Data breaches continue to be reported at alarming rates even though there is evidence that a lot of corporations fail to report as required in 37 States. To date there have been 524 data breaches affecting over 30 Million Americans. This is a sharp increase from the 424 breaches reported in 2007. It is important to note that identity theft can occur from any breach regardless of size. The reverse is also true in that a massive data breach may not lead to any cases of identity theft. The following is a sample, both large and small, of breaches reported in September. If your data was compromised in any of these it is important to read the details to determine if you need additional ID theft protection.
St. Paul’s Surgery
A robbery that involved St. Paul’s Surgery in Winchester was the reason for over 15,000 patients’ information being stolen mid-September.
The personal information of patients registered at St. Paul’s Surgery was stored on a computer back-up tapes. These tapes were stored in a locked safe that was in a locked room, but the burglars broke through a rear door and set off the alarm.
The tapes are password protected, as well as they require specialized computer equipment to read. The hope is that none of the information is at risk, but managers did send letters to those whose personal details were stored on the stolen computer back-up tapes.
Ex-Employee Copies Data of Lottery Winners in Austin, Texas
A previous computer analyst for the Texas Lottery Commission was arrested for copying data of over 27,000 people who had won prizes from the Texas Lottery. This ex-employee copies the data and took them to his next job, exposing Social Security numbers and some bank account and routing numbers of numerous employees and lottery retailers.
The month-long investigation led to the arrest mid-September. The information has been recovered, and it is unknown if the data had been compromised. Lottery winners are requested to watch their bank accounts and credit reports for any malicious or suspicious charges or changes.
University of Pittsburgh
A laptop at the University of Pittsburgh that contained personal information of it’s College of Business Administration graduates was stolen in August of 2008. Information lost included names and Social Security numbers of graduates. It is unknown the number of students that are affected by this theft.
The laptop was last used by an employee to conduct surveys, and was stolen from Mervis Hall on campus on August 11th, 2008. The employee was violating a policy established by the university regarding storage of sensitive data. The information on the laptop was supposed to have been deleted and removed from the laptop.
It does not appear as though the information has been used, but the university did contact the graduates and notified them of the recent loss. At this time, the thief has not been identified.
GS Caltex
GS Caltex, one of the nation’s largest oil refineries, is responsible for the lost of information of over 11 million of it’s customers.
Two discs, a DVD and a CD-Rom, were found in a backstreet trash pile in a Seoul subway station by an office worker. These discs contained files in a “GS Caltex†folder that included names, address, phone numbers, email addresses, workplaces, and Social Security numbers of it’s customers. Immediately upon receiving the discs, GS Caltex compared the information with the data in their current systems, and found that the information is that collected for a discount card available by it’s company. This information does not include credit card or bank account information.
There has been no evidence of hacking, and so far, none of the information has been used inappropriately by any outside sources. It is believed that this information was taken by an employee of the company, and GS Caltex is doing everything it can to investigate this case.
National Offender Management Service
Staff of the UK justice system, the National Offender Management Service in England and Wales, may be forced to relocate their families due to a data breach that actually happened in the middle of 2007. Approximately 5,000 employees of the justice system were affected.
The data was lost by a company called EDS, and they were not notified of this loss of data until recently. This is extremely upsetting to authorities, considering the information is private and puts the employees, and their families, at risk.
Authorities will look into the information that was lost, as well as how it was lost and how this could affect those whose information was lost. Just weeks before, a computer memory stick with the information and personal details of thousands of criminals was lost as well. This missing information could affect many people and their safety.
This loss could cost taxpayers millions of pounds, as the cost of relocating and protecting the employees and their families could get expensive.
East Burke High School in Morganton, NC
East Burke High School, based in Morganton, North Carolina, recently discovered that for the past five years, their school website had staff member’s personal information available to those online.
Liberty Coalition, an organization that searches and notifies companies and organizations about data security leaks, found the file simply by using Yahoo’s search engine. In this file was information uploaded online in 2003, which included employee names, Social Security numbers, home addresses, unlisted phone numbers, job titles and email addresses. 163 people’s information was available online. They notified the school on August 27, 2008, and the school’s principal informed those affected two days later.
Although the file was immediately removed from the internet by school officials, Liberty Coalition’s spokesperson claims that it is impossible to guarantee that the file was not downloaded or archived by someone else and that the information was indeed entirely removed.
There are numerous ways that the school can assist those who were affected. Instead of filing Social Security numbers, they could replace them with employee numbers. Access to important files like these should be limited and password protected to be available to those who need to access it. The school had a meeting with those affected to discuss protecting their identity and to address the victims’ questions and concerns.
Clarkson University
Near the end of August, a student at Clarkson University in Potsdam, New York gained access to a drive that was meant to be password protected for authorized users only. This student notified the campus of the vulnerability of this drive, and authorities quickly took action. Over 200 employees, including former employees, had personal information on this drive, which included information such as names, social security numbers, date of birth, and records regarding their university credit cards.
The drive was only accessible on the Clarkson University network. It was accessible due to some work being done on the school servers which caused the access information to be set to default, allowing anyone on the campus network to view the files. Once the breach was discovered, authorities launched a full investigation to find out who had accessed the files during this time. The student appeared to be the only unauthorized person to access the drive, and it did not appear as though anyone else had access to the drive.
Reynoldsburg, Ohio School District
Information on the students of Reynoldsburg’s school district in Ohio was stored on a laptop that was stolen on August 23rd, 2008.
The school was recently switching their computerized system to eliminate the use of Social Security numbers. The computer technician that was contracted to do the work had left the laptop in his car while attending a wedding in Columbus, where it was stolen.
The technician had completed the work, but had not deleted the information from the laptop. It is not known if the thief was aware that this information was on the computer. The information included the Social Security numbers and names and addresses of over 4,000 current students.
Forever 21 Retail Store
Recently, the retail store Forever 21 found that some of their customer’s credit card information had been accessed by an outside source. The following nine shopping dates have been affected: March 25, 2004, March 26, 2004; June 23, 2004; July 2, 2004; July 3, 2004; August 4, 2007; August 5, 2007; August 13, 2007; and August 14, 2007. The main store location affected is that in Fresno, California, located at 567 E. Shaw Avenue.
Approximately 98,000 credit and debit card numbers are at risk, though over half of the numbers accessed are expired credit accounts. This information did not contain customer names or addresses.
Tennessee State University
Mid September, a missing flash drive containing Social Security numbers and financial information for over 9,000 students was reported. This information dates back to 2002.
Tennessee State University has sent out letters to those that could be affected, and the university is also offering credit protection to those students whose records were lost. As far as University officials recall, the information was not password protected or encrypted, but at this point, there have been no attempts to use the data.
The employee who misplaced the flash drive is on paid leave during the investigation.
Marshall University in Charleston, West Virginia
Near the end of August, university officials discovered that the information of nearly 200 students, which included social security numbers, was publicly available on the internet. The information was available through a student’s personal web page via a Microsoft Word document.
This breach is not considered a threat, but the university has taken the steps to notify those who may be affected by misuse of this information.
State Farm Insurance
The Surprise, Arizona State Farm branch run by agent Lisa Ro Grant is under investigation after one of her employees fraudulently used customer information to obtain new credit card accounts. Access to this information supplies customer social security numbers, driver’s license numbers, addresses and possible some financial account numbers.
The amount of information accessed and directly affected was not disclosed, but it could have affected those outside of the state of Arizona. Letters have been sent and free credit monitoring has been set up for those affected.
For a complete list of data breaches please visit http://datalossdb.org.
Summary
With 30 Million records already exposed and no end in sight it is clear that identity theft is going to continue at its torrid pace. Illegal internet sites that sell our personal information are popping up all the time and personal information from old data breaches such as the T-Mobile breach are appearing on these sites after being dormant for 2.5 years. This is why you should consider using an identity protection service to help protect your identity.