A non-encrypted hard drive containing the names and Social Security numbers of over 38,000 students, alumni, faculty and staff was reported stolen from the Student Affairs Office on the fifth floor of the Leavey Center on January 3. The University first notified students of the incident this past Monday, at first sending out an e-mail to potentially affected students, faculty and staff, then following with a campus-wide e-mail.
The University was able to reach 27,000 of the 38,000 victims by e-mail. Over the next week, the University will also notify everyone affected by mail, although neither e-mails nor addresses could be found for 28 victims. The mailing will include a website and a code allowing people to register for year-long credit reporting from Experian, paid for by the University. In addition, the University has set up a website and a toll-free hotline to help people protect their information.
The Department of Public Safety, the District of Columbia’s Metropolitan Police Department and the U.S. Secret Service are engaged in an on-going investigation. Vice President for Student Affairs Todd Olson would not comment on the investigation, saying only that, “we’re not eliminating any possibilities.”
At a meeting in ICC Auditorium yesterday, undergraduates, graduates, faculty and staff showed up to ask Olson and Vice President for Information Services and Chief Information Officer H. David Lambert questions about what measures they should take now, who from the University will be held accountable and why there was almost a month-long delay in notification about their stolen information.
“I don’t understand why this [hard drive] wouldn’t be protected better than it was—unencrypted, non-password-protected, open on a desk in an office,” a student who wished to remain anonymous said to Lambert and Olson. A few other students voiced similar sentiments, one girl adding that, had she let this happen at her summer internship, she would have been fired.
To one of these charges Lambert and Olson responded simultaneously, “we take this very seriously.”
Many Social Security numbers and names were on file from when students either accepted or waived the University health insurance.
“My concern was why it took three weeks to tell the student body,” Student Association President Ben Shaw (COL `08), who met with Olson on Monday before students were notified, said.
Olson spoke to this concern at the meeting, saying that as soon as the University discovered that the hard drive had been stolen, University Information Systems ran an extensive analysis to see what the hard drive contained, first trying to determine if indeed the nine-digit codes were Social Security numbers, and once they did, matching up those numbers with names and addresses.
“We worked as fast as we could,” Lambert said. Students were not notified earlier to avoid “initiat[ing] behaviors that would be counter-productive,” according to Lambert.
Olson and Lambert assured those at the meeting that steps have been and will continue to be taken to ensure better security of private information. Right now, Lambert said that the University’s “number one” priority is to ensure that “confidential information is not in a place where it shouldn’t be and is in places where it needs to be.” Lambert would not comment further on whether or not this particular hard drive should or should not have been in the Student Affairs office.
“It is definitely concerning,” Josh Dillon (COL ’09), whose information was stolen, said. “But it’s good that they’re offering free credit monitoring. It’s worrisome since it’s out of our control.”