2008 Data Breaches Via Employee Theft


Privacy Rights Clearinghouse is a nonprofit consumer information and advocacy organization that has maintained a list of data breaches affecting consumer information since January of 2005.  From the information they have compiled, they estimate that over 246,000,000 records containing sensitive personal information have been compromised either by hackers, employees, via stolen property or accident.  In 2008 alone, Privacy Rights Clearinghouse has documented 310 security breaches of sensitive data.  A percentage of those breaches have occurred due to employee theft.  Here are some of the highlights from the past year:

UCLA Medical Center (Los Angeles, CA) – March 19, 2008

UCLA Medical Center has moved to fire 13 employees and suspended six others for unauthorized access to confidential medical records.
UPDATE (8/5/08): The latest report said 127 workers peeked into celebrities’ medical records without permission, leading to several firings, suspensions and warnings. The report also detailed the case of one employee who looked at the records of about 900 patients “without any legitimate reason” and viewed Social Security numbers, health insurance information and addresses, from April 2003 to May 2007. 

Number of records – 900

Marine Corps Reserve Center (San Antonio, TX) – May 2, 2008

A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft after he was accused of selling names and Social Security numbers of 17,000 military employees. 

Number of records – 17,000

State Street Corp/Investors Financial Services (Boston, MA) – May 29, 2008

Computer equipment containing personal information on customers and employees of a State Street unit was stolen. The computer equipment was stolen from a vendor hired by Investors Financial Services to provide legal support services. The personal information included names, addresses and social security numbers. 

Number of records – 45,500

Countrywide Financial Corp. (Calabasas, CA) – August 2, 2008

The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period though July. The insider was a senior financial analyst at Full Spectrum Lending, Countrywide’s subprime lending division. The alleged data thief was said to have downloaded about 20,000 customer profiles each week and sold files with that many names for $500, according to the affidavit. He typically would e-mail the data in Excel spreadsheets to his buyers, often using computers at Kinko’s copying and business center stores. Some, perhaps most, and possibly all the names were being sold to people in the mortgage industry to make new pitches. 

Number of records – 2,000,000

Liberty McDonald’s Restaurant (Liberty, KY) – August 22, 2008

An employee at a Liberty McDonald’s restaurant, took credit or debit cards from drive-through customers and used a device she had hidden near the window to swipe the cards to record their numbers. The information on the device then was downloaded and used to make new cards either in the names of the persons to which the original cards belonged or in the names of the perpetrators. 

Number of records – Unknown

Ohio Police & Fire Pension System (Columbus, OH) – August 30, 2008

A former mailroom supervisor at the Ohio Police & Fire Pension System forwarded the names, addresses and Social Security numbers from his work e-mail address to his personal e-mail address before quitting his job. The file contains information for 13,000 of the approximately 24,000 retired members of the Ohio Police & Fire Pension System, most of whom are former police officers. 

Number of records – 13,000

Shell Oil Co. (Houston, TX) – October 27, 2008

An IT contractor used the personal data of four Shell workers as part of an unemployment insurance claims scam. Employees of a third-party contractor misused information stored in a corporate database. The database includes records for a majority of current and former Shell employees. Misused data included names, dates of birth and Social Security numbers. 

Number of records – Unknown 

The importance of performing background checks on your employees and contractors cannot be overstated.  The results you find may discourage you from hiring someone that, down the line, could be one of those that breach the security of your sensitive information.

For a complete listing of data breaches maintained by Privacy Rights Clearinghouse since January of 2005, click here.