WASHINGTON D.C DATA THEFT HITS MANY UNIVERSITIES, STUDY SHOWS The Daily Colonial
By Eva Sylwester, Oregon Daily Emerald (U. Oregon)

(U-WIRE) EUGENE, Ore. -- Since February 2005, the personal data of more than 52 million Americans has been compromised, in many cases through breaches of computer systems at colleges and universities, Privacy Rights Clearinghouse reported this week.

Of 113 data breaches reported, 55 took place at colleges, universities and university-affiliated medical centers. Stolen data included Social Security numbers, account numbers and driver's license numbers, according to the Privacy Rights Clearinghouse Web site.

The University of Oregon was not one of the affected schools, but other institutions in the Pac-10 conference, such as University of California-Berkeley, Stanford University and the University of Washington Medical Center, were.

"We as an institution have not had any kind of system break-ins," University registrar Herbert Chereck said. "We've been very fortunate."

Privacy Rights Clearinghouse director Beth Givens said universities are vulnerable to these problems because they possess lots of data but often have it spread throughout various locations on campus, making it difficult to control who has access to the data.

"They're a classic decentralized environment," she said.

Givens said universities could do a better job of protecting students by encrypting student records, collecting less information about students and limiting use of Social Security numbers in student files. She said universities should especially avoid using Social Security numbers as student identification numbers.

In the past, the University used Social Security numbers as student identification numbers, but beginning in 2003, all new students were assigned randomly generated identification numbers beginning with 950, and the process of getting new identification numbers for all students and staff was completed in winter 2005, according to the University registrar's Web site.

Chereck said this was done as a preventative measure rather than as a response to problems. He added that the Computing Center does a good job putting technical safeguards in place, although he declined to give specifics about what processes the University uses.

Privacy Rights Clearinghouse, a San Diego-based nonprofit consumer advocacy group founded in 1992, began compiling a list of data breaches on Feb. 15, 2005 when information broker ChoicePoint announced that its data had been breached. Prior to that point, only California required organizations to disclose leaks of sensitive data. Because ChoicePoint had data from people throughout the country, the company announced the leak on a national scale, Givens said. Since then, other organizations with similar problems have followed suit.

As a result of increased attention to the issue, in December 2005, San Diego company ID Analytics, Inc. released a study of the level of misuse of identity information resulting from four actual data breaches. The study found that breaches of identity information are more likely than breaches of account information to lead to identity theft. But that even for identity information breaches, fewer than one in 1,000 people whose data is compromised will have their data fraudulently misused, according to the ID Analytics Web site.

The University of Washington Medical Center had two laptop computers, one containing information about medical center patients, stolen in a late-December break-in. Seattle police are currently investigating the matter, and University of Washington Medical Center spokeswoman Clare Hagerty said the medical center sent letters to all the affected patients, advising them to call the three major federal credit bureaus to check their credit status and visit the Federal Trade Commission and Washington State Attorney General's Web sites for more information.

"As of now, there's been no identity theft whatsoever," Hagerty said.

While absent computers are easy to detect, some data thefts are more covert. In the case of ChoicePoint, a Nigerian fraud ring infiltrated the database by pretending to be private investigators and debt collectors, ChoicePoint's usual customers. The scam was only caught when a ChoicePoint employee noticed that the supposed debt collectors were sending faxes from a copy shop chain rather than from their own office and became suspicious, Givens said.

Even if a person has data at an institution that is hacked into, Givens said it's not easy to make connections between identity theft and security breaches.

"Only about 50 percent of victims know how it happened," Givens said. "It is really difficult to connect the dots."

Givens recommended that people protect themselves from identity theft by checking their credit reports regularly, adding that everyone is allowed a free report from each of the three federal credit bureaus once a year.

"The more quickly you detect identity theft, the easier it is to recover," Givens said.