Top 10 Data Breaches Of 2010 (So Far)

Top 10 Data Breaches Of 2010

Believe it or not, 2010 has thus far shaped up to be a dynamic year for data breaches. While the iPad e-mail leak brought data breaches to the forefront of the public's attention, the incident didn't even make our Top 5. According to the Identity Theft Resource Center (ITRC), which tracks, lists and publicizes data breaches, there have been at least 301 security breaches resulting in the exposure of more than 8.2 million records, throughout the first six months of this year. Some breaches occurred due to external hacks or deliberate theft. Other incidents were the result of simple negligence. And a large majority of those breaches never made the nightly news. But whether accidental or planned, here are the biggest data leaks for the first half of this year. Be careful.

1. Education Credit Management: 3.3 Million Records Breached

Education Credit Management Corp. said in March that a portable media device had been stolen that contained the names, addresses, dates of birth and Social Security numbers of 3.3 million students. No bank account or other financial information was included in the stolen data. ECMC officials said the incident, which affects up to five percent of all students with federal loans in the U.S., could represent one of the biggest cases of student identity theft in the nation's history. ECMC spokespeople maintained that the breach was a case of "simple, old-fashioned theft," and not external hacking, according to the Wall Street Journal . The breach coincided with the enactment of the largest overhaul of federal student loan rules in decade, however officials said they believed that the two events were not related. Altogether, the 3.3 million Social Security numbers stolen from ECMS represent a total of $8.9 million in loans.

2. AvMed Health Plans: 1.2 Million Records Breached

AvMed Health Plans and its clients became victims of a massive data breach when the theft of two company laptops compromised the information of as many as 1.2 million Floridians with Avmed Health Insurance, including current and former subscribers and their dependents. The personal data included names, addresses, phone numbers, Social Security numbers and other protected health information. Company administrators maintained that the only people with keys were the cleaning crew.

Initial estimates tabulated around 200,000 records stolen. However, further investigation revealed that the theft potentially compromised more than a million accounts. The company said that there was no evidence that any personal data was misused as a result of the theft, but still warned customers to watch for phony credit card charges. AvMed also offered affected customers two years of free credit monitoring

3. Lincoln National Financial Securities: 1.2 Million Records Breached

Records of around 1.2 million users were potentially exposed in February as the result of a vulnerability in the portfolio information system for two, broker-deal subsidiaries of Lincoln National Corporation. Attorneys for Lincoln Financial Securities and Lincoln Financial Advisors notified the New Hampshire Attorney General's Office in a letter that personal data such as names, addresses, Social Security numbers, account numbers, account registration, transaction details, account balances and in some cases, dates of birth and e-mail addresses had been potentially exposed.

LFN notified some former and current clients with information on the portfolio information system and offered one year of free credit monitoring and identity theft consultations, if needed. Following the incident, Lincoln Financial said it had taken action to improve data security, while strengthening its security policies and procedures across all IT platforms. And, for kicks, the company ended its practice of using shared user names and passwords in the system.

4. CitiGroup: 600,000 Records Breached

Approximately 600,000 CitiGroup customers received their version of "bill shock" when they received their annual tax documents with their Social Security number printed on the outside of the envelope. The envelopes were sent via the U.S. Postal Service in January. CitiGroup, which began notifying affected customers Feb. 15, said in a letter that the Social Security numbers had been surrounded by other numbers and letters "that resembled a mailing routing number." A Citi spokesman blamed a processing error for the breach and said the company had addressed the error.

’The digits were not identified as a Social Security number, and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a mail routing number,’ according to a statement from the company. ’We believe there is little or no risk to our customers.’

However, more than 50 customers called to complain to CitiGroup, after managing to identify their own social security numbers.

5. Affinity Health Plan: 409,000 Records Breached

Affinity was informed on March 17 that an office copier it had previously leased and returned to the leasing company might still have contained personal information on its hard drive. Affinity, which is currently in the process of obtaining the machine, has yet to examine the hard drive to confirm the information the copier might have retained. Some of the personal information on the copier may have included Social Security numbers, dates of birth, and medical information.

6. U.S. Army Reservists, Serco: 207,000 Records Breached

A laptop stolen from a government contractor in May contained the names, addresses and Social Security numbers for more than 207,000 U.S. Army reservists and their dependents. Col. Johantha Dahms, chief public affairs for the Army Reserve, said that the personal data was contained on a CD-Rom in a laptop that was stolen from the Morrow, Ga. Offices of Serco Inc., a government contractor based in Reston, Va. The laptop was actually one of three that was stolen, but the only one containing personally identifying information. Serco was commissioned to hold data on reservists, according to its contract with the U.S. Army's Family and Morale, Welfare and Recreation division. Following the breach, the Army issued an email to affected service members.

"The Army takes this loss very seriously and is reviewing current policies and practices with a view of determining what can or must be changed to preclude a similar occurrence in the future," the letter said.

The mail continued that "at a minimum," the Army would be providing additional training to personnel in order that they "understand that personally identifiable information must at all times be treated in a manner that preserves and protects the confidentiality of the data." Okay…now tell that to the identity thieves.

7. Millennium Medical Management Resources: 180,111 Records Breached

MMMR, which handles billing for emergency health care physicians, sent letters to 180,111 EHP patients treated between 2003 and 2006, warning them that they might be victims of identity theft due to a data breach. According to the letters, the data, which was stolen from a portable hard drive in February, included names, diagnosis, medical records, Social Security numbers and health insurance information. The ITRC was able to verify the number of affected individuals and information via the notification letter and information sent to HHS's Web site.

8. Valdosta State University: 170,000 Records Breached

Valdosta State University called an investigation after an incident of unauthorized access to a computer server, which possibly compromised 170,000 student and faculty social security numbers and grades. The breach, which dated back to Nov. 11, 2009, was discovered and reported by the university's information technology director Joe Newton. The breached server contained employee and student information. The university however provided a link for the students to determine if their records were exposed in the breach.

9. AT&T Server/Apple iPad Emails: 114,000 Records Breached

An AT&T security breach exposed at least 114,000 e-mail addresses of iPad 3G customers, including those of high ranking government and military officials. The breach occurred when a group of hackers, known as Goatse Security, exploited a security flaw on an AT&T Web application that enabled them to obtain a list of customer e-mail addresses in exchange for a personal ID, known as the ICC-ID by running an automated script. The ICC-ID, or integrated circuit card identifier, is associated with the SIM card and is used to specifically identify iPad and other mobile device's customers.

Thus far the FBI has contacted Gawker , which first broke the iPad breach story in June, requesting that it hold onto any all related documents that would assist with investigation efforts. Gawker reported that the hacked data included a list of high-profile executives, celebrities and government officials, including New York Times Co. CEO Janet Robinson, Diane Sawyer of ABC News, film mogul Harvey Weinstein and New York Mayor Michael Bloomberg, as well as White House Chief of Staff Rahm Emanuel.

10. Iowa Racing and Gaming Commission: 80,000 Records Breached

Iowa Racing and Gaming Commission suffered a security breach in January when the state firewall was temporarily disabled due to network routing changes and a licensing database was compromised. The information potentially exposed included users' names, Social Security numbers, date of birth and other personal data related to an occupational license application. Reports have indicated that the attack was sourced from China.