How many victims? 18,000.

What type of personal information? Names and Social Security numbers, insurance group policy number, and OSU ID number (which, at that time, had the same digits as the student’s Social Security Number). The information did not include any health information, credit card numbers or phone numbers.

What was the response? A website was created to provide information about the breach. The university is informing affected individuals with a letter and making free identity protection available for 12 months to those whose data was exposed.

Details: The file involved current and former Ohio State University students who were enrolled in the university-sponsored Student Health Insurance Plan during the 2005-2006 academic year (Autumn 2005 through Summer 2006).

Security precautions were written into the contracts with insurance company and the vendor who printed the cards, but those security provisions were not followed.

Source: http://www.studentlife.osu.edu/dataexposure/, The Ohio State University Office of Student Life: Data Exposure.

How many victims? About 16,000.

What type of personal information? Not specified.

What was the response? FEMA is conducting an internal investigation about how the information got online. The individuals are being contacted by phone and mail and will receive 18 months of a security monitoring service.

Details: FEMA became aware of the breach Dec. 16. Most of the information posted online was properly released to state agencies that sought the data after Katrina, according to FEMA spokesman Terry Monrad. Monrad declined to identify which Web sites posted the information, which he says
has been removed at FEMA’s request.

Source: Chron.com, Houston Chronicle, Associated Press, “FEMA Investigates Katrina Breach,” Dec. 23, 2008.

How many victims? 16,000.

What type of personal information? Names, addresses, driver’s license numbers and financial account numbers.

What was the response? A letter was sent to affected individuals and the company is providing its customers a free year of a credit monitoring service. Police were informed and an investigation is underway.

Details: The theft occurred at the Plute Homes’ Las Vegas office. The company noticed shortly after it occurred but it took a month for Pulte’s information systems team to identify the customers who were potentially affected.

Quote: “We proactively informed anyone who can be potentially affected,” Pulte spokeswoman Jacque Petroulakis said. “We definitely pride ourselves in having a safe environment for our customers.”

Source: Lasvegassun.com, Las Vegas Sun, “Identities of 16,000 Pulte Homes customers compromised,” Dec. 25, 2008.

How many victims? 22,000 students, community users and employees.

What types of personal information? Social Security numbers.

What happened? The intrusion, which occurred during the Thanksgiving break, was apparently orchestrated to pilfer additional storage space for the hackers - not to steal personal information. The college’s security systems detected the breach, thanks to a virus alert, and immediately shut down server access.

What was the response? Victims were notified by letter, which contained information of how to register for credit monitoring.

Source: chroniclet.com, The Chronicle-Telegram (Ohio), “Hackers strike LCCC system,” Dec. 24, 2008.

How many victims? 9,300 people enrolled in prescription drug program Medicare Part D.

What type of personal information? Names, addresses, Social Security numbers.

What happened? The state agency errantly included the attachment in Dec. 1 emails to health care providers, such as nursing homes, home care providers and case managers. The emails were intended to update these 61 providers on changes to Medicare Part D, a prescription drug plan for the elderly and disabled.

What was the response? The department, which set up a hot-line to answer calls, encouraged victims to monitor their credit report. Also, officials have asked the email recipients to delete it.

Details: There is no evidence any of the data has been misused.

Source: concordmonitor.com, Concord (N.H) Monitor, “Medicare data accidentally breached,” Dec. 18, 2008.

How many victims? Unspecified.

What type of personal information? Information used to process the institution’s payroll, including included names, Social Security numbers, direct deposit routing and bank account information.

Details: The situation was detected on Dec. 11 when a payroll employee received a notification of a virus alert while attempting to access data. There is evidence that the virus has been on the workstation since April 2008.

What was the response? Notification was sent to UNCG’s faculty, staff and student employees, UNCG technicians took the workstation offline to clean it, a website and phone number were created for employees. The university is notifying credit reporting agencies, and also notified the Consumer Protection Division of the North Carolina Attorney General’s office.

Quote: “This is a very, very serious matter, and the university is taking all the necessary steps to assure the security of our employees’ personal and business information,” said Vice Chancellor for Business Affairs Reade Taylor.

Source: UNCG.edu, UNCG: University News, “UNCG Discovers Security Breach; Employees Being Notified,” Dec. 15, 2008.

How many victims? 250,000.

What type of personal information? Names and Social Security numbers.

What was the response? The agency is sending notifications to people on the list and plans set up a web site where people can check to see if their information was put online. The agency launched an internal investigation and notified major search engines to remove the site from their cached files.

Details: The names and information were online for 19 days and removed in late October after the state Department of Revenue discovered the breach during “routine work.”

Quote: “Certainly there is no web site that is 100 percent secure. But we take very seriously protecting the public’s privacy,” Agency Director, Monesia Brown said in a statement.

Source: OrlandoSentinel.com, Orlando Sentinel, “State agency put Social Security numbers of 250,000 job seekers online,” Dec. 3, 2008.

How many victims? 6,000.

What type of personal information? Names, Social Security numbers and health data.

What happened? The laptop went missing Oct. 4 by an employee who was en route to a temporary duty assignment. The employee apparently lost the machine, which was contained in a backpack, while at a train station in Nuremberg.

What was the response? Victims weren’t notified until Nov. 24. Army officials blamed the delay on bureaucracy, privacy concerns and the time required to gather accurate information.

Details: Officials said the laptop was protected by encryption and access controls.

Source: Stripes.com, Stars and Stripes, “Army waited to tell of possible security breach,” Dec. 2, 2008.

How many victims? 1,367.

What type of personal information? Names and Social Security numbers.

Details: The laptops were reported stolen from the state office building in Baltimore on Nov. 12.

What was the response? Officials are trying to notify the affected individuals; a web site, phone number and email address were created for individuals who are concerned that their information might have been on one of the stolen computers.

Source: Baltimoresun.com, “Stolen laptops held data of 1,300 state employees,” Nov. 22, 2008.

How many victims? 59,000.

What type of personal information? Names, addresses and Social Security numbers.

Details: Investigators were allegedly able to trace the hacker’s IP address to Molly Burns, of Glendale, Ariz.

The 30-year-old has a five-page long arrest record that includes theft, forgery and drug charges. Police confiscated a number of computers from her apartment during a heroin raid this summer.

Burns is currently on the run and Warren County authorities said that three different police departments in Arizona are also looking for her.

What was the response? The case is expected to be handed over to the FBI soon. The company sent letters to all the former employees letting them know what happened.

Quote: “Basically, we have potential victims in all 50 states,” Warren County Cyber Crimes Task Force Lt. Jeff Braley said.

Source: WLWT.com, WLWT Cincinnati’s Channel 5, “Thousands At Risk After Hacker Breaches Computer Mainframe,” Nov. 24, 2008.