News

Security Breach Leaves 45,000 at Risk of Identity Theft

June 23, 2009 - 11:00pm
By Sun Staff

On Tuesday Cornell informed more than 45,000 current and former members of the University community that their sensitive personal information — including name and social security number — had been exposed when a University-owned laptop was stolen earlier this month.

The breach exposes many Cornellians to the possibility of identity theft, and the University said it will provide protective services to those affected, including free credit reporting, credit monitoring and identity theft restoration services.

A University employee, described as “a member of the Cornell technical staff,” had access to a computer containing the sensitive data for the purposes of correcting file-processing transmission errors, according to the University.

The files on the computer containing the names and social security numbers were not encrypted, and the laptop was left in a physically unsecured environment, which violates University policy, according to Simeon Moss '73, director of Cornell University Press Relations.

Moss said that the data on the laptop contained “no other sensitive data elements” besides names and social security numbers and the University is “confident” that it has identified everyone whose data was on the computer.

The stolen computer stored the social security numbers of 22,546 students (10,597 of whom are alumni) and 22,731 faculty and staff members (of whom 4,284 are retirees or other separated employees), according to Moss.

New York State Police have launched an investigation to find the thief and locate the computer.

State Police Investigator Aaron Lewis told The Sun on Wednesday that there is a chance that the person who stole the laptop does not know that it contains such sensitive information.

“There is no indication that this is a sophisticated type of operation to steal people’s identities,” Lewis said. “It appears to be more of a crime of opportunity.”

Lewis said that investigators have interviewed people involved in the incident as well as the Cornell employee who had custody of the computer. Thus far, however, there are no further leads and the case remains open, he said.

The employee who had the computer is not a suspect in the investigation, Lewis added.

Cornell officials have only said that the employee violated University policy by leaving the laptop in a physically unsecured location, and characterized the person’s actions as “unintentional.” They have declined to comment on whether the person was still employed or has been the subject of any disciplinary action.

Lewis also cautioned that since the breach has been widely reported in the media, there is now a greater chance that someone will realize that the laptop contains the sensitive data.

“It’s obviously a Cornell computer and has a Cornell sticker,” Lewis said.

Laptop thefts on college campuses like Cornell occur somewhat frequently, he said, and most never get recovered.

Both Lewis and University officials declined to comment on when and from where the laptop was stolen.

“Cornell informed us within a few days that [the laptop] possibly has sensitive information on it,” Lewis said.

“It did take the university some time to make sure that they knew all the information that was on the computer,” Moss said.

Moss said that while Cornell Police would assist other law enforcement agencies, they are not involved in the investigation. The Ithaca Police Department said it was not involved in the case.

While officials said there has been no indication that the exposed data has been abused, the incident shines light on the broader issue of security and the vulnerability of private information in the digital age.

Last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen. In 2005, the University alerted over 900 individuals that their personal information was stored on a computer that had been inappropriately accessed.

Lewis said that those affected by the recent data breach should follow Cornell’s protocol. There is no need to call local or state authorities unless one’s information is stolen and used in an unauthorized way, he added.

Cornell said it will provide credit monitoring and identity theft restoration services through Kroll, Inc. at no charge to affected individuals. The University said it will provide those individuals with more information about how to access the services in a letter sent via U.S. mail.

Moss said on Wednesday that the cost to the University of providing these services was not available and likely unknown at this point.

“Given the importance that Cornell places on data security, this is truly an unfortunate situation,” Vice President for University Communications Tommy Bruce said in a statement on Wednesday. “We apologize to all those who have been affected, and we are dedicated to resolving this matter fully.”

Continue to check cornellsun.com for updates on this story.

More information:

University press statement & e-mail sent to affected members of the Cornell community

University’s “FAQ” page about the incident


Cornell

Cornell should be ashamed of itself. If they can't responsibly handle confidential information...and they have shown repeatedly that they cannot, then they have no right to ask for it in the first place.

The damage done here is very long lasting as SS #s never change.

Cornell requires a total housecleaning, should be made to provide LIFETIME credit monitoring and remediation services and should reimburse every affected individual for their trouble.

Cornell Parent

How many times does this

How many times does this have to happen before we finally wake up?

I have a very hard time believing that the user data *had* to be stored locally (on the laptop) to be used. Sensitive information should _never_ be stored locally, not when VPNs are cheap, secure, and easy. Leave the data in the data center where it isn't subject to absent minded people leaving it by the wayside, where it is physically secured via access rights, where it is watched constantly.

Need your data? Then VPN in to the server via strong authentication and manipulate the data server side. Sheesh - this is easy!!!

The actions were "unintentional?" Well, I'm sure that will make everyone sleep better. "Oh, they didn't mean to do it? Well then, that's OK - easy come easy go"

Are you kidding me?

Am I the only reader that is flabbergasted how simple this would have been to avoid in the first place?

Computer Theft

The most obvious electronic protection is that critical personal information of this type should ONLY be kept in encrypted form, especially on a laptop. It is possible that the laptop was not even physically secured by a cable lock, which is the minimum physical security precaution for a machine containing this type of information. I agree that lifetime credit protection/lock out is the minimum remedy for this type of sloppy behavior, but what about the hours lost and anxiety? People who have their SS number stolen indeed face a lifetime of threats as it is impossible to change this.

So? This happened at

So? This happened at Northwestern, too. Twice.

Let's face it. We need to switch to fingerprinting or retina scans. Social security numbers are too insecure. We're all vulnerable to identity theft now. It's just a matter of luck whether or not you get targeted.

Possible Identity Theft

The University officials should pray for a future absence of the class action lawsuit on behalf of the students and faculty affected by the dumb actions of a Cornell employee.

Should have called LifeLock

Cornell should have gone with LifeLock instead of Kroll... Significantly better service and protection.

Growing incompetence of programmers.

As a programmer for over 40 years, I am appalled at the growing stupidity of those coming along. The deterioration started in 1992. The ability to write technical documentation has declined. The ability to construct artificial test environments has been totally lost since then. It was much crippled before then even.

There was no need to have real data or that much data for test cases. A very large quantity of private companies and government agencies only give lip service to security. They don't encrypt their data or their programs or their data descriptions or separate their programs to access their data from their data. Utter stupidity.

Why is the CAPTCHA case sensitive when many letters have the same form in both cases?

This couldn't have happened when I was a Cornell student

Ok, mostly it wouldn't have happened because all of the University's administrative computing happened on a mainframe located up near the airport, and it was too big to carry away by accident :-)

But more importantly, Cornell didn't use SSNs to track student identification - they used Student ID numbers for everything, and the SSNs only got used for the payroll (if you were an employee, which many grad students were) and similar tax functions, and maybe for health insurance, though that wasn't universally SSN-driven at the time. The school really should have its information systems designed to keep data that has to be private separate from data that's widely accessible, so it can adequately protect the information of students, faculty, employees, people applying to be students, etc.

Stolen computer

At least there are a few Cornell alums whose personal information probably won't get used by an unauthorized person.

Imagine some five-foot six pudgy guy walking into a Best Buy with a MasterCard with Ken Dryden's name on it...... :^D

Easy arrest...........

it's this simple

I know that if my identity ends up being stolen, Cornell will be sued for all losses due to their negligence. Didn't they ever hear of random sampling? They couldn't fix the problem with like 100 people's info or fabricated info? They needed FORTY FIVE THOUSAND DATA POINTS???

I am not even a Cornell

I am not even a Cornell student! I was accepted to Cornell last year and today I received a letter in mail informing me that I am a victim of this security breach. I am really disappointed that Cornell, as a premier university in the world, would allow such negligent acts to occur. This security breach was totally avoidable since our personal information should have never been stored on a laptop computer without encryption and that laptop should not be present at such an unsecured environment. I have lost my faith in Cornell and I will unlikely apply to Cornell for my graduate education.

id theft

Cornell should be ashamed of themselves. Using real data for a test??? Are you insane???? There is no excuse for this stupidity. The head of IT security should be FIRED NOW. This is a major problem for a young person to have this early in life AND to have been the fault of a major Ivy League University. Heads need to roll. There should be LIFETIME credit monitoring because this will not go away. You can not change your SS #.

Do the numbers...

45,000 names sold by one laptop thief to a network of say 10 identity thieves who sell the numbers to ten more. The SSN are good for a lifetime and can be resold many times over by everyone involved long after Kroll's minimal 1 year protection expires. If in year 2, each of the initial 100 thieves bilks the numbers for $1000, we're at $4.5 billion in losses. This doesn't include the out of pocket expenses or the massive time lost by the victims in trying to restore identities.

This is a negligent loss of personal information. Cornell's response is purely in the interests of Cornell's risk and liability and is not in the interest of the victims. The story that an IT technician had all this information unsecured doesn't make sense. How about some transparency, Cornell!