November 1, 2012

Breach on Cornell Computer Exposes Personal Data for Five Days

Print More

Clarification appended

The personal information of up to 2,000 people was exposed to the public for five days on a computer in Cornell’s athletics department, a University administrator confirmed Thursday.

Donald Sevey, director of information systems, said that the University discovered that a file server containing “confidential data” about thousands of people was accessible by the public for a period of time. He said that he does not know if anyone maliciously used the data while it was exposed.

“We don’t know if the data was breached. We just know that there was an incident where a file server was opened to the public, and when … we actually looked at it and saw what kind of data was on the server, we found that there was confidential data,” Sevey said.

Sevey could not say who, if anyone, had been affected by the incident, but said that the University examined the data and notified all individuals whose information had been exposed.

“I don’t know the status of the records. I just know that we went through and identified people by name and social security number and notified [them],” he said. “We don’t know if there were students, staff.”

Sevey said that, in addition to contacting all the individuals who may have been affected, the University is treating the incident “very seriously.”

Matt Varble ’00 was first shocked, then angered, when he received the letter from Cornell notifying him of the security breach.

The letter, dated Oct. 18, said: “Regrettably, we determined that from September 5, 2012 to September 10, 2012 some personal information was accessible via the web, from a computer used in the Athletics department. Our examination of the computer revealed that your name and Social Security number may have been put at risk.”

The letter said that the University has “taken steps consistent with industry best practices to secure this data against unauthorized access.”

It went on to offer Varble free access to “IDTheftSmart Service,” an online credit-monitoring service from risk-consulting company Kroll Advisory Solutions.

Varble said he was confused as to why a computer in the University’s athletics department contained his personal information — 12 years after he graduated from Cornell.

“What does the athletics department have to do with this? I was not an athlete and there was information on their computers,” he said.

Varble’s anger over the breach was heightened by the fact that, three days before he received the letter from Cornell, his bank account in Wells Fargo was locked because someone had tried to access it multiple times.

“Obviously, I’m not happy, because I connected the two events,” he said, admitting he had no proof that the two were connected. “Because I got contacted electronically by Wells Fargo saying my account was locked out … it made me concerned that it was related.”

Sevey said that the University has responded with due diligence to the incident.

Varble, however, remained incensed.

“As an [alumnus], it makes me really disappointed with the University. I’m not happy,” he said.

Clarification: A previous version of this headline stated that a breach in “Cornell Information Technology” caused the personal information of up to 2,000 people to be exposed. While it is true that information technology at Cornell was responsible for the breach, “Cornell Information Technology” is also the name of a department at the University that did not oversee the computer from which the information was leaked. The headline has been revised to clarify that Cornell’s CIT department was not responsible for the breach.

Original Author: Akane Otani