Chronology of Recent Data Thefts, FTC Comissioner Predicts Hell to Pay for Corporate America

Following is a chronology of recent data breaches courtesy BeSpacific.com and cataloged by the Privacy Rights Clearinghouse. One positive thing, at least for our industry, is that this list manages to put the recent thefts from data brokers such as Lexis Nexis or Choicepoint in the greater context of what is apparently the leaky sieve model of privacy found in corporate America and academia.

Last week the wonderfully named Orson Swindle, a commissioner at the Federal Trade Commission since 1997 provided his impromptu thoughts on the situation at a recent cyber-crime conference:

"Everybody's screaming, all the political figures up on Capitol Hill, about identity theft," he said. "It's not identity theft, it's the theft of information... While politicians raise hell about identity theft, what we're really talking about is the failure to protect valuable currency.... Corporate boards better start paying attention, because they haven't been."

Also, according to Swindle, the pattern of corporate data breaches "Indicates to me the industry has, to a great extent, been irresponsible, and somebody has got to pay." He suggested the first people to pay might be corporate lawyers. The lax data protection, according to Swindle, is being driven in part by those general counsels who sit around and say, "be careful about what you promise in privacy and information security because you might get sued for it."

DATE	NAME	TYPE OF BREACH	NUMBER
Feb. 15, 2005	ChoicePoint	ID thieves accessed	145,000
Feb. 25 , 2005	Bank of America	Lost backup tape	1,200,000
Feb. 25, 2005	PayMaxx	Exposed online	25,000
March 8, 2005	DSW/Retail Ventures	Hacking	100,000
March 10, 2005	LexisNexis	Passwords compromised	32,000
March 11, 2005	Univ. of CA, Berkeley	Stolen laptop	98,400
March 11, 2005	Boston College	Hacking	120,000
March 12, 2005	NV Dept. of Motor Vehicle	Stolen computer	8,900
March 20, 2005	Northwestern Univ.	Hacking	21,000
March 20, 2005	Univ. of NV., Las Vegas	Hacking	5,000
March 22, 2005	Calif. State Univ., Chico	Hacking	59,000
March 23, 2005	Univ. of CA, San Francisco	Hacking	7,000
April 8, 2005	San Jose Med. Group	Stolen computer	185,000
April 11, 2005	Tufts University	Hacking	106,000
April 12, 2005	LexisNexis	Passwords compromised	Additional 280,000
April 14, 2005	Polo Ralph Lauren/HSBC	Hacking	180,000
April 14, 2005	Calif. FasTrack	Dishonest Insider	4,500
April 18, 2005	DSW/ Retail Ventures	Hacking	Additional 1,300,000
April 20, 2005	Ameritrade	Lost backup tape	200,000
April 21, 2005	Carnegie Mellon Univ.	Hacking	19,000
April 26, 2005	Mich. State Univ's Wharton Center	Hacking	40,000
April 26, 2005	Christus St. Joseph's Hospital	Stolen computer	19,000
April 28, 2005	Georgia Southern Univ.	Hacking	"tens of thousands"
April 28, 2005	Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp	Dishonest insiders	680,000
April 29, 2005	Oklahoma State Univ.	Missing laptop	20,000
May 2, 2005	Time Warner	Lost backup tapes	600,000
May 4, 2005	CO. Health Dept.	Stolen laptop	1,600 (families)
May 16, 2005	Westborough Bank	Dishonest insider	750
May 18, 2005	Jackson Comm. College, Michigan	Hacker	8,000
May 20, 2005	Purdue Univ.	Hacker	11,000
TOTAL			5,476,150

Yikes. Bad times. Read the rest of the Swindle article here and for more on pending legislation relating to personal data theft, try privacyrights.org.

-- MDT