states,” Warren County Cyber Crimes Task Force Lt. Jeff Braley said.

Source: WLWT.com, WLWT Cincinnati’s Channel 5, “Thousands At Risk After Hacker Breaches Computer Mainframe,” Nov. 24, 2008.

A stolen laptop contained personal information of nearly half of Starbucks’ workforce.

How many victims? 97,000.

What type of personal information? Names, addresses and Social Security numbers.

What was the response? A letter was sent out to affected individuals and Starbucks is providing them with a year of credit watch service for free.

Details: The laptop was stolen on Oct. 29 at an unspecified location.

Two years ago, the personal information of more than 60,000 employees and contractors were compromised when four computers disappeared. At the time, the company said it was implementing a policy that forbids putting critical data such as social security numbers on mobile equipment.

Quote: “This is very frustrating! I try so hard to watch who I give my personal information to and the company I work for doesn’t seem to have any security guarding my information,” one commenter wrote.

Source: Komonews.com, KOMO News, Seattle., “Stolen laptop puts Starbucks workers’ IDs at risk,” Nov. 24, 2008.

An unauthorized intruder accessed a University of Florida College of Dentistry computer server containing personal information of current and former dental patients.

How many victims? 344,000

What type of personal information? Names, addresses, birth dates, Social Security numbers and dental procedure information for patients dating back to 1990.

What was the response? FBI and University Police officers are investigating the security breach. After it was discovered, the server was disconnected from the Internet to cut off the intruder’s access. Letters were mailed to 336,234 breach victims; the university is trying to locate the mailing addresses for nearly 8,250 others. A hotline was established for patient inquiries. UF officials are in the process of screening up to 60,000 more computers to ensure appropriate safeguards are in place.

Details: The server was being upgraded when staff found software had been remotely installed on it.

Source: Ocala.com, Star-Banner, “Hacker accesses 344,000 UF dental patient records,” Nov. 12, 2008.

A student found a document on the school’s website that contained names and social security numbers of admissions applicants from 2005.

How many victims? 1,430

What type of personal information? Names and Social Security numbers.

What happened? Through an Internet search on the university’s Web site, a student found the document, which contained her own name and social security number, and reported it to the university.

Details: The document was contained in the archives of a school computer server.  The server itself was purged of sensitive data, but the archives were not.  This was the fourth data breach at the university in two years. A hacker accessed a university server in September and may have had access to a document with students’ Social Security numbers. A university flash drive was misplaced in June 2007 that may have contained 8,000 current and former students’ Social Security numbers and a class roster was misplaced that July that included 49 students’ Social Security numbers.

What was the response? Officials temporarily shut down the site and removed the document; letters to all affected individuals were mailed informing them about the breach. A university official said they will look into hiring outside technology experts to determine what can be done to prevent breaches. The employee responsible for scanning the schools server archives for sensitive data will be reprimanded but not terminated.

Quote: “This is an ongoing problem that all campuses face, with old data on computers with millions of files and it is difficult to make sure that they are all deleted,” said Jody Nelsen, the university’s executive vice president of finance and administration. “It is disappointing that it has happened again and we are going to be very aggressive to alleviate this problem.”

Source: Caller.com, Corpus Christi Caller-Times, “A&M-CC student data exposed,” Nov. 7, 2008.