Sign up now to get free exclusive access to reports, research and invitation only events.
We list the worst data breach incidents recorded by ITRC
The Identity Theft Resource Center, which tracks disclosed data breaches, has recorded 301 for the first half of 2013, with about 6.4 million personal records related to medical, Social Security numbers, payment card and other information exposed. As we did for the first three months of this year, we now list the worst data breach incidents recorded by ITRC for Q2.
In April, Schnuck Markets said a hacker managed to break in and access the credit card numbers and expiration dates of more than 2 million customers in the St. Louis area, though not their names and addresses in cyberattacks that stretched between Decembe 2012 to March 29. The company CEO, Scott Schnuck, apologized.
In June, Facebook disclosed an estimated 6 million Facebook users had e-mail addresses or telephone numbers shared with others due to a software bug in the “Download Your Information” found by a security researcher and reported to Facebook, which fixed it
In May, Washington state’s Administrative Office of the Courts said it discovered hackers had gotten into its servers and obtained copies of up to 160,000 Social Security numbers and 1 million driver’s license numbers. Officials estimated Washington’s court administrator Callie Dietz apologized, adding “we have taken immediate action to enhance the security of these sites.”
Altamonte Springs, Fla., Adventist Health System/Sunbelt was hit by a class-action lawsuit for allegedly failing to protect the health database information of more than 763,000 patients after a former emergency room employee at its hospital in Celebration, Fla., was found selling patient data in a scheme that ran from 2009 to 2011. This year Dale Munroe II pled guilty to selling information on car-accident patients to a co-conspirator who used it to solicit legal and chiropractor services; Munroe was sentenced to serve a year in jail.
RentPath, formerly Primedia, disclosed in May that an independent contractor with access to Primedia’s network operations was found to have stolen hardware that had information on about 56,000 employees, former employees, and job applicants.
The University of Florida in Gainesville had to twice warn about the possibility of identity theft, first in April when it warned 14,339 patients that an employee working at a university medical practice had ties to an identity-theft ring, and a second time in May when it warned 5,682 patients and parents of patients at a pediatric health clinic. Separately, Florida State University admitted in June that personal information on 47,000 Florida teachers was exposed for two weeks on the Internet during a data transfer.
In May, Oklahoma City-based wireless companies TerraCom and YourTel America accused media company Scripps Howard and Scripps Howards News Service journalists of somehow accessing records on about 150,000 prospective customers illegally from a third-party vendor as part of the Scripps investigative report “Privacy on the Line,” but Scripps denied the charges. TerraCom and YourTel have acknowledged a data breach.
Hackers focused last spring on breaking into the Vendini ticketing system in use by various organizations in order to steal customer financial data, acknowledged by Vendini in April. The Maine Attorney General issued a warning that 22,900 Mainers had been hit and an estimated 33,000 customers of the University of Michigan’s Union Ticket Office were, too, in a hacking incident a university spokesman said involved “many ticketing outlets across the U.S. and Canada.”
The Idaho State University agreed to pay $400,000 to the U.S. Department of Health & Human Services to settle alleged violations of the HIPAA security rule because of a data breach of information on about 17,500 patients at a medical clinic due to a disabling of firewall protections at servers maintained by ISU.
In May, the city of Akron, Ohio, said the city’s website and internal systems were hacked, probably by a suspected Turkish hacker group that stole tax-related information, including Social Security and credit-cards, on up to 30,000 citizens. The hackers also left hundreds of “tips” on the police tips page.
In May, Piedmont HealthCare in North Carolina said information, including Social Security numbers, on 10,000 job applicants was stolen due to a hacker and at the same time, Presbyterian Anesthesia Associates there disclosed a hacker apparently exploited a vulnerability flaw in its website to gain access to a database of information on about 10,000 patients who had their credit-card information stolen.
In May, Bon Secours Mary Immaculate Hospital in Newport News, Va., said it terminated the employment of two certified nursing assistants for improper use of its electronic medical records, which potentially compromised the records of 5,000 patients. The hospital, which contacted law enforcement to conduct an investigation to determine if any patient information may have been use illegally, also notified patients about the data breach.