Worst Data Breaches of 2013 (Part 3)

The Identity Theft Resource Center has recorded 450 data breaches so far this year, and here are the worst that became known between July and September.

Virginia Polytechnic Institute and State University

In August, a server in the human resources department at Virginia Polytechnic Institute and State University was illegally accessed. It held information on 114,963 individuals who had applied for jobs there. “The issue here is someone on our staff goofed,” said Larry Hinckler, associate vice president for university relations, noting the security problem was related to human error.

St. Mary’s Bank

In July, St. Mary’s Bank, a credit union in New Hampshire, disclosed that malware discovered on an employee computer may have spread to two dozen other computers there. The malware was designed to capture information. Therefore, the credit union notified 115,775 customers that their personal information may have been exposed.

Internal Revenue Service

The U.S. Internal Revenue Service mistakenly posted tens of thousands of names, addresses and Social Security numbers — perhaps as many as 100,000 — on a government website, a discovery made in July by a group called Public.Resource.org.

Republic Services

In August, an unencrypted laptop was stolen from a Republic Services employee’s home. It held personal information on about 82,160 current and former employees at the Phoenix-based waste management company. In an apology letter, the company pledged to change its privacy and data policies to prevent similar situations from occurring.

University of Delaware

The University of Delaware said its investigation into a cyberattack in July determined that confidential personal information on more than 74,000 individuals was stolen by attackers exploiting a website vulnerability. The data breach is expected to cost the university millions of dollars.

Northrop Grumman

In August, aircraft manufacturer Northrop Grumman disclosed that unauthorized access to a database containing personal information occurred between November of last year and May of this year. Letters were sent to those who may have had information compromised. Separately, the company’s retiree health plan reported 4,305 enrollees were impacted in a paper-records data breach involving CVS Caremark.

U.S. Department of Energy

The U.S. Department of Energy told its employees in August that hackers had gained personal information, including Social Security numbers, on about 14,000 current and former employees. The DoE earlier in the year said computer systems were hacked to steal information on contractors.

Chris Koster

In August, the Missouri Attorney General, Chris Koster, warned consumers to be on the alert for fraud because computer problems that were identified at the Missouri Credit Union exposed personal information online. The credit union itself notified its 39,000 members and former members about the data breach.

Michigan Department of Community Health

In July, the Michigan Department of Community Health notified more than 49,000 individuals that a server was hacked, exposing their names, birth dates, Social Security numbers, cancer-screening test results and testing data.

Ferris State University

In August, Ferris State University in Michigan disclosed that names and addresses for about 39,000 individuals — mainly current, former and prospective students and employees alike — were inadvertently accessible for a short time in July, during which they were accessed “after an unauthorized person evaded network security.” The Ferris staff said they shut down the server and have been investigating the incident.

Cogent Healthcare

Healthcare provider Cogent Healthcare disclosed in August that information related to about 32,000 patients seen by its doctor groups had been compromised after a firewall-related security lapse by vendor M2ComSys allowed this patient data to be exposed to the Internet and even indexed by Google. Cogent Healthcare ended its relationship with M2ComSys, took possession of hardware in use there, and also worked with Google to take down any sensitive patient information.

New York state’s Office of the Medicaid Inspector General

In July, New York state’s Office of the Medicaid Inspector General announced that an employee there sent 17,743 records of Medicaid recipients to a personal e-mail account, an action wholly unauthorized by supervisors. The New York office said the employee is on administrative leave while an investigation is conducted by the New York State Inspector General’s office. Tighter security controls limiting access to data are said to be in place. 

D.R. Horton

After receiving a tip, Texas television station KXAN in September investigated and reported how Texas-based homebuilder D.R. Horton had dumped a large number of documents related to loans, copies of checks, purchase orders and site plans into large dumpsters on school campuses. After the TV station’s report, D.R. Horton, saying it simply wanted to help the school’s recycling program, which gets paid for each ton of paper it collects, went back to retrieve the outdated D.R. Horton files.
