
Monday, July 18, 2005

DELAWARE COMPUTERS STOLEN FROM UNIVERSITY

www.delawareonline.com The News Journal Student ID data stolen from UD:

"Student ID data stolen from UD
December theft wasn't reported until June audit

By BETH MILLER and SHARON CHO / The News Journal
07/16/2005

University of Delaware officials acknowledged Friday that 343 students' Social Security numbers and class grades were lost in a computer theft at the school last December. But students weren't told about the theft until last month.

The Delaware students' numbers and grades were lost Dec. 3 when three computers were stolen from the university's Communication Department. In a posting on the university's Web site, officials said Elizabeth M. Perse, the department chair, was not aware personal information was on any of the computers until June. She then wrote to students whose information was stolen and pointed them to three government Web sites related to identity theft.

University spokesman John Brennan said no one has reported problems as a result of the theft."

Brennan said the problem came to light during a security audit of the department's computers in June. Auditors from the university's Information Technologies department have been conducting the audits since last fall, he said, and when they started the process at the Communication Department they learned of the theft. They told the chairman to notify the students affected.

Brennan said it was against university policy to store Social Security numbers on the computer.

"Someone made a mistake and put something on there when they shouldn't have," he said.

Andrew Coccia, 21, of Middletown, N.Y., did not find out he was one of the 343 students until Friday. The university sent Coccia a copy of the June 17 letter, but it was sent to his parents' address. When he asked his mother about it Friday, she told him she got the letter.

"This is something to worry about," he said.

Like many, Coccia said he does not know what to do.

"If I come into a problem, I'll definitely expect the university to come up with a solution," he said. "They should have notified us right away. It makes me wonder why they've waited that long."

Brennan said officials believe the computers were taken for their hardware value and not for the data on them because only one of the computers had the personal data, only one person had the passwords, and no one else would have known what data were on them.

The Delaware theft became No. 80 on Linda Foley's list of major security breaches publicly acknowledged this year. "Half of my list are colleges and universities," said Foley, executive director of the Identity Theft Resource Center, a nonprofit agency based in San Diego.

"We send children to college to give them a future. If we're not protecting their information, we've robbed them of a future. Financially, we have endangered them," she said.

Foley said some states -- New York and California, for example -- have ruled that Social Security numbers may not be used as student identification numbers.

Two layers of passwords protected the information, university officials said. But the data were not believed to be encrypted, Brennan said. Encryption scrambles information to make it harder to steal.

Social Security numbers can and have been used many ways by identity thieves, including opening lines of credit, obtaining mortgages, applying for driver's licenses and even getting government benefits.

"It can take months or years to cause damage, because someone might get a mortgage and then not default for several years," said Barbara Gadbois, director of the Consumer Protection Unit in the state Attorney General's Office. "It can often take a long time before it shows up on a credit report."

The damage also can start in the time it takes to make a phone call to apply for a credit card, Foley said.

"It can happen halfway across the world, too -- so add three more minutes," she said. "We're a global society. We see that information stolen in the United States ends up abroad quite frequently."

Once the data are breached, rapid response can help minimize damage. "There's a six-month lag time here -- and that is an opportune window," Foley said. "It's an opportunistic crime and these are prime targets. Students have fairly clean credit histories, they haven't maxed out their ability to use credit yet. They're perfect targets to take advantage of."

A new Florida law, which took effect July 1, imposes fines of up to $500,000 on those who do not give notice of such breaches within 45 days, unless police investigations would be compromised by the notification.

No deadline for notification of a breach is on the books in Delaware, Gadbois said.

"Certainly you'd hope they would act as quickly as possible to notify people so they can be on the lookout on credit-card statements, charges for merchandise they didn't order, and credit reports," she said. "Prompt notification if personal information has been compromised is really vital. ... But it's important that people realize they don't have to panic over this."

UD student Ravi Gupta, 19, of Scarsdale, N.Y., said he got his letter about the breach at the end of June. After reading it, he said, he felt upset and uncomfortable.

"I was pretty upset by the fact that people out there had my info," Gupta said. "Nothing has happened to me yet, but overall, I feel unsafe. They should have notified us sooner."

Contact Beth Miller at 324-2784 or bmiller@delawareonline.com. Contact Sharon Cho at 324-2553 or scho@delawareonline.com.
