The Data Breach Blog

Employee at Maryland state agency posts client information online

Angela Moscaritolo July 21, 2010

The personal information of clients of the Maryland Department of Human Resources (DHR) recently was posted on a third-party website, where it remained for nearly three months.

How many victims? 3,000.

What type of personal information? Social Security numbers and other unspecified personal information.

What happened? The information was posted by an employee of the Maryland DHR, a state agency that provides benefits, such as food stamps and other aid, to clients. The employee has since been placed on administrative leave and could face disciplinary action.

The breach was discovered by staff of the Liberty Coalition, a nonprofit that promotes individual freedoms. The group's privacy director, Aaron Titus, said the information was posted from April 27 to July 14.

Staff members at Liberty Coalition tried to notify DHR officials about the breach on July 9 but were unsuccessful until July 12. The data was taken down on July 14.

Details: There currently is no evidence that the information was used for identity theft.

Quote: "We take the privacy of the data that's entrusted to us very seriously," said DHR spokeswoman Nancy Lineman.

What was the response? An investigation into the incident was initiated. Affected individuals are being notified and offered a one-year subscription for credit monitoring services.

Source: www.baltimoresun.com, The Baltimore Sun, “State employee posts nearly 3,000 SSNs online,” July 19, 2010.

 

Sensitive database compromised at Buena Vista University

Angela Moscaritolo July 21, 2010

A sensitive database belonging to Buena Vista University in Iowa was compromised, exposing the information of students and staff.

How many victims? 93,000.

What type of personal information? Social Security numbers, addresses and driver's license information.

What happened? An investigation conducted by auditing and advisory firm KPMG revealed "some irregularities" in Buena Vista University's network. It was confirmed that unauthorized access to the database occurred in June.

Details: Personal information of students and staff dating back to 1987 could be vulnerable.

University President Frederick Moore has apologized for the incident and said that the university is trying to mitigate potential harm.

Quote: “We do not believe any of the information was misused or provided to a third party,” a university spokesperson said.

What was the response? The case has been handed over to the U.S. attorney's office, which is conducting an investigation into the matter.

Affected individuals are being notified and offered a one-year subscription for credit monitoring services.

Source: www.SCMagazineUK.com, SC Magazine UK, “Personal details of 93,000 staff and students at US university could be exposed after database compromise,” July 19, 2010.

 

American Airlines hard drive stolen

Angela Moscaritolo July 09, 2010

A hard drive containing the personal information of tens of thousands of current and former employees of American Airlines recently was stolen from the company's Fort Worth, Texas, headquarters.

How many victims? 79,000.

What type of personal information? Names, addresses, dates of birth, Social Security numbers and a "limited amount" of bank account information. Additionally, some health insurance information may have also been included — mostly enrollment forms, but also details about coverage, treatment, and other administrative information.

Details: The stolen hard drive contained images of microfilm files that contained the sensitive information. Some of the employee files also contained information on beneficiaries and dependents. The data spans a period from 1960 to 1995.

What was the response? Affected individuals have been notified and offered one year of free credit monitoring services. Additionally, the airline has increased security at its headquarters, including testing its computers for vulnerabilities. An investigation into the incident is currently ongoing.

Source: cbs11tv.com, “American Air Parent Claims Worker Data Compromised,” July 2, 2010.

 

Hacker accesses sensitive University of Hawaii server

Angela Moscaritolo July 07, 2010

A cybercriminal recently gained access to a University of Hawaii at Manoa (UH-Manoa) parking office computer server that contained the personal information of tens of thousands of individuals.

How many victims? 53,000.

What type of personal information? Names, Social Security numbers, addresses, driver's license numbers, vehicle information and credit card information.

Details: A server used by the UH-Manoa parking office was accessed on May 30, though school officials are unsure how the cybercriminal gained entry. The hacker left behind a virus on the server. The breach was discovered during a routine audit on June 15.

There were 40,870 Social Security numbers and 200 credit card numbers on the server. Those affected include UH-Manoa faculty and staff members employed in 1998, along with anyone who did business with the parking office between Jan. 1, 1998, and June 30, 2009.

Students who paid for parking passes using a credit card were not affected.

Quote: “There is no indication that any information was misused, downloaded or viewed by the hacker,” said Gregg Takayama, a university spokesman.

What was the response? Social Security numbers, which are no longer used for parking transactions, are being removed from all parking databases. The university is strengthening its internal automated network monitoring practices and performing evaluations of systems to identify other potential security risks.

Affected individuals have been notified by mail and email. The matter was turned over to Honolulu police, the FBI and UH-Manoa's forensic investigator.

Source: Staradvertiser.com, Honolulu Star Advertiser, “UH breach affects 53,000,” July 7, 2010.

 

Mass. secretary of state's office accidentally releases sensitive data

Angela Moscaritolo July 07, 2010

The Massachusetts secretary of state's office earlier this year accidentally released the confidential personal information of state-registered investment advisers to a business publication.

How many victims? 139,000.

What type of personal information? Names, Social Security numbers, birth dates and locations, in addition to height, weight, and hair and eye color.

Details: The information was on a CD-ROM sent to IA Week, an investment industry publication, in response to a request for public information. The publication originally asked the office's Securities Division, overseen by Secretary of State William Galvin, for a list of registered investment companies but was instead sent a list of individual investment professionals.

A new employee working in the division caused the error by failing to delete the Social Security numbers and other information, which is normally withheld. IA Week returned the CD-ROM in June with a letter stating it had not made any copies of the data.

Quote: “It's an unfortunate mistake,” said Brian McNiff, a spokesman for Galvin. “It obviously was not done according to [standard] practice.”

What was the response? The Securities Division currently is trying to determine whether it needs to notify affected individuals, since all data was recovered, and there is no reason to believe it was ever misused.

Source: boston.com, The Boston Globe, “State's error unveiled Social Security numbers,” July 6, 2010.

 

Hackers compromise Destination Hotels' credit card system

Dan Kaplan June 30, 2010

Guests at 21 Destination Hotels & Resorts' properties may have been subjected to credit card theft after the chain discovered malware installed in its credit card processing system.

How many victims? Unknown.

What type of personal information? Credit card numbers.

What happened? According to the hotel, remote attackers installed a malicious program into the card processing system.

Details: Only those hotels where credit cards are physically swiped appear to be affected. The malware has been removed, and the locations are again processing transactions normally.

What was the response? The Englewood, Colo.-based hotel chain is notifying guests who stayed at the affected properties and encouraging them to contact their credit card companies to ensure no fraud was perpetrated.

Quote: “We are concerned for our guests and we sincerely regret any inconvenience this may cause them,” said Charlie Peck, the hotel's president and chief operating officer. “We know we are not the first hotel company to be victimized by this kind of attack, but our greatest concern is for our guests who may be affected as well.”

Source: Destination Hotels & Resorts news release. "Destination Hotels reacts swiftly to credit card interception," June 24, 2010.

 

University of Maine student information exposed

Angela Moscaritolo June 30, 2010

Hackers recently gained access to a pair of file servers containing the personal information of University of Maine students who received counseling services at the school for the past eight years.

How many victims? 4,585.

What type of personal information? Names, Social Security numbers and clinical information.

Details: Every student who sought counseling services from the school's counseling center between Aug. 8, 2002 and June 21 of this year is affected, school officials said. Currently, it is unclear whether the data was viewed or downloaded.

The university's investigation began on June 16, after counseling center staff reported having trouble obtaining files on the server. The investigation revealed that one of the servers was compromised as early as March 4. After gaining access to the initial machine, the hackers infiltrated a second server.

The Maine Legislature also announced this week that one of its websites was hacked and infected with malware, IT officials said. The site, which details the status of bills, currently remains offline.

Both incidents likely are related.

Quote: "This sort of crime is in every way, shape and form an insidious affront to the rightful privacy expectations of our students," said University of Maine's Dean of Students Robert Dana.

What was the response? University of Maine police are leading an investigation into the hacking incident, along with federal prosecutors and computer crimes experts from the U.S. Secret Service. Affected individuals will receive a one-year subscription for credit monitoring services. In addition, the school is taking further, unspecified steps to prevent future breaches.

Source: http://www.mpbn.net, The Maine Public Broadcasting Network, “Hackers Compromise UMaine Servers, Legislative Web site,” June 29, 2010.

 

Florida International University discovers sensitive database unsecured

Angela Moscaritolo June 25, 2010

The personal information of Florida International University students and faculty members was discovered in an unsecure database that may have been accessible to the public.

How many victims? 19,000 students and 88 faculty members.

What type of personal information? GPAs, test scores and Social Security numbers.

What happened? The unsecured database was used in connection with the College of Education students' E-Folio software application, used to capture students' mastery of state of Florida and national teacher education standards through the tracking of grades, test scores, completed assignments and other data elements. The database has since been secured.

Details: There is no indication that any unauthorized individuals retrieved information from the database.

What was the response? The university is notifying all affected individuals.

Source: news.FIU.edu, News at FIU – Florida International University, “University to notify students and faculty regarding unsecure database,” June 22, 2010.

 

Personal data exposed on Anthem Blue Cross website

Angela Moscaritolo June 25, 2010

UPDATE: Indianapolis-based health insurance company WellPoint, which runs Blue Cross plans in 14 states, recently revealed that it has notified a total of 470,000 individuals potentially affected by this breach, including the 230,000 customers of its Anthem Blue Cross subsidiary in California.

The personal information of hundreds of thousands of Blue Cross customers was recently exposed following a website glitch caused by a third party.

How many victims? 230,000.

What type of personal information? Medical records and Social Security numbers.

What happened? The appropriate security measures were not put in place following an October 2009 upgrade of the company's website made by a third-party vendor, said Anthem spokeswoman Cynthia Sanders. As a result, a site user was able to manipulate web addresses to access confidential information.

A class-action lawsuit was filed on behalf of individuals whose information was in jeopardy.

It's unknown how many people worldwide may have accessed the site illegally. According to Anthem's investigation, the vast majority of unauthorized access was from the plaintiff of the lawsuit and her attorneys, Sanders said.

The attorneys downloaded some information from the site, but have since returned it to the court system.

Meanwhile, this is not the first time WellPoint has experienced a breach. In 2008, it was discovered that the personal information of about 128,000 WellPoint customers from several states was publicly available on the internet. And in 2006, backup computer tapes containing the personal information of 200,000 members were stolen.  

Quote: “We were told by a third-party vendor that all security measures were in place,” Sanders said. “As soon as we heard about the attorneys, we went in, discovered the problem and fixed it immediately.”

Details: Applicants under age 65 who were applying for individual policies were affected by the breach.

What was the response? The company is offering affected individuals a free one-year subscription for identity protection services.

Source: Associated Press, “Anthem Blue Cross glitch exposed personal data,” June 23, 2010.

Update Source: Associated Press, “Security glitch exposes WellPoint data again,” June 29, 2010.

 

PSU finds computer containing SSNs to be under botnet control

Dan Kaplan June 03, 2010

A computer containing thousands of Social Security numbers was found to be under the control of a botnet.

How many victims? 15,800.

What type of personal information? Social Security numbers.

What happened? The university discovered that a machine in the campus' Outreach Market Research and Data office was communicating with a botnet's command-and-control center. As it turned out, the computer contained a cached copy of Social Security numbers, which formerly were housed in a database that was removed from the computer in 2005 when the university stopped using the numbers as identifiers.

Details: There is no evidence the information has been exposed to criminals.

What was the response? The university plans to send out notification letters to victims.

Source: http://www.centredaily.com, Centre Daily Times, “PSU notifying 15,800 on Social Security breach,” June 3, 2010.