KENTUCKY FOLLOW UP INFORMATION ON COMPUTER THEFT AT UNIVERSITY http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20060617/NEWS0104/606170391

UK student data apparently stolen Second recent security breach
By Mark Pitschmpitsch@courier-journal.comThe Courier-Journal
In its second recent security breach, the University of Kentucky notified 6,500 current and former students yesterday that their names, grades and Social Security numbers may have been stolen.

No arrests have been made, and no one has reported that personal information has been used, a school official said.

"This is a regrettable incident and we are deeply sorry that it has occurred," Patricia Terrell, UK's vice president for student affairs, said in a statement issued yesterday.

Last month, UK mistakenly allowed access on its Web site to the Social Security numbers, phone numbers and e-mail addresses of 1,300 current and former employees. The information was available for about three weeks before it was discovered and removed.

Some students said yesterday that they were not worried that the security breaches reflect a larger problem at the school.

"I don't think it is too big of a concern. I haven't had any security problems while I have been in college," said Paige Spangler, 20, a senior business major from Bowling Green. She didn't think she was one of the students whose information was taken.

School officials said the two incidents have prompted them to re-examine the security of personal information on campus computers. UK is forming a committee to review the use and security of personal information.

UK also is in the midst of a $60 million technology upgrade that will provide better security once it's fully implemented, including reducing the number of times the school will use Social Security numbers, said Jay Blanton, a UK spokesman.

The school no longer uses Social Security numbers to identify faculty and staff, except for payroll purposes, Blanton said.

And it will assign students new identification numbers in October to replace Social Security numbers, although they will be used for financial aid purposes, he said.

Among the issues the UK committee will review is what kind of information faculty should keep on their computers and for how long, he said.

He said hundreds of individual faculty members could have the names and personal information of thousands of current and former students oncomputer hard drives, disks or portable memory devices.

How it happened

On May 26 a professor in the School of Human Environmental Sciences told campus police that a "thumb drive," a small, portable computer memory device, had been stolen from a classroom, Blanton said.

The drive possibly contained the names, grades and Social Security numbers of about 6,500 of the professor's current and former students, he said.

The professor copied documents and data from his desktop computer, including student information, onto the thumb drive, which he used in a portable computer, Blanton said.

But he said it's unclear how many student names were actually on the thumb drive.

"We thought the most prudent and complete way to go would be to contact all those people on his class rosters back to 1988," Blanton said.

Delay in reporting

UK sent the letters yesterday rather than immediately after the theft was reported because it needed to find addresses for all of the current and former students potentially affected, Blanton said.

No disciplinary action is expected against the professor, who left the thumb drive in the classroom and discovered it missing when he returned to retrieve it, Blanton said.

"Obviously, it was an accident. It was a mistake. He regrets it, but it's also the kind of thing that can happen and has happened at other institutions," he said.

Blanton declined to identify the professor.

UK's first incident

In UK's other breach, the names, Social Security numbers, phone numbers and e-mail addresses of 1,300 current and former staff members were accessible on the school's Web site between May 8 and May 26.

Blanton said there were 41 hits on the site, about half of them from UK computers. The school has received no complaints that personal information obtained from the site had been used, he said.

School technology officials are conducting a "comprehensive scan across campus" to see if the personal information of students or employees is contained elsewhere on the school's Web site.

According to the Privacy Rights Clearinghouse, about 70 U.S. colleges and universities have reported a major security breach since February 2005.

There have been no major security breaches at the University of Louisville, said Bruce Edwards, information security officer.
Edwards said U of L doesn't use Social Security numbers to identify students or employees.

Reporter Mark Pitsch can be reached at (502) 875-5136.