Recent Data Security Breaches Underscore Need for Stronger Identity Theft Protections

It seems like every week there’s news of another security breach at a company holding sensitive consumer information, putting more Americans at risk of identity theft. Thousands of companies maintain files with detailed financial and personal information about consumers, including Social Security numbers, birth dates, account numbers, and addresses. This information is the key that crooks can use to get credit in someone else’s name and steal identities.

ChoicePoint, Inc.: In mid-February 2005, ChoicePoint, Inc., an information broker based in Georgia, announced that a fraud ring had gained access to the personal and financial information of an estimated 145,000 consumers from computer databases maintained by the company. ChoicePoint maintains a huge database with billions of records on consumers culled from public records and other documents. It sells access to that information to businesses for a variety of purposes. The ChoicePoint files that were compromised contained such sensitive information as Social Security numbers matched to names and addresses. Subsequent news reports indicated that ChoicePoint had experienced similar security breaches in the past.

Bank of America: An estimated 1.2 million federal workers were put at risk of identity theft as a result of lost computer tapes maintained by Bank of America. The bank announced in late February the loss of the tapes, which included Social Security numbers, addresses and credit account numbers. A Bank of America spokesperson indicated that the tapes were probably stolen by baggage handlers from a commercial airplane when they were being shipped to a back-up data center. Members of Congress were among those federal workers whose information was put at risk as a result of the lost tapes.

Lexis-Nexis: In early March 2005, Lexis-Nexis announced that the security of a database maintained by a company it owns had been compromised, leaving another 32,000 people at risk of having their identities stolen and credit ruined. In April, Lexis-Nexis acknowledged that it had underestimated the size of the breach by almost ten times. The company now says that the personal information of 310,000 people was compromised by crooks who obtained passwords from legitimate customers and accessed such information as names, addresses, Social Security numbers, and driver’s license numbers. The files were part of a database maintained by Seisint, which is owned by Lexis-Nexis. The company sells access to the data to a variety of business and government clients.

Westlaw: This Minnesota-based data search company was criticized in early 2005 for maintaining loose security practices that enabled clients who used the firm’s online “People-Find” database to obtain Social Security numbers and other personal information. Private companies subscribe to this service, giving them easy access to sensitive information that can be used to commit identity theft. A Senator exposed the lax security maintained on the web site and called on the company to disable it until better security was established to prevent fraud. Westlaw responded to the complaints by announcing that it would restrict customer access to Social Security numbers.

PayMaxx: This payroll processing company was in the news recently after a computer security expert revealed how easy it was to obtain personal information, including Social Security numbers, from the firm’s web site. Aaron Greenspan of Think Computer Corporation contacted the company when he discovered that a software glitch enabled any user to view the W-2 forms generated for employees of companies that use PayMaxx. The company has since taken action to correct the problem.

Ameritrade: Ameritrade Holding Corp., a top online discount broker, announced in April 2005 that it lost a backup tape during shipping between vendors. The tape contained the personal information of about 200,000 current and former customers and may have included Social Security numbers. Ameritrade discovered the loss of the tape in February, when it received a damaged envelope containing backup tapes. An investigation revealed that four tapes were missing, but only three have been recovered.

Boston College: In March, Boston College informed 120,000 alumni that a computer containing their addresses and Social Security numbers had been breached by hackers. The breach was discovered by a computer security worker who found that a computer at a phone bank had been compromised.

University of California, Berkeley: In October 2004, the University of California announced that the names, addresses, telephone numbers, Social Security numbers and birthdates of 1.4 million people had been compromised. The university obtained the information from the California Department of Social Services’ In-Home Supportive Services program, for the purposes of research. The breach was discovered by the information technology staff at the university, using intrusion-detection software.

General Motors Mastercard: In April, HSBC, the bank that issues the GM Rewards Mastercard, notified 180,000 customers that their cards had been used at an anonymous retailer during the period between June 2002 and December 2004. HSBC provided a toll-free number and the investigation is ongoing.

Omega World Travel: In May 2005, US police authorities announced an investigation into the theft of a computer containing the private information of 80,000 Justice Department employees. The computer contained password-protected names and credit card account numbers, as well as employee traveler profiles which may include home addresses, telephone numbers, and even passport numbers.

Time Warner: Adding another occurrence to the number of cases involving data storage tapes lost in transit, Time Warner announced on May 2 the loss of tapes containing the information of 600,000 current and former employees. Time Warner is the largest media company in the world, and owns America Online, HBO and Warner Bros. The missing tapes include employee information from as far back as 1986, and the United States Secret Service is currently investigating this matter.

Colorado State Health Department: In late May 2005, a Colorado state health department employee took a laptop containing the medical records of 1,600 children home for the weekend and left it in a car overnight, where it was stolen. The employee, who violated department policy by removing the laptop from the facility, has been demoted. The car has been recovered, but the laptop is still missing. The department has since upgraded its encryption software and begun to re-examine its confidentiality procedures.

CitiFinancial: In June 2005, CitiFinancial began mailing notices to the 3.9 million customers whose private information was put at risk when backup tapes containing their information were lost in transit. The tapes contained information about network branch customers in the US, as well as customers with closed CitiFinancial Retail Services accounts. This breach occurred despite the “enhanced” security procedures that CitiFinancial claims to have in place. Beginning in July, all such data will be encrypted.

Motorola: In June, Motorola sent emails to its employees, approximately 34,000 of whom are in the US, notifying them of the theft of two computers from the offices of Motorola’s human resources services provider, Affiliated Computer Sources. The stolen computers contained the names and Social Security numbers of an undisclosed number of employees.
Motorola reported the incident to police (who are currently investigating the thefts) and is providing free fraud insurance to employees.

This is only a sampling of the approximately 100 data security breaches that have occurred since February of 2005. For a full listing, please go to: http://www.idtheftcenter.org/breaches.pdf

Updated: 2/6/06