The Data Breach Blog

Hackers access Iowa Racing and Gaming Commission database

Angela Moscaritolo February 03, 2010

Hackers, believed to be from China, gained access to an Iowa government database, which contained the personal information of current and former employees of Iowa's casino and racing industries.

How many victims? 80,000.

What type of personal information? Names, Social Security numbers, home addresses and birth dates.  

What happened? Hackers gained entry to the state's computer system on Jan. 26 while the Iowa Communications Network, the state agency that administers Iowa's telecommunications network, was performing routine maintenance on a firewall.

Once inside, the intruders accessed a database of the Iowa Racing and Gaming Commission. It is unclear whether any personal information was downloaded.

The hackers were able to get into the database because a firewall on the commission's computer system had not been properly patched by a private contractor.

Ambient Consulting of Minneapolis maintains the commission's computer system and has said that, before the breach occurred, a computer log indicated that all appropriate software patches had been installed. In reality, they had not been. The problem has since been fixed.

A forensic investigation revealed that China was the source of the hacking incident. State officials, however, are not certain of this because some hackers try to disguise their true country of origin by masking IP addresses.

Details: Most of the people in the database are Iowa residents but it also includes individuals from Illinois, Minnesota, Nebraska, South Dakota and Wisconsin, among other states.

The list includes workers such as card dealers, slot machine technicians, jockeys, trainers and owners of horses and greyhounds.

Quote: "There is nothing to show that even if all the patches had been installed, they still wouldn't have gotten in because they had already gotten through the state's firewall," said Robert Keller, chief technology officer, Ambient Consulting of Minneapolis.

What was the response? Ambient is working with Iowa officials to improve security. In addition, letters are being sent to affected individuals.

Source: DesMoinesRegister.com, The Des Moines Register, “Trail of Iowa computer hack points to China,” Feb. 2, 2010.
 

Laptop containing UCSF medical school patient information stolen

Angela Moscaritolo February 01, 2010

A laptop containing sensitive patient information was recently stolen from an employee of the University of California, San Francisco (UCSF) School of Medicine.

How many victims? 4,400.

What type of personal information? Names, medical record numbers, ages and clinical information.

The stolen laptop did not contain any Social Security numbers or financial data.

What happened? The laptop was stolen on Nov. 30. UCSF's police department began an investigation Dec. 1, and the laptop was recovered in Southern California on Jan. 8.

Details: The UCSF Enterprise Information Security department determined that a file on the laptop contained “limited” information for some patients about their treatment at the medical center in 2008 and 2009.

The laptop also contained files from the employee's prior employer, Beth Israel Deaconess Medical Center in Boston. Those files contained data about Beth Israel patients.

Quote: “There is no indication that unauthorized access to the files or the laptop actually took place,” UCSF said in a statement.

What was the response? The university is alerting affected individuals. In addition, a toll-free number (1-877-809-1270 ext. 74005) was established to provide more information about the breach.

Source: http://sanfrancisco.bizjournals.com/sanfrancisco/, San Francisco Business Times, “UCSF says laptop with 4,400 patient records stolen, then recovered,” Jan. 27, 2010.

 

Thief steals 57 hard drives from BlueCross BlueShield of Tennessee

Angela Moscaritolo January 22, 2010

Stolen computer hard drives belonging to BlueCross BlueShield of Tennessee contained sensitive member information.

How many victims? 220,000 to 500,000.

What type of personal information? Some of the stolen hard drives contain members' Social Security numbers, birth dates, addresses and medical information.

What happened? On Oct. 2, a thief stole 57 hard drives from the closet of a BlueCross call center in Chattanooga, Tenn.

Data on the stolen hard drives was encoded but not encrypted.

Details: Currently, there is no evidence that any of the stolen data has been used. Investigators are looking for the hard drives. BlueCross has backup files of all the stolen data.

Quote: “There is minimal risk to members' data being accessed due to the specialized nature of the hardware stolen and the difficulties associated with accessing,” BlueCross spokeswoman Mary Thompson said in a statement.

What was the response? Employees and temporary staff have been reviewing video surveillance footage to determine the extent of the breach.

Notification letters are being sent to affected members who will be offered a one-year subscription for identity protection monitoring services.

Source: Associated Press, “More than 220,000 customers affected by stolen BlueCross BlueShield of Tennessee data,” Dec. 25, 2009.

 

Financial services firm notifies 1.2 million of breach

Angela Moscaritolo January 19, 2010

Lincoln National Corp. (LNC), a Radnor, Pa.-based financial services organization, revealed early this month that a vulnerability in its portfolio information system could have caused the personal records of more than one million individuals to be inappropriately accessed.

How many victims? 1.2 million.

What type of personal information? Information contained on the affected system includes customer names, addresses, Social Security numbers, account numbers, account registration information, transaction details, account balances, and, in some cases, birth dates and email addresses.

What happened? The affected portfolio information system is used by LNC subsidiaries Lincoln Financial Securities (LFS) Corp., based in Concord, N.H., and Lincoln Financial Advisors (LFA) Corp., based in Hartford, Conn. The system is used for analyzing and reporting customer financial accounts.

On Aug. 17, the Financial Industry Regulatory Authority (FINRA), an independent securities regulator, notified LFS that it received a username and password from an unidentified source that provided access to the portfolio information system.  

The username and password were shared by certain employees of LFS, a violation of LNC security policy. In addition, it was discovered that LFA employees also shared usernames and passwords to access the portfolio information system.

Details: An investigation revealed that between LFS and LFA, there were six shared passwords for the system, created as early as 2002.

There is no evidence that anyone outside of the company had access to the shared passwords, that former employees accessed the system after leaving the company or that any current employees used the credentials for anything other than work purposes. But there is no way to be sure that unauthorized access did not occur.

What was the response? Computer forensic organization Kroll Ontrack was brought on to conduct an investigation to determine the scope of the breach. All shared usernames and passwords have been discontinued. Affected individuals will be notified and offered free credit monitoring services.

Source: Statement to New Hampshire attorney general's office, written by Michael Delaney on behalf of Lincoln National Corp., Jan. 11, 2010.
 

Stolen external drive contained Kaiser Permanente patient info

Angela Moscaritolo January 13, 2010

An external drive containing the sensitive data of thousands of patients was stolen from an employee of health insurance provider Kaiser Permanente.

How many victims? 15,500 patients throughout Northern California.

What type of personal information? Names, medical-record numbers and some dates of birth, gender data, phone numbers and other information related to patients' care and treatment.

The device did not contain any Social Security numbers or financial information.  

What happened? The external drive was stolen on Dec. 1 from an employee's car at her home in Sacramento. The employee notified Kaiser of the theft on Dec. 8.

Details: Kaiser officials determined through an internal investigation that the employee was storing the information for work and not for inappropriate purposes.

But the employee, who was not identified, was subsequently fired for violating Kaiser policy by storing the files on a personal device without encryption, and without getting permission to do so.

What was the response? Kaiser notified state and federal regulatory agencies and the Sacramento Police Department. Patients were notified by mail.

In addition, staff members are undergoing security awareness training.  

Source: fresnobee.com, Fresno Bee, “Theft of Valley Kaiser patients' info reported,” Jan. 12, 2010.
 

N.Y.-based Suffolk County National Bank server hacked

Angela Moscaritolo January 13, 2010

A hacker recently accessed a computer server hosting the online banking system of Long Island, N.Y.-based Suffolk County National Bank (SCNB), putting thousands of customers' login information at risk.

How many victims? 8,378.

What type of personal information? Online banking login credentials.

What happened? The breach was discovered through a recent internal security review. It was determined that the unauthorized access occurred during a six-day period between November 18 and 23, 2009.

Details: To date, there has been no evidence of unauthorized access to customer online banking accounts, SCNB said in a news release. The bank has not received any reports from customers of unusual activity or financial loss.

Quote: "The security of customers' information is of utmost importance to SCNB," J. Gordon Huszagh, president and CEO of Suffolk Bancorp, said in a news release. "While we know that our diligence in this regard allowed us to uncover this incident, and to take action rapidly to protect our customers, we also recognize that the provision of financial services over the internet requires our dedication to continuous monitoring and security."

What was the response? SCNB launched an investigation of the incident with the assistance of outside forensics experts. They isolated and rebuilt the compromised server. In addition, they notified consumer reporting agencies, including Experian and TransUnion, along with various state government and law enforcement agencies, including the New York State Consumer Protection Board and the Office of Cyber Security and Critical Infrastructure Coordination.

Affected customers will receive a free two-year subscription for credit monitoring services.

Source: News release, Suffolk Bancorp, “Suffolk Bancorp Thwarts Data Intrusion at Banking Subsidiary,” Jan. 11, 2010.

 

Hacker accesses Eastern Washington University's network

Angela Moscaritolo January 04, 2010

A hacker accessed the computer network of Eastern Washington University in Cheney, Wash., placing sensitive student information at risk.

How many victims? 130,000.

What type of personal information? Social Security numbers and birth dates.

What happened? IT staff recently discovered the breach during an assessment of the university's network. It was determined that the hacker installed software to store and share video files on the system.

Details: The student information involved in the breach dates back to 1987.

Quote: "EWU regrets that anyone's personal information may have been subject to unauthorized disclosure," President Rodolfo Arevalo said in a statement, obtained by The Seattle Times. "The university is taking this matter seriously and is committed to maintaining everyone's privacy. Eastern is continually putting new measures in place to protect personal information and will do everything it can to protect against further intrusions."

What was the response? Letters are being sent to affected individuals. A website and hot line have been set up to provide information about the breach.

Source: http://seattletimes.nwsource.com/html/home/index.html, The Seattle Times, “Hacker may have accessed EWU student information,” Dec. 31, 2009.
 

30K Penn State records breached due to malware

Angela Moscaritolo December 29, 2009

Penn State University officials are working to notify tens of thousands of individuals whose records may have been compromised.

How many victims? 30,000.

What type of personal information? Social Security numbers.

What happened? The breach was caused by malware.

Details: The breach involves 7,758 records from the Eberly College of Science, 6,827 records from the College of Health and Human Development and approximately 15,000 records from one of Penn State's campuses outside of University Park.

What was the response? School officials notified campus officials and began sending letters to affected individuals on Dec. 23. There is no evidence that anyone's information was accessed.

Quote: "Even when theft is only a remote possibility, we alert anyone who may have been affected and arm them with information and steps to take to mitigate their risk," Sarah Morrow, chief privacy officer for Penn State, said.

Source: post-gazette.com, Pittsburgh Post-Gazette, “Records of 30,000 at Penn State hacked,” Dec. 29, 2009.
 

North Carolina community college library users' data exposed

Dan Kaplan December 18, 2009

Sensitive data belonging to the library users at a number of North Carolina state-run community colleges may have been compromised when a server was hacked.

How many victims? 51,000.

What type of personal information? Social Security and driver's license numbers.

What happened? Earlier this year, a hacker was able to access a central server used by libraries at 25 community college campuses. The server stored the personal information, which was used to identify library users.

What was the response? The affected colleges are notifying victims, and officials plan to remove any personal data stored on the server.

Quote: "Our colleges and our system office are making every effort to ensure that personal information is permanently removed from our records," said Saundra Williams, a senior vice president with the state Community College System.

Source: The News & Observer, newsobserver.com, "Hacker hit community college system," Dec. 17, 2009.


 

Eastern Illinois University server hacked

Angela Moscaritolo December 09, 2009

The personal information of former, prospective, and current undergraduate students at Eastern Illinois University may have been stolen when a hacker gained access to the university's Office of Admissions server.

How many victims? 9,000.

What type of personal information? Unspecified data from student files and applications.

What happened? A machine was infected with the Virut computer virus, which spread to two other computers and the university's Office of Admissions server. The server became infected with a number of viruses, some of which gave attackers the ability to access it.

The breach was discovered Nov. 16 during a routine security check.

Details: The server contained electronic admissions application data from prospective undergraduate students dating from March 10, 2000, to Nov. 16, 2009. It is unclear whether the hackers accessed this information.

Those who did not submit their admission applications electronically are not affected by this breach.

Quote: “A machine was compromised by a virus so we don't believe it was a targeted attack against the university data system,” Adam Dodge, assistant director of information security for Eastern Information Technology Services, told the Journal Gazette/Times-Courier.

“The Virut computer virus caused this,” Dodge said. “It has been around for a while, but new variants pop up often. We have updated the computers. It was spread by bad practice by a computer user.”

What was the response? The breach is currently under investigation and victims will be offered one year of free credit monitoring. The university has created a web page with information about the breach.

Source: Journal Gazette/Times-Courier, JG-TC.com, “Computer data breach at EIU investigated,” Dec. 4, 2009.