Perfect score for crooks? Princeton Review publishes test-taker personal data Thursday, 21 August 2008, 12:20 pm

Standardized exam preparatory company The Princeton Review errantly posted the personal information and test scores of more than 100,000 Florida and Virginia students on its website.

What type of personal information? Names, birth dates, ethnicities, test scores.

How many victims? One filed contained data on 34,000 public school students in Sarasota, Fla., where the school district was using The Princeton Review to measure student performance. Another exposed file contained the names and birth dates of 74,000 students in the Fairfax County, Va. school district, which had hired the company for a similar reason.

What happened? The company moved its website to a new internet provider in June, which may have caused password protection to be lost and the files to be publicly accessible, The Princeton Review said.

Details: The company is investigating how many people may have accessed the files.

Source:nytimes.com, The New York Times, “Student Files Are Exposed on Web Site,” Aug. 19.

Source: Breach Alerts |

Marketing services provider has server hacked Thursday, 21 August 2008, 11:57 am

Hackers broke into a computer server belonging to Norfolk, Va.-based Dominion Enterprises, possibly exposed the personal information of tens of thousands of people.

How many victims? 92,095 applicants who submitted credit applications to the InterActive Financial Marketing Group, a division of Dominion.

What type of personal information? Names, Social Security numbers, addresses and birth dates.

What happened? The company is remaining tight-lipped on specifics, only saying that the intrusion happened between November 2007 and February 2008.

What was the response? Dominion is notifying victims via letter and plans to offer them one year of free credit monitoring.

Quote: “We deeply regret this incident and apologize for the concern and inconvenience it has caused.” - Dominion President and CEO Conrad Hall

Source: Business Wire news release, MarketWatch.com, “Dominion Enterprises Discloses Data Breach in Business Division,” Aug. 18.

Source: Breach Alerts |

Cable TV company employees might be at risk after laptop thefts Friday, 15 August 2008, 4:20 pm

The confidential information of current and former employees of Charter Communications was being stored on laptops that were stolen.

How many victims? More than 9,000 employees nationwide.

What type of personal information? Names, Social Security numbers, birth dates and driver’s license numbers.

What happened?Several laptops were stolen last month from the cable provider’s Greenville, S.C. office.

What was the response? The company is offering victims one year of free credit monitoring.

Details: Charter said it has no reason to believe any of the information will be misused. Police are investigating the theft.

Source: wyff4.com, WYFF-TV, “Laptops with cable company workers’ data stolen,” Aug. 13.

Source: Breach Alerts |

Hackers break into University of Texas at Dallas Friday, 1 August 2008, 11:55 am

Hackers may have compromised the personal information of 9,100 students, faculty and staff at the University of Texas at Dallas.

What type of personal information? Names, Social Security numbers, home addresses, email addresses and telephone numbers.

How many victims? 9,100, including 4,406 students who were on the Dean’s List or graduated between 2000 and 2003.

What happened? The university is releasing few details about how the attack occurred.

Quote: “We would like to minimize the impact of such an event, but we find no indication that the information has been disclosed, disseminated or used to anyone’s detriment.” - Jim Gary, the university’s vice president and chief information officer.

Source: dallasnews.com, The Dallas Morning News, “Computer breach at UT Dallas may have exposed students’ personal info,” July 31.

Source: Breach Alerts |

Ga. health insurer sends benefit letters to wrong people Friday, 1 August 2008, 11:38 am

Blue Cross and Blue Shield of Georgia accidentally mailed 202,000 benefit letters to the wrong addresses.

What type of personal information? Patient names and identification numbers, with a small number containing Social Security numbers. Amounts owed and the name of their medical provider also were included.

What happened? “Explanation of Benefit” letters were mistakenly sent to the wrong addresses because of a computer system glitch, which has since been resolved.

What was the response? Victims will receive one year of free credit monitoring. The number of affected people may not be as high as 202,000 because some people received multiple letters.

Details: Blue Cross and Blue Shield may have violated Health Insurance Portability and Accountability Act regulations, experts say. The insurer plans to remove Social Security numbers from all future mailings.

Quote: “This is very, very serious.” - State Insurance Commissioner John Oxendine

Source: ajc.com, The Atlanta Journal-Constitution, “Private medical data exposed,” July 29.

Source: Breach Alerts |

St. Mary’s hospital database breach exposes 128,000 Monday, 28 July 2008, 2:55 pm

The personal information of thousands of clients and patients of St. Mary’s Regional Medical Center in Reno, Nev. was potentially compromised when a database was illegally accessed.

How many victims? About 128,000.

What type of personal information? Names, addresses and some health information and Social Security numbers.

Details: The breach, discovered April 28, resulted in the immediate shutdown of the database. Notifications, done by letter, were delayed because the database had to be rebuilt. There have been no reports of fraud as a result of the compromise.

What was the response? The hospital is offering one year of free credit monitoring to those patients whose Social Security numbers were stored in the database. 

Quote:“Our first concern is for the continued privacy and well-being of our patients and customers.” -Mike Uboldi, president and chief executive officer, in a news release.

Source: rgj.com, Reno Gazette-Journal, “St. Mary’s warns of possible data leak,” July 24.

Source: Breach Alerts |

Investment firm exposes data on Supreme Court justice, 2,000 others Friday, 11 July 2008, 4:48 pm

An employee of McLean, Va.-based investment company, Wagner Resource Group, accidentally exposed the personal information of thousands of its clients through LimeWire, a peer-to-peer (P2P) network.

What type of personal information? Names, Social Security numbers and birth dates.

How many victims? 2,000.

What happened? An employee’s P2P software apparently was configured to allow the sharing of documents with other LimeWire users.

Details: Among the victims is U.S. Supreme Court Justice Stephen Breyer. Tiversa, the P2P security company hired by Wagner to respond to the breach, determined that more than a dozen LimeWire users downloaded the files containing the confidential data.

Quote: “I didn’t even know what peer-to-peer was. I do now.” - Wagner Resource Group founder Phylyp Wagner.

Source: washingtonpost.com, The Washington Post, “Justice Breyer is Among Victims in Data Breach Caused by File Sharing,” July 9.

Source: Breach Alerts |

Organ and tissue donors’ personal info possibly exposed Friday, 11 July 2008, 11:17 am

A vulnerability in the Organ and Tissue Donor Registry, run by Florida’s Agency for Health Care Administrators, could have permitted the authorized viewing of the confidential data of some 55,000 people.

What type of personal information? Names, addresses, birth dates and driver’s license numbers.

Details: The breach occurred on June 20, and the hole was plugged a day later. Officials do not believe the information was wrongfully accessed.

Source: Associated Press, Naples (Fla.) News, “Breach in Fla. donor registry may have exposed IDs,” July 7.

Source: Breach Alerts |

Word document inadvertently leaves California DCA Friday, 27 June 2008, 5:14 pm

The personal data of about 5,000 employees, contractors and board members was included on a Microsoft Word document accidentally sent outside of the agency.

What type of personal information? Names, Social Security numbers, salaries and titles.

What was the response? Victims were notified June 10, about five days after the incident. They were told to keep watch on their credit files. The agency has agreed to pay for one year of free credit reports and offer fraud insurance of up to $25,000.

Details: Authorities do not believe any of the information has been misused and they are not sure the unintended recipient even opened up the Word document.

Quote: “We know it left the building and that it wound up somewhere it shouldn’t have wound up. We’re looking into how that happened.” - California Department of Consumer Affairs spokesman Russ Heimerich

Source: capitolweekly.com, Capitol Weekly, “Security breach compromises 5,000 Social Security numbers at Consumer Affairs,” June 23.

Source: Breach Alerts |

CNET employees face identity theft risk Friday, 27 June 2008, 4:58 pm

Thieves stole computer systems containing personal information of employees from the offices of a CNET Networks’ contractor

How many victims? More than 6,500.

What type of personal information? Names, Social Security numbers, birth dates and employement data on health insurance beneficiaries.

What happened? The computers were stolen from Colt Express Outsourcing Services, which administers benefit plans for CNET, a web publishing company.

What was the response? Local police are investigating. Affected CNET employees can receive one year of free credit monitoring from Equifax. Colt said it is not able to offer the services due to financial reasons.

Source: pcworld.com, PCWorld, “CNET Employees Notified After Data Breach,” June 23.

Source: Breach Alerts |