Data Security Breaches: Context and Incident Summaries

Data Security Breaches:
Context and Incident Summaries
Updated May 7, 2007
Rita Tehan
Information Research Specialist
Knowledge Services Group

Data Security Breaches:
Context and Incident Summaries
Summary
Personal data security breaches are being reported with increasing regularity.
Within the past few years, numerous examples of data such as Social Security, bank
account, credit card, and driver’s license numbers, as well as medical and student
records have been compromised. A major reason for the increased awareness of
these security breaches is a California law that requires notice of security breaches
to the affected individuals. This law, implemented in July 2003, was the first of its
kind in the nation.
State data security breach notification laws require companies and other entities
that have lost data to notify affected consumers. As of January 2007, 35 states have
enacted legislation requiring companies or state agencies to disclose security
breaches involving personal information.
Congress is considering legislation to address personal data security breaches,
following a series of high-profile data security breaches at major financial services
firms, data brokers (including ChoicePoint and LexisNexis), and universities. In the
past three years, multiple measures have been introduced, but to date, none have been
enacted.
This report will be updated regularly.

Contents
In troduction ......................................................1
Statistics .........................................................3
Data Security Breaches in Federal Agencies.............................5
Data Security Breaches: Highlights....................................9
For Additional Reading............................................75
List of Tables
Table 1. Data Security Breaches in Businesses (2000-2007)...............11
Table 2. Data Security Breaches in Education (2000-2007)................26
Table 3. Data Security Breaches in Financial Institutions (2001-2007).......47
Table 4. Data Security Breaches in Local, State, and Federal Government
(2003-2007) .................................................56
Table 5. Data Security Breaches in Health Care (2003-2007)..............70

Data Security Breaches:
Context and Incident Summaries
Introduction
Personal data security breaches are being reported with increasing regularity.
During the past few years, there have been numerous examples of hackers breaking
into corporate, government, academic, and personal computers and compromising
computer systems or stealing personal data such as Social Security, bank account,
credit card, and driver’s license numbers, as well as medical and student records.
These breaches occur not only because of illegal or fraudulent attacks by computer
hackers, but often because of careless business practices, such as lost or stolen laptop
computers, or the inadvertent posting of personal data on public websites. A recent
infamous example occurred in May 2006, when 26.5 million veterans and their
spouses were in danger of identity theft because a Veterans Affairs data analyst took
home a laptop computer containing personal data (including names, Social Security
numbers, and dates of birth), which was later stolen in a burglary.¹
Depending on the definition, the most common type of identity theft is credit
card fraud, and there is evidence that the extent of credit card fraud has increased due
to opportunities provided by the Internet.² Although some aspects of identity theft
have been known for many years, it is viewed now primarily as a product of the
information age. A particular crime of identity theft may include one or all of these
stages:
Stage 1: Acquisition of the identity through theft, computer hacking, fraud,
trickery, force, re-directing or intercepting mail, or even by legal means
(e.g., purchase information on the Internet).
Stage 2: Use of the identity for financial gain (the most common
motivation) or to avoid arrest or otherwise hide one’s identity from law
enforcement or other authorities (such as bill collectors). Crimes in this
stage may include account takeover, opening of new accounts, extensive
use of debit or credit cards, sale of the identity information on the street or

¹ For additional information on legislative proposals introduced after the VA data theft (and
in light of several ongoing information security and information technology management
issues at the VA), see CRS Report RL33612, Department of Veterans Affairs: Information
Security and Information Technology Management Reorganization, by Sidath Viranga
Panangala.
² Graeme Newman and Megan McNally, Identity Theft Literature Review, National Criminal
Justice Reference Service (NCJRS), 2005, at [http://www.ncjrs.gov/pdffiles1/nij/grants/

210459.pdf].

black market, acquisition (“breeding”) of additional identity related
documents such as driver’s licenses, passports, visas, health cards, etc.),
filing tax returns for large refunds, insurance fraud, stealing rental cars, and
many more.
Stage 3: Discovery of the theft. While many misuses of credit cards are
discovered quickly, the “classic” identity theft involves a long period of
time to discovery, typically from six months to as long as several years.
Evidence suggests that the time it takes to discovery is related to the
amount of loss incurred by the victim.³
Identity theft is rarely one crime, but is composed of the commission of a wide
variety of other crimes, such as check and card fraud, financial crimes of various
sorts, various telemarketing and Internet scams, auto theft, counterfeiting and forgery,
etc.
The difficulty in studying identity theft is investigating what portion of the long
list of identity theft related crimes is related to the “classic” type of identity theft that
results in repeat victimization. For example, a common type of credit card fraud is
to steal an individual’s credit card. The offender makes a quick purchase of an
expensive item then discards the card. Has the victim’s identity truly been stolen?
The event clearly fits within the definition above, but it is not the wholesale theft of
the victim’s identity. However, should the offender be working with an accomplice,
the card could be turned over several times and even sold on the street. Finally,
should the victim’s driver’s license and other identifying documents such as a health
card with a Social Security number on it also be stolen, the basic elements for
stealing an individual’s identity are present.⁴
A January 2007 white paper by the computer security research company McAfee
Avert Labs reports a dramatic increase in global identity theft trends.⁵ One key
finding was that “[p]ersonal data for tens of millions of people disappears each year.
It’s either been stolen or misplaced. Despite this disturbing trend, the number of
complaints is surprisingly low, which leads us to believe the losses are not fully
acknowledged.”⁶

³ Ibid., p. v.
⁴ Ibid., p. 14.
⁵ Francois Paget. Identity Theft, McAfee Avert Labs, January 2007, at
[http://www.mcafee.com/us/local_content/white_papers/wp_id_theft_en.pdf]. This report
discusses recent high-profile examples of identity theft and how several countries define this
type of fraud and its scope; examines both the criminals and their techniques to better
understand how identity theft has evolved in recent years; and focuses on the victims and
consequences of identity theft.
⁶ Ibid., p. 3.

A California law that requires notice of security breaches to the affected
individuals is the major reason for the increased awareness of these breaches.⁷ This
law, which was implemented in July 2003, was the first of its kind in the nation.
State security breach notification requires companies and other entities that have
lost personal data to notify affected consumers. Thirty-five states have enacted
legislation requiring companies or state agencies to disclose security breaches
involving personal information.⁸ State security freeze⁹ laws allow a customer to
block unauthorized third parties from obtaining one’s credit report.
Statistics
Identity theft victims spend almost 300 million hours a year trying to clear their
names and re-establish good credit ratings.¹⁰ For additional information on this topic,
see CRS Report RL31919, Remedies Available to Victims of Identity Theft, by Gina
Marie Stevens.
In December 2006, a senior editor for Wired News noted a milestone: “... the
total number of lost or exposed personal records since February, 2005, [has passed]

⁷ California Department of Consumer Affairs, Office of Privacy Protection, Notice of
Security Breach - Civil Code Sections1798.29 and 1798.82 - 1798.84, updated June 24,
2003, at [http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000
&file=1798.25-1798.29], [http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&
group=01001-02000&file=1798.80-1798.84], and Recommended Practices on Notification
of Security Breach Involving Personal Information, October 10, 2003, at
[http://www.privacy.ca.gov/ recommendations/secbreach.pdf].
⁸ See State Security Breach Notification Laws, National Conference of State Legislatures
at [http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm]. As of January 9, 2007, the
following states have enacted security breach notification laws: Arizona, Arkansas,
California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois,
Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Montana, Nebraska, Nevada, New
Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma,
Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin.
See also: State PIRG Summary of State Security Freeze and Security Breach Notification
Laws, U.S. Public Interest Research Group (USPIRG) at [http://www.pirg.org/consumer/
credit/statelaws.htm#breach]. See also CRS Report RS22374, Data Security: Federal and
State Laws, by Gina Marie Stevens.
⁹ A security freeze law allows a customer to block unauthorized third parties from obtaining
his or her credit report or score. A consumer who places a security freeze on his or her
credit report or score receives a personal identification number to gain access to credit
information or to authorize the dissemination of credit information. See CRS Report
RS22484, Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills,
Tara Alexandra Rainson.
¹⁰ Peter Katel, “Identity Theft: Can Congress Give Americans Better Protection?,” CQ
Researcher, June 10, 2005.

the 100 million mark.”¹¹ The New York Times wrote an article discussing this
landmark and questioned the usefulness of computing such data breaches.
[T]he bigger picture here may be that we are now slicing and dicing the niceties
of data breaches against a running tally so large, that it has lost nearly any
meaning at all... ‘The threat of identity theft from data losses is being greatly
exaggerated,’ Fred H. Cate, the director of the Center for Applied Cybersecurity
Research at Indiana University in Bloomington, told this newspaper not long ago.
‘And that’s because a lot of people have fallen into the trap of equating data loss
with identity theft.’ Whether or not that is true is open to debate, but what all
this data loss does represent, however, is the potential for identity theft — one
that will never go away. Sure, it’s a game of odds. There is only so much a crook
can do with a few hundred thousand names and Social Security numbers. But
once they are out there, they are out there for good. Names don’t change.
Neither do Social Security numbers or dates of birth. And as long as it remains
easy enough to fashion that trifecta into a car loan, a home, a credit card, work¹²
papers, that would seem to be a bit of a long-term problem.
The Identity Theft and Assumption Deterrence Act of 1998¹³ established the
Federal Trade Commission (FTC) as the government entity charged with developing
“procedures to ... log and acknowledge the receipt of complaints by individuals,” as
well as educate and assist potential victims.¹⁴ The FTC compiles annual reports and
charts of aggregated statistics on these events, but does not identify which
corporations, organizations, or other entities have been victims of security breaches.
In February 2007, FTC issued its annual report on fraud complaints consumers have
filed with the agency. For the seventh year in a row, identity theft topped the list,
accounting for 36% of the 674,354 complaints received between January 1 and
December 31, 2006.¹⁵ Credit card fraud was the most common form of reported
identity theft, followed by phone or utilities fraud, bank fraud, and employment
fraud.
A number of federal agencies (e.g., the FTC, Department of Justice, Secret
Service, U.S. Postal Service, and Social Security Administration), state attorneys
general, and nonprofit organizations (such as the Electronic Privacy Information
Center) are involved with data privacy investigations or related consumer assistance.

¹¹ Kevin Poulsen, “Data Spills: 100 Million Served,” 27B Stroke 6, December 14, 2006, at
[http://blog.wi red.com/27bstroke6/2006/12/data_spills_100.html ].
¹² Tom Zeller, “An Ominous Milestone: 100 Million Data Leaks,” New York Times,
December 18, 2006, p. C3.
¹³ Identity Theft and Assumption Deterrence Act, as amended by P.L. 105-318, 112 Stat.

3007 (October 30, 1998), at [http://www.ftc.gov/os/statutes/itada/itadact.htm].

¹⁴ For an overview of the federal laws that could assist victims of identity theft with purging
inaccurate information from their credit records and removing unauthorized charges from
credit accounts, as well as federal laws that impose criminal penalties on those who assume
another person’s identity through the use of fraudulent identification documents, see CRS
Report RL31919, Remedies Available to Victims of Identity Theft, by Gina Marie Stevens.
(Relevant state laws are also discussed.)
¹⁵ Federal Trade Commission press release, “FTC Issues Annual List of Top Consumer
Complaints,” February 7, 2007, at [http://www.ftc.gov/opa/2007/02/topcomplaints.htm].

None of them maintain a comprehensive itemized list of data security breaches.¹⁶
However, the Privacy Rights Clearinghouse maintains a frequently updated
chronology of data breaches from February 2005 to the present.¹⁷
The United States Computer Emergency Readiness Team (US-CERT) interacts
with federal agencies, industry, the research community, state and local governments,
and others to collect reasoned and actionable cybersecurity information and to
identify emerging cybersecurity threats. US-CERT has recently begun monitoring
trends involving the acquisition of personally identifiable information (PII) by
unauthorized, malicious users. Based on the information reported in the first quarter
of FY2007, US-CERT identified the following cybersecurity trends: phishing¹⁸ made
up the bulk of security threats reported to US-CERT, accounting for almost 75% of
all incidents handled. The number of reports grew by more than 500%, with just over
16,000 reports in FY2006 Q1, compared with over 103,000 in FY2007 Q1. The
second highest category was “others,” the bulk of which generally fell into two main
areas: investigations, which were incidents found by US-CERT analysts combing
through data, and incidents involving PII, both cyber and non-cyber in nature. The
remaining 8% of incidents were spread across malware, equipment theft/loss, policy
violations, and suspicious network activity.¹⁹
Data Security Breaches in Federal Agencies
In reports to Congress since 1997, GAO has identified information security as
a government-wide high-risk issue.²⁰ In their FY2006 financial statement audit
reports, 21 out of 24 agencies indicated that they had significant weaknesses in
information security controls. As shown in reports by GAO and agency inspectors

¹⁶ For a brief discussion of federal and state data security laws, see CRS Report RS22374,
Data Security: Federal and State Laws, by Gina Marie Stevens.
¹⁷ Privacy Rights Clearinghouse, A Chronology of Data Breaches at
[http://www.privacyrights.org/ar/ChronDataBreaches.htm]. The Privacy Rights
Clearinghouse (PRC) is a nonprofit consumer organization which seeks to raise consumers’
awareness of how technology affects personal privacy, and to document privacy complaints.
The chronology “begins with ChoicePoint’s 2/15/05 announcement of its data breaches
because it was a watershed event in terms of disclosure to the affected individuals.”
¹⁸ Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking
email in an attempt to gather personal and financial information from recipients. Typically,
the messages appear to come from well-known and trustworthy websites. Websites that are
frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America
Online. (Source: SearchSecurity.com(powered by whatis.com), at
[http://searchsecurity.techtarget.com/sDefinition/ 0,290660,sid14_gci916037,00.html ].
¹⁹ US-CERT, Quarterly Trends and Analysis Report, March 1, 2007, at
[http://www.us-cert.gov/press_room/trendsandanalysisQ107.pdf]. This report summarizes
and provides analysis of incident reports submitted to US-CERT during the first quarter of
FY2007 (October 1, 2006, to December 31, 2006).
²⁰ Government Accountability Office, Information Security: Persistent Weaknesses
Highlight Need for Further Improvement, GAO-07-751T, April 19, 2007, at
[ h t t p : / / www.ga o.gov/ n ew.i t e ms / d07751t .pdf ] .

general (IG), the weaknesses persist in major categories of controls — including, for
example, access controls, which ensure that only authorized individuals can read,
alter, or delete data; and configuration management controls, which provide
assurance that only authorized software programs are implemented. “Organizations
can reduce the risks associated with intrusions and misuse if they take steps to detect
and respond to incidents before significant damage occurs, analyze the causes and
effects of incidents, and apply the lessons learned.”²¹
In February 2007, the Federal Bureau of Investigation (FBI) reported that 160
laptop computers were lost or stolen in less than four years (February 2002 to
September 2005), including at least 10 that contained sensitive or classified
information — one of which held “personal identifying information on FBI
personnel.”²² According to the report, the FBI failed to report 76% of the missing
laptops to the Justice Department as required. ²³
A number of data security breaches by federal agencies revealed many agencies
do not have adequate security controls in place²⁴ (see Table 3, below). In 2006, the
list of agencies with incidents of potentially compromised data included the
Departments of Agriculture, Defense, Energy, Veterans Affairs, and Transportation,
the Federal Trade Commission, the Internal Revenue Service, the Government
Accountability Office, the National Institutes of Health, and the Department of the
Navy. The State Department also suffered a series of hacking attacks. In FY2006,
5,146 incidents were reported to the Department of Homeland Security’s incident
response center for six categories of incidents, a substantial increase in the number
of incidents (3,600) reported the prior year, including 706 instances of unauthorized
access and 1,465 cases of malicious computer code, according to a yearly OMB²⁵
report.
[E]xperts say the federal government faces special challenges because of the
variety of sensitive information it keeps, the increasingly mobile nature of the
federal workforce and the pervasive use of contractors, which allow thousands
of individuals with varying levels of security clearance to access government
databases from remote sites. A 2004 government survey on the work practices
of 1.8 million federal workers found that more than 140,000 had clearance to
connect with government computer systems from home. The IRS says 50,000 of
its employees have laptops allowing them to access personal and business tax
information from anywhere. And 133 Education Department personnel can

²¹ Ibid., p.2.
²² U.S. Department of Justice, Office of the Inspector General, Audit Division, The Federal
Bureau of Investigation’s Control over Weapons and Laptop Computers Follow-up Audit,
Audit Report 07-18, February 2007, at [http://www.usdoj.gov/oig/reports/FBI/a0718/
final.pdf].
²³ Ibid., p. 6.
²⁴ Rebecca Adams, “Data Drip: How the Feds Handle Personal Data,” CQ Weekly, July 10,

2006, p. 1846.

²⁵ Office of Management and Budget, FY 2006 Report to Congress on Implementation of
The Federal Information Security Management Act of 2002, March 1, 2007 at
[ h t t p : / / www.whi t e house.go v/ omb/ i n f o r e g/ r e por t s / 2006_f i s ma _r epor t .pdf ] .

access more than 10,000 records containing student loan recipients’ personal²⁶
information.
In a report released in October 2006, the House Government Reform
Committee²⁷ summarized information provided to the Committee by 19 federal
departments and agencies regarding the loss or compromise of personal information
since January 2003. The report finds that every agency has experienced at least one
such breach and that the agencies do not always know what information has been lost
or how many individuals could be affected. ²⁸
In June, 2006, the Office of Management and Budget issued new security
guidelines requiring federal civilian agencies to implement new measures to protect
sensitive personal information held by federal agencies.²⁹ To comply with the new
policy, agencies will have to encrypt all data on laptop or handheld computers unless
the data are classified as “non-sensitive” by an agency’s deputy director. Agency
employees also would need two-factor authentication — a password plus a physical
device such as a key card — to reach a work database through a remote connection,³⁰
which must be automatically severed after 30 minutes of inactivity.
The President’s Identity Theft Task Force,³¹ which was established by Executive
Order on May 10, 2006,³² is now composed of 18 federal agencies and departments.
After a year of study, the Identity Theft Task Force released its final
recommendations in April 2007.³³ The recommendations include the following:
^!Reduce the unnecessary use of Social Security numbers by federal
agencies,
^!Establish national standards that require private sector entities to
safeguard the personal data they compile and maintain and to

²⁶ Zachary Goldfarb, “To Agency Insiders, Cyber Thefts And Slow Response Are No
Surprise,” Washington Post, July 18, 2006, at [http://www.washingtonpost.com/
wp-dyn/content/article/2006/07/17/AR2006071701170.html ].
²⁷ In the 110^th Congress, the House Government Reform Committee was renamed the House
Committee on Oversight and Government Reform.
²⁸ U.S. House of Representatives. Committee on Government Reform, Staff Report Agency
Data Breaches since January 1, 2003 at [http://oversight.house.gov/story.asp?ID=1127].
See also Agency response letters at House Committee on Government Reform website at
[http://oversight.house.gov/ story.asp?ID=1127].
²⁹ Office of Management and Budget Memorandum for the Heads of Departments and
Agencies, Protection of Sensitive Agency Information, June 23, 2006, at
[ h t t p : / / www.whi t e house.go v/ OMB/ me mo r a nda/ f y2006/ m06-16.pdf ] .
³⁰ Ibid.
³¹ Identity Theft Task Force website at [http://www.usdoj.gov/ittf/].
³² Executive Order 13402, “Strengthening Federal Efforts to Protect Against Identity Theft,”
May 10, 2006, at [http://www.whitehouse.gov/news/releases/2006/05/20060510-3.html].
³³ The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan,
April 2007 at [http://www.identitytheft.gov/reports/StrategicPlan.pdf].

provide notice to consumers when a breach occurs that poses a
significant risk of identity theft,
^!Implement a broad, sustained awareness campaign by federal
agencies to educate consumers, the private sector, and the public
sector on methods to deter, detect, and defend against identity theft,
and
^!Create a National Identity Theft Law Enforcement Center to allow
law enforcement agencies to coordinate their efforts and information
more efficiently, and investigate and prosecute identity thieves more
effect i v el y.³⁴
In June 2006, a group of government agencies, corporations, and universities
launched a research center dedicated to the study of identity fraud. The Center for
Identity Management and Information Protection is dedicated to furthering a national
research agenda on identity management, information sharing, and data protection.³⁵
Congress considered legislation in the 109^th Congress to address data security
following a series of high-profile data security breaches at major financial services
firms and data brokers, including ChoicePoint and LexisNexis. Multiple measures
were introduced in 2005 and 2006, and several were reported out of committee, but
none were brought to the floor. For information on proposed data security legislation
in the 110^th Congress, see CRS Report RL33273, Data Security: Federal Legislative
Approaches, by Gina Marie Stevens.
For a discussion of legislative and other issues on this topic, see
^!CRS Report RS22374, Data Security: Federal and State Laws, by
Gina Marie Stevens;
^!CRS Report RL33273, Data Security: Federal Legislative
Approaches, by Gina Marie Stevens;
^!CRS Report RS22484, Identity Theft Laws: State Penalties and
Remedies and Pending Federal Bills, by Tara Alexandra Rainson;
^!CRS Report RL33005, Information Brokers: Federal and State
Laws, by Angie A. Welborn;
^!CRS Report RL33612, Department of Veterans Affairs: Information
Security and Information Technology Management Reorganization,
by Sidath Viranga Panangala;
^!CRS Report RL31919, Remedies Available to Victims of Identity
Theft by Gina Marie Stevens; and
^!CRS Report RS22082, Identity Theft: The Internet Connection, by
Marcia S. Smith.

³⁴ Ibid.
³⁵ Center for Identity Management and Information Protection, at [http://www.utica.edu/
academic/institutes/cimi p/].

Data Security Breaches: Highlights
Tables 1 through 5 summarize selected data security or identity theft breaches
reported in the press since 2000. A few highlights compiled from the report include
the following.
^!More than half of the security breaches occurred at institutions of
higher education. (A Chronicle of Higher Education article
examines why this is so, noting that while colleges have become
better at detecting electronic break-ins, security practices,
particularly password protections, are lax.³⁶ In addition, academic
culture embraces the open exchange of information and provides a
target-rich environment for data breaches — an abundance of
computer equipment filled with sensitive data and a pool of
financially naive students.³⁷) In September 2006, Louisiana State
University (LSU), under a year-long agreement with Equifax Inc.,
provided students, faculty and staff members with free daily
monitoring of their credit reports and $2,500 in identity-theft
insurance. LSU claims this is the first agreement of its kind between
a credit agency and a higher-education institution. The university
will pay Equifax, Inc. $150,000.³⁸
^!Other prevalent targets for identity theft are financial institutions
(banks, credit card companies, securities companies, etc.), and
government agencies (international, federal, state, and local).
^!The AARP analyzed 244 publicly disclosed security breaches from
January 1, 2005 through May 26, 2006, identified by the Identity
Theft Resource Center (ITRC).³⁹ An examination of the most
frequent cause of reported security breaches reveals that a third of all
breaches were caused by hackers who broke into computer systems
to gain access to sensitive personal information. The analysis finds
that educational institutions are more likely than any other type of
entity to report having had a security breach. In fact, educational
institutions were more than twice as likely to report suffering a
breach as any other type of entity. Physical theft of computers,
computer equipment, or paper files is the next most common cause
of security breaches, followed by improper display (allowing

³⁶ Dan Carnevale, “Why Can’t Colleges Hold On to Their Data?,” Chronicle of Higher
Education, May 6, 2005, p. A35.
³⁷ Reuters, “U.S. Colleges Struggle to Combat Identity Theft,” eWeek, August 17, 2005, at
[ h t t p : / / www.f i ndar t i c l e s.com/ p/ ar t i c l e s/ mi _zdewk/ i s _200508/ ai _n14906864] .
³⁸ Andrea L. Foster, “Louisiana State U. Signs Deal to Protect Students and Employees in
Case of Data Breach,” Chronicle of Higher Education, September 13, 2006, at
[http://chronicle.com/ daily/2006/09/2006091301t.htm] .
³⁹ AARP, “Into the Breach: Security Breaches and Identity Theft,” July 2006, at
[ ht t p: / / www.aar p.or g/ r e sear ch/ f r a uds-s cams / f r a ud/ dd142_secur i t y_br each.ht ml ] .

sensitive personal information to be viewed by those who should not
have access (for example, printing of Social Security numbers on
address labels, inadvertently making sensitive personal information
accessible on Internet sites viewable by the general public, or not
properly disposing of files containing sensitive personal
information).

CRS-11
Table 1. Data Security Breaches in Businesses (2000-2007)
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^hnny^{’s Se}^l^e^c^t^e^d^Se^e^d^s^March²⁰⁰⁷^cu^s^t^om^ers^11,500^credi^t^{card i}ⁿ^f^o^rm^atⁱ^oⁿ^“^S^ecu^rity^L^o^g^,^”^C^o^m^put^er^W^o^r^l^d^,
ⁿ^s^l^ow^{, ME) -}^h^ack^{er brok}^e^March^{8, 2007.}
^w^e^b^s^ite^No^te:^{20 s}^t^ol^en^{card n}^u^m^bers
^h^a^v^e^been^u^s^{ed f}^r^au^du^len^tly
^Max^x^{date breach}^(s^{ee below}⁾^F^e^bru^a^ry²⁰⁰⁷^cu^s^t^om^ers^uⁿ^dⁱ^s^cl^os^ed^dri^v^ers^’^lⁱ^cen^s^eⁿ^u^m^bers^,^Green^em^{eir, L}^a^rry^{, “}^T^.^J^.^Max^x^P^r^obe
ⁱ^{ki/CRS-RL33199}^r^s^e^t^h^aⁿ^p^r^e^vⁱ^o^usl^y^t^h^o^ught^.^{ile th}^{e co}^m^p^an^y^p^r^ev^io^u^s^ly^na^m^e^s,^a^d^d^r^e^sse^{s w}^e^r^e^c^o^mp^r^o^mi^s^e^d^f^o^r^t^h^e^l^a^s^t^f^o^u^r^R^e^v^eals^{Data B}^r^each^W^o^rs^{e T}^h^an^O^rⁱ^gⁱⁿ^a^l^l^y^T^h^o^ught^,^”^Iⁿ^fo^rma^tioⁿ
^g/w^liev^e^d^th^{at th}^{e in}^tr^u^s^ioⁿ^to^o^k^m^oⁿ^t^h^s^of^{2003 an}^{d May}^an^d^W^eek^{, F}^e^bru^a^ry^{21, 2007 at}
^s^.or^r^om^May^{2006 to Jan}^u^a^ry^Juⁿ^e²⁰⁰⁴^[^h^t^t^p^:^/^/^www.ⁱⁿ^f^o^r^m^a^tⁱ^oⁿ^w^e^e^k^.^c^o^m^/^s^t^o
^le^ak^J^Xⁿ^o^w^belⁱ^e^v^e^sⁱ^t^s^ry^/^s^h^o^w^A^rtⁱ^c^l^e^.j^h^t^m^l^?^a^rtⁱ^c^l^e^ID⁼¹⁹⁷⁰⁰
^p^u^t^{er s}^y^s^t^em^w^a^s^h^ack^{ed in}^7754&^ci^d=R^S^S^f^eed_IWK^_N^ew^s^]^.
^://wiki^l^y^{2005 an}^{d on}^v^a^ri^ou^s
^h^ttp^bs^equ^eⁿ^t^dat^e^sⁱⁿ^2005.
^H^o^m^e^-^s^t^ol^en^com^p^u^t^er^Jan^u^a^ry²⁰⁰⁷^cu^s^t^om^ers²^,700ⁿ^a^m^e^s^,^S^S^N^s^of^peopl^{e w}^h^o^R^u^pon^{, Kris}^ty^{, “}^K^{B Hom}^e^w^a^rn^s^of
^h^a^d^vⁱ^sited^th^{e sales o}^f^fⁱ^{ce f}^o^r^I^D^th^ef^{t r}ⁱ^sk^{: Ho}^m^e^b^u^ild^er^issu^es
^Fo^xb^a^{nk P}^l^aⁿ^t^a^tⁱ^o^n,^a^ne^w^{alert to cu}^s^t^om^ers^af^{ter com}^p^u^t^{er is}
^h^o^m^e^com^m^uⁿ^ityⁱⁿ^B^e^rk^eley^s^t^olen^f^r^om^com^p^an^y^’^s^C^h^arles^t^on
^Co^unt^y^sa^le^s,^”^T^h^{e St}^at^e^(C^ol^u^m^bi^{a, S}^C^),
^Jan^u^a^ry^{18, 2007.}

CRS-12
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
ⁿ^w^id^{e Mu}^tu^{al I}ⁿ^su^r^aⁿ^{ce -}^Jan^u^a^ry²⁰⁰⁷^cu^s^t^om^ers^of^h^eal^t^h²⁸^,²⁷⁹^na^m^e^s,^SSNs,^ho^sp^ita^{l sta}^y^Babcock^,^C^h^arl^e^s^,^“^D^a^t^a^Oⁿ^28,279
^lock^box^con^t^ainⁱⁿ^gⁱⁿ^su^r^aⁿ^{ce u}ⁿ^{it, Natio}ⁿ^w^id^eⁱⁿ^f^o^r^m^atioⁿ^.^T^o^fⁱⁿ^d^th^e^Nation^w^{ide C}^u^s^t^om^ers^Stolen^,
^s^t^om^{er in}^f^o^rm^ation^back^u^p^Health^P^l^an^sⁱⁿ^f^o^r^m^atioⁿ^oⁿ^th^{e tap}^e^s^Iⁿ^fo^rma^tioⁿ^W^eek^{, Jan}^u^a^ry^{25, 2007,}
^s^t^{ored at}^s^u^bcon^t^r^act^or^requ^ires^“^a^v^e^ry^s^p^ecifⁱ^c^at
ⁿ^cen^{ta P}^r^ef^{erred Sy}^s^t^em^s^hⁱ^g^h^-^tech^{tape reader w}^ith^[^h^t^t^p^:^/^/^www.ⁱⁿ^f^o^r^m^a^tⁱ^oⁿ^w^e^e^k^.^c^o^m^/^s^t^o
^a^y^m^o^ut^h,^M^A⁾^o^ffi^c^e^m^a^tchⁱⁿ^g^so^f^t^w^a^r^e^{,” th}^{at p}^o^lice^ry^/^s^h^o^w^A^rtⁱ^c^l^e^.j^h^t^m^l^?^a^rtⁱ^c^l^e^ID⁼¹⁹⁷⁰⁰
^coⁿ^c^lu^d^e^d^w^a^{s u}ⁿ^lik^ely^to^b^e^0630&^ci^d=R^S^S^f^eed_IWK^_N^ew^s^]^.
^acces^sⁱ^{ble to th}^{e th}^iev^e^s
ⁱ^{ki/CRS-RL33199}^J^.^M^a^xx,^M^a^r^s^ha^l^l^s^,^Jan^u^a^ry²⁰⁰⁷^cu^s^t^om^ers^uⁿ^dⁱ^s^cl^os^ed^credi^t^{card, debi}^t^{card, ch}^eck^,^Vij^a^y^aⁿ^,^J^a^ik^u^m^{ar, “}^B^reach^{at T}^J^X
^g/w^m^e^G^oods^{, A}^.^{J. Wri}^g^h^t^{, an}^d^an^{d m}^e^rch^aⁿ^dⁱ^s^{e ret}^u^rn^P^u^{ts Car}^d^Iⁿ^f^o^{at Risk}^{; Netw}^o^r^k
^s^.or^sⁱ^bl^y^Bob’^s^S^t^oresⁱⁿ^U^.^S^.^&^tr^an^sactioⁿ^sⁱⁿ^tr^u^s^ioⁿ^sh^o^w^{s I}^T^secu^r^ity^{still n}^o^t
^le^ak^{erto R}ⁱ^{co — W}ⁱⁿⁿ^e^rs^an^d^u^p^to^sn^u^f^f^{at so}^m^e^r^e^tailer^s^{, d}^e^sp^ite
^e^Sen^s^{e s}^t^oresⁱⁿ^C^aⁿ^a^{da —}^pu^s^h^f^o^{r s}^t^ron^g^e^{r prot}^ectⁱ^oⁿ^s^,”
^://wiki^{d pos}^sⁱ^bl^y^T^.^K^.^Max^x^s^t^oresⁱⁿ^Co^m^p^u^t^e^r^wo^rld^{, Jan}^u^a^ry^{17, 2007.}
^h^ttp^{d Irelan}^{d -}^T^J^{X C}^o^m^p^an^ies
^{c. ex}^perien^{ced an}
ⁿ^a^u^t^h^o^rⁱ^zedⁱⁿ^tr^u^s^ioⁿ^”ⁱⁿ^to^its
^p^u^t^{er s}^y^s^t^em^s^th^{at proces}^s
^{d s}^t^{ore cu}^s^t^om^{er tran}^s^action^s
^{ia (}^p^ar^en^{t co}^m^p^an^y^o^f^P^h^illp^Jan^u^a^ry²⁰⁰⁷^pas^t^an^{d pres}^en^t^18,000ⁿ^a^m^e^s^,^S^S^N^s^,^s^a^l^a^ri^es^{, dat}^e^s^of^J^oⁿ^e^{s, Ch}^ip^{. “}^A^ltr^{ia em}^p^l^o^y^ees’^d^a^ta
^s^/^K^raf^t^F^oods^{) v}ⁱ^a^em^ploy^ees^bi^rt^h^mⁱ^ssin^g^{/ P}^e^r^s^oⁿ^{al in}^f^o^r^m^atioⁿ^w^a^{s o}ⁿ
^nsul^t^a^nt^T^o^w^e^r^s^P^e^r^rⁱⁿ⁽^N^e^w^l^a^pt^{op t}^a^k^eⁿ^f^r^om^fⁱ^rmⁱⁿ^N^e^w^Y^o^rk^,
^rk^{, N}^Y⁾^-^fⁱ^v^e^s^t^ol^en^l^a^pt^ops^no^t^e^:^em^ploy^{ee w}^a^s^arres^t^ed^{police s}^a^y^,^”^Ri^chm^{ond T}ⁱ^m^e^s^-
^an^{d ch}^arg^e^{d w}^ith^th^ef^t^Dⁱ^s^pat^ch^{, Jan}^u^a^ry^{12, 2007, p. B1.}

CRS-13
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^ein^g⁽^S^{eattle, W}^A⁾^-^lap^t^o^p^Decem^ber^cu^rren^{t an}^{d f}^o^rm^er^400,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^ph^on^e^W^a^{llace, J}^a^m^e^s^,^“^W^ork^e^{r Fired ov}^er
^f^r^om^em^ploy^ee’^s^car²⁰⁰⁶^em^ploy^eesⁿ^u^m^bers^{, dat}^e^s^of^bi^rt^h^,^s^a^l^a^ry^Lo^st^La^p^t^o^p^;^B^o^eⁱ^{ng M}^a^na^ge^r^s^t^o^B^e
ⁱⁿ^f^o^r^m^atioⁿ^R^e^pri^m^an^{ded f}^o^{r L}^eavⁱⁿ^g^Em^pl^oy^ees
^Vu^ln^erable,”^S^e^a^{ttle Po}^st-
^no^t^e^:^Boeiⁿ^g^fⁱ^{red em}^pl^oy^ee^Iⁿ^tellig^en^cer^{, Decem}^{ber 15, 2006.}
^w^h^os^{e l}^a^pt^{op w}^a^s^s^t^ol^en^an^d
^so^m^e^m^aⁿ^a^g^e^r^s^w^{ill b}^e
^dⁱ^scip^lin^ed
ⁱ^{ki/CRS-RL33199}^b^u^ck^{s (}^S^{eattle, W}^A⁾^-^f^o^u^r^No^v^e^m^b^er^cu^rren^{t an}^{d f}^o^rm^er^60,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^H^arri^s^,^C^r^ai^g^,^“^S^t^a^rbu^c^k^s^D^a^t^a
^g/w^mⁱ^s^p^{laced f}^r^om²⁰⁰⁶^em^ploy^ees^Mi^s^sⁱⁿ^g^;^C^o^m^p^an^y^S^a^y^s^L^a^pt^ops
^s^.or^arters^w^ith^Em^ploy^ees^’^R^ecords^A^r^{e L}^o^s^t^,”
^le^ak^S^e^a^{ttle Po}^st-^Iⁿ^t^ellig^en^cer^{, Nov}^e^m^b^er
^{4, 2006, p. E1.}
^://wiki^m^boree^(San^Fran^cis^c^{o, C}^A^{) -}^O^c^t^{ober 2006}^em^pl^oy^ees^20,000ⁿ^a^m^e^s^,^S^S^N^s^“^G^y^m^{boree g}^u^m^s^h^oe^hunt^{s t}^hⁱ^e^f,^”
^h^ttp^{ice in}^on^{e w}^eek^{, th}^{ree laptops}^{San Fr}^anci^s^{co C}^h^r^oni^cl^e^{, O}^c^t^{ober 27,}
^en^f^r^om^h^eadqu^art^e^rs^{2006, p. D}¹^.
^Mo^b^{ile USA}⁽^B^ellev^u^e^{, W}^A⁾^-^O^c^t^{ober 2006}^cu^rren^t^an^{d f}^o^rm^er^43,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^h^o^m^e^R^o^g^o^w^a^y^,^Mi^k^e^{, “}^T^-^M^obi^l^e^report^s
^{op di}^s^a^{ppeared f}^r^om^em^ploy^ees^ph^on^{e n}^u^m^bers^{, dat}^e^s^of^bi^rt^h^,^I^D^-t^he^ft^rⁱ^sk,^”^T^h^{e O}^r^egoni^an
^p^l^o^y^e^e^’^{s c}^h^e^c^k^e^d^l^ugga^ge^salar^yⁱⁿ^f^o^r^m^atioⁿ⁽^P^or^t^l^and)^{, O}^c^t^{ober 20, 2006.}

^{op w}^a^s^prot^ect^{ed by}
^s^w^ord)

CRS-14
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^e^{ral Electric (Frairf}ⁱ^{eld, C}^T^{) -}^S^e^pt^em^ber^cu^rren^{t an}^{d f}^o^rm^er^50,000ⁿ^a^m^e^s^,^SSNs^Aⁿ^d^ers^oⁿ^,^{Eric an}^{d R}ⁱ^ck^C^l^em^en^s^oⁿ^,
^{op s}^t^ol^en^f^r^om^l^o^ck^{ed h}^o^t^e^l²⁰⁰⁶^em^ploy^ees^“^{50,000 am}^on^g^mⁱ^s^sⁱⁿ^g^at^G^E^;
^(com^pu^t^e^{r w}^a^s^pas^s^w^ord^N^a^m^e^sⁱⁿ^s^t^ol^en^l^a^pt^{op h}^a^v^e^retⁱ^r^ee
^qu^es^tionⁱⁿ^g^com^p^an^y^’^sⁿ^{eed f}^o^r
^sen^s^itiv^{e lists,”}^Times-Un^ioⁿ
⁽^A^l^bany)^{, S}^e^pt^em^{ber 27, 2006, p. A}¹^.
^&^T^-^h^ack^ers^brok^{e in}^to^A^ugust²⁰⁰⁶^cu^s^t^om^ers^w^h^{o pu}^rch^a^s^e^d^19,000^credi^t^{card dat}^a^As^s^o^{ciated Pr}^es^s^{, “}^H^ack^ers^Gain^Data
ⁱ^{ki/CRS-RL33199}^p^u^t^{er s}^y^s^t^em^DSL^equⁱ^pm^en^{t f}^r^om^A^T^&^T^on^lⁱⁿ^{e s}^t^ore^on^A^T^&^T^S^h^oppers^,”^Ne^w^Yo^rkTimes.co^m^,^A^ugust³⁰^,^2006.
^g/w
^s^.or^to^m^a^ted^{Data P}^r^o^cessin^g^Ju^l^y²⁰⁰⁶ⁱⁿ^di^vⁱ^du^alⁱⁿ^v^e^s^t^ors^wⁱ^t^h^hund^r^e^d^s^o^f^na^m^e^s,^a^d^d^r^e^sse^s,^num^b^e^r^o^f^S^p^an^g^l^{er, T}^{odd, “}^A^D^P^D^u^{ped i}ⁿ^t^o
^le^ak^DP^{) (R}^os^el^an^{d, NJ) -}^“^aⁿ^{60 com}^p^an^iesⁱⁿ^clu^dⁱⁿ^g^th^o^u^san^d^s^sha^r^e^s^he^l^d^o^fⁱ^nve^st^o^r^s^Disclo^sin^g^Data,”B^a^selin^eMag^.co^m^,
^ut^ho^rⁱ^z^e^d^p^a^r^t^yⁱ^m^p^e^r^s^oⁿ^a^t^e^d^Fid^e^lity^{, UB}^{S, Mo}^r^g^an^Ju^l^y^{10, 2006, at}
^://wiki^fⁱ^cer^{s” to}^o^b^t^ainⁱⁿ^f^o^r^m^atioⁿ^oⁿ^Stan^ley^{, B}^{ear Stearn}^s^,^[^h^t^t^p^:^/^/^www.^b^a^s^e^lⁱⁿ^e^m^a^g^.^c^o^m^/^a^r^tⁱ^c^l^e²
^h^ttp^st^o^r^s^Citig^r^o^u^p^{, Mer}^r^{ill L}^yⁿ^c^h^/⁰^{,1540,1986655,00.as}^p].
ⁱ^s^{er H}^M^O^-^s^t^ol^en^l^a^pt^op^Ju^l^y²⁰⁰⁶^H^M^O^s^u^bs^cri^b^ers^t^o^160,000ⁿ^a^m^e^s^,^ph^on^{e n}^u^m^bers^{, K}^aⁱ^s^er^Singe^l,^Ry^aⁿ^,^“^K^aⁱ^se^r^J^o^{ins L}^o^st
^Kais^{er h}^ealth^plan^num^b^e^r^s^L^a^pt^{op C}^r^ow^d,”^Iⁿ^fo^S^ecu^rity^{, J}^u^ly^30,
^{2006, at}
^[^h^ttp^://in^f^o^secu^r^ity^.u^s/m^a^m^b^o^//coⁿ^ten^t
^/^vⁱ^e^w^/^90/^49/^].
^{S. Stars}⁽ⁱⁿ^s^u^r^an^{ce con}^t^{ractor) -}^Ju^l^y²⁰⁰⁶ⁱⁿ^j^u^{red N}^e^w^Y^o^rk^s^t^at^e^540,000^S^S^N^s^,ⁿ^a^m^e^s^,^addres^s^e^s^Hⁱⁿ^es^{, Mat}^t^,^“^Iⁿ^s^u^r^an^{ce C}^o^m^p^an^y
^t^com^p^u^t^{er con}^t^ainⁱⁿ^g^w^o^r^k^er^{s (}^c^laimⁱⁿ^g^L^o^s^e^s^{540,000 N}^.^Y^Em^pl^oy^ee
^rk^ers^’^records^c^o^m^p^eⁿ^sa^tⁱ^o^{n fund}^s)^R^ecords^,^{” eWeek}^{, Ju}^l^y^{26, 2006, at}
^[^h^t^t^p^:^/^/^www.^e^w^e^e^k^.^c^o^m^/^a^r^tⁱ^c^l^e²^/⁰^,¹⁸
^{95,1994416,00.as}^p].

CRS-15
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
ⁿ^a^{l A}^sso^ciatioⁿ^o^f^J^u^ly²⁰⁰⁶^s^ecu^rities^dealers^w^h^o⁷³^{SSNs o}^f^secu^r^{ities d}^ealer^{s, p}^l^u^s^J^a^mⁱ^e^s^oⁿ^,^D^a^n,^“Rul^e^Li^ke^l^y^oⁿ
^r^{ities Dealer}^{s (}^N^A^S^D)^-^w^e^{re th}^{e s}^u^bj^{ect of}ⁱⁿ^activ^{e accou}ⁿ^tⁿ^u^m^bers^of^Notif^ication^of^{Data B}^r^each^es^{, Som}^e
^a^t^oⁿ^,^F^L^{) -}^{10 s}^t^ol^enⁱⁿ^v^e^stig^atioⁿ^sⁱⁿ^v^o^lvⁱⁿ^g^abou^t^{1,000 con}^s^u^m^ers^S^a^y^;^T^h^ef^t^of^N^A^S^D^L^a^pt^ops^R^aⁱ^s^es
^ops^pos^sⁱ^bl^{e m}ⁱ^s^c^on^du^ct^.^Qu^estioⁿ^s^ab^o^u^{t Reg}^u^l^ato^r^s’
^s^ecu^rity^,”^Inves^{tment N}^e^w^s^{, J}^u^ly^10,
^{2006, p. 2.}
^erican^R^e^{d C}^r^os^s^,^Farm^ers^Ju^l^y²⁰⁰⁶^regⁱ^on^al^bl^{ood don}^ors⁸^,000ⁿ^a^m^e^s^,^S^S^N^s^,^bi^rt^h^dat^e^s^,^Sch^r^{eier, L}^a^u^r^{a, “}^D^on^{or Data Stolen}
ⁱ^{ki/CRS-RL33199}^an^ch^(Dallas^,^T^X^{) -}^{3 s}^t^olen^ops^m^e^dⁱ^{cal in}^f^o^r^m^atioⁿ^{at L}^o^{cal R}^e^{d C}^r^os^s^Ex^clu^s^iv^{e: 3}^L^a^ptops^f^r^om^Farm^ers^B^r^an^ch^Of^fⁱ^ce
^g/w^{Held En}^cry^p^{ted R}^ecords^,^”^Da^lla^s
^s^.or^M^o^rⁿⁱ^{ng N}^e^w^s^{, Ju}^l^y^{1, 2006, p. 1A}^.
^le^ak
^s^y^s^G^r^ou^{p In}^c.(R^os^el^an^{d, N}^J^{) -}^Ju^l^y²⁰⁰⁶^h^e^dg^{e f}^uⁿ^d^don^ors^61,000^S^S^N^s^of^{35,000 i}ⁿ^di^vⁱ^du^al^s^C^l^aⁱ^r^{, C}^h^ri^s^,^“^Bⁱ^s^y^s^Dⁱ^s^c^l^o^s^e^s^D^a^t^a
^://wiki^ploy^ee’^s^tru^c^k^carryⁱⁿ^g^T^h^ef^t,”^H^e^dgeW^o^r^l^{d D}^aⁱ^l^y^N^e^w^s^{, J}^u^ly
^h^ttp^c^kup^ta^p^e^{s w}^a^{s sto}^l^eⁿ^{6, 2006 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.
^er^ican^Iⁿ^terⁿ^atioⁿ^a^{l Gr}^o^u^p^Juⁿ^e²⁰⁰⁶^em^pl^oy^ees^of^v^a^ri^ou^s^970,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^Sm^ith^{, Ellio}^{t B}^l^air^,^“^A^I^G^{: P}^e^r^s^oⁿ^al
^IG)-^bu^rg^l^a^ry^of^{a f}ⁱ^l^e^s^e^rv^er^com^p^an^ies^w^h^os^e^m^e^dⁱ^{cal in}^f^o^r^m^atioⁿ^D^a^t^a^on^{970,000 L}^o^s^tⁱⁿ^Bu^rg^l^a^ry^;
ⁱⁿ^su^r^aⁿ^{ce in}^f^o^r^m^atioⁿ^w^a^s^Iⁿ^su^r^e^r^{Has Yet to}^A^l^er^{t T}^h^o^s^e
^su^b^m^itted^to^A^I^G^A^f^f^{ected by}^March^{31 B}^r^eak^-ⁱⁿ^,^”^US^A
^T^oday^{, Ju}ⁿ^e^{19, 2006, p. 5B.}
^nst^{& Y}^o^{ung- st}^o^l^eⁿ^l^a^p^t^o^p^J^une²⁰⁰⁶^Hotels^.com^cu^s^t^om^ers^243,000ⁿ^a^m^e^s^,^{credit card n}^u^m^bers^R^e^illy^{, Dav}ⁱ^{d, “}^H^otels^.^com^C^r^edit-
^C^a^{rd D}^a^t^a^L^o^s^tⁱⁿ^S^t^ol^en^L^a^pt^op
^Co^m^p^ute^r^,^”^W^a^l^l^St^r^eet^Jour^nal^,^J^une
^{2, 2006, p. A}^14.

CRS-16
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
ⁱ^oⁿ^Paci^fⁱ^c-^s^t^ol^en^l^a^pt^op^Juⁿ^e²⁰⁰⁶^em^pl^oy^ees^of^t^h^{e rai}^l^r^oad^30,000^pers^on^al^dat^a^Vⁱ^j^a^y^aⁿ^,^Jai^k^u^m^{ar an}^{d T}^{odd Wei}^s^s^,
^com^p^an^y^“^F^lu^rry^of^New^{Data B}^r^each^es
^Dⁱ^s^c^l^o^s^e^{d,” C}^o^m^p^u^t^erw^o^rl^{d, Ju}ⁿ^e^19,
^{2006 at}
^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^a^c^tⁱ
^oⁿ^/ar^ticle.d^o^?^co^m^m^aⁿ^d^=v^iew^A^r^ticleB
^asⁱ^c^&^a^rtⁱ^c^l^e^Id=9001282].
ⁱ^{ki/CRS-RL33199}^s^s^-^Sⁱ^m^m^oⁿ^s^-^{data breach}^A^p^{ril 2006}^cu^s^t^om^ers^uⁿ^d^is^clos^ed^{credit card n}^u^m^bers^{, f}ⁱⁿ^aⁿ^c^ialⁱⁿ^f^o^rm^atⁱ^oⁿ^,^ot^h^e^{r pers}^on^al^“^R^os^s^-^Sim^oⁿ^s^Say^s^Secu^rity^B^r^each^Ex^pos^es^C^u^s^t^om^ers^,^{” C}^o^m^p^u^t^erw^o^rld,
^g/wⁱⁿ^f^o^r^m^atioⁿ^A^p^ri^l^{12, 2006, at}
^s^.or^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^s^e^c^u
^le^ak^ri^t^y^t^opi^cs^/^s^ecu^ri^t^y^/^s^t^o^ry^/⁰^,10801,1104
^25,00.h^t^m^l^?^s^ou^rce=x^3888].
^://wiki
^h^ttp^ay^-^h^ack^ers^h^a^rv^es^tin^g^an^d^March²⁰⁰⁶^cu^s^t^om^ers^uⁿ^d^is^clos^ed^accouⁿ^tⁱⁿ^f^o^rm^ation^N^{iccolai, Jam}^e^s^,^“^R^u^s^sⁱ^an^{Web S}^ite
^g^u^s^erⁱⁿ^f^o^r^m^atioⁿ^Of^f^e^{red eB}^ay^A^ccouⁿ^t^In^f^o^f^o^{r $5,”}
^C^o^m^p^u^t^erw^o^rl^{d, March}^{24, 2006, at}
^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^s^e^c^u
^r^ity^to^pⁱ^cs/secu^r^ity^/cy^b^er^cr^im^e/sto^r^y^/⁰^,
^{10801,109881,00.h}^t^m^l^].
^{itte &}^T^o^u^c^h^e^-^uⁿ^eⁿ^c^r^y^p^t^ed^F^e^bru^a^ry²⁰⁰⁶^al^l^U^.^S^.^an^{d C}^aⁿ^a^di^an^9,200ⁿ^a^m^e^s^,^S^S^N^s^,^McA^f^{ee s}^t^ock^Ku^r^u^v^{ila, Matth}^{ai C., “}^S^ecu^r^ity
^l^e^f^t^on^{a pl}^an^e^em^ploy^ees^of^McA^f^ee^ho^l^dⁱ^ngs^Gian^t’^{s Data L}^o^st,”^S^ilicoⁿ^Va^lley^,
^S^o^f^t^w^a^{re h}ⁱ^{red bef}^o^re^F^e^bru^a^ry^{24, 2006.}

^A^p^ri^l²⁰⁰⁵

CRS-17
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^{tis Reso}^r^t^-^th^ef^{t f}^r^o^m^th^e^Jan^u^a^ry²⁰⁰⁶^cu^s^t^om^ers^55,000ⁿ^a^m^e^s^,^addres^s^e^s^,^credi^t^card^“^I^D^s^of^{50,000 Bah}^a^m^a^s^R^e^s^o^rt
^tel’^{s d}^a^tab^a^se^d^e^{tails, SSNs, d}^r^iv^er^’^s^licen^se^Gu^es^ts^Stolen^{,” C}^N^{et New}^s^{, J}^aⁿ^u^a^ry
ⁿ^u^m^bers^{, ban}^k^accouⁿ^t^data^{10, 2006.}
^idan^{ce Sof}^t^w^a^re-^h^ack^er^Decem^ber^s^ecu^rity^res^earch^ers^an^d^3,800^{credit card n}^u^m^bers^Krebs^,^B^r^ian^,^“^H^ack^ers^B^r^eak^In^to
²⁰⁰⁵^law^en^f^o^rcem^en^{t ag}^en^cies^C^o^m^p^u^t^er-^S^ecu^rity^Firm^’^s^C^u^s^t^om^er
^wo^r^l^d^wⁱ^d^e^Datab^a^se,”^W^a^s^hⁱ^ngt^{on Pos}^t
^Decem^{ber 19, 2005, p. D5.}
ⁱ^{ki/CRS-RL33199}^m’^s^C^l^u^b^-^“^c^a^r^d^-^s^kⁱ^mmiⁿ^g^”^Decem^ber^c^u^st^o^m^e^r^{s w}^h^o^b^o^ught⁶⁰⁰^{credit card in}^f^o^rm^ation^V^ij^ay^an^{, J}^a^ik^u^m^{ar, “}^C^{ard Sk}^im^m^e^rs
^g/wⁱ^ces²⁰⁰⁵^f^u^{el at its g}^a^{s statio}ⁿ^s^Ey^edⁱⁿ^Sam^’^{s Clu}^b^{Data T}^h^ef^t,”
^s^.or^bet^w^een^S^e^pt^em^{ber 21 an}^d^C^o^m^p^u^t^erw^o^{rld, Decem}^{ber 14, 2005,}
^le^ak^O^c^t^{ober 2.}^at
^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^d^a^t^a
^://wiki^bas^e^t^opi^cs^/^d^at^a/^s^t^ory^/^{0,10801,107067}
^h^ttp^,00.h^t^m^l^].
^r^io^{tt Vacatio}ⁿ^Clu^b^Decem^ber^cu^s^t^om^ers^an^{d em}^pl^oy^ees^206,000^addres^s^e^s^an^{d credi}^t^card^“^M^ar^rⁱ^o^{tt Vacatio}ⁿ^Clu^b^r^e^p^o^r^ts
^terⁿ^atioⁿ^a^l-^mⁱ^ssin^g^d^a^{ta tap}^e^s²⁰⁰⁵ⁱⁿ^f^o^r^m^atioⁿ^mⁱ^s^sⁱⁿ^g^dat^a^t^a^pes^,^{” C}^o^m^p^u^t^erw^o^rl^d,
^Decem^{ber 26, 2005, at}
^[^h^ttp^://co^m^p^u^ter^w^o^r^ld^.co^m^/secu^r^ity^to
^pi^cs^/^s^ecu^ri^t^y^/^s^t^o^ry^/⁰^{,10801,107366,00}
^.h^t^m^l^?^S^K^C⁼^s^ecu^ri^t^y^-^107366].
^o^m^p^an^y^-^s^t^olen^Decem^ber^cu^rren^{t an}^{d f}^o^rm^{er Ford}^70,000ⁿ^a^m^e^s^an^{d SSNs}^“^T^ech^C^r^im^{e Gets}^P^e^rs^on^{al at Ford,”}
^p^u^t^er²⁰⁰⁵^em^ploy^ees^C^{NN Mon}^e^y^,^Decem^{ber 22, 2005, at}
^[h^ttp://m^on^ey^.cnⁿ^.^com^/^2005/12/22/n^e
^w^s^/^f^ort^uⁿ^e^500/^f^o^rd_t^h^e^f^t^/^]^.

CRS-18
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^f^e^w^a^y^-^com^p^an^y^l^a^pt^{op s}^t^ol^en^No^v^e^m^b^er^em^pl^oy^ees^1,200ⁿ^a^m^e^s^,^S^S^N^s^,^hⁱ^{re dat}^e^s^an^d^A^k^k^a^{d, Dan}ⁱ^{a, “}^S^af^ew^ay^Dis^c^los^e^s
^m^m^a^na^ge^r^’^{s ho}^m^e²⁰⁰⁵^w^o^r^k^lo^catioⁿ^s^Secu^rity^B^r^each^,”^M^ont^er^{ey C}^ount^y
^Hera^ld^{, N}^o^v^e^m^b^{er 5, 2005 (n}^{o pag}^e
^gi^veⁿ⁾^.
^ein^g^-^th^ef^{t of}^com^p^an^y^No^v^e^m^b^er^cu^rren^{t an}^{d f}^o^rm^{er B}^o^ein^g^161,000ⁿ^a^m^e^s^,^S^o^ci^al^S^ecu^ri^t^yⁿ^u^m^bers^Bow^e^rm^as^t^e^{r, Dav}ⁱ^{d an}^{d Dom}ⁱⁿⁱ^c
^p^u^t^er²⁰⁰⁵^wo^r^k^e^r^s⁽^SSNs)^,^so^m^e^bⁱ^r^t^{h d}^a^te^{s a}ⁿ^d^Gates^an^{d Melis}^s^a^A^llis^on^{, “}^161,000
^b^a^nki^{ng i}ⁿ^fo^r^m^a^tⁱ^o^{n fo}^r^Work^ers^’^Pers^on^al^D^a^t^a^on^PC^S^t^ol^en
ⁱ^{ki/CRS-RL33199}^em^ploy^ees^w^h^{o elected to u}^s^e^di^rect^deposⁱ^t^of^pay^r^ol^l^f^r^om^B^o^ein^g^,^”^S^e^a^{ttle Times}^,^N^o^v^e^m^b^{er 19, 2005, p. A}¹^.
^g/w
^s^.or^t^m^aⁿ^K^odak^-^l^a^pt^{op s}^t^ol^en^Juⁿ^e²⁰⁰⁵^f^o^rm^{er Eas}^t^m^aⁿ^K^odak^5,800ⁿ^a^m^e^s^,^{Social Secu}^rity^D^a^vⁱ^{a, Joy}^,^“^K^odak^Warn^s^of^D^a^t^a
^le^ak^{a con}^s^u^ltan^t^’^s^lock^{ed car}^wo^r^k^e^r^sⁿ^u^m^bers^{, bi}^rt^h^dat^e^s^an^d^T^h^ef^t,”^Roches^ter^Democr^{at and}
^b^eⁿ^e^f^{its in}^f^o^r^m^atioⁿ^C^h^r^{onicle (}^N^ew^Yor^k⁾^,^Juⁿ^e^{22, 2005,}
^://wiki^{p. 8D}^.
^h^ttp
^m^e^Warn^{er -}^l^o^s^s^of⁴⁰^May²⁰⁰⁵^cu^rren^t^an^{d f}^o^rm^er^600,000ⁿ^a^m^e^s^,^S^S^N^s^Z^el^l^e^{r, T}^o^m^,^“^Tⁱ^m^{e Warn}^{er S}^a^y^s^D^a^t^a
^p^u^t^{er back}^u^p^tapes^em^ploy^ees^{, s}^o^m^e^of^th^eir^on^Em^pl^oy^ees^Is^L^o^s^t^,”^Ne^{w Yo}^rk
ⁿ^t^ainⁱⁿ^g^sen^s^itiv^{e d}^a^{ta w}^h^ile^depen^d^en^t^s^an^d^Times^{, May}^{3, 2005, p. C}⁴^.
ⁿ^g^s^hⁱ^{pped by}^Iron^Mouⁿ^t^aiⁿ^ben^e^fⁱ^ciaries^,^an^d
^of^f^s^{ite s}^t^orag^{e cen}^terⁱⁿ^di^vⁱ^du^al^s^w^h^{o prov}ⁱ^d^ed
^s^e^rv^ices^f^o^{r th}^{e com}^p^an^y
^{I -}^l^a^pt^{op s}^t^ol^en^f^r^om^{a car}^May²⁰⁰⁵^cu^rren^t^an^{d f}^o^rm^er^16,500ⁿ^a^m^e^s^an^{d S}^S^N^s^Y^o^ung,^Sha^w^n,^“M^CI^Re^p^o^r^t^s^Lo^ss
^a^s^park^{ed in}^th^{e g}^a^rag^e^at^em^ploy^ees^Of^Em^p^l^o^y^{ee Data On}^Sto^l^en
^ho^m^e^o^f^a^M^C^I^fi^na^ncⁱ^a^l^L^a^pt^op,”^W^a^l^l^St^r^eet^Jour^nal^{, May}
^aly^s^t^{23, 2005, p. A}²^.

CRS-19
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^{XIS/NEXIS -}ⁱⁿ^tru^d^{ers u}^s^ed^March²⁰⁰⁵^cu^s^t^om^ers^32,000^na^m^e^s,^a^d^d^r^e^sse^s,^p^a^ssw^o^r^d^s^,^El-^R^as^hⁱ^{di, Yas}^mⁱⁿ^{e, “}^L^ex^is^Nexⁱ^s
^ssw^o^r^d^s^o^f^leg^itim^ate^(s^u^b^s^e^qu^en^t^SSNs,^d^r^ive^r^{s lic}^eⁿ^se^R^e^ports^{Data B}^r^each^{; P}^e^rs^on^al
^s^t^om^ers^{to g}^e^{t acces}^s^{to a}ⁱⁿ^v^e^stig^atioⁿ^R^ecords^A^r^{e Hack}^{ed as}^C^oⁿ^cern^s
^{t d}^a^tab^a^{se called}^A^ccu^rⁱⁿ^t^,^rev^eals^th^{e actu}^a^l^A^b^o^u^{t Secu}^r^ity^an^d^I^d^en^tity^T^h^ef^t
^ich^{sells r}^e^p^o^r^{ts to}^num^b^e^rⁱ^s^Iⁿ^ten^s^if^y^,^”^W^a^l^l^St^r^eet^Jour^nal^,
^-^en^f^o^rcem^en^{t ag}^en^cies^an^d^310,000)^March^{10, 2005, p. A}³^;^an^d
^sine^sse^s.^L^a^te^r^aⁿ^a^l^y^s^is
^ter^mⁱⁿ^ed^th^{at its d}^a^tab^a^{ses h}^a^d^Kr^im^{, J}^oⁿ^a^th^an^{, “}^L^ex^isNexⁱ^{s Data}
ⁱ^{ki/CRS-RL33199}^f^r^au^du^len^tly^breach^{ed 59}^es^u^sⁱⁿ^g^s^t^ol^en^pas^s^w^ords^.^B^r^each^Bⁱ^g^g^e^{r T}^h^an^Es^tim^ated:^{310,000 C}^oⁿ^s^u^m^ers^May^Be
^g/w^A^f^f^{ected, Firm}^Say^s^,”^W^a^s^hⁱ^ngt^on
^s^.or^Pos^t^{, A}^p^ri^l^{13, 2005, p. E1.}
^le^ak
^{W S}^h^oe^Wa^re^h^o^u^s^e^s^t^ore^-^March²⁰⁰⁵^cu^s^t^om^ers^of^{103 of}^t^h^eⁱⁿ^itially^{credit card in}^f^o^rm^ation^As^s^o^{ciated Pr}^es^s^{, “}^D^{SW ID T}^h^ef^t
^://wiki^o^rm^ation^s^t^olen^f^r^om^com^p^u^t^er^ch^aiⁿ^’^s^{175 s}^t^ores^“hund^r^e^d^s^o^f^May^A^f^f^ect^O^v^{er 100,000,”}^C^hⁱ^c^ago
^h^ttp^a^bas^e^ov^{er 3-}^m^oⁿ^t^h^peri^od^tho^u^sa^nd^s,^”^theⁿ^T^rⁱ^bune,^March^{11, 2005, p. 4;}^an^d
^r^a^ised^to¹^.⁴
^m^illioⁿ^“^F^ir^m^{Raises Data T}^h^ef^{t Co}^uⁿ^t^,”
^W^a^s^hⁱ^ngt^{on Pos}^t^{, A}^p^ri^l^{19, 2005, p.}
^E2.
^Mo^b^{ile -}^h^ack^erⁱⁿ^tr^u^s^ioⁿⁱⁿ^to^F^e^bru^a^ry²⁰⁰⁵^T^-^Mobi^l^e^cu^s^t^om^ers⁴⁰⁰^cu^s^t^om^{er records}^,^pas^s^w^ords^,^P^o^ul^se^n,^K^e^vi^n,^“K^no^wⁿ^H^o^l^e^Aⁱ^d^e^d
^p^an^y^databas^e^SSNs^,^priv^{ate e-}^m^a^{il an}^d^T^-^{Mobile B}^r^each^,”Wⁱ^{red New}^s^,
^can^di^{d cel}^ebri^t^y^ph^ot^os^F^e^bru^a^ry^{28, 2005, at}
^[^h^t^t^p^:^/^/^www.^wi^r^e^d^.^c^o^m/ⁿ^e^ws^/^p^rⁱ^v^a^c^y^/
^no^t^e^{: d}^a^{ta o}^f^f^e^r^e^d^f^o^r^{sale v}ⁱ^a^{0,1848,66735,00.h}^t^m^l^].

^oⁿ^lin^{e f}^o^r^u^m

CRS-20
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^to^r^o^{la -}^T^h^iev^e^{s b}^r^o^k^{e in}^to^th^e^Juⁿ^e²⁰⁰⁵^Mot^o^rol^a^em^pl^oy^ees^{34,000 i}ⁿ^U^.^S^.^S^S^N^s^an^{d pers}^on^alⁱⁿ^f^o^rm^atⁱ^oⁿ^“^T^w^{o C}^o^m^p^u^t^ers^S^t^ol^en^wⁱ^t^h
^fⁱ^{ces o}^f^A^f^f^iliated^Co^m^p^u^t^er^Mo^to^r^o^{la Staf}^f^{Data,” Reu}^t^er^{s, J}^uⁿ^e
^ices^(A^C^S^{), a prov}^{ider of}^{10, 2005.}
^m^an^res^o^u^r^ces^s^e^rv^ices^{, an}^d
^{o com}^p^u^t^ers
^oiceP^oin^t^-^crimⁱⁿ^als^u^s^{ed f}^a^k^e^F^e^bru^a^ry²⁰⁰⁵^con^s^u^m^ers^30,000-^{35,000 i}ⁿ^na^m^e^s,^a^d^d^r^e^sse^s,^SSNs,^c^r^e^d^it^P^e^{rez, Ev}^an^{, “}^C^h^o^iceP^oin^t^Is^P^r^es^s^e^d
ⁱ^{ki/CRS-RL33199}^m^en^t^a^tⁱ^oⁿ^t^o^open⁵⁰^du^len^t^accouⁿ^t^s^{to acces}^s^Calif^o^rⁿⁱ^a;^145,000^report^s^{to Ex}^plain^Databas^e^B^r^each^,”^Wa^l^l^St^r^eet^Jour^nal^,^F^e^bru^a^ry^{5, 2005, p.}
^g/w^nsum^e^r^d^a^t^aⁿ^a^tioⁿ^w^id^e^A6^.
^s^.or
^le^ak^f^iliated^Co^m^p^u^t^er^Ser^v^{ices -}^O^c^t^{ober 2004}^couⁿ^t^y^em^pl^oy^ees⁹⁰⁰ⁿ^a^m^e^s^,^bi^rt^h^dat^e^s^,^S^S^N^s^,^ban^k^W^h^aley^{, Mon}^t^{e, “}^F^B^I^on^W^e^ld
^a^{te h}^ack^edⁱⁿ^to^co^uⁿ^t^y^accouⁿ^t^rou^tin^gⁿ^u^m^bers^an^d^ID-^T^h^e^f^t^C^a^s^e^Feds^{to A}ⁿ^aly^{ze Data}
^://wiki^a^bas^e^ch^eckⁱⁿ^g^accouⁿ^tⁿ^u^m^bers^f^r^om^C^e^l^l^of^In^m^a^t^e^Wh^{o H}^ack^ed
^h^ttp^Co^m^p^ute^r^,^”^Denver^Pos^t^,^Nov^e^m^b^er
^{11, 2004, p. B1.}
^w^e^’^s^(h^om^{e i}^m^prov^em^en^t^Juⁿ^e²⁰⁰⁴^cu^s^t^om^ers^unkno^wⁿ^skim^m^e^d^cr^ed^{it acco}^unt^R^oberts^,^P^a^u^l^{, “}^W^ireles^s^Hack^er
^h^ack^{er u}^s^{ed v}^u^lⁿ^e^rableⁱⁿ^f^o^r^m^atioⁿ^f^o^r^ev^er^y^P^l^ead^{s Gu}^ilty^{: Man}^A^d^m^{its Usin}^g
^r^e^{less n}^e^tw^o^r^k^to^attem^p^{t to}^tran^s^action^proces^s^e^{d at a}^Sto^r^e’^{s W}ⁱ^r^e^{less Netw}^o^r^k^to^Steal
^f^o^partⁱ^c^u^l^{ar L}^o^w^e^’^s^s^t^ore^C^r^edi^t^C^a^{rd In}^f^o^{,” P}^C^Worl^d^,^J^une⁷^,
^{2004, at}
^[^h^ttp^://m^sn^.p^cw^o^r^ld^.co^m^/n^ew^s/ar^ticle/
^0,ai^{d,116411,00.as}^p].

CRS-21
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^ay^-^h^ack^ers^trick^e^{d on}^lin^e^March²⁰⁰⁴^s^e^v^e^ral^eBay^m^e^rch^aⁿ^t^s^c^om^pan^y^di^d^cu^s^t^om^{er n}^a^m^e^s^,^e-^m^a^il^Kirby^,^C^a^{rrie, “}^N^ew^Scam^T^h^{reat at}
^r^c^ha^nt^{s w}^h^o^use^d^t^h^e^P^a^y^P^a^lⁿ^o^{t d}ⁱ^sclo^se^a^d^d^r^e^sse^s,^ho^m^e^a^d^d^r^e^sse^{s a}ⁿ^d^eB^ay^{/ Hack}^ers^Obtain^{ed In}^f^o^rm^ation
^y^m^eⁿ^{t p}^r^o^c^e^{ssing sy}^ste^m^into^tr^an^sactioⁿ^s^on^S^o^m^e^C^u^s^t^om^ers^,^”^{San Fr}^anci^s^co
^l^o^si^{ng t}^h^eⁱ^r^use^r^na^m^e^{s a}ⁿ^d^C^h^r^onicle,^March^{16, 2004, p. C}¹^.
^s^w^ords^{, t}^h^en^l^o^g^g^e^{d on}^t^o^t^h^e
^rch^aⁿ^t^s^’^accouⁿ^t^s
^k^o^’^s^-^h^ack^{er in}^s^t^{alled a k}^e^y^No^v^e^m^b^er^C^u^s^t^om^ers^{at In}^tern^et⁴⁵⁰^S^S^N^s^,ⁿ^a^m^e^s^,^pas^s^w^ords^{, credi}^t^{Napoli, L}ⁱ^s^a^{, “}^A^Hack^{er Mas}^t^ers
ⁱ^{ki/CRS-RL33199}^g^e^{r to record ev}^ery^ch^aracter^{13 K}ⁱⁿ^k^o^’^s^com^p^u^t^ers²⁰⁰³^ter^mⁱⁿ^{als at 1}³^Kin^k^o^’^s^copy^s^h^opsⁱⁿ^Man^h^a^t^t^aⁿ^cards^{, ban}^k^accouⁿ^t^data^Key^s^tr^o^k^{e T}^h^ef^{t: P}^e^r^s^oⁿ^{al Data}^S^t^ol^en^f^r^om^{450 V}ⁱ^ctⁱ^m^s^,^”
^g/w^no^t^e^:^d^a^ta^w^a^{s so}^ld^Int^e^r^natⁱ^onal^H^e^r^a^l^d^T^rⁱ^bune,^A^ugust
^s^.or^{9, 2003, p. 1.}
^le^ak
^xi^o^m⁽^m^a^r^ke^tⁱ^{ng c}^o^m^p^aⁿ^y⁾^-^A^ugust²⁰⁰³^clⁱ^eⁿ^t^sⁱⁿ^cl^u^d^{e 14 of}^t^h^e^10%^of^clⁱ^eⁿ^t^el^e^pas^s^w^ords^{, pers}^on^al^{, f}ⁱⁿ^aⁿ^cⁱ^a^l^,^L^{ee, W}^.^A^.^“^H^ack^{er B}^r^each^es^A^c^xⁱ^om
^://wiki^{er dow}ⁿ^l^{oaded dat}^a^{top 15 credit card}⁽ⁿ^o^to^{tal n}^u^m^b^e^r^an^{d com}^p^an^yⁱⁿ^f^o^rm^ation^Data,”^Am^erⁱ^c^{an Banker}^,^A^ugust¹¹^,
^h^ttp^com^p^anⁱ^e^s^,^{5 of}^t^h^{e t}^{op 6}^gi^veⁿ⁾^{2003, p. 5.}
^r^e^{tail b}^aⁿ^k^s^{, I}^B^M,
^Mi^cros^of^t^,^an^{d f}^e^deral
^go^ve^rⁿ^m^e^nt
^{V -}^h^ack^{er s}^t^{ole trade}^A^p^ri^l²⁰⁰³^Dⁱ^recT^V^s^u^bs^cri^b^ers^50,000^d^e^{tails ab}^o^u^{t th}^{e d}^e^sigⁿ^an^d^“^U^{. o}^f^{C. Stu}^d^en^{t P}^l^ead^{s Gu}^ilty^to
^f^o^{r acces}^s^card^cu^s^t^om^ers^u^s^ed^arch^itectu^r^{e of}^DirecT^V’^s^T^h^ef^{t of}^{Direc T}^V^C^a^{rd Data ; T}^r^ade
^couⁿ^t^erf^e^it^“^P^eri^{od 4” cards}^Secrets^En^{ded u}^p^on^Hack^{er Site,}
^acces^s^cards^to^En^ablin^g^{Free A}^cces^s^,^”^C^hⁱ^c^{ago Sun-}
^wa^t^c^h^no^t^e^{: d}^a^{ta w}^a^{s so}^ld^Times^{, A}^p^ri^l^{30, 2003, p. 16.}

^prog^ram^mⁱⁿ^g
^w^ith^o^u^{t p}^a^yⁱⁿ^g

CRS-22
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^I^h^e^lp^-^d^esk^w^o^r^k^er^so^ld^clien^t^No^v^e^m^b^er^{credit reportin}^g^bu^reau^{15,000 (Wi}^r^ed^na^m^e^s,^a^d^d^r^e^sse^s,^SSNs,^c^r^e^d^it^Delio^{, Mich}^{elle, “}^C^o^p^s^B^u^{st Massiv}^e
^s^codes^{to tw}^{o oth}^e^rs^{, w}^h^o²⁰⁰²^cu^s^t^om^ers^New^s⁾^card^{ID T}^h^ef^{t R}ⁱⁿ^g^,^{” W}ⁱ^{red New}^s^,
^u^s^{ed th}^{e codes}^{to obtain}^{30,000 (}^S^e^a^ttle^N^o^v^e^m^b^{er 25, 2002, at}
^{re t}^h^an^{15,000 cu}^s^t^om^{er credi}^t^Times⁾^[^h^t^t^p^:^/^/^www.^wi^r^e^d^.^c^o^m/ⁿ^e^ws^/^p^rⁱ^v^a^c^y^/
^{0,1848,56567,00.h}^t^m^l^];^an^d
^no^t^e^:^dat^a^s^o^l^d^{, f}^o^{r $60 per}^M^a^st^e^r^s,^B^r^o^o^k^e^,^“H^uge^I^D^-T^he^ft
^record^Rⁱⁿ^g^Brok^en^;^{30,000 C}^oⁿ^s^u^m^ers^at
ⁱ^{ki/CRS-RL33199}^Risk^{; Men}^Ch^ar^g^e^d^w^ith^Stealin^g^P^e^r^s^oⁿ^{al, Fin}^aⁿ^c^{ial Data ,”}^S^e^a^ttle
^g/w^Times^{, N}^o^v^e^m^b^{er 26, 2002, p. A}¹^.
^s^.or
^le^ak^es^{t Ex}^pres^s^Aⁱ^rlin^es^an^d^A^p^ri^l²⁰⁰²^Mi^dw^es^t^Ex^pres^s^Aⁱ^rlⁱⁿ^es^unkno^wⁿ^p^a^sse^nge^r^na^m^e^{s a}ⁿ^d^aⁱ^r^p^o^r^t^L^a^rs^on^{, V}ⁱ^rgⁱ^l^,^“^C^om^pu^t^e^{r H}^ack^ers
^e^r^a^{l A}^v^iatioⁿ^A^d^mⁱⁿⁱ^str^a^tioⁿ^cu^s^t^om^ers^;^FA^A^(tw^o^secu^r^ity^scr^eenⁱⁿ^g^r^e^su^lts^B^r^each^Midw^es^{t Ex}^pres^s^Sy^s^t^em^s^,^”
^://wiki^ack^ers^pos^t^e^{d l}ⁱ^s^t^of^cu^s^t^om^er^sep^a^r^a^{te in}^cid^eⁿ^t^s)^O^m^{aha W}^o^r^l^d-H^e^r^a^l^d^{, A}^p^r^{il 2}²^,
^h^ttp^m^e^{s to}^w^e^b^s^{ite an}^d^p^o^s^ted^{a list}^{2002, p. 1D}^.
^{airport s}^ecu^rity^s^c^reenⁱⁿ^g
^{lts tak}^eⁿ^f^r^o^m^th^{e FA}^A^’^s
^ste^m
^oi^cePoiⁿ^t^-^Nⁱ^g^e^ri^an^-^born²⁰⁰²^unkno^wⁿ⁷^,^000-^10,000^nam^e^{s and}^SSNs^As^s^o^{ciated Pr}^es^s^,^“Choⁱ^c^e^P^oⁱ^nt
^h^e^{r an}^{d s}ⁱ^s^t^{er pos}^{ed as}ⁱⁿ^q^u^ir^{ies o}ⁿ^Su^f^f^e^{red P}^r^ev^iou^s^B^r^each^{: T}^w^{o ID}
^itim^{ate b}^u^sin^e^{sses to}^{set u}^p^na^m^e^{s a}ⁿ^d^SSNs,^T^hⁱ^e^v^e^s^A^rres^t^{ed i}ⁿ^{2002 f}^o^{r T}^a^ppiⁿ^g
^oiceP^oin^t^accouⁿ^t^s^th^en^u^s^edⁱⁿ^to^{Data” MSNB}^{C, Feb}^r^u^a^r^y³^,
^id^en^{tities to}^no^t^e^:^d^a^ta^w^a^{s so}^ld^{2005, at}
^com^m^{it f}^r^au^d^[^h^t^t^p^:^/^/^www.^msⁿ^b^c^.^msⁿ^.^c^o^m/ⁱ^d^/⁷⁰⁶⁵
^902/^].

CRS-23
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^w^Y^o^rk^Cⁱ^t^y^res^t^au^ran^t^bu^s^boy^March²⁰⁰¹^chⁱ^e^f^ex^ecu^tⁱ^v^es^,²⁰⁰^S^S^N^s^,^h^o^m^e^addres^s^e^s^an^d^Hay^s^{, T}^o^m^,^“^B^u^s^b^o^y^Hack^{s On}^ly^th^e
^{ped credi}^t^reportⁱⁿ^g^com^p^anⁱ^e^s^celeb^r^{ities an}^d^ty^co^oⁿ^s^bi^rt^h^dat^e^s^,^credi^t^{card n}^u^m^bers^Rⁱ^ch^es^{t, Us}^{ed Forbes}^’^Lⁱ^s^tⁱⁿ^P^l^{ot to}
^p^r^o^v^idⁱⁿ^g^d^e^tailed^cr^ed^it^f^r^om^Forbes^lis^{t of}^rich^es^t^{Steal I}^d^en^tity^{, Cr}^ed^{it I}ⁿ^f^o^{, B}ⁱ^g
^s^A^m^erican^s^B^u^ck^s^,^”^Pittsb^u^r^g^h^Po^st-^G^a^z^ette^,
^March^{21, 2001, p. A}^11.
^{d Econ}^omⁱ^c^F^o^ru^m^-^F^e^bru^a^ry²⁰⁰¹^at^t^eⁿ^d^ees^3,200^pas^s^portⁿ^u^m^bers^{, cel}^l^ph^on^e^Hig^gⁱⁿ^s^{, A}^l^ex^an^{der, “}^H^ack^ers^Steal
^ers^brok^{e in}^{to com}^p^u^t^erⁿ^u^m^bers^{, credit card n}^u^m^bers^,^W^o^{rld L}^eaders^’^P^e^rs^on^{al Data,”}
ⁱ^{ki/CRS-RL33199}^ex^{act arriv}^a^{l an}^{d departu}^r^e^tim^{es, h}^o^{tel n}^a^m^e^{s, r}^o^o^m^C^hⁱ^c^{ago Sun-T}ⁱ^m^e^s^{, F}^e^bru^a^ry^6,^{2001, p. 20.}
^g/w^num^b^e^r^s^,^num^b^e^r^o^f^o^v^e^rⁿⁱ^ght^s,
^s^.or^se^ssioⁿ^{s a}^tte^nd^e^d^,^p^l^us
^le^akⁱⁿ^f^o^rm^atⁱ^oⁿ^on^{27,000 peopl}^e
^w^h^o^ha^ve^a^t^t^e^nd^e^d^t^h^e^gl^o^b^a^l
^://wiki^f^o^ru^mⁱⁿ^recen^{t y}^ears
^h^ttp
^terⁿ^atioⁿ^a^{l cr}^ed^{it car}^d^rⁱⁿ^g^ad^d^s^Jan^u^a^ry²⁰⁰¹^In^t^e^rn^et^s^h^oppiⁿ^g^sⁱ^t^e^s^unkno^wⁿ^c^r^e^dⁱ^t^c^a^r^d^num^b^e^r^s^J^a^m^e^s^,^Mich^{ael, “}^S^m^a^ll-^tim^{e T}^h^ef^ts
^du^l^eⁿ^t^ch^arg^e^s^of²⁷⁷^R^eap^Bⁱ^g^{Net Gain}^T^eⁿ^s^o^f
^s^sⁱ^an^ru^bl^es^($5-^{10) t}^o^credi^t^T^h^ou^s^aⁿ^d^s^of^Ph^on^y^$5-^$10
^no^t^e^:^d^a^ta^w^a^{s so}^ld^Cr^ed^it-^Car^d^Ch^ar^g^e^{s Rak}^eⁱⁿ^Millioⁿ^s
^f^o^{r Hack}^ers^,^”^O^r^l^{ando Sent}ⁱⁿ^el^,
^Jan^u^a^ry^{27, 2001, p. E5.}

CRS-24
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^g^h^{ead -}^h^ack^{er attack}^ed^Decem^ber^cu^sto^m^er^s³^.5^m^illioⁿ^cr^ed^it^{credit card in}^f^o^“^S^ay^{er, P}^e^{ter, “}^E^g^g^h^{ead Say}^s
^p^u^t^{er s}^y^s^t^em²⁰⁰⁰^{card accou}ⁿ^t^s^;^C^u^s^t^om^{er Data Saf}^e^A^f^{ter Hack}
^{7500 of}^w^hⁱ^c^h^A^ttack^{,” P}^C^World^,^Jan^u^a^ry^{8, 2001}
^sho^w^e^d^at
^“^s^u^s^pected^[^h^ttp^://m^sn^.p^cw^o^r^ld^.co^m^/n^ew^s/ar^ticle/
^fr^a^u^d^u^l^e^nt^0,ai^{d,37781,00.as}^p].
^activ^ity^”
ⁱ^{ki/CRS-RL33199}^e^s^t^ern^Un^ion^-^h^ack^ers^m^a^deⁱ^{c copies}^of^th^{e credit an}^d^S^e^pt^em^ber²⁰⁰⁰^cu^s^t^om^ers^w^h^{o tran}^s^f^erred^m^oⁿ^e^y^on^{a com}^p^an^y^15,700^credi^t^an^{d debi}^t^cardⁱⁿ^f^o^r^m^atioⁿ^C^{obb, A}^l^an^{, “}^H^ack^ers^S^t^eal^C^r^edi^t^Car^d^Iⁿ^f^o^f^r^o^m^W^e^sterⁿ^Un^ioⁿ^Site,”
^g/w^b^{it car}^dⁱⁿ^f^o^r^m^atioⁿ^w^e^b^s^ite^C^hⁱ^c^{ago Sun-T}ⁱ^m^e^s^{, S}^e^pt^em^{ber 11,}
^s^.or^{2000, p. 22.}
^le^ak
^{erica On}^lin^{e -}^A^O^L^Juⁿ^e²⁰⁰⁰^cu^s^t^om^ers^{500 records}^w^e^reⁿ^a^m^e^s^,^addres^s^e^s^,^an^{d credit}^“^H^ack^ers^B^r^each^Secu^rity^A^t^A^m^erica
^://wiki^s^t^om^er-^s^ervⁱ^{ce repres}^en^tativ^es^vⁱ^ew^ed^{card n}^u^m^bers^On^lin^{e In}^c,”^W^a^l^l^St^r^eet^Jour^nal^,^J^une
^h^ttp^s^t^ak^en^l^y^dowⁿ^l^{oaded an}^e-^m^aⁱ^l^{19, 2000, p. A}^34.
^m^eⁿ^t^s^eⁿ^t^by^h^ack^ers
^o^B^r^itish^teen^{s in}^tr^u^d^edⁱⁿ^to⁹^March²⁰⁰⁰^cu^s^t^om^ers^{26,000 credi}^t^{credit card data}^Sn^if^f^eⁿ^,^Mich^{ael, “}²^T^een^s^A^ccu^s^e^d
^m^e^{rce w}^e^bs^itesⁱⁿ^th^e^{card accou}ⁿ^t^s^o^f^Hackⁱⁿ^g^Ch^ar^g^e^dⁱⁿ^$³^Millioⁿ
^ited^{States, Can}^a^d^a^{, T}^h^ailan^d^,^no^t^e^:^s^o^m^e^dat^a^w^a^s^pos^t^e^{d on}^C^r^{edit C}^a^{rd T}^h^ef^t,”^C^hⁱ^c^{ago Sun-}
^p^aⁿ^an^d^B^r^itain^th^{e W}^e^b^Times^{, March}^{25, 2000, p. 9.}
^Un^iv^ers^e^(on^lin^{e m}^u^sⁱ^{c s}^t^ore)^Jan^u^a^ry²⁰⁰⁰^cu^s^t^om^ers^300,000^credi^t^{card n}^u^m^bers^As^s^o^{ciated Pr}^es^s^,^“^H^ack^{er Said to}
^ack^{er s}^t^{ole credit card n}^u^m^bers^S^t^eal^{300,000 C}^a^{rd N}^u^m^b^ers^,^”
^{d releas}^{ed th}^ou^s^aⁿ^d^s^of^th^em^no^t^e^{: Max}^u^s^Cr^ed^{it Car}^d^Arⁱ^z^{ona Republ}ⁱ^c^{, Jan}^u^a^ry^{11, 2000,}
^{a w}^e^bs^{ite w}^h^en^th^{e com}^p^an^y^Pⁱ^p^e^lin^{e W}^e^b^s^{ite p}^o^s^ted^u^p^to^{p. A}³^.

^u^s^e^{d t}^o^pay^{a $100,000 ran}^s^om^{25,000 s}^t^ol^enⁿ^u^m^bers

CRS-25
^B^u^sine^{ss Inc}ⁱ^de^nt^s^Da^te^Publicized^{Who Was}^Affected^Num^b^er^Affected^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
ⁱ^{c B}^e^{ll -}^16-^y^ear-^o^ld^Jan^u^a^ry²⁰⁰⁰^s^u^bs^cribers^{63,000 accou}ⁿ^t^s^p^a^ssw^o^r^d^s^Gettlem^aⁿ^,^J^e^f^f^r^ey^{, “}^P^assw^o^r^d^s^o^f
^ag^{er h}^ack^{ed in}^{to s}^e^rv^{er an}^d^w^e^{re decry}^p^ted;^P^acB^{ell Net A}^ccouⁿ^t^s^Stolen^;
^{e pas}^s^w^ords^330,000^Co^m^p^u^t^er^{s: A}^u^th^o^r^{ities Say}
^cu^sto^m^er^{s to}^ld^to^16-^y^ear-^o^{ld Hack}^{er T}^ook^th^{e Data f}^o^r
^ch^an^g^e^F^uⁿ^.^T^h^ef^t^A^f^f^ect^s^63,000
^pas^s^w^ords^Custo^m^e^r^s,^”^Lo^{s A}ⁿ^g^e^{les Times}^,
^Jan^u^a^ry^{12, 2000, p. 2.}

ⁱ^{ki/CRS-RL33199}
^g/w
^s^.or
^le^ak
^://wiki
^h^ttp

CRS-26
Table 2. Data Security Breaches in Education (2000-2007)
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^Mexⁱ^{co State Un}^iv^.^A^p^ri^l²⁰⁰⁷^s^t^u^d^en^t^s^5,600ⁿ^a^m^e^s^,^S^S^N^s^A^s^s^o^ci^at^{ed Pres}^s^,^“^P^ers^oⁿ^a^l^dat^a^of^N^M^S^U^s^t^u^d^en^t^s
^as^C^r^u^ces^{, NM) -}^pers^on^al^pos^t^e^{d on}^lⁱⁿ^{e,” A}^p^ri^l^{19, 2007.}
^o^r^m^atioⁿ^p^o^s^ted^to^sch^o^o^l^’^s
^b^s^ite
ⁱ^{ki/CRS-RL33199}^iv^er^sity^o^f^Calif^o^rⁿⁱ^{a, San}^A^p^ri^l²⁰⁰⁷^res^earch^3,000ⁿ^a^m^e^s^,^S^S^N^s^,^an^{d f}^o^{r s}^o^m^e^R^a^u^b^{er, C}^h^ris^,^“^U^C^{SF res}^earch^{data on}^{at leas}^{t 3,000}
^g/w^cis^c^{o -}^com^p^u^t^{er f}^ile^rv^{er s}^t^olen^f^r^om^lock^ed^sub^j^e^c^t^{s in}^clin^{ical stu}^d^iesⁱⁿ^di^vⁱ^du^al^s^,^pers^on^al^h^eal^t^hⁱⁿ^f^o^r^m^atioⁿ^{people m}ⁱ^s^sⁱⁿ^gⁱⁿ^s^e^rv^{er th}^ef^t,”^{San Fr}^anci^s^co^B^u^sin^e^{ss Time}^s^{, A}^p^ri^l^{18, 2007.}
^s^.or^c^e
^le^ak
^://wiki^io^{State Un}^iv^er^sity^ol^u^m^bu^s^,^O^H⁾^-^t^w^{o l}^a^pt^ops^A^p^ri^l²⁰⁰⁷^ch^emⁱ^s^t^r^y^stud^eⁿ^ts^3,500ⁿ^a^m^e^s^,^S^S^N^s^,^em^pl^oy^{ee ID}^num^b^e^r^s^,^bⁱ^r^t^{h d}^a^t^e^s,^gr^a^d^e^s^B^u^sh^{, B}^{ill, “}^H^ack^er^{, th}^iev^e^{s g}^e^{t OSU I}^D^d^a^{ta: A}^b^o^u^t^{14,000 f}^acu^l^t^y^an^{d s}^t^af^f^an^{d 3,500 s}^t^u^d^en^t^s^af^f^ect^ed,”
^h^ttp^en^f^r^om^prof^es^s^o^r’^s^h^o^u^s^e^C^o^l^u^m^bus^Dⁱ^s^pat^ch^{, A}^p^ri^l^{17, 2007.}
^e^bru^a^ry²⁰⁰⁷
^io^{State Un}^iv^er^sity^A^p^ri^l²⁰⁰⁷^cu^rren^t^an^d^17,500ⁿ^a^m^e^s^,^S^S^N^s^,^em^pl^oy^{ee ID}^B^u^sh^{, B}^{ill, “}^H^ack^er^{, th}^iev^e^{s g}^e^{t OSU I}^D^d^a^{ta: A}^b^o^u^t
^olu^m^bu^s^,^{OH) -}^h^ack^er^f^o^rm^{er s}^t^af^fⁿ^u^m^bers^{, bi}^rt^h^dat^e^s^{14,000 f}^acu^l^t^y^an^{d s}^t^af^f^an^{d 3,500 s}^t^u^d^en^t^s^af^f^ect^ed,”
^{ng fo}^r^eⁱ^{gn I}ⁿ^t^e^rⁿ^e^t^a^d^d^r^e^s^s^me^mb^e^r^s^C^o^l^u^m^bus^Dⁱ^s^pat^ch^{, A}^p^ri^l^{17, 2007.}
^o^k^e^t^h^r^o^{ugh c}^o^m^p^ut^e^r
^e^w^a^l^l
ⁱ^cag^{o Pu}^blⁱ^c^S^c^h^ool^s^-^t^w^o^A^p^ri^l²⁰⁰⁷^cu^rren^t^an^d^40,000ⁿ^a^m^e^s^,^SSNs^W^alberg^{, Matth}^ew^{, “}^L^aptops^w^ith^teach^{er data}
^en^l^a^pt^ops^fo^r^m^e^r^sto^l^eⁿ^,^”^C^hⁱ^c^{ago T}^rⁱ^bune^{, A}^p^ri^l^{7, 2007.}

^em^ploy^ees

CRS-27
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^iv^er^sity^o^f^Calif^o^rⁿⁱ^{a, San}^A^p^ri^l²⁰⁰⁷^s^t^u^d^en^t^s^,^46,000ⁿ^a^m^e^s^,^SSNs^,^ban^k^accouⁿ^t^s^L^azaru^s^{, Dav}ⁱ^{d, “}^S^ecu^rity^B^r^each^{ed at UC}^SF,”^San
^cis^c^{o -}^cam^pu^s^s^e^rv^er^f^acu^lty^{, an}^d^Fr^anci^s^{co C}^h^r^oni^cl^e^{, A}^p^ri^l^{15, 2007, p. D}¹^.
^mp^r^o^mi^s^e^d^s^t^af^f^as^s^o^ciated
^w^ith^{UCSF o}^r
^{UCSF Med}ⁱ^cal
^C^eⁿ^t^{er ov}^{er th}^e
^pas^t^t^w^{o y}^ears
ⁱ^{ki/CRS-RL33199}^iv^er^sity^o^f^Misso^u^r^i,^s^earch^B^o^{ard Gran}^t^Feb^r^uar^y²⁰⁰⁷^res^earch^ers^,^f^acu^lty^3,799ⁿ^a^m^e^s^,^S^S^N^s^“^H^ack^{er h}ⁱ^t^s^MU^dat^a^bas^e^:^Pers^on^alⁱⁿ^f^o^s^t^{ored i}ⁿ^com^p^u^t^{er s}^y^s^t^em^,”^C^o^l^u^m^bⁱ^a^D^aⁱ^l^y^T^rⁱ^bune
^g/w^p^licatioⁿ^Sy^stem^me^mb^e^r^s^,^(Mi^s^s^o^u^rⁱ⁾^{, F}^e^bru^a^ry^{2, 2007.}
^s^.or^olu^m^{bia, MO) -}^{a h}^ack^er^com^p^u^t^{er u}^s^ers
^le^ak^{e in}^{to com}^p^u^t^{er s}^e^rv^er
^://wiki^r^gⁱ^{a I}ⁿ^stitu^{te o}^f^Feb^r^ur^ar^y^cu^rren^{t an}^d^3,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^ot^h^e^r^“^H^ack^ers^h^{it Georg}ⁱ^{a T}^ech^an^{d s}^t^{eal pers}^on^{al in}^f^o^,”
^h^ttp^c^hno^l^o^gy⁽^A^t^l^a^nt^a^,^G^A⁾^-²⁰⁰⁷^fo^r^m^e^r^sen^s^itiv^{e in}^f^o^r^m^atioⁿ^At^l^ant^{a Bus}ⁱ^nes^s^C^h^r^oni^cl^e^{, F}^e^bru^a^ry^{21, 2007.}
^a^u^t^h^o^{rized acces}^s^to^em^pl^oy^ees^of
^p^u^t^{er accou}ⁿ^t^S^c^h^ool^of
^{Electrical an}^d
^Co^m^p^ute^r
^E^ngi^ne^e^rⁱⁿ^g
^ngua^r^d^Uⁿⁱ^v^e^r^si^t^y⁽^C^o^s^t^a^Jan^u^a^ry²⁰⁰⁷^fⁱⁿ^aⁿ^cⁱ^a^l^ai^d^5,105ⁿ^a^m^e^s^,^S^S^N^s^,^dat^e^s^of^bi^rt^h^,^Ed^d^s^{, Kim}^b^er^ly^{, “}^C^o^m^p^u^ter^th^ef^{t p}^u^{ts f}ⁱⁿ^aⁿ^c^{ial d}^a^ta
^a^{, C}^A^{) -}^tw^{o com}^p^u^t^ers^applican^ts^f^o^r^ph^on^{e n}^u^m^bers^{, dri}^v^er’^s^at^ri^s^k^f^o^{r 5,105 s}^t^u^d^en^t^s^;
^en^f^r^om^fⁱⁿ^aⁿ^cⁱ^a^l^ai^{d of}^fⁱ^ce^2005-^{2006 an}^d^licen^{se n}^u^m^b^e^r^s^{, lists o}^f^assets^C^o^s^t^{a Mes}^a^{police of}^fⁱ^{cer s}^a^y^s^s^t^olen^equⁱ^pm^en^t
^2006-²⁰⁰⁷^h^o^ld^{s ex}^ten^s^iv^{e in}^f^o^r^m^atioⁿ^oⁿ^aid^ap^p^lican^{ts at}
^s^c^h^ool^y^ears^V^a^ngua^r^d^,^”^O^r^{ange C}^ount^{y Regi}^s^t^er^(C^A⁾^{, Jan}^u^a^ry
^{27, 2007.}

CRS-28
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
ⁿ^I^llin^oⁱ^{s Un}^iv^er^sity^Jan^u^a^ry²⁰⁰⁷^m^e^m^b^ers^hⁱ^p^1,400^SSNs^,^birth^d^ates^{, addres}^s^e^s^U^{.S. State New}^s^{, “}^C^o^m^p^u^t^{er T}^h^ef^{t R}^e^s^u^ltsⁱⁿ
^h^a^rl^es^t^oⁿ^,^IL^{) -}^s^t^ol^en^r^o^ste^r^{s o}^f^o^f^the^Secu^rity^B^r^each^{; Stu}^d^en^ts^Notif^{ied,” J}^aⁿ^u^a^ry^26,
^k^t^o^p^Un^iv^er^sity^’^s²³^2007.
^f^r^aterⁿ^{ities an}^d
^so^r^o^r^ities
ⁱ^v^ersⁱ^t^y^of^Idah^{o (Mos}^cow^,^Jan^u^a^ry²⁰⁰⁷^uⁿⁱ^v^e^rsⁱ^t^y^70,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^P^riⁿ^{ce, Bri}^aⁿ^,^“^Uⁿⁱ^v^e^rsⁱ^t^y^of^Idah^{o R}^e^port^s^C^o^m^p^u^t^er
⁾^-^th^ef^{t o}^f^th^r^{ee d}^e^sk^to^p^al^u^mⁿⁱ^{, don}^ors^,^T^h^ef^t^s^{,” eWeek}^.com^{, Jan}^u^a^ry^{12, 2007 at}
ⁱ^{ki/CRS-RL33199}^p^u^t^ers^s^t^u^d^en^ts^an^d^em^ploy^ees^[^h^t^t^p^:^/^/^www.^e^w^e^e^k^.^c^o^m^/^a^r^tⁱ^c^l^e²^/⁰^,^{1759,2082796,00.a}^s^p^?^k^c=EWR^S^S^03129T^X¹^K^0000614].
^g/w
^s^.or^t^an^{a State Un}^iv^ers^ity^Decem^ber^stud^eⁿ^{ts w}^h^o²⁵⁹ⁿ^a^m^e^s^,^SSNs^A^s^s^o^{ciated P}^r^es^s^,^“^Uⁿⁱ^v^e^rs^ity^apolog^izes^f^o^r
^le^ak^ozem^an^{, MT}^{) -}^s^t^u^d^en^t²⁰⁰⁶^h^a^{d pai}^d^of^f^mⁱ^s^t^ak^en^ly^s^h^arin^g^s^t^u^d^en^{t in}^f^o^rm^ation^,^{” Decem}^ber
^r^kⁱⁿ^gⁱⁿ^lo^an^o^f^fⁱ^ce^th^{eir s}^t^u^d^en^t^{27, 2006.}
^://wiki^s^t^ak^en^ly^s^eⁿ^t^pers^on^al^lo^an^s
^h^ttp^o^r^m^atioⁿ^to^o^t^h^e^r^stu^d^en^ts
ⁱ^ssissip^pⁱ^Sta^t^e^Unive^r^sity^Decem^ber^s^t^u^d^en^ts^an^d^2,400ⁿ^a^m^e^s^,^S^S^N^s^,^s^o^m^e^dat^e^s^of^L^a^k^e^{, Rich}^ar^d^,^“^M^{SU Data P}^u^{t On}^lin^{e in}^Mish^ap^,”
^soⁿ^,^MS)^-ⁱⁿ^f^o^r^m^atioⁿ²⁰⁰⁶^em^ploy^ees^bi^rt^h^C^l^arⁱ^on-L^e^dger⁽^J^acks^{on, M}ⁱ^s^sⁱ^s^sⁱ^ppi⁾^{, Decem}^{ber 20,}
^v^e^r^t^en^tly^p^u^b^lish^e^d^oⁿ^{2006, p. 1A}^.
^b^s^ite
^iv^er^sity^o^f^Co^lo^r^a^d^o^Decem^berⁱⁿ^di^vⁱ^du^al^s^w^h^o^17,500ⁿ^a^m^e^s^,^SSNs^D^anⁿ^a^{, Nicole, “}^U^{. C}^o^{lorado s}^ecu^rity^breachⁿ^o^{t u}^s^ed
^ou^{lder) -}^s^e^rv^{er h}^ack^ed²⁰⁰⁶^atten^d^ed^f^o^{r n}^e^f^a^riou^s^pu^rpos^es^{,” Un}^iv^ers^ity^Wⁱ^{re, Decem}^ber
^o^r^ien^t^atioⁿ^{19, 2006.}

^se^ssioⁿ^{s fr}^o^m
^{2002 t}^o²⁰⁰⁴

CRS-29
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^ve^r^sⁱ^d^e^Hⁱ^{gh Sc}^ho^o^l^Decem^ber^em^ploy^ees^“^t^h^o^u^s^an^ds^”ⁿ^a^m^e^s^,^SSNs^D^{opart, B}^r^ianⁿ^e^{, “}^S^tu^den^t^s^accu^s^e^{d of}^h^ackⁱⁿ^g^DP^S;
^ur^ha^m^,^N^C⁾^{- t}^w^o^st^ud^eⁿ^t^s²⁰⁰⁶^(uⁿ^s^pecifⁱ^ed)^T^w^{o told teach}^{er abou}^{t s}^ecu^rity^breach^f^o^uⁿ^d^du^rin^g
^s^e^{d of}^h^ackⁱⁿ^gⁱⁿ^to^com^p^u^t^{er clas}^s^,^”^H^e^r^a^l^d^{-Sun (}^D^ur^ham^{, N}^C⁾^,
^a^bas^e^s^Decem^{ber 15, 2006, p. B1.}
^gⁱⁿ^{ia Co}^m^m^oⁿ^w^ealth^Decem^ber^s^t^u^d^en^t^s^{561 s}^t^u^d^en^t^s^na^m^e^s,^SSNs,^a^d^d^r^e^sse^s,^gr^a^d^e^Ro^b^e^r^t^soⁿ^,^Gar^y^{, “}^E^-^m^{ail in}^clu^d^{es d}^a^{ta o}ⁿ
^iv^er^sity⁽^R^ich^m^oⁿ^d^,^VA⁾^-²⁰⁰⁶ⁱⁿ^th^{e Co}^lleg^e^poin^t^av^erag^es^stud^eⁿ^ts,^”^Ri^chm^{ond T}ⁱ^m^e^s^{- D}ⁱ^s^pat^{ch (}^Vⁱ^r^giⁿⁱ^a)^,
^r^s^oⁿ^{al in}^f^o^r^m^atioⁿ^of^Decem^{ber 9, 2006.}
ⁱ^{ki/CRS-RL33199}^v^e^r^t^en^tlyⁱⁿ^clu^d^edⁱⁿ^tw^o^a^{il attach}^m^eⁿ^t^s^Hu^m^aⁿ^ities^an^{d Scien}^ces
^g/w
^s^.or^iv^er^sity^o^f^T^e^x^a^{s (}^D^allas)^-^Decem^ber^cu^rren^{t an}^d^{5,000 -}^6,000ⁿ^a^m^e^s^,^S^S^N^s^,^an^{d i}ⁿ^s^o^m^e^Hack^{er, Holly}^{, “}^U^T^D^com^p^u^t^{er attack}^w^o^rs^{e th}^an
^le^ak^m^p^ut^e^r^ne^t^w^o^r^{k i}ⁿ^t^r^usi^oⁿ²⁰⁰⁶^f^o^rm^{er s}^t^u^d^en^ts^,^cas^es^{, addres}^s^e^s^,^e-^m^a^il^fⁱ^rs^t^t^h^ou^g^h^t^:^C^a^m^p^u^s^of^fⁱ^ci^al^sⁿ^o^w^s^a^y^{6,000 at}^ri^s^k
^f^acu^lty^{, s}^t^af^f^,^addres^s^e^s^an^{d t}^e^l^e^ph^on^e^o^f^id^en^tity^th^ef^t,”^Da^lla^{s Mo}^rnⁱⁿ^g^Ne^ws^{, Decem}^ber
^://wiki^an^{d ot}^h^e^rs^num^b^e^r^s^{14, 2006.}
^h^ttp
^Co^m^m^uⁿ^ity^Co^lleg^e^Decem^ber^{all reg}ⁱ^s^t^ered^21,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^ph^on^e^Wⁱⁿ^s^lo^w^,^Oliv^{ia, “}^C^o^lleg^e^lo^{ses d}^a^ta;
^ar^d^eⁿ^City^{, NY)}^-^th^ef^{t o}^f²⁰⁰⁶^stud^eⁿ^ts^num^b^e^r^s^P^rⁱⁿ^ted^{list w}^ith^p^e^r^s^oⁿ^{al in}^f^o^r^m^atioⁿ^o^f^Nassau
^p^u^t^{er prin}^tou^t^Co^m^m^uni^t^y^Co^l^l^e^ge^st^ud^eⁿ^t^s^go^ne^mⁱ^ssi^ng,^o^ffi^cⁱ^a^l^s
^sa^y^,^”^N^e^w^s^day^{, Decem}^{ber 6, 2006, p. A}⁹^.
^lif^ornⁱ^{a State Un}^iv^ers^ity^No^v^e^m^b^er^stud^eⁿ^ts,^2,534ⁿ^a^m^e^s^,^S^S^N^s^,^cam^pu^s^{US States}^New^s^{, “}^E^du^cation^C^o^lleg^e^A^l^erts^T^each^er
^o^s^A^nge^le^s)^{- sto}^l^eⁿ^USB²⁰⁰⁶^applican^ts^,^id^en^tif^icatioⁿⁿ^u^m^b^e^r^s⁽^C^I^N⁾^,^Cr^ed^en^{tial A}^p^p^lican^{ts o}^f^Iⁿ^f^o^r^m^atioⁿ^Secu^r^ity
ⁱ^v^e^c^o^nt^aⁱⁿⁱ^{ng une}^nc^r^y^p^t^e^d^f^acu^lty^ph^on^{e n}^u^m^bers^{, e-}^m^aⁱ^l^In^ci^den^t^{,” N}^o^v^e^m^b^{er 28, 2006.}

^on^al^dat^a^s^u^pervⁱ^s^ors^addres^s^e^s

CRS-30
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^een^v^illeCo^uⁿ^t^y^Sch^o^o^l^No^v^e^m^b^er^s^t^u^d^en^ts^an^d^101,000ⁿ^a^m^e^s^,^S^S^N^s^,^dat^e^s^of^bi^rt^h^,^B^a^rⁿ^{ett, Ro}ⁿ^,^“^S^tu^d^eⁿ^t^{Data L}^e^f^t^oⁿ^So^ld
ⁱ^{ct (}^G^r^een^v^{ille, SC)}^-²⁰⁰⁶^em^ploy^ees^addres^s^e^s^,^ph^on^{e n}^u^m^bers^,^C^o^m^p^u^t^ers^,^”^Gr^{eenville N}^e^w^s⁽^{South C}^a^r^o^lina)^,
^p^u^t^ers^con^t^ainⁱⁿ^g^pers^on^al^con^t^{act in}^f^o^rm^ation^N^o^v^e^m^b^{er 27, 2006, p. 1A}^.
^o^r^m^atioⁿⁱⁿ^ad^v^e^r^t^en^tly^so^ld
^ction^s
ⁱ^cag^{o Pu}^blⁱ^c^S^c^h^ool^Dⁱ^s^t^ri^ct^No^v^e^m^b^er^f^o^rm^{er s}^c^h^ool^1,740ⁿ^a^m^e^s^,^SSNs^,^h^o^m^e^addres^s^e^s^F^lyⁿⁿ^,^C^o^u^r^tn^ey^{, “}^T^each^ers^’^IDs^m^a^{iled by}^mⁱ^s^t^ak^e:
^t^{ractor m}ⁱ^s^t^ak^en^ly^m^a^iled²⁰⁰⁶^em^ploy^ees^{1,740 S}^o^ci^al^S^ecu^ri^t^yⁿ^u^m^bersⁱⁿ^cl^u^d^{ed i}ⁿ^ci^t^y
ⁱ^{ki/CRS-RL33199}^on^alⁱⁿ^f^o^rm^atⁱ^oⁿ^as^part^ofⁱⁿ^su^r^aⁿ^ce-ⁱⁿ^f^o^r^m^atioⁿ^s^c^h^ools^’^pack^ets^,^”^C^hⁱ^c^{ago T}^rⁱ^bune^{, Nov}^e^m^b^{er 27,}^2006.
^g/w^ag^e
^s^.or
^le^ak^am^s^{State C}^o^lleg^e^O^c^t^ober^hi^{gh sc}^ho^o^l¹⁸⁴^uⁿ^s^p^ecifⁱ^ed^p^e^r^s^oⁿ^{al d}^a^ta^Sm^ith^{, Er}ⁱⁿ^{, “}^S^to^len^A^S^{C lap}^t^o^p^h^o^ld^{s stu}^d^en^{t d}^a^ta,”
^l^a^m^o^s^a^{, C}^O^{) -}^s^t^ol^en^l^a^pt^op²⁰⁰⁶^O^u^t^w^a^r^d^B^o^und^Pu^eb^lo^Ch^ieftaⁱⁿ^{, O}^c^t^{ober 10, 2006.}
^://wiki^stud^eⁿ^ts
^h^ttp
^nno^r^s^St^a^t^e^No^v^e^m^b^er^stud^eⁿ^{ts w}^h^o^22,500^S^S^N^s^an^{d ot}^h^e^{r (u}ⁿ^s^peci^fⁱ^ed)^Si^m^p^so^n,^Susa^n,^“St^o^l^e^{n c}^o^m^p^ut^e^r^c^o^nt^aⁱ^ne^d^st^ud^eⁿ^t
^l^l^e^ge⁽^W^a^r^ne^r^,^O^K⁾^{- st}^o^l^eⁿ²⁰⁰⁶^receiv^e^id^en^tif^yⁱⁿ^gⁱⁿ^f^o^r^m^atioⁿ^dat^a^,”^D^aⁱ^l^y^O^k^l^ahom^an^{, N}^o^v^e^m^b^{er 15, 2006.}
^op^Ok^lah^o^m^a
^Hⁱ^ghe^r^Le^a^rⁿⁱ^ng
^A^cces^s^P^r^og^ram
^sc^ho^l^a^r^s^hi^p^s
^iv^er^sity^o^f^Minⁿ^e^so^ta^O^c^t^ober^st^ud^eⁿ^t^s²⁰⁰^na^m^e^s,^uni^ve^r^sⁱ^t^y^I^D^s,^gr^a^d^e^s^T^o^st^o^,^P^a^ul^,^“Se^c^o^nd^l^a^p^t^o^p^wⁱ^t^h^st^ud^eⁿ^t^d^a^t^a^w^a^s
^paiⁿ^{) -}^l^a^pt^{op s}^t^ol^en^f^r^om^a²⁰⁰⁶^s^t^olen^{: No Social Secu}^rityⁿ^u^m^bers^com^p^romⁱ^s^e^d,”
^lty^m^e^m^b^er^oⁿ^{a tr}^ip^to^Pi^oneer^Pr^es^s⁽^S^t^.^Paul^{, M}ⁱ^nnes^o^t^a⁾^{, O}^c^t^{ober 20,}
^ain^2006.

CRS-31
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^iv^er^sity^o^f^T^e^x^a^s^O^c^t^ober^st^ud^eⁿ^t^s²^,⁵⁰⁰^na^m^e^s,^SSN^s,^uni^ve^r^sⁱ^t^y^I^D^s,^“U^.^T^e^xa^s-A^r^lⁱ^ngt^oⁿ^st^ud^eⁿ^tⁱⁿ^fo^oⁿ^st^o^l^eⁿ
^rlin^g^t^on^{) -}^s^t^olen^com^p^u^t^ers²⁰⁰⁶^g^r^ades^{, em}^ails^com^p^u^t^ers^,^{” U}ⁿⁱ^v^ersⁱ^t^y^Wi^{re, O}^c^t^{ober 12, 2006.}
^{n J}^u^aⁿ^Ca^pⁱ^st^r^a^no^Uⁿⁱ^fⁱ^e^d^O^c^t^ober^e^m^p^l^o^y^e^e^s^unkno^wⁿ^unkno^wⁿ^M^c^D^o^na^l^d^,^J^o^hn,^“Co^m^p^u^t^e^r^s^st^o^l^eⁿ^fr^o^m^o^ffi^c^e^s^o^f
^h^ool^Dⁱ^s^t^ri^ct^(C^A⁾^-^t^h^ef^t^of²⁰⁰⁶^C^a^pis^t^ran^o^s^c^h^{ool dis}^t^{rict; th}^{e f}ⁱ^v^e^m^achⁱⁿ^es^{, v}^a^lu^ed
^p^u^t^ers^at^{$5,000, m}^a^y^h^a^v^e^con^t^aiⁿ^e^{d con}^fⁱ^d^en^tⁱ^a^l
ⁱⁿ^f^o^rm^ation^on^em^ploy^ees^{, a s}^pok^es^w^o^m^aⁿ^s^a^y^s^,”
^Or^{ange C}^{ounty Regis}^t^er⁽^C^aliforⁿ^ia)^{, O}^c^t^{ober 6,}
ⁱ^{ki/CRS-RL33199}^{2006, p. S}^o^u^t^h^_^B.
^g/w^o^y^A^t^he^{ns H}ⁱ^{gh Sc}^ho^o^l^O^c^t^ober^alu^mⁿⁱ⁴^,⁴⁰⁰ⁿ^a^m^e^{s, ad}^d^r^{esses, SSNs}^L^ew^{is, Sh}^awⁿ^,^“^A^lu^mⁿ^{i w}^{ill g}^e^{t cr}^ed^{it w}^a^tch^;
^s^.or^roy^,^{MI) -}^s^t^ol^en^h^a^{rd dri}^v^e²⁰⁰⁶^In^w^a^k^e^of^l^o^s^t^dat^a^{, T}^r^oy^di^s^t^ri^ct^of^f^e^rs^{14 m}^oⁿ^t^h^s^of
^le^ak^f^r^{ee id}^en^tity^th^ef^{t p}^r^o^t^ectioⁿ^,^{” Detr}^o^{it New}^s^{, Octo}^b^e^r
^{23, 2006.}
^://wiki
^h^ttp^iv^er^sity^o^f^I^o^w^a^Dep^a^r^t^m^eⁿ^t^S^e^pt^em^ber^sub^j^e^c^t^{s w}^h^o^14,500^SSNs^“^Un^iv^ers^ity^of^Iow^a^C^oⁿ^t^acts^R^e^s^earch^Su^bj^ects
^P^s^y^c^h^o^l^o^g^y^(Iow^{a C}ⁱ^t^y^{, IA}⁾²⁰⁰⁶^p^a^r^ticip^atedⁱⁿ^abou^t^C^o^m^p^u^t^{er In}^t^r^u^sⁱ^oⁿ^,^{” U}^S^F^e^{d N}^e^w^s^{, S}^e^pt^em^ber
^p^u^t^{er attack}^res^earch^s^t^u^d^ies^{29, 2006.}

^on^m^a^tern^{al an}^d
^ch^ild^h^ealth
^f^r^om^{1995 u}ⁿ^tⁱ^l
^th^{e pres}^en^t.

CRS-32
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^e^sterⁿ^I^llin^oⁱ^{s Un}^iv^er^sity^-^Ju^l^y²⁰⁰⁶^s^t^u^d^en^t^s^,^180,000^S^S^N^s^,^pers^on^al^dat^a^{, credi}^t^M^a^gui^r^e^,^J^o^hn,^“A^l^u^m^s^J^u^st^T^o^l^d^o^f^Co^m^p^ut^e^r
^{er acces}^s^e^{d s}^e^v^e^ral^cu^s^t^om^ers^of^th^e^car^dⁱⁿ^f^o^r^m^atioⁿ^Breach^{: Data on}^{180,000 w}^ith^Tⁱ^es^{to WIU Hack}^{ed a}
ⁱ^{c s}^t^u^d^en^{t s}^e^rv^ices^uni^ve^r^sⁱ^t^y^’s^M^o^nt^{h A}^g^o^,^”^C^hⁱ^c^{ago Sun-T}ⁱ^m^e^s^{, Ju}^l^y^{5, 2006, p. 8.}
^ste^m^s^oⁿ^lin^e
^book^s^t^ore,
^gue^{sts o}^f^the
^uni^ve^r^sⁱ^t^y^ho^t^e^l
ⁱ^{ki/CRS-RL33199}^iv^er^sity^o^f^T^eⁿⁿ^e^{ssee -}^{er brok}^{e in}^{to UT}^Ju^l^y²⁰⁰⁶^pas^t^an^{d cu}^rren^t^em^ploy^ees^36,000^S^S^N^s^,ⁿ^a^m^e^s^,^addres^s^e^s^H^erriⁿ^g^t^on^{, A}ⁿ^gⁱ^{e, “}^U^T^N^o^tⁱ^fⁱ^e^s^Work^ers^of^C^o^m^p^u^t^{er Hack}ⁱⁿ^g^,^”^C^hat^t^{anooga T}ⁱ^m^e^s^Fr^{ee Pr}^es^s^,
^g/w^p^u^t^er^Ju^l^y^{7, 2006, p. O}^.
^s^.or
^le^ak^r^t^h^w^esterⁿ^Un^iv^er^sity^Ju^l^y²⁰⁰⁶^s^t^u^d^en^t^s^an^d¹⁷^,⁰⁰⁰^na^m^e^s,^a^d^d^r^e^sse^s,^SSNs^“^Ha^c^k^e^r^{s b}^r^e^a^k^into^{NU A}^d^mⁱ^ssioⁿ^s,^Fina^nc^ia^{l A}ⁱ^d
^hⁱ^cag^{o) -}^h^ack^ers^brok^{e in}^to^ap^p^lican^{ts to}^th^e^C^o^m^p^u^t^ers^,^”^C^hⁱ^c^{ago Sun T}ⁱ^m^e^s^,^Ju^l^y^{15, 2006, at}
^://wiki^d^e^skt^o^p^c^o^m^p^ut^e^r^{s i}ⁿ^t^h^e^s^c^h^ool^[^h^t^t^p^:^/^/^www.^s^uⁿ^tⁱ^m^e^s^.^c^o^m^/^c^gⁱ^-^bⁱⁿ^/^p^rⁱⁿ^t^.^c^gⁱ^?^g^e^t^R^e^f^e^r^r
^h^ttp^e^o^f^A^d^mⁱ^ssioⁿ^{s a}ⁿ^d^e^r⁼^[^h^t^t^p^:^/^/^www.^s^uⁿ^tⁱ^m^e^s^.^c^o^m^/^o^u^t^p^u^t^/ⁿ^e^w^s^/^c^s^t^-ⁿ^w^s^-
^na^ncⁱ^a^l^Aⁱ^d^h^ack^15.h^t^m^l^].
^{e P}^a^rk^T^echⁿⁱ^cal^Ju^l^y²⁰⁰⁶^appren^tⁱ^ces^hⁱ^p^1,500ⁿ^a^m^e^s^,^addres^s^e^s^,^ph^on^e^“^N^ew^s^Su^m^m^a^ries^Ozau^k^{ee an}^{d W}^a^s^hⁱⁿ^g^t^on
^lleg^e^s^t^u^d^en^ts^back^to^num^b^e^r^s^,^SSN^s^Co^uⁿ^ties,”^Milw^{aukee Jour}^{nal Sentinel,}^Ju^l^y^16,
^eav^{er Dam}^,^Fon^d^du^L^{ac, &}¹⁹⁹³^{2006, p. Z}³^.

^e^{st B}^e^nd^,^W^I⁾^{- m}ⁱ^ssing
^p^u^t^{er dis}^k

CRS-33
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^ta^w^b^a^Co^unty^Sc^ho^o^l^s^Juⁿ^e²⁰⁰⁶^s^t^u^d^en^t^s^w^h^o⁶¹⁹ⁿ^a^m^e^s^,^S^S^N^s^,^t^e^s^t^s^c^ores^S^h^aiⁿ^,^Aⁿ^drew^{, an}^{d H}^aⁿⁿ^a^h^Mi^t^c^h^e^l^l^,^“^{619 S}^t^u^d^en^t^s^’
^ew^toⁿ^,^NC)^-^w^e^b^s^ite^ha^d^t^a^keⁿ^Secu^{re Data R}^e^v^{ealed On}^lin^{e: Goog}^{le P}^a^g^e^Sh^ow^ed
^pos^{ed pers}^on^al^dat^a^ke^y^b^o^a^r^dⁱ^{ng a}ⁿ^d^{Social Secu}^rity^Nu^m^b^ers^,^T^e^s^t^Scores^,^Ch^a^r^lo^tte
^com^p^u^t^er^Ob^se^rv^e^r^{, Ju}ⁿ^e^{24, 2006, p. 1B.}
^ap^p^licatioⁿ^s
^placem^en^{t tes}^t
^d^u^rⁱ^{ng t}^h^e
^2001-^{02 s}^c^h^ool
ⁱ^{ki/CRS-RL33199}^y^ear
^g/w^Fran^cis^c^{o State Un}^iv^ers^ity^Juⁿ^e²⁰⁰⁶^cu^rren^t^an^d^3,000ⁿ^a^m^e^s^,^S^S^N^s^,^ph^on^{e n}^u^m^bers^A^s^im^o^v^{, Nanette, “}^{SFSU stud}^ents’^inf^o^r^m^atioⁿ
^s^.or^acu^lty^m^e^m^b^er’^s^laptop^f^o^rm^{er s}^t^u^d^en^ts^an^{d g}^r^{ade poin}^t^av^erag^es^.^sto^l^eⁿ^;
^le^ak^l^eⁿ^S^c^h^ool^al^ert^s^{3,000 af}^f^ect^{ed by}^t^h^ef^t^of^f^acu^l^t^y
^l^a^pt^op,”^{San Fr}^anci^s^{co C}^h^r^oni^cl^e^{, Ju}ⁿ^e^{23, 2006, p.}
^://wiki^B5.
^h^ttp
ⁱ^v^e^r^si^t^y^o^f^K^e^nt^uc^ky^{- st}^o^l^eⁿ^Juⁿ^e²⁰⁰⁶^cu^rren^t^an^d⁶^,⁵⁰⁰^SSNs^K^ierⁿ^an^{, Vin}^cen^{t, “}^Iⁿ^c^id^en^{ts at T}^w^o^Un^iv^er^{sities P}^u^t
^m^{b dri}^v^e^f^o^rm^{er s}^t^u^d^en^ts^{More T}^h^an^{200,000 S}^t^u^d^en^t^s^at^Rⁱ^s^k^of^D^a^t^a^T^h^ef^t^,^”
^T^h^{e C}^h^r^oni^cl^{e of}^Hⁱ^gher^Educatⁱ^oⁿ^{, Ju}ⁿ^e^{19, 2006, p.}
^A^21.

CRS-34
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^io^Un^iv^er^sity⁽^A^th^en^{s, OH)}^May²⁰⁰⁶ⁱⁿ^di^vⁱ^du^al^s^an^d^300,00^S^S^N^s^,^pers^on^alⁱⁿ^f^o^rm^atⁱ^oⁿ^,^Vij^a^y^aⁿ^,^J^a^ik^u^m^ar^{, “}^O^hⁱ^o^Un^iv^er^sity^Rep^o^r^{ts T}^w^o
^ack^ers^breach^s^e^rv^ersⁱⁿ^tw^o^o^r^gaⁿⁱ^z^a^tⁱ^o^ns^bi^og^raphⁱ^calⁱⁿ^f^o^rm^atⁱ^oⁿ^,^{Separate Secu}^rity^B^r^each^es^{,” C}^o^m^p^u^t^erw^o^{rld, May}^3,
^a^r^a^{te in}^cid^eⁿ^t^s^listedⁱⁿ^th^e^p^a^ten^t^d^a^{ta, in}^tellectu^a^l^{2006, at}
^a^l^umⁿⁱ^d^a^t^a^b^a^se^,^propert^y^fⁱ^l^e^s^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^a^c^tⁱ^oⁿ^/^a^r^tⁱ^c^l^e^.^d^o^?^c^o
^owⁿ^e^rs^of^m^m^aⁿ^d^=vⁱ^e^w^A^rtⁱ^c^l^e^Basⁱ^c&^artⁱ^c^l^e^Id=111113&ⁱⁿ^t^s^rc
^pat^eⁿ^t^s^an^d^=artⁱ^c^l^e^_pot^s^_bot^].
^ot^h^e^r
ⁱⁿ^tellectu^a^l
ⁱ^{ki/CRS-RL33199}^propert^y
^g/w^iv^ers^ity^-^May²⁰⁰⁶^s^t^u^d^en^t^s^an^d^135,000^pers^on^alⁱⁿ^f^o^rm^atⁱ^oⁿ^,^S^S^N^s^S^an^dov^al^{, G}^r^eg^{, “}^S^{acred H}^eartⁱ^s^L^a^t^e^s^t^Uⁿⁱ^v^ersⁱ^t^y^t^o
^s^.or^ersⁱⁿ^tru^d^{e s}^y^s^t^em^so^m^e^{be H}^ack^{ed,” C}^N^et^N^e^w^s^{, May}^{26, 2006, at}
^le^akⁱⁿ^di^vⁱ^du^al^sⁿ^o^t^[h^ttp://n^ew^s^.^com^.^co^m^/^2100-^7349_3-^6077212.h^t^m^l^].
^as^s^o^{ciated w}^ith
^://wiki^t^h^e^uni^ve^r^sⁱ^t^y
^h^ttp
^iv^er^sity^o^f^T^e^x^a^{s, A}^u^stin^-^A^p^ri^l²⁰⁰⁶^s^t^u^d^en^t^s^,^200,000^S^S^N^s^,^bi^og^raphⁱ^cal^m^a^t^e^ri^al^s^A^sso^cⁱ^a^t^e^d^P^r^e^ss,^“Uⁿⁱ^ve^r^sⁱ^t^y^o^f^T^e^xa^{s P}^r^o^b^e^s
^alu^mⁿⁱ^{, f}^acu^lty^,^C^o^m^p^u^t^{er Breach}^{,” MS}^NBC^,^A^p^{ril 24, 2006, at}
^an^{d s}^t^af^f^of^t^h^e^[^h^t^t^p^:^/^/^www.^msⁿ^b^c^.^msⁿ^.^c^o^m/ⁱ^d^/^12459840/^].
^b^u^sine^{ss sc}^ho^o^l
^iv^ers^ity^of^A^r^izon^a-^h^ack^ers^Feb^r^uar^y^j^o^ur^na^lⁱ^s^m^uⁿ^d^is^clos^edⁿ^oⁿ^e^s^o^f^a^r^G^ros^s^m^an^{, Dj}^am^{ila, “}^R^om^an^ian^Hack^{er B}^r^eak^sⁱⁿ^to
^eakⁱⁿ^to^j^o^u^rⁿ^a^lism²⁰⁰⁶^stud^eⁿ^ts^U^A^J^o^ur^na^lⁱ^s^m^Co^m^p^ut^e^r^s,^”^Arⁱ^z^{ona D}^aⁱ^l^y^St^ar^,
^eⁿ^t^’^s^com^p^u^t^{er s}^y^s^t^em^F^e^bru^a^ry^{14, 2006, p. B2.}

CRS-35
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^e^-^h^ack^ers^attack^Jan^u^a^ry²⁰⁰⁶^al^u^mⁿⁱ^an^d^uⁿ^d^is^clos^ed^SSNs^,^{credit card n}^u^m^bers^,^R^oberts^,^P^a^u^l^{F., “}^H^ack^ers^T^a^rg^{et Notre Dam}^e
^r^v^e^r^ot^h^e^{r don}^ors^t^o^ch^eck^im^ag^es^D^oⁿ^o^rs^{,” eWeek}^{, Jan}^u^a^ry^{24, 2006, at}
^t^h^e^uni^ve^r^sⁱ^t^y^[^h^t^t^p^:^/^/^www.^e^w^e^e^k^.^c^o^m^/^a^r^tⁱ^c^l^e²^/⁰^,^{1895,1915087,00.a}
^sp^]^.
^dⁱ^an^{a Un}^iv^er^sity^-^m^a^licio^u^s^No^v^e^m^b^er^K^e^l^l^y^S^c^h^ool^of^5,300^pers^on^al^s^t^u^d^en^tⁱⁿ^f^o^rm^atⁱ^oⁿ^As^s^o^{ciated Pr}^es^s^,^”^I^U^Fⁱ^nd^{s ‘M}^a^lⁱ^cⁱ^o^{us’ S}^o^ft^w^a^r^e^,^”
^f^t^w^a^{re prog}^ram^sⁱⁿ^s^t^al^l^e^{d on}²⁰⁰⁵^B^u^sine^ss^F^o^rt^Wayⁿ^e.com^,^N^o^v^e^m^b^{er 18, 2005, at}
^sine^{ss instr}^u^c^t^o^r^{’s c}^o^m^p^ute^r^stud^eⁿ^ts^[^h^t^t^p^:^/^/^www.^f^o^r^t^wa^yⁿ^e^.^c^o^m/^ml^d^/^f^o^r^t^wa^yⁿ^e^/ⁿ^e^ws^/^l^o^c^a
ⁱ^{ki/CRS-RL33199}^en^r^o^lledⁱⁿⁱⁿ^t^r^odu^ct^ory^l^/^13202338.h^t^m^]^.
^g/w^b^u^sine^{ss c}^o^ur^se
^s^.or^bet^w^een^2001-
^le^ak²⁰⁰⁵
^://wiki^iv^er^sity^o^f^T^eⁿⁿ^e^ssee^No^v^e^m^b^er^p^a^tien^t^{s w}^h^o^3,800ⁿ^a^m^e^s^an^{d S}^S^N^s^“^U^T^Patⁱ^eⁿ^t^s^Warn^{ed of}^S^t^ol^en^C^o^m^p^u^t^er,”
^h^ttp^cal^C^eⁿ^t^{er -}^l^a^pt^op²⁰⁰⁵^receiv^e^d^C^hat^t^{anooga T}ⁱ^m^e^s^Fr^ee-Pr^es^s^{, N}^o^v^e^m^b^{er 2, 2005,}
^p^u^t^{er s}^t^olen^tr^eatm^eⁿ^tⁱⁿ^{p. B2.}
²⁰⁰³
^r^gⁱ^{a I}ⁿ^stitu^{te o}^f^No^v^e^m^b^er^pas^t^{, pres}^en^t^,^13,000^S^S^N^s^,^bi^rt^h^dat^e^s^,ⁿ^a^m^e^s^,^Kan^t^{or, A}^r^cadiy^{, “}^G^eorg^{ia T}^ech^C^o^m^p^u^t^{er T}^h^ef^t
^c^hno^l^o^gy^O^ffi^c^e^o^f²⁰⁰⁵^an^{d pros}^pectⁱ^v^e^addres^s^e^s^C^o^mp^r^o^mi^s^e^s^S^t^u^d^eⁿ^t^D^a^t^a^,^”^T^h^{e T}^echni^que^(vⁱ^a
^r^o^llm^en^{t Ser}^v^{ices -}^stud^eⁿ^ts^Uⁿⁱ^v^ersⁱ^t^y^Wi^{re), N}^o^v^e^m^b^{er 11, 2005 at}
^p^u^t^{er th}^ef^t^[^h^t^t^p^:^/^/^www.ⁿⁱ^q^u^e^.ⁿ^e^t^/ⁱ^s^s^u^es^/^2005-^11-^11/ⁿ^e^w^s^/³^].

CRS-36
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^iv^er^sity^o^f^T^eⁿⁿ^e^{ssee -}^O^c^t^ober^s^t^u^d^en^ts^an^d^1,900ⁿ^a^m^e^s^an^{d SSNs}^“^{State B}^r^ief^s^{: UT}^Stu^d^en^ts^’^P^r^iv^{ate Data P}^o^s^t^{ed on}
^d^ve^r^t^eⁿ^t^p^o^s^tⁱ^{ng o}^f^na^m^e^s²⁰⁰⁵^em^ploy^ees^th^{e ‘}^N^et,”^Th^e^T^eⁿⁿ^e^s^s^ean^.com^{, O}^c^t^{ober 29, 2005, at}
^{d Social Secu}^rityⁿ^u^m^bers^to^[^h^ttp^://tenⁿ^e^ssean^.co^m^/ap^p^s^/p^b^c^s.d^ll/ar^ticle?^A^I^D^=/2⁰
^terⁿ^{et lists}^051029/^N^E^WS^01/^510290327/^1006/^N^E^WS^01].

^iv^ers^ity^of^Georgⁱ^{a -}^h^ack^er^S^e^pt^em^ber^cu^rren^{t an}^d^1,600^SSNs^S^im^m^oⁿ^s^{, Kelly}^{, “}^H^ack^ers^B^r^each^Databas^e^at
^em^ploy^{ee records}^s^e^rv^er²⁰⁰⁵^fo^r^m^e^r^UGA^,”^Th^{e Atla}ⁿ^t^a^Jo^u^rⁿ^a^l^-^Coⁿ^s^titu^tioⁿ^,
ⁱ^{ki/CRS-RL33199}^em^pl^oy^ees^of^uni^ve^r^sⁱ^t^y^’s^S^e^pt^em^{ber 29, 2005, p. C}²^.
^g/w^Co^lleg^e^o^f
^s^.or^A^g^rⁱ^cu^ltu^r^a^{l an}^d
^le^ak^E^nvi^r^o^nm^eⁿ^t^a^l
^Scien^ces
^://wiki
^h^ttp^{i Un}^iv^er^sity⁽^O^hⁱ^o⁾^-^S^e^pt^em^ber^stu^d^en^ts²¹^,⁷⁶²^{SSNs, g}^r^ad^es^Gio^r^d^aⁿ^o^{, J}^o^{e, “}^M^iamⁱ^Un^iv^er^sity^{, Oh}^io^{, Fin}^d^{s Hu}^g^e
^o^r^t^c^o^nt^aⁱⁿⁱ^{ng SSN}^{s a}ⁿ^d²⁰⁰⁵^On^lin^{e Secu}^rity^B^r^each^,”^Jour^nal^-N^ew^s⁽^H^amⁱ^l^t^on,
^ades^of^m^o^{re t}^h^an^20,000^OH)^{, S}^e^pt^em^{ber 16, 2005 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.
^d^en^ts^h^a^s^been^acces^sⁱ^ble
^h^{e In}^t^e^rn^et^sⁱⁿ^{ce 2002}
^t^{State Un}^iv^ers^ity^-^fⁱ^v^e^S^e^pt^em^ber^s^t^u^d^en^ts^an^d^100,000ⁿ^a^m^e^s^,^S^S^N^s^,^g^r^ades^G^oⁿ^zal^{ez, Jen}ⁿⁱ^f^e^{r, “}^S^t^u^den^t^{, F}^acu^l^t^y^D^a^t^a^on^S^t^ol^en
^k^t^{op com}^p^u^t^ers^s^t^ol^en^f^r^om²⁰⁰⁵^prof^es^s^o^rs^C^o^m^p^u^t^ers^,^”^Pl^ai^{n D}^e^al^er⁽^C^leveland)^{, S}^e^pt^em^ber
^pu^s^{10, 2005, p. B1.}

CRS-37
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^o^m^a^{State Un}^iv^ers^ity^-^A^ugust²⁰⁰⁵^peopl^{e w}^h^o⁶¹^,⁷⁰⁹^na^m^e^s,^SSN^s^P^a^r^k,^Ro^hne^r^t^,^“H^a^c^k^e^r^{s H}ⁱ^t^Co^l^l^e^ge^Co^m^p^ut^e^r
ⁱⁿ^g^eith^er^atten^d^ed^,^Sy^stem^{: I}^d^en^tity^T^h^ef^{t Fear}^{s at So}ⁿ^o^m^a^State,”^San
^applⁱ^e^d,^Fr^anci^s^{co C}^h^r^oni^cl^e^,^A^ugust⁹^,^{2005, p. B2.}
^gr^a^d^ua^t^e^d^o^r
^w^o^rk^{ed at th}^e
^s^c^h^ool^f^r^om
^{1995 t}^o²⁰⁰²
ⁱ^{ki/CRS-RL33199}^lif^ornⁱ^{a State Un}^iv^ers^ity^-^fⁱ^{ce of}^th^{e C}^h^an^{cellor m}^a^y^A^ugust²⁰⁰⁵^s^t^u^d^en^t^s^w^h^o^receiv^e^fⁱⁿ^aⁿ^c^ial¹⁵⁴ⁿ^a^m^e^s^,^SSNs^“^C^a^lif^ornⁱ^{a State Un}^iv^ers^ity^C^h^an^cellor’^s^Of^fⁱ^ce^Ex^perien^ces^P^o^ten^{tial C}^o^m^p^u^t^{er Secu}^rity
^g/w^ve^e^x^p^e^rⁱ^eⁿ^c^e^d^una^ut^ho^rⁱ^z^e^d^{aid an}^{d tw}^o^B^r^each^,”^U^.^{S. St}^at^es^N^e^w^s^,^A^ugust²⁹^,^{2005 (n}^{o pag}^e
^s^.or^s^{to on}^{e of}^its^com^p^u^t^ers^fi^na^ncⁱ^a^l^aⁱ^d^gi^veⁿ⁾^.
^le^ak^admⁱⁿⁱ^s^t^rators
^://wiki^iv^er^sity^o^f^Flo^r^id^{a Health}^A^ugust²⁰⁰⁵^patⁱ^eⁿ^t^s^an^d^3,851ⁿ^a^m^e^s^,^S^S^N^s^,^dat^e^s^of^bi^rt^h^,^Chun,^Dⁱ^aⁿ^e^,^“3^,^{851 Pat}ⁱ^eⁿ^t^s^at^Rⁱ^s^k^of^ID^T^h^ef^t^,^”
^h^ttp^ces^C^eⁿ^t^er/C^h^a^rtOn^{e -}^p^h^y^s^ician^s^m^e^{dical records}^Gaⁱⁿ^esville.co^m^,^A^ugust²⁷^,^{2005 at}
^en^l^a^pt^op^[^h^t^t^p^:^/^/^www.^g^aⁱⁿ^e^s^v^ille.co^m^/ap^p^s^/p^b^c^s.d^ll/ar^ticle?^A^I
^D⁼^/^20050827/^L^O^C^A^L^/^208270336/^1078/ⁿ^e^w^s^].
^iv^er^sity^o^f^Co^lo^r^a^d^o^-^A^ugust²⁰⁰⁵^s^t^u^d^en^t^s^an^d^36,000^uⁿⁱ^v^e^rs^ity^accouⁿ^t^s^an^d^Uh^{ls, A}ⁿⁿ^a^{, “}^U^{. Co}^lo^r^a^d^o^stu^d^en^{ts g}^e^ttin^g
ⁱⁿ^gⁱⁿ^{to cam}^pu^s^C^a^rd^f^acu^lty^p^e^r^s^oⁿ^{al in}^f^o^r^m^atioⁿ^{(re)carded,”}^Uⁿⁱ^ver^sⁱ^t^y^Wⁱ^r^e^/^C^ol^or^{ado D}^aⁱ^l^y^,^A^ugust
^fⁱ^{ce (creates}^IDs^f^o^{r s}^t^af^f^{4, 2005 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.

^{d s}^t^u^d^en^ts⁾

CRS-38
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^iv^er^sity^o^f^No^r^t^h^T^e^x^a^{s -}^A^ugust²⁰⁰⁵^cu^rren^t^,^f^o^rm^er^38,607ⁿ^a^m^e^s^,^addres^s^e^s^,^t^e^l^e^ph^on^e^T^e^s^s^y^m^aⁿ^,^{Neal, “}^H^ack^ers^{Steal Stu}^d^en^{t In}^f^o^f^r^om^U.
ⁱⁿ^g^an^{d pros}^pectⁱ^v^e^num^b^e^r^s^,^SSN^s,^st^ud^eⁿ^t^N^o^r^t^{h T}^e^xa^s,^”^Un^{iversity W}ⁱ^re,^A^ugust¹¹^,^{2005 (n}^o
^stud^eⁿ^ts^id^en^tif^icatioⁿⁿ^u^m^b^e^r^s^{, stu}^d^en^t^p^a^ge^gi^veⁿ⁾^.
^ID^pas^s^w^ords^{, s}^t^u^d^en^t
^classifⁱ^catioⁿⁱⁿ^f^o^r^m^atioⁿ^an^d
^pos^sⁱ^bl^y^{524 credi}^t^card
^num^b^e^r^s
ⁱ^{ki/CRS-RL33199}^iv^er^sity^o^f^Co^lo^r^a^d^o^-^ers^t^a^{pped i}ⁿ^t^o^{a dat}^a^bas^e^A^ugust²⁰⁰⁵^s^t^u^d^en^t^records^f^r^om^Juⁿ^e¹⁹⁹⁹^49,000ⁿ^a^m^e^s^,^S^S^N^s^,^addres^s^e^s^,^ph^on^e^num^b^e^r^s^Mccrim^m^oⁿ^,^{Katie Kerw}ⁱⁿ^{, “}^H^ack^ers^T^a^{p C}^U^R^e^gⁱ^s^t^rar’^s^D^a^t^a^bas^e^;^Pri^v^acy^of^{49,000 S}^t^u^d^en^t^s
^g/w^{e r}^e^gⁱ^str^a^r^’^{s o}^f^fⁱ^ce^t^o^May²⁰⁰¹^P^o^ten^tially^In^v^a^{ded in}^B^r^each^,”^{Rocky M}^ountain
^s^.or^an^{d f}^r^om^f^a^l^l^Ne^ws⁽^D^e^nve^r⁾^,^A^ugust²⁰^,^{2005, p. 20A}^.
^le^ak^{2003 t}^o^s^u^m^m^e^r
^2005.
^://wiki
^h^ttp^lif^ornⁱ^{a State Un}^iv^ers^ity^,^A^ugust²⁰⁰⁵^s^t^u^d^en^t^w^o^rk^ers⁹⁰⁰ⁿ^a^m^e^s^,^S^S^N^s^T^ogⁿ^e^ri^{, C}^h^ri^s^,^“^H^ack^{er Break}^sⁱⁿ^t^o^S^t^an^S^t^at^e
^islau^s^-^h^ackⁱⁿ^g^Co^m^p^ute^r^,^”^M^odes^t^{o Bee}^,^A^ugust¹⁶^,^{2005, p. B1.}
^iv^er^sity^o^f^So^u^t^h^e^rⁿ^Ju^l^y²⁰⁰⁵^applⁱ^can^t^s^270,000ⁿ^a^m^e^{, addres}^s^,^S^S^N^s^,^e-^m^aⁱ^l^Haw^kⁱⁿ^s^,^Steph^aⁿⁱ^{e, “}^H^ack^{er Hits}^A^pplication
^lif^ornⁱ^{a -}ⁱⁿ^divⁱ^du^{al h}^ack^ed^addres^s^,^ph^on^{e n}^u^m^{ber, dat}^e^of^Sy^s^t^em^{at USC}^,^”^Un^{iversity W}ⁱ^{re/ Da}^{ily Tro}^j^aⁿ^,
^USC’^{s o}ⁿ^lin^{e ap}^p^licatioⁿ^bⁱ^r^t^h^,^lo^gⁱⁿⁱⁿ^f^o^r^m^atioⁿ^A^ugust¹⁸^,^{2005 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.

^ste^m

CRS-39
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^o^rⁿⁱ^{a P}^o^ly^techⁿⁱ^c,^Ju^l^y²⁰⁰⁵^uⁿⁱ^v^e^rsⁱ^t^y³¹^,⁰⁷⁷ⁿ^a^m^e^{s, SSNs}^R^uⁱ^{z, Ken}ⁿ^e^th^{, “}^H^ack^er^{s I}ⁿ^f^iltr^{ate Cal P}^o^ly^,”^W^h^ittier
^moⁿ^a^-^t^w^o^c^o^mp^u^t^e^r^s^applican^ts^an^d^Da^{ily News (}^C^A)^,^A^ugust⁵^,^{2005 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.
^ed^cu^rren^{t an}^d
^f^o^rm^{er f}^acu^lty^,
^st^a^{ff a}ⁿ^d
^stud^eⁿ^ts
^iv^er^sity^o^f^Co^lo^r^a^d^o^,^Ju^l^y²⁰⁰⁵^s^t^u^d^en^t^s^an^d^29,000^S^S^N^s^,ⁿ^a^m^e^s^,^ph^ot^og^raph^s^As^s^o^{ciated Pr}^es^s^{, “}^H^ack^ers^B^r^eakⁱⁿ^{to C}^U^C^o^m^p^u^t^ers
ⁱ^{ki/CRS-RL33199}^u^l^{der -}^h^ack^ers^brok^{e in}^{to a}^p^u^t^{er s}^e^rv^{er con}^t^ainⁱⁿ^g^prof^es^s^o^rs^s^t^u^d^en^ts^an^d^7,000^Co^nt^aⁱⁿⁱ^{ng 3}⁶^k^Re^c^o^r^d^s,^”^A^ugust¹^,^2005.
^g/w^o^r^m^atioⁿ^u^s^ed^to^issu^e^prof^es^s^o^rs
^s^.or^tif^icatioⁿ^car^d^s
^le^ak
^ig^an^{State Un}^iv^ers^ity^-^Ju^l^y²⁰⁰⁵^s^t^u^d^en^t^s^27,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^A^sso^cⁱ^a^t^e^d^P^r^e^ss,^“^S^tu^den^t^s^In^f^o^rm^{ed Social Secu}^rity
^://wiki^of^{a s}^e^rv^{er in}^th^e^co^u^r^{se in}^f^o^r^m^atioⁿ^,^p^e^r^s^oⁿ^al^N^u^m^b^ers^Pos^sⁱ^bl^y^C^o^m^p^romⁱ^s^e^{d,” Ju}^l^y^{7, 2005.}
^h^ttp^lleg^e^o^f^Ed^u^catioⁿ^id^en^tif^icatioⁿⁿ^u^m^b^e^r^s
^iv^er^sity^o^f^Calif^o^rⁿⁱ^{a, San}^Ju^l^y²⁰⁰⁵^s^t^u^d^en^t^s^{, s}^t^af^f^,^3,300^SSNs^,^driv^{er licen}^s^e^an^{d credit}^“^S^{D UC}^{SD Hack}^ers^,^”^{City News S}^e^rvice^{, J}^u^ly^1,
^{o -}^h^ack^ers^brok^{e in}^to^f^acu^lty^w^h^{o h}^a^d^{card n}^u^m^bers^{2005 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.
^ve^r^sⁱ^t^y^se^r^v^e^r^atten^d^ed^o^r
^w^o^rk^{ed at}
^UC^SD
^Ex^ten^s^ioⁿⁱⁿ^th^e
^pas^t^fⁱ^v^e^y^ears
^lif^ornⁱ^{a State Un}^iv^ers^ity^Ju^l^y²⁰⁰⁵^s^t^u^d^en^t^s⁹⁶¹³ⁿ^a^m^e^s^,^S^S^N^s^A^sso^cⁱ^a^t^e^d^P^r^e^ss,^“^H^ack^ers^crack^com^p^u^t^ers^,^acces^s
^mⁱⁿ^g^u^{ez Hills -}^h^ackⁱⁿ^g^pri^v^at^{e s}^t^u^d^en^tⁱⁿ^f^o^rm^atⁱ^oⁿ^,^{” Ju}^l^y^{29, 2005.}

CRS-40
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^iv^er^sity^o^f^Coⁿⁿ^ecticu^t^-^Juⁿ^e²⁰⁰⁵^s^t^u^d^en^t^s^{, s}^t^af^f^,^72,000ⁿ^a^m^e^s^,^S^S^N^s^,^dat^e^s^of^bi^rt^h^,^Narain^{e, R}^y^an^{, “}^U^C^oⁿⁿ^Fin^d^s^R^ootk^{it in}^Hack^ed
ⁱⁿ^g^-^r^o^o^t^k^{it (}^c^o^llectioⁿ^o^f^an^{d f}^acu^lty^ph^on^{e n}^u^m^bers^an^{d addres}^s^e^s^S^e^rv^{er,” eWeek}^{, Ju}ⁿ^e^{27, 2005, at}
^ram^s^th^{at a h}^ack^{er u}^s^es^to^[^h^t^t^p^:^/^/^www.^e^w^e^e^k^.^c^o^m^/^a^r^tⁱ^c^l^e²^/⁰^,^{1759,1831892,00.a}
^skⁱⁿ^tr^u^s^ioⁿ^an^d^o^b^t^ain^sp^]^.
ⁱⁿⁱ^s^t^rator-^lev^e^{l acces}^s^{to a}
^p^u^t^{er or com}^p^u^t^er
^tw^ork⁾^{placed on}^s^e^rv^{er on}
^t^{ober 26, 2003, bu}^tⁿ^o^t
ⁱ^{ki/CRS-RL33199}ⁿ^{til J}^u^ly^{20, 2005}
^g/w^t^{State Un}^iv^er^sity^-^lap^t^o^p^Juⁿ^e²⁰⁰⁵^f^u^l^l^-^tⁱ^m^{e f}^acu^l^t^y^1,400ⁿ^a^m^e^s^,^SSNs^H^am^{pp, Dav}ⁱ^{d, “}^K^en^{t State U. Facu}^lty^A^f^f^{ected by}
^s^.or^f^r^om^em^ploy^ee’^s^car^me^mb^e^r^s^sⁱⁿ^c^e^Stolen^C^o^m^p^u^t^er,”^D^aⁱ^l^y^K^e^nt^St^at^er⁽^v^{ia Un}^iv^er^sity
^le^ak²⁰⁰¹^Wi^{re), Ju}ⁿ^e^{22, 2005 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.
^://wiki^{io State Un}^iv^ers^ity^Medical^Juⁿ^e²⁰⁰⁵^patⁱ^eⁿ^t^s^15,000^patⁱ^eⁿ^tⁿ^a^m^e^s^,^admⁱ^s^sⁱ^on^an^d^Cr^an^{e, Misti, “}^L^ap^to^p^Coⁿ^t^ainⁱⁿ^g^P^a^tien^t^s’^B^illin^g
^h^ttpⁿ^t^{er -}^t^w^{o s}^t^ol^en^l^a^pt^ops^di^s^c^h^a^rg^{e dat}^e^s^,^w^h^et^h^e^{r t}^h^e^Iⁿ^f^o^r^m^atioⁿ^Sto^l^en^;
^p^a^tien^t^h^a^dⁱⁿ^su^r^aⁿ^{ce, to}^tal^Bⁱ^r^t^h^{Dates, So}^{cial Secu}^r^ity^Nu^m^b^er^{s No}^{t in}^Data
^ch^arg^e^s^an^{d adj}^u^s^t^m^eⁿ^t^s^{to th}^e^T^a^ke^{n fr}^o^m^Co^nsul^t^a^nt^,^O^s^{u Sa}^y^s^,^”^C^o^l^u^m^bus
^accouⁿ^t^.^Disp^a^t^ch⁽^OH)^{, Ju}ⁿ^e^{30, 2005, p. 4C}^.
^iv^er^sity^o^f^Haw^a^{ii -}^Juⁿ^e²⁰⁰⁵^s^t^u^d^en^t^s^,^150,000^S^S^N^s^,^addres^s^e^s^an^{d ph}^on^e^A^sso^cⁱ^a^t^e^d^P^r^e^ss,^“^{UH W}^a^rⁿ^{s o}^f^P^o^ssib^{le I}^d^en^tity
^oⁿ^{est lib}^r^a^r^y^w^o^r^k^er^f^acu^lty^{, s}^t^af^f^num^b^e^r^s^T^h^ef^t^,^{” Ju}ⁿ^e^{19, 2005.}

^f^e^{deral ch}^arg^e^s^of^an^{d l}ⁱ^b^rary
ⁿ^k^f^r^au^d^r^e^lated^to^id^en^tity^pat^r^on^s^at^an^y^of
^t^th^{e 10 cam}^pu^s^e^s
^bet^w^een¹⁹⁹⁹
^an^{d 2003}

CRS-41
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^soⁿ^Co^m^m^uⁿ^ity^Co^lleg^e^May²⁰⁰⁵^em^pl^oy^ees^an^d^8,000^SSNs^“^C^o^m^p^u^t^{er C}^r^im^{e: Hack}^{er May}^Hav^e^Stolen^Social
^h^ack^{er break}^sⁱⁿ^to^stu^d^en^{ts o}^f^th^e^Secu^rity^Nu^m^b^ers^From^J^ack^s^oⁿ^C^o^m^m^uⁿ^ity
^p^u^t^{er s}^y^s^t^em^co^lleg^e^C^o^lleg^ea,”^C^o^mputer^C^r^{ime Res}^e^ar^{ch C}^e^nter^{,” May}
^{29, 2005 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.
ⁿ^eg^{ie Mello}ⁿ^Un^iv^er^sity^-^May²⁰⁰⁵^g^r^adu^a^t^e^s^of^t^h^e^5,000^S^S^N^s^an^{d pers}^on^alⁱⁿ^f^o^rm^atⁱ^oⁿ^As^s^o^{ciated Pr}^es^s^,^“Ca^r^ne^gi^e^M^e^l^l^o^{n Re}^p^o^r^t^s
^rity^breach^of^s^c^h^ool’^s^T^e^{pper S}^c^h^ool^C^o^m^p^u^t^{er Breach}^{,” MS}^NBC^,^A^p^{ril 21, 2005, at}
^p^u^t^{er n}^e^tw^ork^o^f^B^u^sine^ss^[h^ttp://m^sⁿ^bc.m^sⁿ^.com^{/id/7590506/].}
ⁱ^{ki/CRS-RL33199}^f^r^om^{1997 t}^o^2004;^cu^rren^t
^g/w^gr^a^d^ua^t^e
^s^.or^stud^eⁿ^ts;
^le^ak^ap^p^lican^{ts to}^th^e
^doct^o^ral
^://wiki^prog^ram^f^r^om
^h^ttp^{2003 t}^o^2005;
^ap^p^lican^{ts to}^th^e
^MBA^prog^ram
^f^r^om^{2002 t}^o
^2004;^an^d
^ad^mⁱⁿⁱ^str^a^tiv^e
^em^ploy^ees
^f^o^{rd Un}^iv^ers^ity^-^com^p^u^t^er^May²⁰⁰⁵^s^t^u^d^en^t^s^an^d^9,600^S^S^N^s^,^res^u^m^e^s^,^fⁱⁿ^aⁿ^cⁱ^a^l^dat^a^,^Mu^s^{il, Stev}^en^{, “}^F^B^I^P^r^obes^Netw^ork^B^r^each^at
^s^t^em^breach^r^ecr^u^iter^s^o^f^th^e^go^ve^rⁿ^m^e^ntⁱⁿ^fo^r^m^a^tⁱ^oⁿ^S^t^an^f^o^{rd,” C}^N^et^N^e^w^s^{, May}^{25, 2005.}

^uni^ve^r^sⁱ^t^y

CRS-42
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^r^id^{a I}ⁿ^terⁿ^atioⁿ^a^l^May²⁰⁰⁵^f^acu^l^t^y^unkno^wⁿ^SSN^s,^c^r^e^dⁱ^t^c^a^r^d^num^b^e^r^s^Le^y^d^eⁿ^,^J^o^hn,^“Fl^o^rⁱ^d^a^Uⁿⁱ^v^oⁿ^B^r^o^w^{n A}^l^e^r^t^a^f^t^e^r
^iv^ers^ity^{(FIU) -}^{a h}^ack^er^an^{d s}^t^u^d^en^ts^Hack^A^ttack^,”^{The Regis}^t^er^{, A}^p^ri^l^{29, 2005, at}
ⁱ^{red u}^s^{er n}^a^m^e^s^an^d^[^h^t^t^p^:^/^/^www.^t^h^e^r^e^gⁱ^s^t^e^r^.^c^o^m/^2005/^04/^29/^fⁱ^u^_ⁱ^d_f^rau^d
^s^w^ords^f^o^{r 165 com}^p^u^t^ers^_^a^ler^t/]^.
^cam^pu^s
^r^t^h^w^esterⁿ^Un^iv^er^sity^May²⁰⁰⁵^f^acu^l^t^y^,^17,500^u^s^{er IDs}^an^{d pas}^s^w^ords^Meg^{lio, Fran}^ces^{ca Di, “}^H^ack^{er B}^r^eak^-^Iⁿ^,^”^C^o^m^put^er
^el^l^o^g^S^c^h^ool^of^s^t^u^d^en^ts^{, an}^d^C^r^{ime Res}^e^ar^{ch C}^e^nter^{, May}^{23, 2005 (n}^{o pag}^e
ⁱ^{ki/CRS-RL33199}^a^na^ge^m^e^nt⁾^{- c}^o^m^p^ut^e^r^tw^ork^breach^a^l^umⁿⁱ^gi^veⁿ⁾^.
^g/w
^s^.or^iv^er^sity^o^f^Calif^o^rⁿⁱ^{a, San}^A^p^ri^l²⁰⁰⁵^s^t^u^d^en^t^s^{, f}^acu^l^t^y^7,000ⁿ^a^m^e^s^an^{d SSNs}ⁿ^u^m^bers^L^azaru^s^{, Dav}ⁱ^{d, “}^Aⁿ^o^th^{er In}^ciden^t^f^o^{r UC}^,”^San
^le^ak^cis^c^{o -}^h^ack^{er g}^aⁱⁿ^ed^an^{d s}^t^af^f^Fr^anci^s^{co C}^h^r^oni^cl^e^{, A}^p^ri^l^{6, 2005, p. C}¹^.
^s^{to s}^e^rv^{er u}^s^{ed by}
^://wikiⁿ^tin^g^an^{d pers}^onⁿ^e^l
^h^ttp^m^eⁿ^t
^{fts Unive}^r^sity^{- p}^o^ssib^l^e^A^p^ri^l²⁰⁰⁵^al^u^mⁿⁱ^106,000^S^S^N^s^an^{d ot}^h^e^{r u}ⁿ^s^peci^fⁱ^ed^R^obert^s^,^Pau^l^{, “}^T^u^f^t^s^Warn^s^{106,000 A}^l^u^mⁿⁱ^{, D}^oⁿ^o^rs
^rity^breachⁱⁿ^an^alu^mⁿⁱ^p^e^r^s^oⁿ^{al in}^f^o^r^m^atioⁿ^of^Secu^rity^B^r^each^{: P}^e^rs^on^{al Data on}^{a Serv}^{er Us}^ed
^{d don}^{or dat}^a^bas^e^af^t^e^r^fo^r^Fund^Raⁱ^sⁱ^{ng M}^a^y^H^a^ve^B^e^eⁿ^E^x^p^o^s^e^d^,^”
^o^rm^{al activ}^ity^on^th^{e s}^e^rv^er^C^o^m^p^u^t^erw^o^rl^{d, A}^p^ri^l^{13, 2005, at}
^{d Decem}^ber,^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^s^e^c^u^rⁱ^t^y^t^o^pⁱ^c^s^/^s^e^c^u^rⁱ
^t^y^/^p^ri^v^acy^/^s^t^o^ry^/⁰^{,10801,101043,00.h}^t^m^l^?^s^ou^rce=x¹⁰
^].

CRS-43
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^iv^er^sity^o^f^Nev^a^d^a^{, L}^a^s^March²⁰⁰⁵^cu^rren^t^an^d^5,000^pers^on^al^records^,ⁱⁿ^cl^u^dⁱⁿ^g^Lⁱ^pk^{a, Sara, “}^H^ack^{er B}^r^eak^s^In^{to Databas}^e^f^o^r
^a^s^-^h^ack^ers^acces^s^e^d^f^o^rm^{er s}^t^u^d^en^ts^bi^rt^h^dat^e^s^,^couⁿ^t^ri^es^of^ori^gⁱⁿ^,^T^r^ackⁱⁿ^g^Iⁿ^terⁿ^atioⁿ^a^{l Stu}^d^en^{ts at UNL}^V,”^C^h^r^oni^cl^e
^h^ool’^s^Stu^d^en^{t an}^{d Ex}^ch^an^g^e^an^d^pas^s^portⁿ^u^m^bers^{, an}^d^of^Hⁱ^gher^Educatⁱ^oⁿ^{, March}^{21, 2005, p. A}^43.
^sⁱ^t^o^{r In}^f^o^rm^atⁱ^oⁿ^S^y^s^t^em^f^acu^lty^SSNs
^EVIS^{) dat}^a^bas^e
^lif^ornⁱ^{a State Un}^iv^ers^ity^,^March²⁰⁰⁵^s^t^u^d^en^t^s^{, f}^o^rm^er^59,000^S^S^N^s^As^s^o^{ciated Pr}^es^s^{, “}^H^ack^ers^Gain^P^e^rs^on^al
^{ico -}^h^ack^ers^brok^{e in}^to^stud^eⁿ^ts,^In^f^o^rm^ation^of^{59,000 P}^e^{ople A}^f^f^{iliated w}^ith
ⁱ^{ki/CRS-RL33199}^r^v^e^r^s^pros^pectⁱ^v^e^s^t^u^d^en^ts^{, an}^d^Calif^o^rⁿⁱ^{a Un}^iv^er^sity^,”^G^r^{and Rapi}^ds^Pr^es^s^{, March}^{22, 2005, p. A}²^.
^g/w^f^acu^lty
^s^.or
^le^ak^iv^er^sity^o^f^Calif^o^rⁿⁱ^a,^March²⁰⁰⁵^al^u^mⁿⁱ^,^100,000^S^S^N^sⁿ^u^m^bers^{, n}^a^m^e^s^;^Lⁱ^ed^tk^{e, Mich}^{ael, “}^L^ap^to^p^T^h^ef^{t Cau}^s^{es I}^d^en^tity
^el^ey^l^a^pt^{op s}^t^ol^en^f^r^om^gr^a^d^ua^t^e^addres^s^e^s^,^an^{d bi}^rt^h^dat^e^s^f^o^r^F^r^au^{d Worry}^,”^Da^{ily Breeze}^(T^orran^{ce, C}^A^{), March}
^://wiki^t^{ricted area of}^cam^pu^s^s^t^u^d^en^ts^{, an}^d^1/^{3 of}^af^f^ect^{ed peopl}^e^{28, 2005, p. A}^10.
^h^ttp^c^e^pas^t^applⁱ^can^t^s
^r^g^e^Masoⁿ^Un^iv^er^sity^-^Jan^u^a^ry²⁰⁰⁵^f^acu^l^t^y^{, s}^t^af^f^,^30,000ⁿ^a^m^e^s^,^ph^ot^os^{, S}^S^N^s^,^an^d^McC^u^llag^h^,^Declan^{, “}^H^ack^ers^{Steal ID In}^f^o^f^r^om
^ers^g^aⁱⁿ^{ed acces}^s^to^an^{d s}^t^u^d^en^ts^cam^pu^s^IDⁿ^u^m^bers^Vⁱ^rgⁱⁿⁱ^a^Uⁿⁱ^v^ersⁱ^t^y^{,” Wi}^{red N}^e^w^s^{, Jan}^u^a^ry^{10, 2005,}
^o^r^m^atioⁿ^at
^[h^ttp://n^ew^s^.^com^.^co^m^/^2100-^7349_3-^5519592.h^t^m^l^].
^iv^er^sity^o^f^Calif^o^rⁿⁱ^{a, San}^Jan^u^a^ry²⁰⁰⁵^s^t^u^d^en^t^s^an^d^3,500ⁿ^a^m^e^s^,^SSNs^Y^an^g^,^Elean^{or, “}^H^ack^{er B}^r^each^es^C^o^m^p^u^t^ers^T^h^at
^{o (UC}^S^{D) -}^h^ack^er^a^l^umⁿⁱ^o^f^St^o^r^e^U^C^SD^E^x^t^e^nsi^o^{n St}^ud^eⁿ^t^,^A^l^umⁿⁱ^D^a^t^a^,^”^San
^{ed com}^p^u^t^{er s}^y^s^t^em^UC^SD^Dⁱ^{ego U}ⁿⁱ^{on T}^rⁱ^bune,^Jan^u^a^ry^{18, 2005, p. B3.}

^Ex^ten^s^ioⁿ

CRS-44
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^iv^er^sity^o^f^Calif^o^rⁿⁱ^a,^O^c^t^ober^Calif^o^rⁿⁱ^an^s¹^.⁴^m^illioⁿ^SSNs,^na^m^e^s,^a^d^d^r^e^sse^s,^p^h^oⁿ^e^R^e^u^t^ers^,^“^H^ack^{er Strik}^e^s^Un^iv^ers^ity^C^o^m^p^u^t^er
^rk^eley^-^h^ack^er²⁰⁰⁴^p^a^r^ticip^atin^gⁱⁿⁱⁿ^di^vⁱ^du^al^sⁿ^u^m^bers^{, an}^{d dat}^e^s^of^bi^rt^h^S^y^s^t^em^,”C^N^ET^N^e^w^s^{, O}^c^t^{ober 19, 2004, at}
^m^p^r^o^mⁱ^se^d^t^h^e^uni^ve^r^sⁱ^t^y^’s^Calif^o^rⁿⁱ^a’^s^[h^ttp://n^ew^s^.^com^.^co^m^/^2100-^7349_3-^5418388.h^t^m^l^].
^p^u^t^{er s}^y^s^t^em^In^-^H^om^e
^S^u^pportⁱ^v^e
^Serv^ices
^prog^ram^sⁱⁿ^c^e
²⁰⁰¹
ⁱ^{ki/CRS-RL33199}^lif^ornⁱ^{a State -}^au^{ditor f}^r^om^A^ugust²⁰⁰⁴^{380,000 cu}^rren^t^23,500ⁿ^a^m^e^{, addres}^s^,^S^S^N^s^C^onⁿ^e^l^l^,^S^a^l^l^y^Aⁿⁿ^,^“^S^ecu^ri^t^y^L^a^ps^es^{, L}^o^s^t
^g/w^an^cellor’^s^of^fⁱ^{ce los}^t^h^a^rd^an^{d f}^o^rm^er^Eq^uⁱ^p^m^en^{t Ex}^p^o^s^{e Stu}^d^en^{ts to}^P^o^ssib^l^{e I}^D^T^h^ef^{t; in}
^s^.or^{e con}^t^ainⁱⁿ^g^pers^on^al^stud^eⁿ^ts,^th^{e L}^a^{test I}ⁿ^cid^eⁿ^t^{, a Cal State Har}^d^Dr^iv^{e w}^ith^Data
^le^ak^o^r^m^atioⁿ^applican^ts^{, s}^t^af^f^,^on^{23,500 In}^di^vⁱ^du^al^s^Is^Mi^s^sⁱⁿ^g^,^”^L^o^s^Angel^e^s
^f^acu^lty^an^d^Times,^A^ugust²⁹^,^{2004, p. B4.}
^://wiki^a^l^umⁿⁱ^a^t^U^C
^h^ttp^San^Dieg^{o an}^d
^{178,000 at}^S^aⁿ
^Dieg^{o State}
^iv^er^sity^o^f^Calif^o^rⁿⁱ^{a, L}^o^s^Juⁿ^e²⁰⁰⁴^bl^{ood don}^ors^145,000ⁿ^a^m^e^s^,^bi^rt^h^dat^e^s^an^{d S}^S^N^s^B^eck^{er, D}^a^vⁱ^{d, “}^U^C^L^A^L^a^pt^{op T}^h^ef^t^Ex^pos^es^ID
^g^e^l^e^s^-^s^t^ol^en^l^a^pt^{op w}^/^In^f^o^,”C^N^ET^N^e^w^s^{, O}^c^t^{ober 6, 2004, at}
^{or i}ⁿ^f^o^[^h^ttp^://n^ew^s.co^m^.^co^m^/^UCL^A^+lap^to^p⁺^th^ef^t+ex^p^o^s^es+
^ID⁺ⁱⁿ^f^o/^2100-^1029_3-^5230662.h^t^m^l^?^t^ag⁼ⁿ^l^]^.

CRS-45
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^iv^er^sity^o^f^Calif^o^rⁿⁱ^{a, San}^A^p^ri^l²⁰⁰⁴^U^C^S^D^s^t^u^d^en^t^s^,^380,000^S^S^N^s^,^an^{d dri}^v^{er l}ⁱ^cen^s^e^Sⁱ^den^e^{r, Jon}^a^t^h^an^{, “}^S^D^S^u^percom^pu^t^e^{r C}^eⁿ^t^er
^{o (UC}^S^{D) -}^h^ack^ers^alu^mⁿⁱ^{, f}^acu^lty^,^num^b^e^r^s^A^m^oⁿ^g^Victim^{s o}^f^Iⁿ^tr^u^s^ioⁿ^,^”^{San D}ⁱ^{ego U}ⁿⁱ^oⁿ
^{ed s}^ecu^rity^{at th}^{e San}^em^ploy^ees^an^d^T^rⁱ^bune^{, A}^p^ri^l^{15, 2004, p. B3.}
^eg^{o S}^u^percom^pu^t^e^{r C}^eⁿ^t^er^applican^ts
^d^th^{e Un}^iv^er^sity^’^s^B^u^sin^e^ss
^d^Fin^aⁿ^c^{ial Ser}^v^ices
^a^rtm^eⁿ^t
ⁱ^{ki/CRS-RL33199}^r^gⁱ^{a I}ⁿ^stitu^{te o}^f^c^hno^l^o^gy^March²⁰⁰³^pat^r^on^s^of^art^an^{d th}^eatre^57,000^{credit card n}^u^m^bers^L^e^m^o^s^,^R^{obert, “}^D^{ata T}^h^iev^e^s^Strik^e^Georgⁱ^{a T}^ech^,”^Wi^re^{d N}^e^w^s^,^March^{31, 2003, at}
^g/w^prog^ram^[^h^ttp^://n^ew^s.co^m^.^co^m^/^Data+thⁱ^ev^es+str^ik^e+Geo^r^gⁱ^a+
^s^.or^T^ech^/^2100-^1002_3-^994821.h^t^m^l^?^t^ag⁼ⁿ^l^]^.
^le^ak
^iv^er^sity^o^f^T^e^x^a^{s, A}^u^stin^-^March²⁰⁰³^cu^rren^t^an^d^55,200ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^em^ai^l^R^{ead, B}^r^ock^,^“^H^ack^ers^{Steal Data From}^{U. of}^T^e^x^a^s
^://wiki^p^u^t^{er h}^ack^ers^brok^{e in}^to^f^o^rm^{er s}^t^u^d^en^t,^addres^s^e^s^,^of^fⁱ^{ce ph}^on^e^Datab^a^se,”^C^h^r^oni^cl^{e of}^Hⁱ^gher^Educatⁱ^on,^March^21,
^h^ttp^tab^a^{se o}ⁿ^m^u^ltip^{le o}^ccasioⁿ^s^f^acu^lty^an^{d s}^t^af^f^num^b^e^r^s^{2003, p. 35.}
^me^mb^e^r^s^,^a^s
^w^e^{ll as j}^o^b^no^t^e^:^{perpetrator claim}^e^{d h}^e
^applican^ts^di^{d n}^o^t^di^s^t^ri^bu^t^e^t^h^{e n}^u^m^bers
^aⁿ^d^ha^d^no^t^use^d^t^h^e^m^“t^o
^an^y^oⁿ^e^’^s^d^e^tr^im^en^t”
^iv^ers^ity^of^Kan^s^as^-^h^ack^er^Jan^u^a^ry²⁰⁰³^f^o^rei^gⁿ^s^t^u^d^en^t^s^1,400^S^S^N^s^,^pas^s^portⁿ^u^m^bers^,^A^rⁿ^oⁿ^e^{, Mich}^{ael, “}^H^ack^{er Steals}^P^e^rs^on^{al Data on}
^-ⁱⁿ^{to Stu}^d^en^{t an}^d^couⁿ^t^ri^es^of^ori^gⁱⁿ^{, an}^{d bi}^rt^h^Fo^r^eⁱ^{gn St}^ud^eⁿ^t^s^a^t^U^.^o^f^K^a^nsa^s^,^”^C^h^r^oni^cl^{e of}
^ch^an^g^e^Vi^sⁱ^t^o^{r In}^f^o^rm^atⁱ^oⁿ^dat^e^s^.^Hⁱ^gher^Educatⁱ^oⁿ^{, Jan}^u^a^ry^{24, 2003 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.

^stem⁽^S^E^V^I^S⁾

CRS-46
^Educa^t^io^{n Incident}^s^D^a^t^e^Who^Wa^s^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Publicized^Affected^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^lleg^e^o^f^th^{e Can}^y^oⁿ^s^O^c^t^ober^cu^rren^{t an}^d^36,000ⁿ^a^m^e^s^,^SSNs^,^an^{d ph}^otog^raph^s^M^is^try^,^B^h^avⁿ^a^{, “}^I^den^tity^T^h^ef^{t A}^l^{ert Is}^s^u^{ed at}
^alif^ornⁱ^{a) -}^com^p^u^t^{er h}^a^rd²⁰⁰¹^f^o^rm^{er s}^t^u^d^en^ts^Co^lleg^e^,”^Lo^{s An}^g^e^{les Da}^{ily News}^{, O}^c^t^{ober 21, 2001,}
^{e con}^t^ainⁱⁿ^g^pers^on^al^{p. N}⁷^.
^d^en^{t in}^f^o^r^m^atioⁿ^sto^l^en
^iv^er^sity^o^f^W^a^shⁱⁿ^g^t^oⁿ^Decem^ber^cardi^ol^og^y^an^d^5,000ⁿ^a^m^e^s^,^addres^s^e^s^,^bi^rt^h^dat^e^s^,^“^H^ack^{er Steals}^P^a^tien^t^R^ecords^,^”^{San D}ⁱ^{ego U}ⁿⁱ^on-
^eⁿ^t^{er -}^h^ack^{er brok}^e²⁰⁰⁰^r^e^h^a^b^ilitatioⁿ^heⁱ^ght^{s a}ⁿ^d^w^eⁱ^ght^s,^SSN^s,^aⁿ^d^T^rⁱ^bune^{, Decem}^{ber 9, 2000, p. A}³^.

^p^u^t^{er s}^y^s^t^em^p^a^tien^t^s^th^{e m}^e^{dical procedu}^r^e
ⁱ^{ki/CRS-RL33199}^und^e^r^go^ne
^g/w
^s^.or
^le^ak
^://wiki
^h^ttp

CRS-47
Table 3. Data Security Breaches in Financial Institutions (2001-2007)
^Fina^ncia^{l Inst}^it^ut^io^ns^Da^te^{Who Was}^Affected^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^Ho^rizoⁿ^s^C^o^m^m^uⁿ^ity^A^p^ri^l²⁰⁰⁷^credi^t^uⁿⁱ^on^9,000^loan^accouⁿ^tⁱⁿ^f^o^rm^ation^S^tates^New^s^Serv^{ice, “}^N^ew^Horizon^s
^ed^{it Un}^ioⁿ⁽^D^en^v^e^r^,^CO)^-^me^mb^e^r^s^Co^m^m^uⁿ^ity^{CU T}^a^k^e^{s A}^c^tioⁿ^af^ter
^en^l^a^pt^{op. N}^o^t^e^:^com^p^u^t^er^P^o^ten^{tial Data B}^r^each^{; Mem}^b^ers
^s^prot^ect^{ed by}^t^w^{o l}^a^y^e^rs^of^In^f^o^rm^{ed of}^Prot^ectⁱ^oⁿ^s^{,” A}^p^ri^l^{11, 2007.}
^rity^{, a u}ⁿⁱ^qu^e
^er^-ⁱ^d^eⁿ^tif^ier^,^an^d^a
ⁱ^{ki/CRS-RL33199}^ltip^le-^c^h^a^r^acter^,
^g/w^a-ⁿ^u^m^eri^c^pas^s^w^ord.
^s^.orⁿ^e^y^G^r^a^m^Iⁿ^terⁿ^atioⁿ^a^{l -}^Jan^u^a^ry²⁰⁰⁷^cu^s^t^om^ers^79,000ⁿ^a^m^e^s^,^addres^s^e^s^,^ph^on^{e n}^u^m^bers^,^On^aran^{, Yalm}^an^an^{d Elizabeth}^Hes^t^er,
^le^ak^rv^{er u}ⁿ^l^aw^f^u^lly^acces^s^e^d^an^{d in}^s^o^m^e^cas^es^{, ban}^k^accouⁿ^t^s^“^B^reach^af^f^ects^{79,000 Mon}^e^y^G^ram
^://wiki^acco^uⁿ^t^{s; Mo}ⁿ^e^y^-^tran^sf^{er an}^d^b^ill-^p^a^yⁱⁿ^g^s^e^rv^{ice does}ⁿ^’^t^kⁿ^o^w^if^h^ack^ers^s^t^ole
^h^ttp^pers^on^al^dat^a^,^”^Sai^nt^Paul^Pi^oneer^Pr^es^s
⁽^Mⁱ^nnes^o^t^a⁾^{, Jan}^u^a^ry^{13, 2007, p. 1C}^.
ⁱ^e^{r Ban}^k^-^report^s^t^ol^en^Decem^ber^cu^s^t^om^ers¹^,8000ⁿ^a^m^e^s^,^accouⁿ^tⁿ^u^m^bers^of^Sorkⁱⁿ^{, Mich}^{ael, “}^B^aⁿ^k^{data s}^t^olen^ou^t
^m^t^r^uc^k²⁰⁰⁶^cu^s^t^om^ers^w^h^{o open}^e^{d accou}ⁿ^t^sⁱⁿ^of^ex^ec’^s^v^e^hⁱ^{cle: Nam}^e^s^w^ith^accouⁿ^t
^O^c^t^{ober, 2006}ⁿ^u^m^b^e^r^s^w^e^r^eⁱⁿ^tr^u^c^k^o^u^tsid^{e aw}^ar^d
^cerem^on^y^,^”^St^{. L}^oui^s^Pos^t^-Dⁱ^s^pat^ch^,
^Decem^{ber 6, 2006, p. C}¹^.

CRS-48
^Fina^ncia^{l Inst}^it^ut^io^ns^Da^te^{Who Was}^Affected^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^A^m^{eritrade -}^crimⁱⁿ^als^,^Decem^ber^c^u^st^o^m^e^r^s^unkno^wⁿ^;^na^m^e^s,^a^d^d^r^e^sse^s,^bⁱ^r^t^{h d}^a^te^s,^SSNs^Green^em^{eier, L}^a^rry^,^“^C^y^b^ercrook^s^Get
ⁱⁿ^g^s^t^olen^cu^s^t^om^{er accou}ⁿ^t^s²⁰⁰⁶^com^p^an^y^h^a^s^Sm^{arter; E-}^T^r^{ade an}^{d T}^D^A^m^eritrade
ⁱ^{red f}^r^om^{a h}^ack^ed⁶^m^illioⁿ^w^e^{re v}ⁱ^ctim^s^of^an^on^lin^{e brok}^erag^e
^p^u^t^{er, drov}^{e u}^p^th^{e prices}^clien^t^s^no^t^e^:^T^D^A^m^{eritrade h}^a^{d to cov}^e^{r $4}^p^u^m^p^-a^nd^-d^um^p^sc^he^m^e^,^”^W^a^{ll S}^t^{reet &}
^l^o^w^-^pri^{ced s}^t^ock^s^t^h^rou^g^h^m^illioⁿⁱⁿ^f^r^au^d^u^len^t^tr^an^sactioⁿ^s^f^o^r^T^echnol^ogy^{, Decem}^{ber 1, 2006, p. 14.}
^l^u^m^e^p^u^r^c^ha^se^{s a}ⁿ^d^its^m^o^s^t^recen^{t qu}^arter
^s^o^{ld th}^os^{e s}^h^ares^{at a}
ⁱ^t
ⁱ^{ki/CRS-RL33199}^aⁿ^c^{ial Ser}^v^ices-^sto^l^en^Juⁿ^e²⁰⁰⁶^Dⁱ^s^t^ri^ct^of^C^o^l^u^m^bⁱ^a^13,000^S^S^N^s^,^pers^on^al^dat^a^D^w^y^e^{r, T}ⁱ^m^o^t^h^y^,^“^I^N^G^Fⁱⁿ^aⁿ^cⁱ^a^l^t^o
^g/w^op^go^ve^rⁿ^m^e^nt^w^o^r^k^e^r^s^No^tif^y^P^o^ten^{tial I}^d^en^tity^T^h^ef^{t Victim}^s,”
^s^.or^an^{d retirees}^W^a^s^hⁱ^ngt^{on Pos}^t^{, Ju}ⁿ^e^{19, 2006, p. B4.}
^le^ak
ⁱ^f^a^x^In^c.-^s^t^ol^en^l^a^pt^op^Juⁿ^e²⁰⁰⁶ⁿ^earl^y^al^l^t^h^{e U}^.^S^.^2,500ⁿ^a^m^e^s^,^S^S^N^s^S^t^e^m^p^el^{, Jon}^a^t^h^an^{, “}^E^quⁱ^f^ax^S^a^y^s
^://wiki^em^pl^oy^ees^of^t^h^e^L^a^pt^{op Wi}^t^h^Em^pl^oy^{ee D}^a^t^a^Was
^h^ttp^cr^ed^{it r}^e^p^o^r^tin^g^S^t^ol^en^{,” eWeek}^{, Ju}ⁿ^e^{20, 2006, at}
^bu^reau^[^h^t^t^p^:^/^/^www.^e^w^e^e^k^.^c^o^m^/^a^r^tⁱ^c^l^e²^/⁰^,^1759,
^{1979296,00.as}^p?^k^c^=EWR^S^S^03129T^X¹
^K^0000614].
^e^lity^Iⁿ^v^e^stm^eⁿ^t^s-^sto^l^en^March²⁰⁰⁶^H^e^w^l^et^t^-^Pack^ard^196,000^pers^on^{al data}^Hin^e^s^,^{Matt, “}^S^tolen^Fidelity^L^a^ptop
^op^em^ploy^ees^Ex^pos^es^HP^W^o^rk^ers^,^{” eW}^eek^{, March}
^{23, 2006, at}
^[^h^t^t^p^:^/^/^www.^e^w^e^e^k^.^c^o^m^/^a^r^tⁱ^c^l^e²^/⁰^,^1895,
^{1942049,00.as}^p].

CRS-49
^Fina^ncia^{l Inst}^it^ut^io^ns^Da^te^{Who Was}^Affected^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^{nk o}^f^A^m^e^rⁱ^c^a^,^W^a^shi^ngt^oⁿ^Feb^r^uar^y^cu^s^t^om^ers^u^sⁱⁿ^g^200,000^debi^t^{card i}ⁿ^f^o^rm^atⁱ^oⁿ^w^hⁱ^c^h^w^a^s^S^aⁿ^dov^al^{, G}^r^eg^“^W^{eb of}^In^t^rⁱ^g^u^e^Wi^den^s
^tu^al-^{debit cards}^can^celled²⁰⁰⁶^debi^t^cardsⁱ^s^s^u^{ed by}^u^s^{ed to accru}^e^f^r^au^du^len^t^ch^arg^e^sⁱⁿ^Deb^it-^Car^d^T^h^ef^{t Case,” CNet New}^s^,
^th^{e tw}^o^b^aⁿ^k^s^at^F^e^bru^a^ry^{13, 2006, at}
^Sa^m^’^{s Cl}^ub^ga^s^[^h^ttp^://n^ew^s.co^m^.^co^m^/^W^e^b⁺^o^f⁺ⁱⁿ^t^rⁱ^g^u^e⁺
^s^t^ation^s^an^{d Of}^fⁱ^ce^wⁱ^den^s⁺ⁱⁿ⁺^debi^t^-^card+t^h^ef^t⁺^cas^e/^2100-¹
^Max^029_3-^6038405.h^t^m^l^].
^er^ip^rⁱ^{se Fin}^aⁿ^c^ial-^lap^t^o^p^Jan^u^a^ry²⁰⁰⁶^cu^s^t^om^ers^an^d^230,000ⁿ^a^m^e^s^,^S^S^N^s^,ⁱⁿ^tern^{al accou}ⁿ^t^Da^sh,^E^r^ic^,^“^A^m^e^rⁱ^p^r^ise^L^o^se^{s Da}^ta^oⁿ
ⁱ^{ki/CRS-RL33199}^t^ad^vⁱ^ser^s^w^ith^th^e^fi^na^ncⁱ^a^l^fi^r^m^num^b^e^r^s^{230,000 C}^u^s^t^om^ers^an^{d A}^d^vⁱ^s^e^rs^,”^Ne^w^Yo^{rk Times}^{, Jan}^u^a^ry^{25, 2006.}
^g/w
^s^.or^R^B^l^ock^-^{Social Secu}^rity^Jan^u^a^ry²⁰⁰⁶^reci^pi^en^t^s^of^t^h^e^uⁿ^d^isclo^s^ed^SSNs^G^ilb^er^{t, A}^l^o^r^{ie, “}^H^&^R^B^l^o^c^k^B^l^uⁿ^d^er
^le^ak^m^b^e^r^s^p^rⁱⁿ^ted^oⁿ^uⁿ^s^o^licited^com^p^an^y^’^s^tax^Ex^pos^es^C^oⁿ^s^u^m^{er Data,” C}^N^{et New}^s^,
^ag^es^con^t^ainⁱⁿ^g^f^r^ee^preparation^s^o^f^t^w^a^re^Jan^u^a^ry^{3, 2006, at}
^://wiki^ftw^a^r^e^[^h^ttp^://n^ew^s.co^m^.^co^m^/^H3⁸^R^+B^lo^ck^+b^lu
^h^ttpⁿ^d^er+ex^pos^es^+con^s^u^m^e^r+dat^a^/^2100-¹⁰²
^9_3-^6016720.h^t^m^l^].
^a^USA^D^ecem^ber^c^u^sto^m^e^r^{s w}^{ith Visa}^uⁿ^d^isclo^s^ed^cr^ed^{it car}^dⁱⁿ^f^o^r^m^atioⁿ^W^ein^s^tein^{, Natalie, “}^V^{isa Deals W}^ith
²⁰⁰⁵^cards^f^r^om^v^a^ri^ou^s^P^o^s^sⁱ^{ble Data B}^r^each^{,” C}^N^{et New}^s^,
^fⁱⁿ^aⁿ^c^{ial in}^stitu^tioⁿ^s^Decem^{ber 24, 2005, at}
^usi^{ng a}^m^u^t^u^a^l^[h^ttp://n^ew^s^.^com^.^com^/^2100-^1029_3-⁶⁰⁰
^m^e^r^c^ha^nt^7759.h^t^m^l^].

CRS-50
^Fina^ncia^{l Inst}^it^ut^io^ns^Da^te^{Who Was}^Affected^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^c.-ⁱⁿ^tern^{et h}^ack^er^Decem^ber^cu^s^t^om^ers^of^th^e^140,000ⁿ^a^m^e^s^,^bi^rt^h^dat^e^s^,^dri^v^ers^lⁱ^cen^s^e^“^H^ack^ers^R^e^v^eal^{140,000 C}^u^s^t^om^er
²⁰⁰⁵^s^t^ock^brok^erag^{e f}ⁱ^rmⁿ^u^m^bers^{, ph}^on^{e n}^u^m^bers^{, ban}^k^ID’^s^,”^C^o^mputer^C^r^{ime Res}^e^ar^ch
^na^m^e^s,^b^a^{nk r}^o^utⁱ^{ng num}^b^e^r^s^,^b^a^nk^Ceⁿ^t^e^r^,^Decem^{ber 2, 2005 (n}^{o pag}^e
^accouⁿ^tⁿ^u^m^bers^{, an}^{d Scottrade}^gi^veⁿ⁾^.
^accouⁿ^tⁿ^u^m^bers
^an^s^Uⁿⁱ^on^(credi^t^reportⁱⁿ^g^No^v^e^m^b^er^cu^s^t^om^ers³^,600^SSNs^an^{d pers}^on^{al credit in}^f^o^rm^ation^P^au^{l, P}^e^{ralte, “}^C^{redit B}^u^reau^B^u^rg^lary
^reau^{) -}^s^t^ol^en^des^k^t^o^p²⁰⁰⁵^L^eav^es^{3,600 V}^u^lⁿ^erabl^e^,”^At^l^ant^a
ⁱ^{ki/CRS-RL33199}^p^u^t^er^Jour^{nal and C}^ons^titution^{, Nov}^e^m^b^{er 11,}^{2005, p. 5G}^.
^g/w
^s^.or^oi^cepoiⁿ^t^-^Mi^amⁱ^-^D^a^de^S^e^pt^em^ber^con^s^u^m^ers⁵^,103^SSNs^,^driv^er’^s^licen^s^eⁱⁿ^f^o^rm^ation^H^u^s^{ted, B}^{ill, “}^Aⁿ^o^th^{er B}^r^each^of
^le^ak^unt^y^P^o^lⁱ^c^e^D^e^p^a^r^t^m^e^nt^m^a^y²⁰⁰⁵^R^ecords^Feared;
^v^e^mⁱ^s^u^s^e^{d t}^h^{e depart}^m^eⁿ^t^’^s^C^h^oi^cepoiⁿ^t^T^e^l^l^s^{5,103 C}^u^s^t^om^ers^abou^t
^://wiki^uⁿ^t^to^illeg^a^lly^access^In^ci^den^t^,”^Atlaⁿ^t^a^Jo^u^rⁿ^a^l^-^C^oⁿ^s^titu^tioⁿ^,
^h^ttp^s^u^m^{er records}^S^e^pt^em^{ber 17, 2005, p. 1H}^.
ⁿ^k^of^A^m^{erica -}^s^t^olen^S^e^pt^em^ber^Vⁱ^sa^B^{uxx c}^a^r^d^use^r^s^undⁱ^s^c^l^o^s^e^d^na^m^e^s,^c^r^e^dⁱ^t^c^a^r^d^num^b^e^r^s^,^b^a^nk^McMillan^,^Ro^b^e^r^t^{, “}^B^an^k^o^f^A^m^er^ica
^op²⁰⁰⁵^accouⁿ^tⁿ^u^m^bers^{, rou}^tin^g^tran^sⁱ^t^N^o^tⁱ^f^yⁱⁿ^g^C^u^s^t^om^ers^A^f^t^e^{r L}^a^pt^op
^num^b^e^r^s^T^h^ef^t^,^{” C}^o^m^p^u^t^erw^o^rl^{d, O}^c^t^{ober 7,}
^{2005, at}
^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^s^e^c^u^rⁱ^t
^y^t^opi^cs^/^s^ecu^ri^t^y^/^s^t^o^ry^/⁰^{,10801,105246,0}
^0.h^t^m^l^].
^.^Morg^an^(Dallas⁾^-^s^t^olen^A^ugust²⁰⁰⁵^clⁱ^eⁿ^t^s^unkno^wⁿ^p^e^r^s^oⁿ^{al and}^fⁱ^{nancial inf}^o^r^m^atioⁿ^“^S^ecur^ity^B^r^{each at J}^.^P^.^Mo^r^g^{an P}^r^ivate
^op^B^a^nk,^”^{AFX Int}^e^r^natⁱ^onal^Focus^,^A^ugust
^{30, 2005 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.

CRS-51
^Fina^ncia^{l Inst}^it^ut^io^ns^Da^te^{Who Was}^Affected^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^r^o^u^p^-^{a b}^o^x^o^f^co^m^p^u^t^er^Juⁿ^e²⁰⁰⁵^pers^on^al^an^{d h}^o^m^e³^.⁹^m^illioⁿⁿ^am^{es, ad}^d^r^{esses, SSNs an}^d^Kr^im^{, J}^oⁿ^a^th^an^{, “}^C^u^s^to^m^e^r^{Data L}^o^st,
^w^ith^accouⁿ^tⁱⁿ^f^o^rm^ation^eq^u^ity^lo^an^loan^-^accouⁿ^t^data^Citig^r^o^u^p^Un^{it Say}^s^:3^.9^Millioⁿ^A^f^f^ected
^r³^.⁹^m^illioⁿ^cu^sto^m^er^{s w}^a^s^cu^s^t^om^ers^A^s^Firm^s^’^Secu^rity^L^a^ps^es^A^{dd Up,}
^sh^ip^m^eⁿ^t^b^y^W^a^s^hⁱ^ngt^{on Pos}^t^{, Ju}ⁿ^e^{7, 2005, p. A}¹^.
^an^{cial, a u}ⁿ^{it o}^f
^r^o^u^p
^e^s^e^credi^t^cardh^ol^ders^-^Juⁿ^e²⁰⁰⁵^cu^s^t^om^ers^of²⁶^unkno^wⁿ^unkno^wⁿ^“J^a^p^aⁿ^Ca^r^d^ho^l^d^e^r^{s ‘H}ⁱ^t^’^b^y^T^h^e^f^t^,^”^BBC
ⁱ^{ki/CRS-RL33199}^ers^behⁱⁿ^d^{U.S. data th}^ef^t^{y h}^a^v^e^c^o^mp^r^o^mi^s^e^d^t^h^e^dom^es^tⁱ^c^Japan^e^s^e^{credit card f}ⁱ^rm^s^Ne^ws^{, Ju}ⁿ^e^{21, 2005 at}^[^h^ttp^://n^ew^s.b^b^c^.co^.^u^k^/²^/^h^i/b^u^sⁱⁿ^ess/4¹¹
^g/w^a^of^Japan^e^s^e^cardh^ol^ders^,^4252.s^t^m^]^.

^s^.or^g^{to th}^{e g}^o^v^e^rn^m^eⁿ^t^.
^le^ak^a^u^d^u^l^e^nt^t^r^aⁿ^sa^c^tⁱ^o^{ns ha}^ve
^w^e^m^e^r^ge^dⁱⁿ^J^a^p^a^n.
^://wiki
^h^ttp

CRS-52
^Fina^ncia^{l Inst}^it^ut^io^ns^Da^te^{Who Was}^Affected^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^t^erC^a^{rd -}^breach^occu^rred^Juⁿ^e²⁰⁰⁵^Mas^t^erC^a^{rd credi}^t⁴⁰^m^illioⁿⁿ^a^m^e^{s, acco}^uⁿ^tⁿ^u^m^b^e^{rs, secu}^rity^Krim^{, J}^oⁿ^a^th^an^an^{d Mich}^{ael B}^a^rbaro,
^{a proces}^sⁱⁿ^g^cen^t^e^r^{card an}^{d s}^o^m^e^debi^t^codes^,^ex^pi^ratⁱ^oⁿ^dat^e^s^“⁴⁰^Millioⁿ^Cr^ed^{it Car}^d^Nu^m^b^er^s
^u^cs^on^operat^e^{d by}^{card cu}^s^t^om^ers^Hack^{ed: Data B}^r^each^{ed at P}^r^oces^sⁱⁿ^g
^d^Sy^stem^{s So}^lu^tioⁿ^s^{, o}ⁿ^{e o}^f^Ce^nte^r^,^”^W^a^s^hⁱ^ngt^{on Pos}^t^{, Ju}ⁿ^e^{18, 2005,}
^e^r^a^{l co}^m^p^an^{ies th}^{at h}^aⁿ^d^le^{p. A}¹^;
^s^f^ers^of^pay^m^en^{t betw}^een
^k^of^{a credit card-}^u^sⁱⁿ^g^Z^e^ller^,^T^o^m^an^d^Er^{ic Dash}^{, “}^M^aster^C^ar^d
^s^u^m^{er an}^{d th}^{e ban}^k^of^th^e^Say^s⁴⁰^Millioⁿ^{Files P}^u^{t at Risk}^,”^Ne^w
ⁱ^{ki/CRS-RL33199}^rch^aⁿ^t^w^h^{ere a pu}^rch^a^s^e^w^a^s^{de. C}^a^rdSy^s^t^em^s^’^com^p^u^t^ers^Yo^{rk Times}^{, Ju}ⁿ^e^{18, 2005, p. A}¹^;^an^d
^g/w^{re breach}^{ed by}^m^a^liciou^s^Ev^ers^,^Jori^s^,^“^C^redi^t^C^a^{rd S}^uⁱ^t^Now
^s^.or^{at allow}^e^{d acces}^s^to^Seek^s^Dam^a^g^e^s^,^{” C}^N^ET^New^s^.com^{, J}^u^ly
^le^ak^s^t^om^{er data.}^{7, 2005, at}
^://wiki^[^h^ttp^://n^ew^s.co^m^.^co^m^/^Cr^ed^it+car^d⁺^su^it+ⁿ^o^w⁺^s^eek^s⁺^dam^a^g^e^s^/^2100-^7350_3-⁵⁷⁷⁷
^h^ttp^818.h^t^m^l^].
^k^of^A^m^eri^{ca -}^l^a^pt^op^Juⁿ^e²⁰⁰⁵^C^a^lif^ornⁱ^{a cu}^s^t^om^ers^18,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^L^azaru^s^{, Dav}ⁱ^{d, “}^B^reach^esⁱⁿ^S^ecu^rity
^f^r^om^{car in}^W^a^ln^u^t^R^e^q^uⁱ^r^e^N^e^{w L}^a^ws^,^”^{San Fr}^anci^s^co
^e^e^k^,^CA^C^h^r^oni^cl^e^{, Ju}ⁿ^e^{29, 2005, p. C}¹^.

CRS-53
^Fina^ncia^{l Inst}^it^ut^io^ns^Da^te^{Who Was}^Affected^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^Jers^ey^cy^bercri^m^e^riⁿ^g^May²⁰⁰⁵^cu^s^t^om^ers^of^f^o^u^r^700,000ⁿ^a^m^e^s^,^S^S^N^s^,^ban^k^accouⁿ^t^Wei^s^s^,^T^{odd, “}^S^{cope of}^Ban^k^D^a^t^a^T^h^ef^t
ⁱⁿ^aⁿ^c^{ial records}^f^r^om^b^a^{nks (}^C^ha^r^l^o^t^t^e^,ⁱⁿ^f^o^r^m^atioⁿ^G^r^ow^s^t^o^{676,000 C}^u^s^t^om^ers^:^Ban^k
^k^accouⁿ^t^s^Nort^h^C^a^rolⁱⁿ^a-^bas^e^d^Em^ploy^ees^Us^{ed C}^o^m^p^u^t^{er Screen}
^B^aⁿ^k^of^A^m^{erica an}^d^no^t^e^:^b^a^{nk e}^m^p^l^o^y^e^e^s^so^l^d^fi^na^ncⁱ^a^l^C^a^ptu^r^es^{to Sn}^ag^C^u^s^t^om^{er Data,”}
^W^ach^ov^{ia, C}^h^erry^records^{to collec}^tion^ag^en^cies^an^d^C^o^m^p^u^t^erw^o^rl^{d, May}^{20, 2005, at}
^{Hill, New}^law^fⁱ^r^m^s.^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^s^e^c^u^rⁱ^t
^J^e^rs^ey^-^b^as^ed^y^t^opi^cs^/^s^ecu^ri^t^y^/^c^y^b^ercri^m^e/^s^t^ory^/^0,1080
^C^o^m^m^e^{rce B}^aⁿ^k^,^an^d^{1,101903,00.h}^t^m^l^].
ⁱ^{ki/CRS-RL33199}^P^N^{C B}^a^{nk o}^f^P^ittsb^u^r^g^h⁾
^g/w
^s^.or^er^itr^ad^{e (}^s^ecu^r^{ities b}^r^o^k^er⁾^-^A^p^ri^l²⁰⁰⁵^A^m^eri^t^r^{ade cu}^rren^t^200,000^accouⁿ^tⁱⁿ^f^o^rm^ation^“^A^m^{eritrade L}^o^s^e^s^C^u^s^t^om^{er A}^ccouⁿ^t
^le^ak^e^{s w}^ith^b^ack^-^u^p^an^{d f}^o^rm^er^In^f^o^{,” C}^N^N^Mon^e^y^,^A^p^ri^l^{19, 2005, at}
^o^r^m^atioⁿ^oⁿ^cu^sto^m^er^cu^s^t^om^ers^[h^ttp://m^on^ey^.cnⁿ^.^com^/^{2005/04/19/tech}ⁿ
^://wikiⁿ^t^s^olog^y^/^am^eritrade/in^dex^.^h^t^m^]^.
^h^ttp
^BC^(g^l^obal^ban^k⁾^s^eⁿ^t^ou^t^A^p^ri^l²⁰⁰⁵^h^o^l^d^ers^of^G^eⁿ^e^ral^180,000^credi^t^{card i}ⁿ^f^o^rm^atⁱ^oⁿ^“^S^ecu^ri^t^y^S^{care H}ⁱ^t^s^H^S^BC^’^s
^rⁿⁱⁿ^g^letter^sⁿ^o^tif^yⁱⁿ^g^Motors^Mas^t^erC^a^rd^Ca^r^d^s,^”^B^B^C^Ne^ws^{, A}^p^ri^l^{14, 2005, at}
^s^t^om^ers^th^{at crim}ⁱⁿ^als^m^a^y^w^h^{o h}^a^{d s}^h^{opped at}^[^h^ttp^://n^ew^s.b^b^c^.co^.^u^k^/²^/^h^i/b^u^sⁱⁿ^ess/4⁴⁴
^v^e^g^aⁱⁿ^{ed acces}^s^{to credit}^P^o^lo^Ralp^h^L^a^u^r^en^4477.s^t^m^]^;^an^d
^f^o^sto^r^e^s
^Vⁱ^j^a^y^aⁿ^,^Jai^k^u^m^{ar, “}^U^pdat^e^:^S^c^{ope of}
^C^r^{edit C}^a^{rd Secu}^rity^B^r^each^Ex^pan^d^s^,^”
^C^o^m^p^u^t^erw^o^rl^{d, A}^p^ri^l^{15, 2005, at}
^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^s^e^c^u^rⁱ^t
^y^t^opi^cs^/^s^ecu^ri^t^y^/^s^t^o^ry^/⁰^{,10801,101101,0}
^0.h^t^m^l^].

CRS-54
^Fina^ncia^{l Inst}^it^ut^io^ns^Da^te^{Who Was}^Affected^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
ⁿ^k^of^A^m^{erica -}^com^p^u^t^er^Feb^r^uar^y^GSA^ch^arg^e^card¹^.²^m^illioⁿ^c^u^s^to^m^e^{r an}^d^acco^uⁿ^tⁱⁿ^f^o^rm^atioⁿ^C^arrn^{s, A}ⁿⁿ^,^“^B^an^k^o^f^A^m^{erica Is}
^{ta tap}^e^{s lo}^{st d}^u^rⁱⁿ^g^sh^ip^m^eⁿ^t²⁰⁰⁵^prog^ram^(Vⁱ^s^{a cards}^Mⁱ^{ssing T}^a^p^e^{s W}^{ith Ca}^r^d^Da^ta^,^”^Wa^l^l
^issue^d^to^fe^d^e^r^a^l^St^r^eet^Jour^nal^,^F^e^bru^a^ry^{28, 2005, p. B2.}
^em^ploy^ees⁾
^e^lls^Farg^{o -}^com^p^u^t^ers^s^t^olen^No^v^e^m^b^er^m^o^r^t^ga^ge^aⁿ^d^com^p^an^y^c^u^sto^m^e^r^{s’ na}^m^e^s,^a^d^d^r^e^sse^s,^aⁿ^d^B^r^ey^{er, R}^.^Mich^{elle, “}^W^ells^Farg^o
^Wel^l^s^F^a^rg^{o v}^eⁿ^dor²⁰⁰⁴^stu^d^en^t-^lo^an^w^o^ul^d^no^t^SSNs^,^an^{d accou}ⁿ^tⁿ^u^m^bers^C^u^s^t^om^{er Data Stolen}ⁱⁿ^C^o^m^p^u^t^{er T}^h^ef^t
^cu^s^t^om^ers^dⁱ^sc^lo^se^,”^Aus^tⁱⁿ^-Am^e^rⁱ^{can St}^at^es^m^an,^No^v^e^m^b^er
ⁱ^{ki/CRS-RL33199}^{3, 2004, p. D}¹^.
^g/w^e^lls^Farg^{o -}^h^ack^{er arres}^t^ed^No^v^e^m^b^er^cu^s^t^om^ers^w^ith^com^p^an^yⁿ^a^m^e^s^,^addres^s^e^s^,^accouⁿ^t^an^{d SSNs}^“^Su^s^p^{ect Is}^A^rres^t^{ed in}^T^h^ef^{t of}^B^aⁿ^k
^s^.or^s^t^olen^com^p^u^t^ers^an^d²⁰⁰³^pers^on^al^lⁱⁿ^es^of^w^o^ul^d^no^t^Data,”^Lo^{s A}ⁿ^g^e^le^{s Time}^s,^N^o^v^e^m^b^{er 27,}
^le^ak^op^{credit u}^s^{ed f}^o^r^dⁱ^sc^lo^se^{2003, p. C}²^.
^con^s^u^m^{er loan}^s^an^d
^://wiki^ov^erdraf^t^prot^ectⁱ^oⁿ
^h^ttp
^e^ich^e^r^t^Fin^aⁿ^c^{ial Ser}^v^{ices -}^May²⁰⁰³^clⁱ^eⁿ^t^s³^,774^credi^t^report^s^{, dri}^v^er’^s^lⁱ^cen^s^eⁱⁿ^f^o^As^s^o^{ciated Pr}^es^s^{, “}^P^{air A}^ccu^s^e^{d of}
^{it p}^r^o^f^{iles w}^e^r^e^uⁿ^l^aw^f^u^lly^Fr^au^dⁱⁿ^Cr^ed^{it Rep}^o^r^ts’^T^h^ef^t:
^s^e^{d f}^r^omⁱⁿ^tern^al^A^l^l^e^g^e^dl^y^U^s^{ed D}^a^t^a^t^o^Bu^y^G^oods^ov^er
^p^u^t^{er s}^y^s^t^em^th^{e I}ⁿ^terⁿ^et,”^{The Recor}^d^(Berg^eⁿ
^C^o^uⁿ^t^y^,^N^J^{), May}^{2, 2003, p. A}^10.

CRS-55
^Fina^ncia^{l Inst}^it^ut^io^ns^Da^te^{Who Was}^Affected^Num^b^er^Ty^pe^o^f^D^a^t^a^Source(s⁾
^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^a^{, Mas}^t^erC^a^{rd, A}^m^erican^Feb^r^uar^y^{credit card cu}^s^t^om^ers^P^NC^B^aⁿ^k^A^T^M/d^e^b^it/ch^eck^car^d^s^Sab^a^tin^{i, P}^a^tr^{icia, “}^P^{NC Can}^{cels 1}⁶^,⁰⁰⁰
^pres^s^an^{d Dis}^c^ov^{er accou}ⁿ^t²⁰⁰³^can^celled^C^a^rds^A^f^{ter Hack}ⁱⁿ^g^T^h^ef^{t In}^ciden^t^,”
^m^bers^-^h^ack^{er s}^t^{ole 8}^{16,000 cards}^;^Pittsb^u^r^g^h^Po^st-^G^a^z^ette^{, F}^e^bru^a^ry^20,
ⁿ^Citizen^{s B}^aⁿ^k^{2003, p. C}¹^.
^can^celled
^8,000-^10,000
^cards
ⁱ^{ki/CRS-RL33199}^ller^t^oⁿ^{, Calif}^o^rⁿⁱ^{a -}^b^o^g^u^s^t^{card ri}ⁿ^g^open^e^{d ban}^k^Juⁿ^e²⁰⁰¹ⁱ^m^pers^on^at^{ed m}^o^re^t^h^an^{1,500 peopl}^e^1,500^bi^rt^h^dat^e^s^,^S^S^N^s^,^m^o^t^h^ers^’^m^aⁱ^d^enⁿ^a^m^e^s^,^{credit cards}^{, driv}^er’^s^licen^s^e^s^,^B^r^o^wⁿ^,^A^l^d^rⁱⁿ^an^d^J^e^f^f^Co^llin^s,^“^S^u^s^pi^ci^ou^s^Mai^l^T^rⁱ^g^g^e^{red Probe of}
^g/wⁿ^t^s^,^{credit lin}^es^{, au}^{to an}^dⁿ^a^tioⁿ^w^id^{e an}^d^an^{d receipts}^f^o^{r car an}^{d h}^o^m^e^I^d^en^tity^T^h^ef^{t Cr}^im^{e L}^o^{sses f}^r^o^m^th^e
^s^.or^m^e^l^o^aⁿ^s^def^r^au^{ded 76}^p^u^r^c^ha^se^s.^A^l^l^e^ge^d^Ri^ng,^W^hⁱ^c^{h U}^s^e^d^D^a^t^a^St^o^l^eⁿ
^le^ak^fⁱⁿ^aⁿ^c^{ial in}^stitu^tioⁿ^s^as^{Far B}^ack^as^th^{e Early}^‘^90s^{, May}^Hit
^{$10 Million}^,^”^O^r^{ange C}^ount^{y Regi}^s^t^er^,
^://wiki^Juⁿ^e^{21, 2001 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.

^h^ttp

CRS-56
Table 4. Data Security Breaches in Local, State, and Federal Government (2003-2007)
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^an^sp^o^r^tatioⁿ^Secu^r^ity^May²⁰⁰⁷ⁱⁿ^di^vⁱ^du^al^s^100,000ⁿ^a^m^e^{, S}^S^N^{, dat}^e^of^bi^rt^h^,^Hu^{, Spen}^{cer, “}^T^SA^{Hard Driv}^{e W}^ith^Em^ploy^ee
^mⁱⁿⁱ^st^r^a^tⁱ^o^{n - m}ⁱ^ssi^ng^em^pl^oy^{ed by}^t^h^e^p^a^y^r^o^{ll in}^f^o^r^m^atioⁿ^,^b^aⁿ^k^D^a^t^a^Is^R^e^port^e^{d S}^t^ol^en^,”^W^a^s^hⁱ^ngt^{on Pos}^t^,
^tern^{al h}^a^{rd driv}^e^ag^en^cy^f^r^om^accouⁿ^t^an^{d rou}^tin^g^May^{5, 2007, p. A}⁹^.
^Jan^u^a^ry^{2002 u}ⁿ^tⁱ^lⁱⁿ^f^o^r^m^atioⁿ
^A^ugust²⁰⁰⁵
ⁱ^{ki/CRS-RL33199}^a^rtm^eⁿ^t^o^f^A^p^ri^l²⁰⁰⁷^reci^pi^en^t^s^of^l^o^an^s^{63,000 (f}ⁱ^r^s^t^SSNs^N^ak^as^hⁱ^m^a^{, Ellen}^,^“^U^{.S. Ex}^pos^{ed P}^e^rs^on^al
^g/w^rⁱ^cu^ltu^r^e^-^p^u^b^lic^o^r^m^atioⁿ^dⁱ^sclo^sed^f^o^r^m^o^r^e^o^r^o^t^he^r^fi^na^ncⁱ^a^l^a^ssistaⁿ^c^e^es^tim^{ate), th}^en^{38,700 (af}^t^er^Data;^C^eⁿ^s^u^s^Bu^reau^Pos^t^{ed 63,000 S}^o^ci^al^S^ecu^ri^t^y
^s^.or^{a decade on}^pu^blic^USDA^Nu^m^b^ers^On^lin^e,”^W^a^s^hⁱ^ngt^{on Pos}^t^{, A}^p^r^{il 2}^,
^le^ak^b^s^iteⁱⁿ^v^e^stig^atioⁿ⁾^{2007, p. A}⁵
^://wiki^an^d^P^rⁱⁿ^{ce, B}^r^ian^,^“^USDA^C^u^ts^Nu^m^b^{er A}^f^f^ected
^h^ttp^by^D^a^t^a^Ex^pos^u^r^e,”^eW^eek^{, A}^p^ri^l^{23, 2007.}
ⁱ^{a Secretary}^of^State^A^p^ri^l²⁰⁰⁷^F^u^l^t^oⁿ^C^o^uⁿ^t^y^75,000ⁿ^a^m^e^{, addres}^s^,^S^S^N^s^A^s^s^o^ci^at^{ed Pres}^s^,^“^{75,000 v}^o^t^e^{r reg}ⁱ^s^t^ratⁱ^oⁿ
^t^l^aⁿ^t^{a, G}^A^{) -}^{30 box}^es^of^vo^t^e^r^s^car^d^s^f^o^uⁿ^dⁱⁿ^tr^ash^bⁱⁿⁱⁿ^A^tlan^t^{a,” A}^p^r^{il 1}²^,
^t^e^r^r^e^gi^st^r^a^tⁱ^o^{n r}^e^c^o^r^d^s^2007.
^uⁿ^dⁱⁿ^tr^ash
^ild^{Net (}ⁿ^oⁿ^-^p^r^o^f^{it th}^{at r}^uⁿ^s^A^p^ri^l²⁰⁰⁷^adoptⁱ^v^{e an}^d^12,000^S^S^N^s^,^fⁱⁿ^aⁿ^cⁱ^a^l^an^{d credi}^t^dat^a^,^{Haas, B}^r^ian^,^an^d^B^{ill Hir}^s^ch^m^aⁿ^,^“^S^to^len
^{ard C}^o^uⁿ^t^y^’^s^chⁱ^l^d^f^o^s^t^er-^{care paren}^t^s^dri^v^er’^s^lⁱ^cen^s^e^dat^a^{, pas}^s^port^C^hⁱ^l^d^N^e^t^l^a^pt^{op pu}^t^s^{12,000 at}^ri^s^k^of^ID^t^h^ef^t^,^”
^l^f^{are prog}^ram^(F^ort^num^b^e^r^s^Sout^{h Fl}^orⁱ^{da Sun-Sent}ⁱⁿ^el^(F^ort^L^a^u^d^erdal^e^),
^ud^e^r^d^a^l^e^,^F^L⁾^{- fo}^r^m^e^r^A^p^ri^l^{12, 2007.}

^pl^oy^{ee al}^l^e^g^e^dl^y^s^t^ol^e
^op

CRS-57
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^{s A}^nge^l^e^{s Co}^unt^y^Chi^l^d^March²⁰⁰⁷^chⁱ^l^d^s^u^pport^243,000^{130,500 S}^S^N^s^(m^os^t^wⁱ^t^h^ou^t^R^o^s^eⁿ^b^l^a^t^t^,^S^u^s^aⁿⁿ^a^h^,^“^C^hⁱ^l^d^s^u^pport^dat^a^m^a^y
^pport^S^e^rvⁱ^ces^(L^os^clien^t^sⁿ^a^m^e^s^at^t^ach^{ed), abou}^t^12,000^{be at}^ri^s^k^;^L^.^A^.^C^o^uⁿ^t^y^ag^en^cy^t^e^l^l^s^243,000
^le^s,^CA⁾^{- thr}^e^e^mⁱ^ssingⁱⁿ^di^vⁱ^du^al^s^’ⁿ^a^m^e^s^an^d^clien^t^s^th^{at th}^{ree m}ⁱ^s^sⁱⁿ^g^laptops^m^a^y^con^t^ain
^ops^addres^s^e^s^,^an^{d m}^o^{re th}^an^pers^on^alⁱⁿ^f^o^,”^Lo^{s A}ⁿ^g^e^le^{s Time}^s^{, March}^30,
^{101,000 ch}ⁱ^l^d^s^u^pport^cas^e^{2007, p. B4.}
^num^b^e^r^s
^r^t^Mo^nr^o^e^March²⁰⁰⁷^civ^ilian^16,000ⁿ^a^m^e^s^,^S^S^N^s^,^pay^r^ol^l^Ho^w^e^{, Kev}ⁱⁿ^,^“^A^r^m^y^w^a^rⁿ^{s o}^f^d^a^{ta th}^ef^{t: lap}^t^o^p
ⁱ^{ki/CRS-RL33199}^ort^Mon^r^{oe, V}^A^{) -}^s^t^ol^en^m^y^l^a^pt^op^em^ploy^eesⁱⁿ^f^o^r^m^atioⁿ^w^ithⁱⁿ^f^o^rm^ation^of^{16,000 civ}^ilian^em^ploy^ees^sto^l^enⁱⁿ^Vir^gⁱⁿ^ia,”^M^ont^er^{ey C}^ount^{y H}^e^r^a^l^d
^g/w^(C^alⁱ^f^ornⁱ^{a), March}^{29, 2007.}
^s^.or
^le^ak^o^rⁿⁱ^{a Natio}ⁿ^a^{l Gu}^ar^d^March²⁰⁰⁷^C^a^lⁱ^f^ornⁱ^a^1,300ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^dat^e^s^A^s^s^o^{ciated P}^r^es^s^,^“^S^tolen^h^a^{rd driv}^{e con}^t^ain^s
^en^{to, C}^A^{) -}^s^t^olen^Natioⁿ^a^{l Gu}^ar^d^of^bi^rt^h^dat^a^f^o^{r C}^a^lⁱ^f^ornⁱ^{a G}^u^{ard t}^r^oops^{,” March}^10,
^://wiki^p^u^t^{er h}^a^{rd driv}^e^t^r^oops^depl^oy^{ed t}^o^2007.
^h^ttp^th^{e U.S.-}^M^ex^ico
^border
^a^rtm^eⁿ^t^o^f^Veteran^s^Feb^r^uar^y^v^e^t^e^ran^s^{535,000. H}^a^rd^na^m^e^s,^SSNs,^so^m^e^M^e^dⁱ^c^a^r^e^T^h^orn^t^on^{, W}^illiam^,^“^{535,000 on}^los^t^VA^driv^e:
^f^a^irs^,^VA^{Medical C}^eⁿ^t^er²⁰⁰⁷^driv^{e als}^o^m^a^y^b^illin^g^r^eco^r^dⁱⁿ^f^o^r^m^atioⁿ^an^d^A^g^en^cy^{to n}^o^tif^y^th^os^{e pos}^sⁱ^bly^af^f^ected,”
ⁱ^r^mⁱ^ngha^m^,^A^L⁾^{- m}ⁱ^ssi^ng^ha^veⁱⁿ^c^l^ud^e^d^b^illin^g^co^d^e^{s f}^o^r¹^.³^m^illioⁿ^Bi^r^mⁱ^ngham^N^e^w^s^(A^l^a^bam^a^{), F}^e^bru^a^ry^12,
^r^d^d^rⁱ^v^e^d^a^{ta, n}^o^{t all o}^f^it^doct^o^rs^2007.

^sen^s^itiv^{e, o}ⁿ
^ab^o^u^{t 1}^.³^m^illioⁿ
^no^n-V^A
^ph^y^sⁱ^cⁱ^aⁿ^s^{, bot}^h
^livⁱⁿ^g^an^{d dead}

CRS-58
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^nne^c^tⁱ^c^ut^{- p}^e^r^s^oⁿ^a^l^Feb^r^uar^y^s^t^at^{e em}^pl^oy^ees^1,700ⁿ^a^m^e^s^,^S^S^N^s^G^reen^em^ei^{r, L}^a^rry^,^“^S^t^{op &}^S^h^{op PIN}^Pads
^o^r^m^atioⁿⁱⁿ^ad^v^e^r^t^en^tly²⁰⁰⁷^B^r^each^{ed; C}^oⁿⁿ^ecticu^t^R^e^m^o^v^e^s^W^o^rk^{er Data}
^s^ted^to^{state A}^d^mⁱⁿⁱ^str^a^tiv^e^Fr^o^m^Site,”^Iⁿ^fo^rma^tioⁿ^W^eek^{, F}^e^bru^a^ry^20,
^rvⁱ^ces^Depart^m^eⁿ^t^’^s^w^e^bsⁱ^t^e^{2007, at}
^[^h^t^t^p^:^/^/^www.ⁱⁿ^f^o^r^m^a^tⁱ^oⁿ^w^e^e^k^.^c^o^m^/^s^t^o^r^y
^/^s^h^o^w^A^rtⁱ^c^l^e^.j^h^t^m^l^?^a^rtⁱ^c^l^e^ID^=197007473&^ci^d=
^R^S^S^f^eed_IWK^_N^ew^s^]^.
ⁱ^{ki/CRS-RL33199}^a^ssa^c^huse^t^t^s^D^e^p^a^r^t^m^e^nt^o^f^du^s^t^{rial A}^cciden^t^s^Feb^r^uar^y²⁰⁰⁷^accid^eⁿ^t^vⁱ^ctim^s¹^,2⁰⁰ⁿ^a^m^e^{s, SSNs}^M^u^r^p^h^y^,^Sean^{, “}^W^o^r^k^e^{r ch}^arg^e^d^w^ith^id^en^tity^th^ef^t,”^Bos^t^{on G}^l^obe^{, F}^e^bru^a^ry^{2, 2007.}

^g/w^os^ton^,^MA^{) -}^con^t^ractor
^s^.or^s^e^{d a w}^o^rk^ers^’
^le^ak^m^p^en^satioⁿ^d^a^{ta f}^{ile an}^d
^l^{e th}^{e id}^en^{tities o}^f^{at least}
^://wiki^{e, open}^e^{d credi}^t
^h^ttpⁿ^t^sⁱⁿ^th^{eir n}^a^m^e^s^,
^{d ch}^arg^e^{d t}^h^ou^s^aⁿ^d^s^of
^l^a^rs^f^o^{r j}^e^w^e^l^r^y^an^{d ot}^h^e^r
^rch^a^s^e^s

CRS-59
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^icag^{o B}^o^{ard of}^Election^s^-^J^aⁿ^u^a^ry²⁰⁰⁷^C^h^icag^{o v}^o^ters^{1.3 m}^illionⁿ^am^es^{, SSNs}^,^dates^of^birth^,^A^s^s^o^{ciated P}^r^es^s^,^{Social Secu}^rityⁿ^u^m^bers
^p^u^t^{er dis}^k^s^mⁱ^s^t^ak^en^ly^addres^s^e^s^di^s^t^ri^bu^t^e^{d on}^com^p^u^t^{er di}^s^c^s^,^{” Jan}^u^a^ry^23,
^t^ri^bu^t^e^{d t}^o^al^derm^en^an^d^2007.
^{rd com}^m^itteem^en
^te:^class-^actioⁿ^law^s^u^{it w}^a^s
^ain^s^{t th}^{e B}^o^{ard of}
ⁿ^sⁱⁿ^Co^o^k^Co^uⁿ^t^y
ⁱ^{ki/CRS-RL33199}^c^{uit Co}^ur^t
^g/w^t^e^rⁿ^a^l^Re^ve^nue^Se^r^vⁱ^c^e^,^Jan^u^a^ry²⁰⁰⁷^t^a^x^p^ay^ers^unkno^wⁿ^unkno^wⁿ⁽^p^o^t^eⁿ^tⁱ^a^l^l^y^c^o^nt^aⁱⁿ^H^o^rs^l^e^y^,^L^yⁿⁿ^e^{, “}^{26 IR}^S^t^a^pes^mⁱ^s^sⁱⁿ^g^f^r^om
^s^.or^s^as^C^ity^{, KS -}^{26 com}^p^u^t^er^ta^xp^a^y^e^r^{s’ na}^m^e^s,^SSNs,^b^a^nk^City^Ha^{ll: Re}^c^o^r^d^{s w}^e^r^e^d^e^live^r^e^d^{in A}^ugust.
^le^ak^e^{s m}ⁱ^ssing^accouⁿ^tⁿ^u^m^bers^{, or em}^ploy^er^T^r^{ail of}^w^h^{ere tax}^p^ay^{er data w}^eⁿ^t^is^uⁿ^d^er
ⁱⁿ^f^o^r^m^atioⁿ⁾ⁱⁿ^v^e^stig^atioⁿ^,^”^K^ans^as^Cⁱ^t^y^St^ar^,^J^a^nua^r^y¹⁹^,
^://wiki^te:^tapes^requ^{ire s}^p^ecial^{2007, p. A}¹^.
^h^ttpⁱ^pm^en^{t to read an}^d
^f^t^w^a^r^e^th^{at is n}^o^{t co}^m^m^oⁿ^l^y
^d
^dian^{a State Departm}^eⁿ^t^of^No^v^e^m^b^er^w^o^m^eⁿⁱⁿ^th^e^7,700ⁿ^a^m^e^{, addres}^s^,^S^S^N^{, m}^e^di^cal^A^s^s^o^{ciated P}^r^es^s^,^“^W^om^en^{alerted to pos}^sⁱ^ble
^vⁱ^{a Fam}^ily^Health²⁰⁰⁶^s^t^ate’^s^B^r^eas^{t an}^dⁱⁿ^f^o^r^m^atioⁿ^iden^tity^th^ef^{t,” Nov}^e^m^b^{er 26, 2006.}

^nt^e^r^o^f^Cl^a^r^{k Co}^unt^y^C^e^rv^{ical C}^aⁿ^cer
^f^e^r^s^oⁿ^v^{ille, I}^N⁾^-^tw^o^Pr^og^r^a^m
^com^p^u^t^ers

CRS-60
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^w^lin^g^Green^P^o^{lice Dept.}^No^v^e^m^b^er^vⁱ^ctim^{s o}^r²⁰⁰ⁿ^a^m^e^s^,^S^S^N^s^,^ph^on^{e n}^u^m^bers^F^eeh^an^{, Jen}ⁿⁱ^f^e^{r, “}^B^ow^lⁱⁿ^g^G^r^een^polⁱ^c^e
^o^w^lin^g^Green^{, OH) -}²⁰⁰⁶^susp^e^c^t^{s o}ⁿ^the^mⁱ^s^t^ak^en^ly^pu^{t priv}^{ate data on}^lin^e,”^Bl^ade
^v^e^r^t^en^{t p}^u^b^lishⁱⁿ^g^o^f^d^a^ily^b^l^o^tter⁽^T^ol^{edo, O}^hⁱ^o⁾^{, N}^o^v^e^m^b^{er 14, 2006.}
^on^al^dat^a^t^o^w^e^bsⁱ^t^e
^mⁱⁿⁱ^str^a^tioⁿ^f^o^r^Ch^ild^r^eⁿ^’^s^No^v^e^m^b^er^f^a^m^{ilies, so}^cial^{200 cas}^{e f}ⁱ^l^e^s^uⁿ^s^peci^fⁱ^{ed con}^fⁱ^d^en^tⁱ^a^l^Sch^a^{piro, R}ⁱ^ch^an^{d Nicole B}^{ode, “}^S^{ecret Sh}^am^e
^rvⁱ^ces^(New^York^{, NY) -}²⁰⁰⁶^w^o^rk^ers^an^dⁱⁿ^f^o^r^m^atioⁿ^f^o^r^A^{ll to}^{See. Co}ⁿ^f^id^en^{tial A}^c^{s Files Fo}^uⁿ^d
^e^d^d^e^d^fi^l^e^{s fo}^und^oⁿ^t^h^e^p^o^lice^Du^m^p^{ed on}^Street,”^Ne^{w Yo}^rk^D^a^ily^Ne^ws^,
ⁱ^{ki/CRS-RL33199}^{clear plas}^{tic g}^a^rbag^e^N^o^v^e^m^b^{er 20, 2006, p. 3.}
^g/w
^s^.or^t^y^of^L^u^bbock^(T^X⁾^-^No^v^e^m^b^er^j^{ob appl}ⁱ^can^t^s^5,800ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^R^oberts^,^P^a^u^l^{, “}^T^ex^as^T^ech^-^a^{re police dis}^c^ov^er
^le^ak^ers^brok^{e in}^{to city}^j^o^b²⁰⁰⁶^driv^ers^licen^s^eⁿ^u^m^bers^s^ecu^rity^breachⁱⁿ^city^databas^{e” (s}^ic),
^p^licatioⁿ^w^e^b^s^ite^Uⁿⁱ^v^ersⁱ^t^y^Wi^{re, N}^o^v^e^m^b^{er 9, 2006.}
^://wiki
^h^ttp^a^nha^t^t^a^{n V}^e^t^e^r^a^{ns A}^ffaⁱ^r^s^No^v^e^m^b^er^ve^t^e^r^a^{ns w}^h^o^1,600ⁿ^a^m^e^s^,^S^S^N^s^,^m^e^di^cal^Hu^tchⁱⁿ^s^oⁿ^{, B}^{ill, “}^Y^o^u^r^I^d^en^tity^May^B^e^Sto^l^en^,
^eⁿ^t^{er, New}^York²⁰⁰⁶^receiv^e^dⁱ^a^gno^se^s^Vets^A^r^{e W}^a^rn^ed,^Ne^{w Yo}^rk^D^a^ily^Ne^ws^,
^C^a^{re Sy}^s^t^em^pu^lm^on^ary^{care at}^N^o^v^e^m^b^{er 2, 2006, p. 19.}
^Yo^rk^{, NY) -}^th^{e f}^acility
^eⁿ^c^ry^pt^{ed s}^t^ol^en^l^a^pt^op
^aⁿ^s^A^f^f^a^ir^{s Ho}^sp^{ital an}^d^No^v^e^m^b^er^v^e^ter^aⁿ^s¹^,⁴⁰⁰ⁿ^a^m^e^{s, SSNs, b}^illin^g^T^h^o^rⁿ^t^oⁿ^{, T}^oⁿ^y^{, “}^V^A^h^o^sp^{ital lo}^{ses d}^a^{ta o}ⁿ
^l^ester^Clin^{ic -}^mⁱ^ssin^g²⁰⁰⁶ⁱⁿ^f^o^r^m^atioⁿ^p^a^tien^t^{s; No}ⁱⁿ^dⁱ^catioⁿ^o^f^mⁱ^su^{se, ag}^en^cy^say^s^,”
^m^p^ut^e^r^dⁱ^{sks (}^M^usko^ge^e^,^T^h^{e O}^k^l^ahom^an^{, N}^o^v^e^m^b^{er 2, 2006, p. 1A}^.

CRS-61
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^S^.^A^r^{my C}^a^d^e^t^C^o^mmaⁿ^d^No^v^e^m^b^er^hi^{gh sc}^ho^o^l^4,600ⁿ^a^m^e^s^,^addres^s^e^s^,^W-^{2 t}^a^x^Pet^k^of^s^y^{, A}ⁿ^drew^{, “}^R^O^T^C^applⁱ^can^t^s^’^dat^a^on
^ort^Mon^r^{oe, V}^A^{) -}^s^t^ol^en²⁰⁰⁶^stud^eⁿ^{ts w}^h^o^f^o^r^m^{s, SSNs}^s^t^olen^com^p^u^t^er,”^Ri^chm^{ond T}ⁱ^m^e^s^Dⁱ^s^pat^ch
^op^applⁱ^e^{d f}^o^{r A}^r^m^y⁽^Vⁱ^r^giⁿⁱ^a)^{, N}^o^v^e^m^b^{er 2, 2006, p. B6.}
^RO^T^C
^sc^ho^l^a^r^s^hi^p^s^.
^l^o^{rado D}^e^pt^{. of}^H^u^m^aⁿ^No^v^e^m^b^er^recen^tly^hⁱ^red^u^p^to¹^.⁴^m^illioⁿⁿ^am^{es, SSNs, b}ⁱ^r^t^h^d^a^tes^M^ig^o^y^{a, Dav}ⁱ^d^,^“^S^to^len^{state d}^a^tab^a^{se p}^u^{ts 1}^.⁴
^ices^vⁱ^{a priv}^{ate con}^t^ractor²⁰⁰⁶^em^ploy^ees^m^illioⁿ^{at I}^D^-^t^h^e^f^t^rⁱ^sk^,”^Denver^Pos^t^,
ⁱ^{ki/CRS-RL33199}^f^iliated^Co^m^p^u^t^er^Ser^v^ices^,^T^X^{) -}^s^t^olen^com^p^u^t^er^N^o^v^e^m^b^{er 2, 2006, p. B1.}
^g/w
^s^.or^r^t^o^f^{Seattle (}^S^{eattle, W}^A⁾^-^O^c^t^oberⁱⁿ^di^vⁱ^du^al^s^w^h^o^6,943^uⁿ^s^peci^fⁱ^{ed pers}^on^al^“^P^o^r^{t o}^f^{Seattle Hir}^e^{s I}^d^P^r^o^t^ectioⁿ^Ser^v^ice,”
^le^ak^{ssing CD-ROM}^S²⁰⁰⁶^applⁱ^e^{d f}^o^{r ai}^rportⁱⁿ^f^o^r^m^atioⁿ^Pa^{cific S}^hⁱ^p^p^e^r^{, O}^c^t^{ober 27, 2006.}
^s^ecu^rity^badg^es
^://wiki
^h^ttp^m^p^P^e^nd^l^e^t^o^{n M}^a^rⁱ^ne^Co^r^p^s^O^c^t^ober^Marⁱⁿ^e^{s w}^h^o^liv^e^2,400^uⁿ^s^peci^fⁱ^{ed pers}^on^al^H^o^el^l^w^ort^h^{, Joh}ⁿ^,^“^L^os^t^l^a^pt^{op con}^t^aiⁿ^s^2,400
^se^,^vi^a^Li^nc^o^l^{n B}^P²⁰⁰⁶^on^t^h^{e bas}^eⁱⁿ^f^o^r^m^atioⁿ^P^e^nd^l^e^t^o^{n M}^a^rⁱ^ne^{s’ i}ⁿ^fo^,^”^Ma^rin^e^Co^rp^{s Time}^s^,
^a^g^e^m^eⁿ^t⁽ⁿ^{ear Ocean}^sⁱ^de,^O^c^t^{ober 23, 2006, p. 13.}
^{) -}^mⁱ^s^sⁱⁿ^g^l^a^pt^op
^o^f^{Visalia, Recr}^eatioⁿ^O^c^t^ober^cu^rren^{t an}^d²⁰⁰ⁿ^a^m^e^{s, SSNs}^C^astelloⁿ^,^Davⁱ^d^,^“^T^o^ssed^r^eco^r^d^{s ar}^{e still a}
ⁱ^sioⁿ⁽^V^{isalia, CA}⁾^-^city²⁰⁰⁶^f^o^rm^{er em}^ploy^ees^m^y^s^t^ery^,^”^Visa^lia^Times-^Delta⁽^C^a^lifo^rn^ia⁾^,
^c^um^eⁿ^t^s^w^e^r^e^fo^und^O^c^t^{ober 17, 2006, p. 1C}^.

^{a city}^s^t^reet.

CRS-62
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^l^s^{bo D}^e^part^m^eⁿ^t^of^O^c^t^ober^citizen^s^proces^s^e^d^2,200ⁿ^a^m^e^s^,^addres^s^e^s^,^dri^v^ers^{US States New}^s^{, “}^S^m^a^{ll Dep}^a^rtm^eⁿ^t^o^f
^cen^sⁱⁿ^g^(Pou^l^s^{bo, WA}^{) -}²⁰⁰⁶^{at on}^{e w}^o^rk^s^t^ation^lⁱ^cen^s^e^ph^ot^os^Li^c^eⁿ^si^{ng D}^a^t^a^B^a^c^kup^D^e^vi^c^e^Mⁱ^ssi^ng,^”
^ssi^{ng d}^a^t^a^b^a^c^kup^d^e^vi^c^e^O^c^t^{ober 10, 2006.}
ⁿ^g^r^es^sⁱ^on^{al B}^u^dg^{et Of}^fⁱ^{ce -}^O^c^t^ober^s^u^bs^cribers^to^unkno^wⁿ^unkno^wⁿ^“^H^acker^{s B}^r^{each B}^u^d^g^{et Of}^fⁱ^ce’^{s Mailing L}ⁱ^st,^”
^ilin^g^{list h}^ack^ed^an^d²⁰⁰⁶^CB^O’^{s m}^a^ilin^g^N^a^tⁱ^onal^Jour^nal^{, T}^echnol^{ogy D}^aⁱ^l^y^,^O^c^t^ober
^is^hⁱⁿ^g^em^{ail th}^{at appeared}^list^{13, 2006.}
^o^m^e^fr^o^m^CB^{O w}^a^{s se}^nt
ⁱ^{ki/CRS-RL33199}^ev^elan^{d A}ⁱ^{r R}^o^u^t^{e T}^r^af^fⁱ^c^O^c^t^ober^{air traf}^fⁱ^c⁴⁰⁰ⁿ^a^m^e^s^,^SSNs^S^an^gⁱ^acom^o^{, Mich}^{ael, “}^F^A^A^{data in}^Oberlin
^g/wⁿ^t^r^o^{l Cen}^t^er⁽^O^b^e^r^lin^{, OH)}^-²⁰⁰⁶^coⁿ^t^r^o^ller^s^com^p^u^t^{er los}^t^Driv^es^h^a^{d n}^a^m^e^s^,^{Social Secu}^rity
^s^.or^p^u^t^{er h}^a^{rd driv}^{e s}^t^olen^num^b^e^r^s^,^”^C^l^{eveland Plain Dealer}^{, O}^c^t^{ober 6,}
^le^ak^{2006, p. B3.}
^://wiki^ori^d^{a D}^e^part^m^eⁿ^t^of^L^a^{bor -}^O^c^t^oberⁱⁿ^di^vⁱ^du^al^s^4,624ⁿ^a^m^e^s^,^S^S^N^s^,^S^a^m^p^l^e^s^,^Ev^{e, “}^M^{ore t}^h^an^{4,600 F}^l^ori^dⁱ^aⁿ^s^’
^h^ttp^r^s^oⁿ^{al in}^f^o^r^m^atioⁿ²⁰⁰⁶^en^r^o^lled^f^o^r^pers^on^{al data acciden}^t^ally^pos^ted,”^{Palm Beach}
^v^e^r^t^en^tly^p^o^s^ted^oⁿ^test^ser^v^{ices w}^ith^Pos^t^{, O}^c^t^{ober 11, 2006.}
^r^v^e^r^regⁱ^on^al
^w^o^rk^f^o^{rce boards}
^b^e^r^l^a^nd^Co^unt^y^,^P^A^-^O^c^t^ober^em^p^l^o^y^ees¹^,²⁰⁰ⁿ^a^m^e^{s, SSNs}^M^iller^,^{Matt, “}^E^m^p^lo^y^{ee n}^u^m^b^e^r^s^r^e^m^o^v^e^d
^{s i}ⁿ^m^e^e^tⁱ^{ng m}ⁱ^nut^e^s²⁰⁰⁶^f^r^om^Web,”^Pa^trio^t-^News^{, O}^c^t^{ober 3, 2006, p.}
^t^e^{d on}^w^e^bsⁱ^t^e^B1.

CRS-63
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^nt^uc^ky^P^e^r^s^o^nne^l^Ca^bⁱ^ne^t^S^e^pt^em^ber^em^ploy^eesⁱⁿ^s^t^ate^146,000^S^S^N^s^A^l^f^{ord, R}^o^g^e^{r, “}^S^t^a^t^e^s^eⁿ^d^s^ou^t^l^e^t^t^e^rs^wⁱ^t^h
^r^aⁿ^k^f^o^r^{t, KY)}^-^letter^s^sen^t^to²⁰⁰⁶^ag^en^cies^,^{Social Secu}^rityⁿ^u^m^bers^vⁱ^sⁱ^{ble,” A}^s^s^o^ciated
^pl^oy^ees^di^s^p^l^a^y^e^{d t}^h^ei^r^com^m^uⁿ^ity^an^d^Pres^s^,^S^e^pt^em^{ber 29, 2006.}
^N^s^on^f^r^on^t^techⁿⁱ^{cal colleg}^e^s^,
^sc^ho^o^l^dⁱ^strⁱ^c^t^s,
^h^ealth
^depart^m^eⁿ^t^s^an^d
^ot^h^e^{r of}^fⁱ^ces
ⁱ^{ki/CRS-RL33199}^cov^e^{red by}^t^h^e^sta^t^e^’^{s insur}^a^nc^e
^g/w^prog^ram
^s^.or
^le^ak^rth^C^a^ro^lin^{a Dep}^a^rtm^eⁿ^t^o^f^S^e^pt^em^ber^dri^v^ers^16,000ⁿ^a^m^e^s^,^S^S^N^s^,^dri^v^er’^s^lⁱ^cen^s^e^“^T^hⁱ^ev^es^tak^e^N.C^.^{DMV com}^p^u^t^{er w}^ith
ⁱ^cles^(L^ou^is^bu^rg^,²⁰⁰⁶ⁿ^u^m^bers^{, dat}^e^s^of^bi^rt^h^pers^on^{al in}^f^o^{,” A}^s^s^o^{ciated P}^r^es^s^,^Septem^{ber 28,}
^://wiki^{) -}^s^t^olen^com^p^u^t^er^2006.
^h^ttp
^S^.^D^e^p^a^r^t^meⁿ^t^o^f^C^o^mme^r^c^e^S^e^pt^em^ber^Ce^{nsus B}^u^r^e^a^u^{6,200 h}^o^u^s^eh^ol^ds^unkno^wⁿ^Si^p^r^e^ss,^A^l^aⁿ^,^“1^,^{100 L}^a^pt^ops^Mi^s^sⁱⁿ^g^f^r^om
^t^ol^en^{, l}^o^s^t^{, or m}ⁱ^s^sⁱⁿ^g²⁰⁰⁶^an^d^Natioⁿ^a^l^(es^tim^ated)^C^o^mme^r^c^e^D^e^p^t^.^,^”^W^a^s^hⁱ^ngt^{on Pos}^t^{, S}^e^pt^em^ber
^ops^Ocean^{ic an}^d^{22, 2006, p. A}³^.
^At^m^o^s^p^h^e^rⁱ^c
^A^d^mⁱⁿⁱ^str^a^tioⁿ
^a^rtm^eⁿ^t^o^f^Veteran^s^A^ugust²⁰⁰⁶^patⁱ^eⁿ^t^s^at^V^A^38,000^S^S^N^s^,ⁿ^a^m^e^s^,^addres^s^e^s^,^bi^rt^h^R^a^s^h^{, W}^a^yⁿ^{e, “}^Aⁿ^o^th^{er VA}^C^o^m^p^u^t^{er Goes}
ⁱ^r^{s - m}ⁱ^ssi^{ng c}^o^m^p^ut^e^r^h^o^sp^{itals in}^d^a^{tes, in}^su^r^aⁿ^{ce car}^rⁱ^er^{s, b}^illin^g^Mⁱ^ssing,^”^eW^eek^,^A^ugust⁷^,^{2006, at}
^m^c^o^nt^r^a^c^t^o^r^{’s o}^ffi^c^e^P^e^nnsy^l^vni^aⁱⁿ^f^o^r^m^atioⁿ^,^d^e^{tails o}^f^ser^v^ice^[^h^t^t^p^:^/^/^www.^e^w^e^e^k^.^c^o^m^/^a^r^tⁱ^c^l^e²^/⁰^,^1895,200026
^8,00.as^p].

CRS-64
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^a^rtm^eⁿ^t^o^f^A^ugust²⁰⁰⁶^dri^v^ers^lⁱ^cen^s^e^133,000^S^S^N^s^,ⁿ^a^m^e^s^,^addres^s^e^s^R^as^h^,^Wayⁿ^{e, “}^D^O^Tⁱ^s^t^h^{e L}^a^t^e^s^t^Vⁱ^ctⁱ^m^of
^an^s^port^a^tⁱ^oⁿ^-^s^t^ol^en^l^a^pt^op^records^of^F^l^ori^d^a^C^o^m^p^u^t^{er T}^h^ef^t,”^eW^eek^,^A^ugust¹⁰^,^{2006, at}
^resⁱ^den^t^s^[^h^t^t^p^:^/^/^www.^e^w^e^e^k^.^c^o^m^/^a^r^tⁱ^c^l^e²^/⁰^,^1895,200214
^8,00.as^p?^k^c^=EWN^A^V^EMN^L^081106EO^A^D^]^.
^a^rtm^eⁿ^t^o^f^Ed^u^catioⁿ^A^ugust²⁰⁰⁶^s^t^u^d^en^t^s^w^h^o^21,000ⁿ^a^m^e^s^,^bi^rt^h^dat^e^s^,^S^S^N^s^,^Y^eⁿ^,^H^{ope, “}^E^{d. D}^e^pt^{. of}^f^e^rs^f^r^{ee credi}^t
^pos^{ed loan}^data^borrow^e^{d m}^oⁿ^e^y^addres^s^e^s^,^ph^on^{e n}^u^m^bers^an^d^m^oⁿⁱ^t^o^rⁱ^ng,^”^H^ous^t^{on C}^h^r^oni^cl^e^,^A^ugust²⁴^,
^und^e^rⁱⁿ^s^o^m^e^cas^es^accouⁿ^t^{2006 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.
ⁱ^{ki/CRS-RL33199}^th^{e Federal Direct}^Stu^d^en^{t L}^o^anⁱⁿ^f^o^r^m^atioⁿ^f^o^r^h^o^ld^er^{s o}^f^f^e^{deral direct s}^t^u^d^en^{t loan}^s
^g/w^prog^ram
^s^.or
^le^ak^a^{l Saf}^e^ty^Cen^t^er^-^p^e^r^s^oⁿ^al^Ju^l^y²⁰⁰⁶^N^a^v^a^l^an^{d Mari}ⁿ^e^“^m^{ore th}^an^{SSNs, p}^e^r^s^oⁿ^{al in}^f^o^r^m^atioⁿ^“^Nav^a^{l Saf}^e^ty^Cen^t^er^Fin^d^{s P}^e^r^s^oⁿ^{al Data o}ⁿ
^a^ex^pos^{ed on}^w^e^bsⁱ^t^e^an^d^Co^r^p^{s av}^iato^r^s^100,000”^Websⁱ^t^e^{,” U}^.^S^.^D^e^part^m^eⁿ^t^of^D^e^f^eⁿ^s^{e pres}^s
^://wiki^{1,100 com}^p^u^t^{er di}^s^c^s^an^{d air crew}^{, both}^rel^eas^{e, Ju}^l^y^{8, 2006, at}
^h^ttp^iled^toⁿ^a^v^a^{l co}^m^m^aⁿ^d^s^activ^{e an}^{d res}^e^rv^e^[^h^t^t^p^:^/^/^www.ⁿ^e^ws^.ⁿ^a^v^y^.^m^il/sear^ch^/d^isp^l^ay^.asp^?^s
^t^o^ry^_i^d=24568].
^a^r^t^m^e^{nt -}^Ju^l^y²⁰⁰⁶^Was^hⁱⁿ^g^t^on^unkno^wⁿ^{access to}^d^a^{ta and}^p^a^ssw^o^r^d^s^“^S^tate^Dep^a^r^t^m^e^{nt Releases Details Of}
^ers^h^eadqu^arters^{, an}^d^C^o^m^p^u^t^{er Sy}^s^t^em^A^ttack^s^,^”^COMMW^E^B^{, J}^u^ly
^th^{e B}^u^reau^of^Eas^t^{13, 2006 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^{, an}^{d G}^r^een^em^ei^er,
^A^s^ian^an^{d P}^acifⁱ^c^L^a^rry^,^“^S^{tate Departm}^eⁿ^t^Hack^Es^calates
^Affaⁱ^r^s^Fed^e^r^a^{l Data I}ⁿ^secu^r^ity^{,” I}ⁿ^f^o^r^m^atioⁿ^W^eek^,
^Ju^l^y^{12, 2006, at}
^[^h^t^t^p^:^/^/^www.ⁱⁿ^f^o^r^m^a^tⁱ^oⁿ^w^e^e^k^.^c^o^m^/ⁿ^e^w^s^/^s^h^o^w^A
^rtⁱ^c^l^e^.j^h^t^m^l^?^a^rtⁱ^c^l^e^ID^=190302905].

CRS-65
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^deral^T^r^{ade C}^o^m^mⁱ^s^sⁱ^on^Juⁿ^e²⁰⁰⁶^s^u^bj^ect^s^of^l^a^w¹¹⁰^na^m^e^s,^a^d^d^r^e^sse^s,^SSNs,^Reuter^s^{, “}^F^T^C^L^a^pt^ops^S^t^ol^en^{, 110 Peopl}^{e at}
^en^f^o^rcem^en^t^fⁱⁿ^aⁿ^c^{ial accou}ⁿ^tⁿ^u^m^bers^Rⁱ^s^k^of^ID^T^h^ef^t^,^{” Bas}^e^lⁱⁿ^e.com^,^Juⁿ^e^{23, 2006}
ⁱⁿ^v^e^stig^atioⁿ^s⁽ⁿ^o^p^a^ge^gi^veⁿ⁾^.
^S^.^N^a^v^y^-^an^open^w^e^bsⁱ^t^e^Juⁿ^e²⁰⁰⁶^N^a^v^y^m^e^m^b^ers^30,000ⁿ^a^m^e^s^,^bi^rt^h^dat^e^s^an^{d S}^S^N^s^“^N^a^v^y^Pers^on^al^D^a^t^a^on^{Web Is}
^t^ain^e^{d f}ⁱ^v^e^s^p^reads^h^eet^an^{d depen}^d^en^t^s^Katrⁱⁿ^a-^r^e^lated^,^”^St^at^es^N^e^w^s^Ser^vⁱ^c^e^,^J^une²⁶^,
^ith^p^e^r^s^oⁿ^{al in}^f^o^r^m^atioⁿ^{2006 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.
^x^a^s^Gu^aran^{teed Stu}^d^en^t^Juⁿ^e²⁰⁰⁶^col^l^e^g^e^s^t^u^d^en^t^s¹^.³^m^illioⁿⁿ^am^{es, SSNs}^E^v^e^r^s^{, J}^o^rⁱ^{s, “}^L^o^aⁿ^Co^m^p^an^y^Rep^o^r^{ts L}^o^{ss o}^f
ⁱ^{ki/CRS-RL33199}^an^-^com^p^u^t^{er equ}ⁱ^pm^en^t^b^o^r^r^o^wⁱ^{ng m}^o^ne^y^{Data on}^{1.3 Million}^,^{” C}^N^{et New}^s^{, J}^uⁿ^e^{1, 2006,}
^g/w^f^r^o^m^th^{e lo}^an^at
^s^.or^com^p^an^y^[^h^ttp^://n^ew^s.co^m^.^co^m^/^L^o^an^+co^m^p^aⁿ^y^+r^ep^o^r^ts+
^le^ak^los^s⁺^of^+data+on⁺¹^.3+m^illion^/^2100-^1029_3-⁶⁰
^79261.h^t^m^l^].
^://wiki
^h^ttpⁿ^a^{l I}ⁿ^stitu^{tes o}^f^Health^Juⁿ^e²⁰⁰⁶^credi^t^uⁿⁱ^on^“^s^m^a^l^lⁿ^u^m^ber”^uⁿⁱ^den^tⁱ^fⁱ^e^{d pers}^on^al^T^r^ej^o^s^{, Nan}^c^y^,^“^I^d^eⁿ^tity^T^h^iev^e^{s Hit NI}^{H Cr}^ed^it
^e^r^a^{l Cr}^ed^{it Un}^ioⁿ^me^mb^e^r^sⁱⁿ^f^o^r^m^atioⁿ^Un^ioⁿ^;
^o^c^k^v^{ille, MD)}^Sch^e^m^e^Is^L^a^tes^tⁱⁿ^{Spate of}^B^r^each^es^A^f^f^ectin^g
^Millioⁿ^s^,”^W^a^s^hⁱ^ngt^{on Pos}^t^{, Ju}ⁿ^e^{29, 2006, p.}
^B3.
^a^rtm^eⁿ^t^o^f^Juⁿ^e²⁰⁰⁶^cu^rren^t^an^{d ret}ⁱ^r^ed^26,000ⁿ^a^m^e^s^,^S^S^N^s^,^em^pl^oy^ee^A^zarof^f^,^R^ach^{el, “}^H^ack^{er Mig}^h^t^Hav^e^B^r^each^ed
^ricu^ltu^re-^ex^tern^{al s}^ecu^rity^em^pl^oy^ees^of^t^h^e^p^h^o^t^o^s^{, in}^terⁿ^{al b}^u^ildⁱⁿ^g^P^e^rsoⁿ^{al Data at USDA}^,”^FC^W^{, Ju}ⁿ^e^{22, 2006,}
^of^{a w}^o^rk^s^t^ation^an^d^depart^m^eⁿ^t^lo^catioⁿ^s^at
^o^ser^v^er^s^[^h^t^t^p^:^/^/^www.^f^c^w.^c^o^m/^a^r^tⁱ^c^l^e^94991-^06-^22-^06-^W
^eb].

CRS-66
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
ⁱ^nne^so^t^a^D^e^p^a^r^t^m^e^nt^o^f^Juⁿ^e²⁰⁰⁶ⁱⁿ^di^vⁱ^du^al^s^an^d^{2,400 i}ⁿ^di^vⁱ^du^al^s^na^m^e^s,^a^d^d^r^e^sse^s,^SSNs,^M^N^D^e^p^a^r^t^m^e^nt^o^f^Re^ve^nue^,^“D^e^p^a^r^t^m^eⁿ^t^o^f
^ve^nue^b^u^sine^sse^s^an^{d 48,000}^em^pl^oy^m^eⁿ^t^dat^a^R^e^v^eⁿ^u^e^{to A}^s^sⁱ^s^t^T^a^x^p^ay^ers^W^h^os^{e P}^r^iv^ate
^t^.^P^a^ul^,^M^N⁾^{- m}ⁱ^ssi^{ng d}^a^t^a^(t^ax^pay^e^rs⁾^b^u^sine^sse^s^In^f^o^rm^ation^W^a^s^In^clu^d^{ed in}^{a P}^ack^ag^{e L}^o^s^tⁱⁿ
^e^t^h^{e Mai}^l^,^{” Ju}ⁿ^e^{28, 2006, at}
^[^h^t^t^p^:^/^/^www.^t^a^x^e^s^.^s^t^a^t^e^.^mn^.^u^s^/^t^a^x^e^s^/^p^u^b^lⁱ^c^a^tⁱ^oⁿ^s
^/p^r^e^ss_^r^e^leases/coⁿ^ten^t/tax^p^ay^er^_ⁱⁿ^f^o^r^m^a^tioⁿ^.^sh
^tm^l]
ⁱ^{ki/CRS-RL33199}
^g/w^part^m^eⁿ^t^of^En^erg^y^-^fⁱ^l^e^Juⁿ^e²⁰⁰⁶^em^pl^oy^ees^of^t^h^e^1,500ⁿ^a^m^e^s^,^S^S^N^s^,^bi^rt^h^dat^e^s^s^,^As^s^o^{ciated Pr}^es^s^{, “}^{DOE C}^o^m^p^u^t^ers^Hack^ed;
^s^.or^by^h^ack^er^En^erg^y^codes^s^h^owⁱⁿ^g^w^h^{ere t}^h^e^In^f^o^on^{1,500 T}^a^k^eⁿ^,^{” Ju}ⁿ^e^{11, 2006.}
^le^ak^Dep^a^rtm^eⁿ^t^’^s^em^ploy^ees^w^o^rk^{ed, codes}
^://wikiⁿ^u^c^{lear w}^eapon^s^ag^en^cy^sh^o^wⁱⁿ^g^th^eir^secu^r^ity^clearan^ce
^h^ttp
^v^e^rⁿ^m^eⁿ^t^A^cco^uⁿ^t^ab^ility^Juⁿ^e²⁰⁰⁶^D^o^D^em^pl^oy^ees^“^f^ew^{er t}^h^an^s^e^r^vⁱ^c^e^me^mb^e^r^s^’ⁿ^a^me^s^,^T^h^orm^e^y^e^{r, R}^{ob, “}^G^A^O^R^e^m^o^v^e^s^A^r^chⁱ^v^ed
^c^e⁽^G^AO⁾^-w^e^b^si^t^e^1,000”^SSNs,^a^d^d^r^e^sse^s^Pers^on^al^D^a^t^a^f^r^om^{Web S}ⁱ^t^e^,”
^pos^{ed dat}^a^f^r^om^au^di^t^Was^hⁱⁿ^g^t^on^T^echⁿ^o^l^o^g^y^.com^{, Ju}ⁿ^e^{27, 2006 at}
^s^on^D^e^f^eⁿ^s^{e D}^e^part^m^eⁿ^t^[^h^t^t^p^:^/^/^www.^wa^s^hⁱⁿ^g^t^oⁿ^t^e^c^hⁿ^o^l^o^g^y^.^c^o^m^/ⁿ^e^w^s^/¹
^el^v^o^u^c^h^e^rs^f^r^om^t^h^{e 1970s}^_1/^dai^l^y^_n^ew^s^/^28845-^1.h^t^m^l^].
^{ng Co}^unt^y^Re^c^o^r^d^s,^Juⁿ^e²⁰⁰⁶^cu^rren^t^an^d^unkno^wⁿ^SSNs^A^sso^cⁱ^a^t^e^d^P^r^e^ss,^“Co^uncⁱ^l^m^aⁿ^I^r^ke^d^b^y^D^a^t^a
^s^{, an}^{d L}ⁱ^cen^sⁱⁿ^g^f^o^rm^{er cou}ⁿ^t^y⁽^p^o^t^en^tially^Pos^tⁱⁿ^g^s^on^{Web,” Ju}ⁿ^e^{27, 2006.}

^ices^Divⁱ^sⁱ^on^resⁱ^den^t^s^tho^u^sa^nd^s)
^{eattle, W}^A⁾^-^w^e^b^s^ite
^pos^{ed pers}^on^al^dat^a

CRS-67
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^t^e^rⁿ^a^l^Re^ve^nue^Se^r^vⁱ^c^e^{- l}^o^st^Juⁿ^e²⁰⁰⁶^IR^S^em^pl^oy^ees²⁹¹ⁿ^a^m^e^s^,^bi^rt^h^dat^e^s^,^S^S^N^s^,^L^{ee, C}^h^ri^s^t^oph^{er, “}^I^R^S^L^a^pt^{op L}^o^s^t^wⁱ^t^h^D^a^t^a
^op^an^{d j}^{ob appl}ⁱ^can^t^s^fi^nge^r^p^rⁱ^nt^s^on^{291 Peopl}^e,”^W^a^s^hⁱ^ngt^{on Pos}^t^{, Ju}ⁿ^e^{8, 2006,}
^{p. A}⁴^.
^k^a^T^r^eas^u^r^er’^s^Of^fⁱ^ce^Juⁿ^e²⁰⁰⁶ⁱⁿ^di^vⁱ^du^al^s^an^d^300,000ⁿ^a^m^e^{s, SSNs, tax}^id^en^tif^icatioⁿ^Nebras^k^a^{State T}^r^eas^u^r^{er, “}^H^ack^{er Viru}^s
ⁱⁿ^coln^{, NE) -}^h^ack^{er brok}^e^em^pl^oy^ers^w^h^oⁱⁿ^di^vⁱ^du^al^s^an^d^num^b^e^r^s^fo^r^b^u^si^ne^sse^s^S^t^{opped by}^T^r^eas^u^r^er’^s^O^f^fⁱ^{ce,” Ju}ⁿ^e^{29, 2006,}
^o^{a ch}ⁱ^l^d^-^s^u^pport^com^p^u^t^er^pay^an^{d receiv}^e^{9,000 em}^pl^oy^ers^at
^ste^m^chⁱ^l^d^s^u^pport^[^h^t^t^p^:^/^/^www.^t^r^e^a^s^u^r^e^r^.^s^t^a^t^e^.ⁿ^e^.^u^s^/ⁱ^e^/^s^e^r^v^e^r^.^a^s^p^]
ⁱ^{ki/CRS-RL33199}^pay^m^en^t^s
^g/wⁿ^t^ag^on^{, T}^r^icare^May²⁰⁰⁶^D^e^f^eⁿ^s^e^14,000ⁿ^a^m^e^s^,^SSNs^,^{credit card}^B^a^{rr, Steph}^eⁿ^,^“^C^on^f^e^ren^{ce A}^tten^d^ees^’^P^e^rs^on^al
^s^.or^a^na^ge^m^e^nt^A^c^tⁱ^vⁱ^t^y^{- ha}^c^k^e^r^s^Dep^a^rtm^eⁿ^tⁿ^u^m^bers^{, em}^pl^oy^er^{Data May}^{Be at R}ⁱ^s^k^,”^W^a^s^hⁱ^ngt^{on Pos}^t^{, May}
^le^akⁱⁿ^{to s}^e^rv^er^con^f^eren^ce^id^en^tif^icatioⁿ^,^o^t^h^e^r^p^e^r^s^oⁿ^al^{12, 2006, p. D}⁴^.
^atten^d^eesⁱⁿ^f^o^r^m^atioⁿ
^://wiki
^h^ttp^part^m^eⁿ^t^of^V^e^t^e^ran^s^May²⁰⁰⁶^m^ilitary^v^e^teran^s^{26.5 m}^illionⁿ^am^es^{, birth}^dates^,^SSNs^L^{ee, C}^h^ris^t^oph^{er an}^{d Stev}^{e Vog}^e^{l, “}^P^ers^oⁿ^a^l
^f^aⁱ^r^s^-^l^a^pt^{op an}^{d ex}^t^e^rn^al^{Data o}ⁿ^Veter^aⁿ^s^{is Sto}^l^en^,”^W^a^s^hⁱ^ngt^{on Pos}^t^,
^{rd dri}^v^{e s}^t^ol^en^May^{23, 2006, p. A}¹^.
ⁿ^a^{l I}ⁿ^stitu^{tes o}^f^Health^O^c^t^ober^ap^p^lican^{ts to}^th^e^uⁿ^dⁱ^s^cl^os^ed^g^r^an^t^propos^al^s^an^{d ot}^h^e^{r g}^r^an^t^P^u^lley^,^J^o^hⁿ^L^{., “}^N^I^H^A^ccid^eⁿ^t^ally^P^o^sts
^I^H⁾^-^p^o^s^tin^g^o^f^coⁿ^f^id^en^tial²⁰⁰⁵^NIH^revⁱ^ew^m^a^t^e^ri^al^s^Coⁿ^f^id^en^{tial Gr}^an^{t A}^p^p^licatioⁿ^s^oⁿ^th^{e W}^e^b^,^”
^an^{t ap}^p^licatioⁿ^s^T^h^{e C}^h^r^oni^cl^{e of}^Hⁱ^gher^Educatⁱ^oⁿ^{, O}^c^t^{ober 31,}
^{2005 (n}^{o pag}^e^gⁱ^v^eⁿ⁾^.
ⁱ^{r Force -}^records^s^t^olen^A^ugust²⁰⁰⁵^of^fⁱ^cers^an^{d 19}^33,300^S^S^N^s^,^bi^rt^h^dat^e^s^,^an^{d ot}^h^e^r^Do^r^s^{ett, A}^m^y^,^“^I^d^eⁿ^tity^th^ef^{t T}^h^r^{eat Han}^g^s^o^v^er
^th^{e A}ⁱ^{r Force P}^e^rs^onⁿ^e^l^NC^Os^sen^s^itiv^{e in}^f^o^r^m^atioⁿ^A^F^Of^fⁱ^cers^,^”^{San Ant}^oni^{o Expr}^es^s^-^N^e^w^s^,
ⁿ^t^er’^s^on^lin^{e A}^s^sⁱ^gⁿ^m^en^t^A^ugust²⁴^,^{2005, p. 1A}^.

^a^na^ge^m^e^nt^Sy^st^e^m

CRS-68
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
ⁿ^Dⁱ^eg^{o C}^o^uⁿ^t^y^Em^pl^oy^ees^Ju^l^y²⁰⁰⁵^cu^rren^t^an^{d ret}ⁱ^r^ed^33,000^w^o^rk^ers^’ⁿ^a^m^e^s^,^S^o^ci^al^C^h^acon^,^Danⁱ^{el, “}^H^ack^ers^B^r^each^C^o^uⁿ^t^y^’^s
^em^en^{t A}^sso^ciatioⁿ^-^c^o^unt^y^S^ecu^ri^t^yⁿ^u^m^bers^{, addres}^s^e^s^Pers^on^al^R^ecords^;^{33,000 Peopl}^{e at}^Rⁱ^s^kⁱⁿ
^ers^brok^{e in}^{to tw}^o^go^ve^rⁿ^m^e^nt^an^{d dat}^e^s^of^bi^rt^h^R^e^tirem^en^{t A}^s^s^o^ciation^,^”^{San D}ⁱ^ego
^p^u^t^ers^em^ploy^ees^Uⁿⁱ^on-T^rⁱ^bune^{, Ju}^l^y^{30, 2005, p. B1.}
^deral^D^e^posⁱ^t^In^s^u^ran^c^e^Juⁿ^e²⁰⁰⁵^F^D^IC^cu^rren^t^an^d^6,000ⁿ^a^m^e^s^,^bi^rt^h^dat^e^s^,^S^S^N^s^,^an^d^Krim^{, J}^oⁿ^a^th^an^{, “}^F^DIC^A^l^erts^Em^ploy^ees^of
^rporation^-^com^p^u^t^{er breach}^f^o^rm^{er em}^ploy^ees^salar^yⁱⁿ^f^o^r^m^atioⁿ^{Data B}^r^each^”,^W^a^s^hⁱ^ngt^{on Pos}^t^{, Ju}ⁿ^e^{16 2005,}
^y^{2004. T}^h^{e ag}^en^cy^{or an}^y^oⁿ^e^{p. D}¹^.
ⁱ^{ki/CRS-RL33199}^{ote to em}^ploy^ees^th^{at it}^e^{d of}^th^{e breach}^on^ly^em^ploy^{ed at th}^e^ag^en^cy^as^of^J^u^ly
^g/w^tly^{”, bu}^{t did n}^o^{t ex}^plain^2002.
^s^.or^w^th^{e breach}^occu^{rred, as}^ide
^le^ak^m^statin^g^th^{at it w}^a^{s n}^o^{t th}^e
^u^{lt of}^{a com}^p^u^t^{er s}^ecu^rity
^://wiki^r^e^.
^h^ttp
^a^s^Co^unty⁽^O^H⁾^Child^r^eⁿ^Juⁿ^e²⁰⁰⁵^ag^en^cy^’^s⁴⁰⁰⁹⁰⁰ⁿ^a^m^e^s^,^t^e^l^e^ph^on^{e n}^u^m^bers^,^P^a^t^c^h,^D^a^vi^d^,^“Luc^a^s^Co^unt^y^Chi^l^d^r^e^{n Se}^r^vⁱ^c^e^s
^v^{ices -}ⁱⁿ^f^o^r^m^atioⁿ^f^r^o^m^cu^rren^{t em}^ploy^ees^SSNs^{Data Stolen}^,”^T^o^l^e^{do Bl}^ade^{, Ju}ⁿ^e^{28, 2005, p.}
^en^cy^’^s^pers^onⁿ^e^l^an^{d abou}^t⁵⁰⁰^B1.
^a^bas^e^w^a^s^com^pⁱ^l^e^{d an}^d^o^t^he^r^s^w^h^o^ha^ve
^a^iled^to^an^o^u^tsid^e^w^o^rk^{ed th}^ere
^p^u^t^er^sⁱⁿ^{ce 1991}
^{ers b}^r^each^ed^Illin^oⁱ^s^Feb^r^uar^y^peopl^{e w}^h^{o w}^o^rk^90,000^S^S^N^s^,^w^a^g^e^s^“^Hack^ers^Breach^S^t^{ate F}^iles^on^90,000,”
^pl^oy^m^eⁿ^t^D^e^v^e^l^opm^en^t²⁰⁰⁴^as^dom^es^tic^C^hⁱ^c^{ago T}^rⁱ^bune,^F^e^bru^a^ry^{15, 2004, p. 12.}

^m^eⁿ^t^s^e^rv^er^em^ploy^ees^an^d
^t^h^os^{e w}^h^{o em}^pl^oy
^th^em

CRS-69
^overn^m^eⁿ^t^(L^ocal^{, S}^t^ate^Da^te^Who^Wa^s^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^Source(s⁾
^a^{nd F}^e^dera^l)^Incident^s^Publicized^Affected^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed
^a^rtm^eⁿ^t^o^f^Def^eⁿ^s^{e -}^A^ugust²⁰⁰³^N^a^v^y^’^s^pu^rch^a^s^e^13,000^credi^t^{card n}^u^m^bers^R^e^ddy^{, A}ⁿⁱ^t^h^{a, “}^H^ack^ers^S^t^eal^{13,000 C}^r^edi^t
^ers^dowⁿ^l^{oaded N}^a^v^y^{card prog}^ram^,^C^a^rd^Nu^m^b^{ers; Nav}^y^Say^s^No^Frau^d^{Has B}^een
^u^s^{ed t}^o^order^Noticed,”^W^a^s^hⁱ^ngt^{on Pos}^t^,^N^o^v^e^m^b^{er 23,}
^rou^tin^{e of}^fⁱ^ce^{2003, p. E1.}
^su^p^p^lies
^oⁿ^x^id^en^tity^th^ef^{t r}ⁱⁿ^g^f^iled^Feb^r^uar^yⁱⁿ^co^m^e^tax^f^iler^sⁿ^o^{t sp}^ecifⁱ^ed^SSNs^W^e^iser^{, B}^eⁿ^j^amⁱⁿ^{, “}¹⁹^Ch^ar^g^e^dⁱⁿ^I^d^en^tity
^s^aⁿ^d^s^of^f^r^au^du^l^eⁿ^t²⁰⁰³^T^h^ef^{t T}^h^{at Netted}^$⁷^Millioⁿⁱⁿ^T^a^x^Ref^uⁿ^d^s,”
ⁱ^{ki/CRS-RL33199}^m^e^tax^r^e^tu^rⁿ^s^no^t^e^:^I^D^t^h^e^f^t^rⁱ^{ng o}^b^t^aⁱ^ne^d^$⁷^m^illioⁿⁱⁿ^tax^r^e^f^uⁿ^d^s^{New Yo}^{rk Times}^{, F}^e^bru^a^ry^{5, 2003, p. B3.}

^g/w
^s^.or
^le^ak
^://wiki
^h^ttp

CRS-70
Table 5. Data Security Breaches in Health Care (2003-2007)
^{Healthcare I}ⁿ^cidents^Da^te^Publicized^Who^Wa^s^Affected^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^orgⁱ^{a D}^e^pt^{. of}^C^o^m^m^uⁿⁱ^t^y^A^p^ri^l²⁰⁰⁷^s^t^at^{e h}^eal^t^h^care^2,900,000^S^S^N^s^,^addres^s^e^s^,^bi^rt^h^d^at^es^{, dat}^e^s^of^Miller^,^Aⁿ^d^y^{, an}^d^B^{ill Hen}^d^rⁱ^ck^,
⁽^A^tlan^t^{a, GA}⁾^an^d^recipien^ts^elig^ib^ility^{, f}^u^{ll n}^a^m^e^{s, Med}ⁱ^caid^o^r^“^G^eo^r^g^ian^s^’^p^e^r^s^oⁿ^{al d}^a^{ta lo}^st;
^iv^{ate co}ⁿ^t^r^acto^r^A^f^f^iliated^ch^ildren^’^s^h^ealth^{care recipien}^t^{Medicaid, P}^each^C^a^{re clien}^t^s^:^A
^m^p^u^t^{er Serv}^ices^(A^C^S^{) -}^id^en^tif^icatioⁿⁿ^u^m^b^e^r^s^com^p^u^t^{er dis}^kⁱⁿ^clu^dⁱⁿ^g^{Social Secu}^rity
^ssi^{ng c}^o^m^p^ut^e^r^dⁱ^skⁿ^u^m^b^e^r^s^oⁿ²^.⁹^m^illioⁿ^p^e^o^p^l^{e w}^a^{s lo}^st
ⁱⁿ^tr^an^sit,”^At^l^ant^{a Jour}^nal^and
ⁱ^{ki/CRS-RL33199}^Coⁿ^s^titu^tioⁿ^{, A}^p^ri^l^{11, 2007, p. 1A}^.
^g/w
^s^.or^{H Health}^Sy^stem^s^A^p^ri^l²⁰⁰⁷^em^pl^oy^ees^an^d⁶^,⁰⁰⁰^r^e^tir^em^en^{t b}^eⁿ^e^f^{it in}^f^o^r^m^atioⁿ^,^SSNs,^A^s^s^o^{ciated P}^r^es^s^{State &}^L^o^{cal W}ⁱ^re,
^le^ak^u^s^caloos^{a, A}^L^{) -}^los^t^r^e^tir^ees^oth^e^{r u}^s^pecifⁱ^{ed pers}^on^{al in}^f^o^rm^ation^“^T^u^s^cal^oos^a-^bas^e^{d D}^C^H^l^o^s^e^s^pers^on^al
^://wiki^p^u^t^{er dis}^k^an^{d docu}^m^en^ts^dat^a^on^em^pl^oy^ees^{,” A}^p^ri^l^{5, 2007.}
^h^ttp^ou^{p H}^eal^t^h^C^ooperatⁱ^v^e^March²⁰⁰⁷^patⁱ^eⁿ^t^s^an^d^31,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^g^r^ou^{p h}^eal^t^h^“^P^acifⁱ^{c North}^w^es^t,”^S^e^a^{ttle Times}^,
^C^a^{re Sy}^s^t^em^em^ploy^ees^num^b^e^r^s^March^{27, 2007, p. B3.}
^{eattle, W}^A⁾^-^tw^o^lap^t^o^p^s
^ssing
^e^ster^ly^Ho^sp^{ital (}^W^ester^l^y^,^March²⁰⁰⁷^patien^t^s²^,242ⁿ^a^m^e^s^,^S^S^N^s^,ⁱⁿ^s^u^ran^{ce in}^f^o^rm^ation^A^rm^en^{tal, Maria, “}^{Data breach}^at
⁾^-^p^a^tien^t^s’^coⁿ^f^id^en^tial^W^e^ster^ly^Ho^sp^ital,”^Pr^ovi^d^{ence Jour}^nal
^o^rm^atⁱ^oⁿ^pos^t^e^{d on}^pu^blⁱ^c^(R^h^{ode Is}^l^aⁿ^d^{), March}^{2, 2007.}

^b^s^ite

CRS-71
^{Healthcare I}ⁿ^cidents^Da^te^Publicized^Who^Wa^s^Affected^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^l^poiⁿ^t^{, In}^{c (IN}^-^bas^e^d^March²⁰⁰⁷^m^e^m^b^ers^ofⁱ^t^s^75,000ⁿ^a^m^e^s^,^S^S^N^s^,^h^eal^t^h^pl^an^Fr^eu^d^eⁿ^h^e^im^{, Milt, “}^M^ed^{ical Data o}ⁿ
ⁱⁿ^su^r^e^r⁾^-^lo^{st co}^m^p^act^Em^{pire Blu}^e^id^en^tif^icatioⁿⁿ^u^m^b^e^r^s^{, d}^e^scrⁱ^p^tioⁿ^s^Em^{pire B}^l^u^e^C^r^os^s^Mem^b^ers^May^B^e
^k^Cr^o^{ss a}ⁿ^d^B^l^ue^of^m^e^di^cal^s^e^rvⁱ^ces^back^t^o²⁰⁰³^Lo^s^t^,^”^Ne^{w Yo}^rk^Tim^e^s^{, March}^{14, 2007.}
^Sh^ield^uⁿ^{it in}^an^d
^te:^C^o^m^p^an^y^f^o^uⁿ^d^th^{e C}^D^New^Yo^rk^G^a^udⁱⁿ^,^Sha^r^oⁿ^,^{“ W}^e^l^l^P^oⁱ^nt^Fi^nd^s
^an^{a w}^eek^later^.^Mi^s^sⁱⁿ^g^C^D^Wi^t^h^D^a^t^a^Oⁿ^75,000
^e^llP^oin^t^{did n}^o^{t releas}^{e an}^y^P^e^ople,”^Iⁿ^fo^rma^tioⁿ^W^eek^{, March}^15,
^o^r^m^atioⁿ^oⁿ^w^h^er^{e th}^{e d}ⁱ^sk^{2007, at}
ⁱ^{ki/CRS-RL33199}^{s fo}^und^.^[^h^t^t^p^:^/^/^www.ⁱⁿ^f^o^r^m^a^tⁱ^oⁿ^w^e^e^k^.^c^o^m^/^s^t^o^r^y^/^s^h^o^w^A^rtⁱ^c^l^e^.j^h^t^m^l^?^a^rtⁱ^c^l^e^ID^=19800110
^g/w^5&^ci^d=R^S^S^f^eed_IWK^_N^ew^s^]^.
^s^.or
^le^akⁿ^Fam^ily^o^f^Ho^sp^itals^Feb^r^uar^y^p^a^tien^t^{s w}^h^o^7,800^S^S^N^s^,^dat^e^s^of^bi^rt^h^,ⁱⁿ^s^u^ran^c^e^Gau^dⁱⁿ^{, Sh}^ar^oⁿ^{, “}^Ho^sp^{ital L}^a^p^t^o^p
^u^s^tⁱⁿ^{, T}^X^{) -}^s^t^ol^en^l^a^pt^op²⁰⁰⁷^so^ught^c^a^r^e^a^s^prog^ramⁿ^u^m^bers^S^t^ol^en^;^In^f^o^Oⁿ^{7,800 Pat}ⁱ^eⁿ^t^s^A^t^Rⁱ^s^k^,”
^://wiki^part^of^an^Iⁿ^fo^rma^tioⁿ^W^eek^{, F}^e^bru^a^ry^{26, 2007, at}
^h^ttp^o^u^tp^atien^t^o^r^[^h^t^t^p^:^/^/^www.ⁱⁿ^f^o^r^m^a^tⁱ^oⁿ^w^e^e^k^.^c^o^m^/^s^t^o^r^y
^clin^{ic v}ⁱ^{sit sin}^c^e^/^s^h^o^w^A^rtⁱ^c^l^e^.j^h^t^m^l^?^a^rtⁱ^c^l^e^ID^=19700871
^Ju^l^y^{1, 2005}^1&^ci^d=R^S^S^f^eed_IWK^_N^ew^s^]^.
^hⁿ^s^Ho^p^kⁱⁿ^{s Un}^iv^er^sity^Feb^r^uar^y^ne^w^J^o^hns^{52,000 u}ⁿⁱ^v^e^rsⁱ^t^yⁱⁿ^f^o^r^m^atioⁿ^oⁿ^th^{e u}ⁿⁱ^v^e^r^s^ity^p^a^y^r^o^l^l^J^o^hⁿ^s^Ho^p^kⁱⁿ^{s I}ⁿ^stitu^tioⁿ^s^p^r^{ess r}^e^lease,
^U⁾^an^{d Joh}ⁿ^s^H^opkⁱⁿ^s²⁰⁰⁷^Ho^p^kⁱⁿ^{s Ho}^sp^ital^em^ploy^ees^an^d^tapesⁱⁿ^clu^d^{ed Social Secu}^rity^“^I^d^eⁿ^tity^A^l^er^{t: A}^J^oⁱⁿ^{t Statem}^en^{t f}^r^o^m
^sp^{ital (}^B^altim^o^r^{e, MD)}^-^p^a^tien^t^{s f}ⁱ^r^s^{t seen}^{83,000 h}^o^s^pⁱ^t^a^lⁿ^u^m^bers^an^{d, in}^s^o^m^e^cas^es^{, ban}^k^T^h^{e J}^o^hⁿ^s^Ho^p^kⁱⁿ^{s Un}^iv^er^sity^an^d
^b^a^c^kup^t^a^p^e^{s c}^o^nt^aⁱⁿⁱ^ng^b^e^tw^een^J^u^ly⁴^p^a^tien^t^s^accouⁿ^tⁱⁿ^f^o^rm^ation^f^o^{r pres}^en^{t an}^d^T^h^{e J}^o^hⁿ^s^Ho^p^kⁱⁿ^{s Ho}^sp^{ital, “}^Feb^r^u^a^r^y
^on^alⁱⁿ^f^o^rm^atⁱ^oⁿ^on^JH^U^an^{d D}^{ec. 18, 2006}^f^o^rm^{er em}^ploy^ees^{; in}^f^o^rm^ation^on^{7, 2007, at}
^ploy^ees^los^{t; on}^{e back}^u^p^h^o^sp^{ital p}^a^tien^t^{s in}^clu^d^edⁿ^a^m^e^{s an}^d^[^h^t^t^p^:^/^/^www.^j^h^u^.^e^d^u^/ⁱ^d^eⁿ^tity^aler^t/r^elease
^e^c^o^nt^aⁱⁿⁱ^{ng i}ⁿ^fo^r^m^a^tⁱ^oⁿ^dat^e^s^of^bi^rt^h^s^/^s^t^atem^en^t.h^t^m^l^].

^J^H^h^o^sp^{ital p}^a^tien^t^{s lo}^st

CRS-72
^{Healthcare I}ⁿ^cidents^Da^te^Publicized^Who^Wa^s^Affected^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^lf^C^o^as^{t Medical C}^eⁿ^t^er^Feb^r^uar^y^p^a^tien^t^s,^{1,900 i}ⁿ^di^vⁱ^du^al^sⁿ^a^m^e^s^,^SSNs^V^av^{ala, Don}ⁿ^a^{, “}^L^{aptop th}^ef^ts^cau^s^e
^ash^v^{ille, T}^N^&^T^a^llah^a^ssee,²⁰⁰⁷^em^ploy^ees^an^d^w^e^{re af}^f^{ected by}^a^alarm^:^Devⁱ^ces^con^t^ain^e^{d h}^o^s^p^ital
⁾^{- tw}^o^c^o^m^p^ute^r^{s m}ⁱ^ssing^f^o^rm^{er em}^ploy^ees^th^ef^{t in}^Nash^v^ille,^p^a^tien^t^{, em}^p^l^o^y^{ee in}^f^o^r^m^atioⁿ^;ⁿ^o^I^D
^o^sep^a^r^a^{te in}^cid^eⁿ^t^s^TNⁱⁿ^N^o^v^e^m^b^e^r^th^ef^{ts r}^e^p^o^r^ted^,^”^Ne^{ws H}^e^ra^ld^(P^an^am^a
^an^{d 8,000 w}^h^en^Cⁱ^t^y^{, F}^l^ori^d^{a), March}^{1, 2007.}
^an^oth^e^{r com}^p^u^t^er
^w^a^{s sto}^l^eⁿⁱⁿ
^T^a^llah^a^ssee
ⁱ^{ki/CRS-RL33199}^’^s^Hos^p^ital^Feb^r^uar^y^f^o^rm^{er an}^d^130,000ⁿ^a^m^e^s^,^S^S^N^s^,^dat^e^s^of^bi^rt^h^O^’^B^ri^en^{, D}^eⁿⁿⁱ^s^,^“^S^econ^d^H^o^s^pⁱ^t^a^l
^g/w^eon^a^rdt^o^wⁿ^{, MD) -}^s^t^ol^en²⁰⁰⁷^c^u^r^r^e^nt^ho^spⁱ^t^a^l^Rep^o^r^{ts L}^o^{st Data. St. Mar}^y^’^s^No^tif^ies
^s^.or^op^p^a^tien^t^s^{130,000, D}^a^y^s^af^t^e^{r H}^opkⁱⁿ^s^’^N^o^tⁱ^ce;
^le^ak^Secoⁿ^d^Md^{. Ho}^sp^{ital Rep}^o^r^{ts L}^o^{ss o}^f
^P^a^tien^t^s’^Data,”^Ba^ltimo^r^{e S}^uⁿ^,
^://wiki^F^e^bru^a^ry^{13, 2007, p. A}¹^.
^h^ttp
^e^l^l^p^oⁱ^nt^/^A^nt^he^m^B^l^ue^Cr^o^s^s^Feb^r^uar^y^Aⁿ^t^h^e^m^me^mb^e^r^s^196,000ⁿ^a^m^e^s^,^S^S^N^s^H^owⁱⁿ^g^t^on^{, Pat}^rⁱ^c^k^,^“^C^as^s^e^t^t^e^t^a^pes
^u^e^Sh^ield^-^{cassette tap}^e^s²⁰⁰⁷ⁱⁿ^K^e^nt^uc^ky^,^con^t^ainⁱⁿ^g^cu^s^t^om^{er in}^f^o^rm^ation^w^e^re
^en^f^r^om^{a l}^o^ck^box^h^e^l^d^by^In^dian^{a, Oh}^{io an}^d^s^t^ol^en^f^r^om^{a l}^o^ck^box^h^e^l^d^by^on^{e of}ⁱ^t^s
ⁿ^{dor C}^oⁿ^cen^{tra P}^r^ef^erred^Vir^gⁱⁿ^ia^ve^nd^o^r^s,^”^C^ourⁱ^e^r^-^Jour^nal⁽^L^o^u^isv^ille,
^stem^s^K^eⁿ^t^u^c^k^y^{), F}^e^bru^a^ry^{15, 2007.}
ⁱ^o^{Board of}^N^u^rsⁱⁿ^g^-^J^a^nua^r^yⁿ^e^w^l^y^licen^s^e^d^3,031ⁿ^a^m^e^s^,^S^S^N^s^H^oh^olⁱ^k^{, S}^u^zanⁿ^e^{, “}^E^{rror pu}^t^sⁿ^u^r^s^e^s^’
^bsⁱ^t^e^pos^t^e^{d n}^a^m^e^s^an^d²⁰⁰⁷^nur^se^s^pers^on^al^dat^a^on^lⁱⁿ^e,”^C^o^l^u^m^bus
^f^nur^se^{s tw}^ic^e^{in o}ⁿ^e^Disp^a^t^ch⁽^OH)^{, Jan}^u^a^ry^{25, 2007.}

ⁿ^t^h

CRS-73
^{Healthcare I}ⁿ^cidents^Da^te^Publicized^Who^Wa^s^Affected^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^edis^h^{Medical C}^eⁿ^t^er,^O^c^t^ober^p^a^tⁱ^e^nt^s¹^,¹⁰⁰^na^m^e^s,^d^a^t^e^{s o}^f^bⁱ^r^t^h,^SSN^s^S^o^ng,^K^y^ung,^“3^Sw^e^dⁱ^s^{h p}^a^tⁱ^e^nt^{s sa}^y
^llar^d^Cam^p^u^s⁽^S^{eattle, W}^A⁾²⁰⁰⁶^IDs^s^t^olen^{at B}^a^{llard cam}^pu^s^;^w^o^rk^er
^ploy^{ee u}^s^{ed patien}^t^s^’^fⁱ^red;^Em^pl^oy^{ee al}^l^e^g^e^dl^y^open^e^{d credi}^t
^r^s^oⁿ^{al in}^f^o^r^m^atioⁿ^to^o^p^eⁿ^car^d^s^{; Ho}^sp^{ital w}^a^rⁿ^{s p}^a^tien^t^{s to}^w^a^tch
ⁿ^t^s^f^o^r^activ^ity^oⁿ^th^eir^cr^ed^{it r}^e^p^o^r^ts,”
^S^e^a^{ttle Times}^{, O}^c^t^{ober 25, 2006, p. B4.}
^t^ers^of^{St. Fran}^cis^Health^O^c^t^ober^p^a^tien^t^s,^260,000ⁿ^a^m^e^s^,^SSNs^L^{ee, Dan}ⁱ^{el, “}^L^os^{t an}^{d f}^o^uⁿ^d^{: in}^f^o^on
ⁱ^{ki/CRS-RL33199}^ices^vⁱ^{a A}^d^v^aⁿ^ced^a^bles^Strateg^y²⁰⁰⁶^em^ploy^ees^,^p^h^y^s^ician^s^an^d^patⁱ^eⁿ^t^s^an^{d 6,200}^em^ploy^ees^{260,000 pat}ⁱ^eⁿ^t^s^,^”^Indi^anopolⁱ^s^St^ar^,^O^c^t^{ober 25, 2006.}
^g/w^dⁱ^aⁿ^a^polⁱ^s^{, IN) -}^con^t^ract^or^B^o^a^r^d^me^mb^e^r^s
^s^.or^v^e^r^t^en^tly^lef^t^CDs
^le^akⁿ^t^ainⁱⁿ^g^coⁿ^f^id^en^{tial b}^illin^g
^o^r^m^atioⁿⁱⁿ^{a n}^e^w
^://wiki^p^u^t^{er bag}^s^h^{e pu}^rch^a^s^e^d
^h^ttp^{t later}^r^e^tu^rⁿ^ed^to^{a sto}^r^e
^lan^g^e^r^Health^Sy^stem^S^e^pt^em^ber^cu^rren^t^an^d^4,150ⁿ^a^m^e^s^,^S^S^N^s^B^erry^{, Em}ⁱ^l^y^{, “}^E^rl^an^g^e^{r l}^o^s^e^s^com^p^u^t^er
^ha^t^t^a^no^o^g^a^,^T^N⁾^{- m}ⁱ^ssi^ng²⁰⁰⁶^f^o^rm^{er em}^ploy^ees^devⁱ^{ce, pers}^onⁿ^e^l^dat^a^,”^C^hat^t^anooga
^a^devⁱ^ce^Times^/^Fr^{ee Pr}^es^s^{, S}^e^pt^em^{ber 24, 2006.}
^c^o^Health^So^lu^tioⁿ^s^-^March²⁰⁰⁶^O^hⁱ^o^s^t^at^e^4,600^S^S^N^s^,^bi^rt^h^dat^e^s^W^ei^s^s^,^T^{odd R}^{., “}^V^en^{dor Wai}^t^e^{d S}ⁱ^x
^en^l^a^pt^op^em^ploy^ees^an^d^W^eek^{s to}^No^tif^y^Oh^io^Of^fⁱ^{cials o}^f^Data
^t^h^ei^{r depen}^d^en^t^s^B^r^each^{,” C}^o^m^p^u^t^erw^o^{rld, March}^1,
^{2006, at}
^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^p^rⁱⁿ^t^t^h
ⁱ^s^/^2006/^{0,4814,109116,00.h}^t^m^]^.

CRS-74
^{Healthcare I}ⁿ^cidents^Da^te^Publicized^Who^Wa^s^Affected^Num^b^{er Affected}^Ty^pe^o^f^D^a^t^a^R^e^l^e^as^ed^/^C^om^p^r^omⁱ^s^ed^Source(s⁾
^ild^r^eⁿ^’^{s Health}^Co^uⁿ^c^il,^S^e^pt^em^ber^p^a^tien^t^s,^5,000-^6,000^ps^y^c^hⁱ^at^ri^{c records}^,^ev^al^u^a^tⁱ^oⁿ^s^an^d^W^a^ls^h^,^Dian^{a, “}^D^{ata Stolen}^f^r^om
^{n J}^o^se^,^Ca^lⁱ^f^o^rⁿⁱ^a^{- st}^o^l^eⁿ²⁰⁰⁵^em^ploy^ees^{, an}^d^SSN^s;^a^l^so^p^a^y^r^o^l^l^d^a^t^a^oⁿ^hund^r^e^d^s^Chi^l^d^r^e^{n’s P}^s^y^c^hi^a^t^rⁱ^c^Ce^nt^e^r^,^”^San
^c^kup^t^a^p^e^paren^t^s^of^patⁱ^eⁿ^t^s^of^cu^rren^{t an}^{d f}^o^rm^{er em}^ploy^ees^an^d^Fr^anci^s^{co C}^h^r^oni^cl^e^{, S}^e^pt^em^{ber 20,}
^{credit card in}^f^o^rm^ation^f^r^om^paren^t^s^{2005, p. B8.}
^of^patⁱ^eⁿ^t^s
ⁿ^Jos^e^Medi^cal^G^r^ou^p^Ap^rⁱ^l^f^o^r^m^er^p^a^tien^t^s^185,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^,^con^fⁱ^d^en^tⁱ^a^l^Wei^s^s^,^T^{odd, “}^U^pdat^e^:^S^t^ol^en
^a^na^ge^m^e^nt^{- d}^e^skt^o^p²⁰⁰⁵^fr^o^m^la^{st se}^veⁿ^m^e^dⁱ^{cal in}^f^o^r^m^atioⁿ^C^o^m^p^u^t^ers^C^oⁿ^t^aiⁿ^D^a^t^a^on^185,000
ⁱ^{ki/CRS-RL33199}^p^u^t^ers^s^t^olen^f^r^om^lock^edⁱⁿⁱ^s^t^rativ^{e of}^fⁱ^ce^y^ears^P^a^tien^t^{s,” Co}^m^p^u^t^er^w^o^r^l^d^,^A^p^r^{il 8}^,^{2005, at}
^g/w^[^h^t^t^p^:^/^/^www.^c^o^mp^u^t^e^r^wo^r^l^d^.^c^o^m/^d^a^t^a^b^a
^s^.or^s^e^t^opi^cs^/^d^at^a/^s^t^ory^/^{0,10801,100961,00.h}
^le^ak^tm^l]^.
^://wiki^iW^{est Health}^car^{e A}^llian^{ce -}^Decem^ber^m^ilitar^y^p^e^r^s^oⁿⁿ^e^l^500,000ⁿ^a^m^e^s^,^addres^s^e^s^,^S^S^N^s^G^orm^aⁿ^,^T^o^m^,^“^R^ew^{ard O}^f^f^e^{red i}ⁿ
^h^ttp^{t of}^{a databas}^e^con^t^ainⁱⁿ^g²⁰⁰²^an^{d th}^eir^Hu^g^e^T^h^ef^{t o}^f^I^d^en^tity^{Data; Sto}^l^en
^e^{s and}^SSNs^depen^d^en^t^s^C^o^m^p^u^t^ers^{Had Nam}^e^s^,^{Social Secu}^rity
^Nu^m^b^ers^of^{500,000 M}^ilitary
^Fam^ilies,”^Lo^{s A}ⁿ^g^e^le^{s Time}^s^,^J^a^nua^r^y¹^,
^{2003, p. 14.}
The tables were prepared by CRS from publicly available and news media sources.
e: URLs are listed for exclusively online sources; other publications are identified by name and date.

For Additional Reading
CRS Report RS22374. Data Security: Federal and State Laws, by Gina Marie
Stevens.
CRS Report RL33273. Data Security: Federal Legislative Approaches, by Gina
Marie Stevens.
CRS Report RS22484. Identity Theft Laws: State Penalties and Remedies and
Pending Federal Bills, by Tara Alexandra Rainson.
CRS Report RL33005. Information Brokers: Federal and State Laws, by Angie A.
Welborn.
CRS Report RL33612. Department of Veterans Affairs: Information Security and
Information Technology Management Reorganization, by Sidath Viranga
Panangala.
CRS Report RL31919. Remedies Available to Victims of Identity Theft, by Gina
Marie Stevens.
CRS Report RS22082. Identity Theft: The Internet Connection (archived), by Marcia
S. Smith^.