Data Breaches

Data breach archive (2012-2017)

2018 Data Breaches

November 2018

Date Public Notified Date of Breach Company Data Stolen

November 30, 2018

Since 2014

Marriott International

Name, date of birth, address, phone number, email address, passport number, Starwood Preferred Guest account information, gender, arrival and departure information, reservation date, payment card numbers and payment card expiration dates.

Who's Affected Details

Approximately 500 million affected individuals including an unknown number of Wisconsin residents.

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.

On November 30, 2018, Marriott started notifying affected individuals by email. Marriott is providing affected individuals one year of WebWatcher monitoring.

Marriott has set up a dedicated website to answer questions at https://Info.starwoodhotels.com and they can be reached at their call center at 877-273-9481.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

November 7, 2018

October 16, 2018

Healthcare.gov

Name, date of birth, address, sex, last four digits of the Social Security number, expected income, tax filing status, immigration document types and numbers, employer, insurance plan, premium, and dates of coverage.

Who's Affected Details

75,000 affected individuals including an unknown number of Wisconsin residents.

On October 16, 2018, Healthcare.gov found that a number of agent and broker accounts engaged in excessive searching for consumers, and through those searches, had access to the personal information of people who are listed on Marketplace applications. Healthcare.gov immediately shut off these accounts, and shut off the entire agent and broker function while changes were made to improve security.

Healthcare.gov is continuing to investigate this breach and putting additional security measures in place.

Healthcare.gov is offering 12 months of identity theft protection services through ID Experts® who can be contacted by calling toll-free (877) 916-8382 / International (616) 425-8364 / TTY (866) 405-2133 or going to https://secure.myidcare.com/enrollment/1?RTN=90000216. Agents are available Monday through Saturday from 9:00am – 9:00pm Eastern Time. The deadline to enroll is February 7, 2019.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

November 2, 2018

May 23, 2018

Five Guys Holdings, Inc.

Name, date of birth, Social Security number, address, hire date, termination date, and 401K contribution information.

Who's Affected Details

Approximately 19,000 affected individuals including approximately 600 Wisconsin residents.

On August 6, 2018, Five Guys learned they were a victim of a phishing email incident that resulted in unauthorized access to an employee’s email account. Five Guys immediately secured the email account and conducted an internal investigation, which determined the email inbox contained personally identifiable employee information.

Five Guys is offering a one year membership for Experian’s® IdentityWorks to affected individuals.

Five Guys can be contacted with questions at 1-888-842-3153, Monday through Friday between 9:00am and 9:00pm Eastern Time.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


October 2018

Date Public Notified Date of Breach Company Data Stolen

October 8, 2018

April 2018

Roadrunner Transportation Systems

Name, address, date of birth, and financial account number.

Who's Affected Details

Unknown number of affected individuals including an unknown number of Wisconsin residents.

On July 2, 2018, Roadrunner Transportation Systems became aware they were the target of a phishing attack and that several employees clicked on phishing emails. Roadrunner Transportation Systems conducted an investigation and determined there was unauthorized access to several employee email accounts in April 2018.

Roadrunner Transportation Systems notified all affected individuals by letter on October 8, 2018 and are offering 12 months of credit monitoring services through Kroll.

Roadrunner Transportation Systems can be contacted at 1-833-228-5713 Monday through Friday 9:00am to 6:00pm (EST).

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


August 2018

Date Public Notified Date of Breach Company Data Stolen

August 23, 2018

August 20, 2018

T-Mobile USA Inc.

Name, phone number, email address, account number, account type, and billing zip code.

Who's Affected Details

Unknown number of affected individuals including an unknown number of Wisconsin residents.

On August 20, 2018, T-Mobile USA Inc. discovered and shut down what it describes as unauthorized access to certain information. In an online statement, T-Mobile USA Inc. confirmed that Social Security numbers, financial data, and passwords were not involved in this breach.

T-Mobile USA Inc. customers can contact Customer Care by dialing 611 from your mobile phone. T-Mobile USA Inc. has posted an online disclosure at: https://www.t-mobile.com/customers/6305378821.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

August 10, 2018

January 1, 2013 through March 28, 2018

Adams County, WI

Name, Social Security number, Driver’s license number, date of birth, address, telephone number, email address, medical and health plan numbers, license plate numbers, fingerprints, full-face photos and more.

Who's Affected Details

258,120 affected individuals, an unknown number of these individuals are Wisconsin residents.

On March 28, 2018, Adams County became aware of questionable activity on the Adams County computer system and network. An investigation confirmed a data breach had occurred from January 1, 2013 through March 28, 2018.

On June 29, 2018, Adams County received a forensic report that there is evidence of unauthorized access and/or unauthorized acquisition of Personally Identifiable Information, Personal Health Information and/or Tax Intercept Information that was on the Adams County computer network and system during the time of this data breach.

You may contact Adams County with questions and concerns:

  1. by calling County Administrator Casey Bradley at (833) 236-0173 between the hours of 8:00 a.m. and 4:30 p.m.,

  2. sending an e-mail message to databreach@co.adams.wi.us, or

  3. addressing a letter to Adams County PO Box 102, Friendship WI 53934.

A notification letter can be viewed at the Adams County website http://www.co.adams.wi.us/data_breach/index.php.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


July 2018

Date Public Notified Date of Breach Company Data Stolen

July 30, 2018

March 14, 2018 through April 3, 2018

UnityPoint Health

Name, address, date of birth, Social Security number, driver’s license number, payment card, and bank account numbers, medical record numbers, insurance, medical, treatment, and surgical information, diagnoses, lab results, medications, providers, and dates of service.

Who's Affected Details

Approximately 1.4 million individuals affected, an unknown number of these individuals are Wisconsin residents.

On May 31, 2018, UnityPoint Health discovered a second phishing email attack this year that compromised its business email system. This attack may have resulted in unauthorized access to protected health information and other personal information for some patients. Upon learning of this attack, UnityPoint Health informed law enforcement agencies and launched an investigation to determine the size and scope of the attack, as well as the number of people potentially impacted.

On July 30, 2018, UnityPoint Health notified all impacted individuals by letter of the incident to their last known address.

UnityPoint Health will offer credit-monitoring services for one year to individuals whose Social Security number and/or driver’s license number were included in the compromised email accounts. UnityPoint Health has established a dedicated and confidential toll-free response line at (888) 266-9285 to answer additional questions.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

July 13, 2018

April 20, 2018 through May 22, 2018

ComplyRight, Inc.

Name, address, telephone number, email address, and Social Security number.

Who's Affected Details

662,000 including 12,155 Wisconsin residents.

On May 22, 2018, ComplyRight, Inc. became aware of a potential issue with their website. Upon learning of this issue, ComplyRight, Inc. disabled the platform and remediated the issue on the website. ComplyRight, Inc. initiated an investigation and concluded that there was unauthorized access to their website, which occurred between April 20, 2018 and May 22, 2018. The forensic investigation determined that personally identifiable information was accessed and/or viewed on the website.

On July 13, 2018, ComplyRight, Inc. notified affected individuals by mail and is providing credit monitoring services for 12 months through TransUnion.

ComplyRight, Inc. has set up a dedicated response line at 1-844-299-7772 that is staffed Monday through Friday 9:00am to 9:00pm (EST)

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

July 3, 2018

April 26, 2018

Macy's Inc.

First and last names; full addresses; phone numbers; email addresses; birthdays (not including year); and debit and credit card numbers with expiration dates.

Who's Affected Details

Unknown – it is undetermined at this time the number of individuals affected by this breach.

On June 11, 2018, Macy’s became aware of suspicious login activities related to Macys.com customer profiles. Macy’s believes that an unauthorized third party, from April 26, 2018, through June 12, 2018, used valid customer usernames and passwords to login into customer profiles. Macy’s believes the third party obtained these usernames and passwords from a source other than Macy’s. On June 12, 2018, Macy’s blocked profiles with suspicious logins and purged all payment card data.

On July 3, 2018, Macys notified affected customers by mail of this incident and is providing credit monitoring services to affected individuals for 12 months through www.allclearid.com.

Macy’s Support Agents can be contacted at 1-855-861-4018 to answer questions.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


June 2018

Date Public Notified Date of Breach Company Data Stolen

June 22, 2018

January 14, 2018

Manitowoc County, WI

First name, last name, Social Security number, address, date of birth, phone number, email address, health insurance information, diagnoses, prescription information, and client identification number.

Who's Affected Details

Approximately 450 Wisconsin residents.

On April 24, 2018, Manitowoc County became aware of unauthorized access to their email system. Manitowoc County suspects that a phishing attack on January 14, 2018, allowed an unauthorized third party access to county emails. Some of these emails contained personal protected health information related to treatment services.

Upon becoming aware of the incident, Manitowoc County immediately blocked access to the third party and initiated an investigation to determine what information had been disclosed.

Manitowoc County sent individual notices to all affected individuals that had updated contact information on file. An additional notice was posted to their website at http://www.co.manitowoc.wi.us/media/6336/notice-of-data-breach.pdf. Manitowoc County provided credit-monitoring services for one year to individuals whose Social Security number was included in the compromised emails.

For further information and assistance, please contact the Manitowoc County Corporation Counsel, Peter Conrad, at (888) 811-5636 between 9:00 a.m. - 4:00 p.m. CT

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

June 20, 2018

First week of May 2018

Educational Employees' Supplementary Retirement System of Fairfax County

Names, addresses, and Social Security numbers.

Who's Affected Details

3,332 affected individuals including 9 Wisconsin residents.

On May 7, 2018, the Educational Employees’ Supplementary Retirement system (ERFC) became aware of a data security incident that occurred in connection with the mailing of ERFC’s Spring 2018 Newsletters to certain retirees. The retiree’s Social Security numbers were included in the mailing label above the name and address.

Upon learning of the security incident, ERFC confirmed that the printing company, Master Print., destroyed all documents containing Social Security numbers. ERFC notified affected individuals by mail and has provided credit-monitoring services for one year through Experian IdentityWorks.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

June 7, 2018

April 8, 2018

RISE Wisconsin Inc.

Name, address, date of birth, Social Security number, and for some, limited health information.

Who's Affected Details

3,731 affected individuals, according to RISE Wisconsin the majority of these individuals are Wisconsin residents.

On April 8, 2018, RISE Wisconsin discovered that they had been the target of a ransomware attack. RISE Wisconsin immediately took action and took their systems offline. RISE Wisconsin engaged independent computer forensics experts to determine how the incident occurred and if an unauthorized intruder had accessed information. Although the investigation did not identify any evidence of access to anyone’s information, RISE Wisconsin could not rule out that personally identifiable information may have been compromised.

RISE Wisconsin has notified law enforcement and is cooperating with their investigation.

On June 7, 2018, RISE Wisconsin mailed letters to individuals potentially impacted by this event. RISE Wisconsin is offering identity protection services through Kroll to potentially impacted individuals at no cost.

RISE Wisconsin has established a toll-free call center to answer questions about the incident and related concerns. The call center is available Monday through Friday from 8:00 AM to 5:00 PM, Central Time at 1-800-733-9212.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


May 2018

April 2018

Date Public Notified Date of Breach Company Data Stolen

April 2018

March 23, 2018

Access Group Education Lending

Names, driver's license numbers, and Social Security numbers.

Who's Affected Details

Approximately 16,500 borrowers (unknown if any Wisconsin residents are affected).

On March 28, 2018, Access Group Education Lending became aware of a data breach that occurred on March 23, 2018 when one of its vendors sent out files containing personally identifiable information to another business. Access Group Education Lending is assured that the vendor who received the files deleted them and did not retain copies.

Access Group Education Lending notified those individuals affected by letter, and is offering free credit monitoring services for one year.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

April 16, 2018

November 1, 2017 through February 7, 2018

UnityPoint Health

Social Security Numbers, dates of birth, medical record numbers, treatment & surgical information, insurance, and other financial information.

Who's Affected Details

Approximately 16,000 individuals affected, an unknown number of these individuals are Wisconsin residents.

On February 15, 2018, UnityPoint Health discovered their email system was the victim of a phishing attack that compromised some employee email accounts.

Upon learning of the incident, UnityPoint Health promptly took action to secure the impacted email accounts, changed passwords, and engaged external cybersecurity professionals to analyze what information might have been contained in the impacted accounts.

On April 16, 2018, UnityPoint Health notified all impacted individuals by letter of the incident.

UnityPoint Health has established a dedicated and confidential toll-free response line at 855-331-3612 to answer additional questions.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

April 5, 2018

September 27 - October 12, 2017

Best Buy Co., Inc.

Payment card information.

Who's Affected Details

An unknown number of Best Buy customers, whether or not they used the computer chat support.

Best Buy announced that in late March a third-party vendor had notified them of an intrusion that occurred in the vendor’s system. The third-party vendor, [24]7.ai Inc, provides phone and computer chat support for Best Buy.

Malicious code was inserted into the third-party vendor’s system on September 26, 2017. The third-party vendor discovered and contained the code on October 17, 2017. The code may have allowed unauthorized users to gain access to payment information of consumers who shopped online during that time, regardless of whether or not the consumers used the computer chat support.

Best Buy is collaborating with their third-party vendor and have notified law enforcement. They are working to identify and notify affected consumers. Free credit monitoring services will be available to the impacted individuals.

Best Buy recommends consumers review their payment card account statements closely, and contact their card issuer if they notice any fraudulent charges. Consumers who have further questions can contact at 247incident@bestbuy.com.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

April 4, 2018

September 26, 2017 - October 12, 2017

Delta Airlines and [24]7.ai

Name, address, payment card number, CVV number, and expiration date.

Who's Affected Details

Unknown number of affected individuals.

On March 28, Delta was notified by [24]7.ai, a company that provides online chat services for Delta and many other companies, that [24]7.ai had been involved in a cyber-incident. The incident occurred at [24]7.ai from Sept. 26 to Oct. 12, 2017. During this time certain customer payment information for [24]7.ai clients, including Delta, may have been accessed.

Upon being notified of [24]7.ai’s incident, Delta immediately began working with [24]7.ai to understand the impact of the incident and has since confirmed that the incident was resolved by [24]7.ai last October.

Delta has established the following website to address customer questions and concerns: www.delta.com/response

Delta has partnered with AllClear ID to offer a suite of credit monitoring services to those who may be impacted, for two years, starting on April 7, 2018. Delta customers who believe they made a purchase on the delta.com desktop platform between Sept. 26 and Oct. 12, 2017 should visit delta.allclearid.com to enroll in the free protection services being offered.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

April 4, 2018

September 27 - October 12, 2017

Sears Holding Corp.

Payment card information.

Who's Affected Details

Less than 100,000 customers who completed an online order on Sears.com or Kmart.com.

Sears Holdings Corp announced that in late March a third-party vendor had notified them of an intrusion that occurred in the vendor’s system. The third-party vendor, [24]7.ai Inc, provides phone and computer chat support for Sears and Kmart.

Malicious code was inserted into the third-party vendor’s system on September 26, 2017. The third-party vendor discovered and contained the code on October 17, 2017. The code may have allowed unauthorized users to gain access to payment information of consumers who shopped online during that time, regardless of whether or not the consumers used the computer chat support.

Sears sent emails to affected consumers on April 6, 2017, and will follow up with a notification through the mail. Free credit monitoring services will be available to the impacted individuals.

Consumers who have further questions can find information at Searsholdings.com/update, or by calling toll-free at 888-488-5978.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

April 3, 2018

February 5, 2018

The Management Group working as a consultant for the Wisconsin Department of Health Services IRIS (Include, Respect, I Self-Direct) Program

Laptop which may have contained names, addresses, dates of birth, Medicaid numbers, financial information, and Social Security numbers.

Who's Affected Details

779 IRIS Program participants.

On February 5, 2018, a laptop with a workbag was stolen from a consultant for The Management Group. The Management Group is a business associate of the Wisconsin Department of Health Services and serves as a consultant agency for the IRIS Program. The laptop may have contained personal information for IRIS Program participants. While the laptop was encrypted to protect the information, the password to the laptop was in the stolen workbag.

Affected participants will be provided one year of complimentary identity theft protection services.

Participants who have additional questions can call (844) 864-8987 from 8 AM to 5 PM, Monday through Friday, or email ComplianceGuide@tmgwisconsin.com.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


Date Public Notified Date of Breach Company Data Stolen

April 1, 2018

Unknown

Hudson's Bay Company dba Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor

Payment card data

Who's Affected Details

Consumers who used credit or debit cards to make purchases at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. There are no indications that it affected their e-commerce platform.

Hudson’s Bay Company says that payment card data may have been affected by a security incident.

Authorities and payment processors were notified about the incident. They are working with a data security investigators to obtain the information to accurately notify their customers of what information was affected. They will offer those customers impacted free identity theft protection services.

Hudson’s Bay Company is establishing a dedicated call center that will start on April 4, 2018. The call center’s phone number will be (855) 270-9187, and it will be staffed from 8 AM to 8 PM Central time, Monday-Saturday.

Individuals should review their statements and notify their financial institutions if they see unauthorized charges.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


March 2018

Date Public Notified Date of Breach Company Data Stolen

March 29, 2018

Late February 2018

UnderArmour dba MyFitnessPal

Usernames, email addresses, and hashed passwords

Who's Affected Details

Approximately 150 million user accounts.

On Thursday, March 25, 2018, Under Armour Inc dba MyFitnessPal discovered an unauthorized user acquired data associated with user accounts including user names, email addresses, and hashed passwords.

Under Armour Inc is conducting an ongoing investigation to determine the extent of the issue. They are working with a data security firm, and cooperating with law enforcement. Under Armour Inc is emailing affected users information on how to protect their data, and requiring affected users to change their passwords.

Consumers can visit https://content.myfitnesspal.com/security-information/notice.html for the most up to date information.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


February 2018

Date Public Notified Date of Breach Company Data Stolen

February 22, 2018

February 1, 2018

UW-Superior Alumni Association

Name, home address and Social Security number.

Who's Affected Details

1,758 Wisconsin residents who were members of the UW-Superior Alumni Association.

On Thursday, February 1, 2018, the UW-Superior Alumni Association sent out a Mississippi River Cruise brochure to its members. On February 5, 2018, the UW-Superior Alumni Association discovered that the ID number for our alumni who graduated during a certain time might have been the same as the student ID number (social security number) used while in attendance at UW-Superior. The personal information that may have been viewable on the brochure included first and last names, home addresses and social security numbers.

After learning of this situation, UW-Superior Alumni Association began cleaning the alumni and friend database and replacing "old" ID numbers, and worked with their travel vendor to delete all mailing data used for the brochure. UW-Superior Alumni Association is also providing one year of complimentary identify theft protection and credit monitoring services.

Any additional questions regarding the breach can be directed to UW-Superior Alumni Association at 715-394-8452.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.


January 2018

Date Public Notified Date of Breach Company Data Stolen

January 31, 2018

Between October 3rd and December 22nd, 2017

Travelocity

Payment card number and CVV.

Who's Affected Details

Three Wisconsin residents who used the travel rewards redemption program were affected by the breach.

On Friday January 5th, 2018 RBC-a travel rewards redemption platform operated by Travelocity, observed increased fraudulent payment activity on RBC-issued cards that were processed on the platform. The unauthorized access of the platform resulted in the exposure of payment card information and CVV numbers.

Upon learning of the incident, Travelocity took immediate steps to investigate with the assistance of a leading cybersecurity firm, contacted law enforcement and payment card processors and enhanced the security of the affected platform.

Travelocity has established a hotline at 1-800-204-4048 to address additional questions or concerns about the incident.

If you feel you are a victim of identity theft as a result of this breach, contact the Bureau of Consumer Protection at (800) 422-7128 or email us at DATCPWisconsinPrivacy@Wisconsin.gov.