The Data Breach Blog

Connecticut college computer infected with malware, 18K affected

February 17, 2012

The Zbot, or Zeus, trojan infected a computer at Central Connecticut State University (CCSU) in New Britain, exposing the Social Security numbers of thousands of people related to the college.

How many victims? 18,275 current and former faculty, staff and student workers.

What type of personal information? Social Security numbers.

What happened? A computer in the CCSU business office was infected with the trojan in December. The malware sat on the system for eight days before it was detected and removed. A forensic analysis could not conclude whether the information was stolen or used in a wrongful way.

What was the response? The university is in the process of matching names with the Social Security numbers in order to notify victims. The university will provide them with two years of free identity protection services.

Quote: "I deeply regret any inconvenience or anxiety this incident may cause you and your family," school President Jack Miller said. "All of us involved in responding to this incident understand how important one's personal information is and how critical it is to safeguard it."

Source: www.ccsu.edu, "CCSU warns of potential personal information breach," Feb. 16, 2012.

 

Phishing email leads to Denver area health care breach

February 07, 2012

Hackers may have accessed the personal health data belonging to patients of Denver area-based Metro Community Provider Network, a nonprofit health care provider for low-income individuals and families.

How many victims? Approximately 2,000.

What type of personal information? Names, phone numbers, dates of birth, diagnoses and internal account numbers.

What happened? An employee responded to a phishing email that allowed hackers to steal credentials, giving them access to the corporate network.

What was the response? As the organization investigates, employees are being asked to change their login information.

Quote: "Metro Community Provider Network sincerely apologizes for the inconvenience and concern this incident causes," it said in a statement.

 
Source: ModernHealthcare.com, "Colo. provider reports possible breach," Feb. 2, 2012.


 

Patient data at U of M hospital breached

February 06, 2012

A thief broke into a doctor's car and stole a briefcase containing a flash drive that held personal data on patients of the University of Miami (UM) Miller School of Medicine.

How many customers? 1,219.

What type of personal information? Age, gender, diagnosis and treatment data, from 2005 to 2011.

What happened? On Nov. 24, vandals broke into a car belonging to a pathologist from the University of Miami Miller School of Medicine. A briefcase, which held a USB drive containing the patient data, was taken.

Details: Officials, in a statement, said no financial information or Social Security numbers were stored on the stolen drive. The statement also said that “there is no indication that the information was accessed or misused in any way.” However, the facility is following federal requirements to notify patients involved, and the theft was reported to local law enforcement for investigation, as well as to the U.S. Department of Health and Human Services.

Quote: “The university will continue to review and refine its physical and electronic safeguards to ensure that personal information remains secure.” – UM letter

Source: MiamiHerald.com, Jan. 30, 2012, "UM patient data stolen."

 

Indiana University hospital hacked to steal data

February 01, 2012

Malware may have allowed attackers to make off with the personal information of thousands of people connected to Indiana University Health Goshen Hospital.

How many victims? 12,374 job applicants and fewer than 500 patients.

What type of personal information? Names, addresses, and Social Security numbers of applicants, and Social Security numbers, insurance data and medical service information belonging to people who registered for outpatient procedures and for the maternity unit.

What happened? On Dec. 22, a virus was discovered on a server. A security firm determined that hackers did indeed try to access the information, but it is unclear if they were successful.

What was the response? Letters were sent to victims, and the hospital plans to provide one year of free credit monitoring to them.

Source: chicagotribune.com, Associated Press, "N. Ind. hospital: Records may have been breached," Jan. 31, 2012. southbendtribune.com, "IU Health Goshen data hit by virus," Feb. 1, 2012.

 

Central Kentucky's largest group practice hit with patient data breach

January 31, 2012

A laptop storing patient data was stolen from the neurology department of Lexington Clinic on the night of Dec. 7, 2011.

How many customers? Lexington Clinic is sending letters to 1,018 patients.

What type of personal information? The computer stored patient names, contact information and diagnoses for some Lexington Clinic patients receiving services within the neurology department.

What happened? A laptop containing personally identifiable information of patients of Lexington Clinic was stolen overnight on Dec. 7, 2011. 

Details: Lexington Clinic, which operates offices in more than 25 locations throughout Central and Eastern Kentucky, said the stolen laptop did not contain the personal financial information of patients, such as Social Security, credit card or bank account numbers. Upon learning of the theft, the facility notified law enforcement authorities, and all door locks to the neurology department were changed. Additionally, the clinic publicly disclosed the breach to local media, and posted information about the breach on its website.

Quote: “There is no evidence thus far that any patient information has been misused...”

Source: Lexington Clinic release, "Lexington Clinic Notifying Patients of Information Security Breach," Jan. 30, 2012.

 

Some 2M possibly affected by NYSEG, RG&E data compromise

January 25, 2012

Unauthorized individuals gained access to the personal data belonging to customers of New York State Electric & Gas (NYSEG) and Rochester Gas & Electric (RG&E), which are owned by Iberdrola USA. But an outside contractor is to blame.

How many customers? The companies did not disclose how many people were affected, but reports said the two utilities have about 1.8 million customers between them.

What type of personal information? Social Security numbers, birth dates and, in some cases, bank account numbers.

What happened? For unknown reasons, an employee at a third-party software development consulting firm permitted unauthorized access to one of the company's customer information systems.

Details: There is thus far no reason to believe that any of the information has been misused or that there was malicious intent on behalf of the employee.

Quote: “Public utilities are custodians of a great deal of personal customer information,” New York State Public Service Commission Chairman Garry Brown said. “As a result of this apparent data security breach, I have asked staff of the Department of Public Service to immediately initiate an investigation of the facts and circumstances surrounding this event.”

Source: NYSEG news release, Jan. 23, 2012. thedailynewsonline.com, The Daily News, "RG&E, NYSEG say customer information compromised," Jan. 23, 2012.

 

Hackers harvested City College of S.F. data since 1999

January 13, 2012

Fingers are being pointed at criminal networks based in Russia and China as the culprits behind the more-than-decade-long siphoning of personal banking information from students, faculty and staff of the City College of San Francisco.

How many victims? Perhaps tens of thousands.

What type of personal information? Personal banking information.

What happened? Following the Thanksgiving holiday, the college's data security monitoring service, USDN, detected at least seven viruses activated each day at 10 p.m. that trawled the college's system (including its administrative, instructional and wireless networks), relaying data back to servers in Russia, China and several other countries.

What was the response? Victims, according to state law, must be notified. The college's CTO, David Hotchkiss, shut down the computer lab where the virus was originally detected and notified officials. An investigation is ongoing.

Source: www.sfgate.com, San Francisco Chronicle, "Viruses stole City College of S.F. data for years," Jan. 13, 2012

 

Loma Linda hospital worker fired for taking home private records

January 04, 2012

The private medical records belonging to some 1,300 patients and/or their guarantors at Loma Linda University Medical Center in California were compromised when a former hospital employee violated policy and brought the data home.

How many victims? 1,336.

What type of personal information? Birth dates, addresses, medical record numbers, driver's license numbers and, in some cases, Social Security numbers.

What happened? It is unclear how the worker accessed the data or whether it was used for fraud (or intended to be), but the records have since been secured.

What was the response? The worker was fired, and the hospital is investigating. Victims will receive one year of credit monitoring services.

Source: www.pe.com, The Press-Enterprise, "Loma Linda: Security breach affects 1,300-plus patients," Dec. 28, 2011.

 

Hackers steal 200,000 card numbers from wholesaler

December 19, 2011

Hackers breached the systems of New York-based food services wholesaler Restaurant Depot, and stole hundreds of thousands of credit and debit card numbers.

How many victims? More than 200,000, according to reports. 

What type of personal information? Names, credit and debit card numbers, expiration dates and verification codes.

What happened? The thieves inserted malware into the company's credit and debit card processing systems, according to a Finextra report. The malware collected card information as it was processed and then sent it to a remote server in Russia.

Details: The breach affected those who shopped at Restaurant Depot wholesale outlets from Sept. 21 to Nov. 18. Some customers have been the victims of credit card fraud as a result of the breach.

What was the response? The company hired a computer forensic firm to investigate the incident and has taken unspecified steps to better protect card data. Restaurant Depot is offering affected individuals free credit monitoring and said it would reimburse victims for any breach-related costs they “reasonably incur.”

Source: Restaurant Depot letter to customers, Nov. 25, 2011.
 

Hackers steal credit card numbers from cash registers at UC Riverside

November 29, 2011

Hackers compromised cash registers at campus dining locations at the University of California, Riverside to hijack credit and debit card numbers.

How many victims? 5,000.

What types of personal information? Cardholder names, card numbers, expiration dates and encrypted versions of debit card PINs.

What happened? It is not clear how the hackers were able to compromise the registers.

What was the response? People who used their credit or debit cards at UC Riverside Dining Services locations from this past summer through Nov. 16 are being advised to monitor their credit card activity and report any fraud. The college has set up an information hot line.

Quote: "We are doing everything we can think of to notify people," Vice Chancellor Gretchen Bolar said.

Source: UCR Newsroom press release, "UC Riverside experiences a credit/debit card security breach," Nov. 29, 2011.