June 24, 2009

Security Breach Leaves 45,000 at Risk of Identity Theft


On Tuesday Cornell informed more than 45,000 current and former members of the University community that their sensitive personal information — including name and social security number — had been exposed when a University-owned laptop was stolen earlier this month.

The breach exposes many Cornellians to the possibility of identity theft, and the University said it will provide protective services to those affected, including free credit reporting, credit monitoring and identity theft restoration services.

A University employee, described as “a member of the Cornell technical staff,” had access to a computer containing the sensitive data for the purposes of correcting file-processing transmission errors, according to the University.

The files on the computer containing the names and social security numbers were not encrypted and the laptop was left in a physically unsecure environment, which violates University policy, according to Simeon Moss ’73, director of Cornell University Press Relations.

Moss said that the data on the laptop contained “no other sensitive data elements” besides names and social security numbers and the University is “confident” that it has identified everyone whose data was on the computer.

The stolen computer stored the social security numbers of 22,546 students (10,597 of whom are alumni) and 22,731 faculty and staff members (of whom 4,284 are retirees or other separated employees), according to Moss.

New York State Police have launched an investigation to find the thief and locate the computer.

State Police Investigator Aaron Lewis told The Sun on Wednesday that there is a chance that the person who stole the laptop does not know that it contains such sensitive information.

“There is no indication that this is a sophisticated type of operation to steal people’s identities,” Lewis said. “It appears to be more of a crime of opportunity.”

Lewis said that investigators have interviewed people involved in the incident as well as the Cornell employee who had custody of the computer. Thus far, however, there are no further leads and the case remains open, he said.

The employee who had the computer is not a suspect in the investigation, Lewis added.

Cornell officials have only said that the employee violated University policy by leaving the laptop in a physically unsecured location, and characterized the person’s actions as “unintentional.” They have declined to comment on whether the person was still employed or has been the subject of any disciplinary action.

Lewis also cautioned that since the breach has been widely reported in the media, there is now a greater chance that someone will realize that the laptop contains the sensitive data.

“It’s obviously a Cornell computer and has a Cornell sticker,” Lewis said.

Laptop thefts on college campuses like Cornell occur somewhat frequently, he said, and most never get recovered.

Both Lewis and University officials declined to comment on when and from where the laptop was stolen.

“Cornell informed us within a few days that [the laptop] possibly has sensitive information on it,” Lewis said.

“It did take the university some time to make sure that they knew all the information that was on the computer,” Moss said.

Moss said that while Cornell Police would assist other law enforcement agencies, they are not involved in the investigation. The Ithaca Police Department said it was not involved in the case.

While officials said there has been no indication that the exposed data has been abused, the incident shines light on the broader issue of security and the vulnerability of private information in the digital age.

Last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen. In 2005, the University alerted over 900 individuals that their personal information was stored on a computer that had been inappropriately accessed.

Lewis said that those affected by the recent data breach should follow Cornell’s protocol. There is no need to call local or state authorities unless one’s information is stolen and used in an unauthorized way, he added.

Cornell said it will provide credit monitoring and identity theft restoration services through Kroll, Inc. at no charge to affected individuals. The University said it will provide those individuals with more information about how to access the services in a letter sent via U.S. mail.

Moss said on Wednesday that the cost to the University of providing these services was not available and likely unknown at this point.

“Given the importance that Cornell places on data security, this is truly an unfortunate situation,” Vice President for University Communications Tommy Bruce said in a statement on Wednesday. “We apologize to all those who have been affected, and we are dedicated to resolving this matter fully.”

Continue to check cornellsun.com for updates on this story.

More information:

University press statement & e-mail sent to affected members of the Cornell community

University’s “FAQ” page about the incident