What's the oldest data-loss incident on record involving Social Security numbers?

How about health-care industry records?

Well, there's no way to know for certain, but the Open Security Foundation's DataLossDB has just concluded a six-week contest that invited amateur sleuths to submit the oldest such loss incidents they could find. The results were announced this morning on the organization's blog.

Contest rules required that the incidents involve personally identifiable information, so there was particular interest in long-ago losses of Social Security numbers. Contest winner, Corey Chandler -- who provided answers to both of the questions above -- dug back into a New York Times article from 1953 (fee required) to learn of an episode that was apparently an inside job:

Officials of Local 338, International Longshoremen's Association, A.F.L., one of seven locals being investigated by Kings County District Attorney Miles F. McDonald's rackets bureau, reported to police yesterday that books and records had been stolen from their office. ... Two day books, containing receipts of dues from the 700 members of the local; a ledger listing the membership and the payment of dues by name; a dues book showing daily collection, and 700 index cards bearing the names, addresses and Social Security numbers of the members.

The good news is that the authorities apparently believed the "alleged burglary" to be more likely a case of evidence tampering than a prelude to identity theft.

As for the oldest incident found involving medical records, that one occurred a few months prior to Orville Wright's famous flight. From the Aug. 21, 1903 edition of the Los Angeles Times:

"The missing records for the Southern California Hospital for the Insane, alleged to have been purloined by ex-Steward C.N. Whitaker and ex-Druggist Fred W. Howard, have not yet been recovered. ... Yesterday was an anxious period for the ex-employees who have been making charges based on the missing books and papers, the fact of the Attorney General's office was taking a hand was being interpreted to mean all kinds of litigation, and perhaps a Grand Jury indictment."

Another inside job.

Among the more common submissions was the 1938 episode involving the wallet maker E.H. Ferree Company in Lockport, N.Y., whose vice president decided it would be a swell idea to demonstrate how Social Security cards fit inside its product by providing a sample document that featured the real SSN of Hilda Schrader Whitcher, his secretary.

From the Social Security Administration's Web site:

The wallet was sold by Woolworth stores and other department stores all over the country. Even though the card was only half the size of a real card, was printed all in red, and had the word "specimen" written across the face, many purchasers of the wallet adopted the SSN as their own. In the peak year of 1943, 5,755 people were using Hilda's number. SSA acted to eliminate the problem by voiding the number and publicizing that it was incorrect to use it. (Mrs. Whitcher was given a new number.) However, the number continued to be used for many years. In all, over 40,000 people reported this as their SSN. As late as 1977, 12 people were found to still be using the SSN "issued by Woolworth."

While impressive, contest rules held that to be eligible an incident needed to have victimized at least 10 people.

The second place entry involved hackers gaining access to a "Digital VAX 11/780 computer, which monitors the radiation treatment for 250 patients" at the Memorial Sloan-Kettering Cancer Center in New York. Interesting to see the perpetrators described as "pranksters" by Time magazine's headline writers.

Third place was from 1984 and involved hackers accessing 90 million TRW credit histories, a haul that has earned this incident a spot on the DataLossDB's all-time Top 10 list.

And, of course, there were the wise-guy submissions, such as: "Eve was socially engineered by a serpent resulting in total loss of records and denial of service attack against the tree of knowledge; the computer involved was an apple."

Sifting through the entries did give contest organizers an appreciation for how public awareness about data privacy has evolved over the years, says Kelly Todd, secretary/CCO of the Open Security Foundation.

"The biggest thing I noticed was that events that may have been headline news today generally weren't reported with as much detail and were usually given just a quick mention in a newspaper, magazine, or mail list," Todd says. "One particular event in which a stolen computer contained 314,000 credit card records only warranted a short story in a couple of local newspapers, and online searches gave us virtually no other information. Today, such an event would be national news."