Most people know to be careful with their Social Security numbers by now.
But universities, government agencies, large companies and other big groups often have decades worth of personal information pegged to those nine important digits, dating back well before the phrase “identity theft” was ever uttered. And when they have a security breach – such as Wednesday’s announcement of a computer theft at the University of Idaho – it can expose a lot of people.
“It truly is a problem of epidemic proportions,” said Beth Givens, director of the Privacy Rights Clearinghouse, a California-based nonprofit that specializes in consumer protection issues. “We hear of security breaches daily.”
The UI announced that three desktop computers were stolen from the university’s fundraising office in Moscow, Idaho, over the Thanksgiving break. While officials couldn’t say precisely what information was on the computers’ databases, an investigation showed that the names, addresses and Social Security numbers of about 70,000 students, employees, alumni and donors had been stored on the computers six months before the burglary.
A smaller theft occurred from Eastern Washington University in November, when a portable storage device with information on about 500 instructors from 2001-02 was stolen along with an employee’s purse.
In neither case has there been a report of any fraudulent activity tied to the thefts – but Givens notes that victims of identity theft often can’t trace the exact source of the problem.
“Fifty percent of the victims of identity theft don’t know how it happened,” she said. “So we really don’t know if security breaches are resulting in identity theft or not.” Both the UI and EWU have stopped using Social Security numbers in most cases as a way to track personal information – but they also have that information for students, employees and others dating back for decades. In the wake of the theft, officials at both schools said they were reviewing their data storage to look at ways, such as encryption, to better protect sensitive information.
Chris Murray, the UI’s vice president for advancement, said that the information on the hard drives wouldn’t be easily usable by a thief.
“The likelihood of somebody using this negatively is very, very small,” he said. “But we want to make sure people know the information may be in somebody’s hands.”
The UI said it delayed announcing the information publicly after consulting with police investigators but is now notifying everyone whose personal information was accessed by the office where the burglary occurred – more than 331,000 people. The information was stored in databases in the office of advancement services and used for a variety of purposes, from communicating with students and staff to contacting alumni for support.
The university is e-mailing a notice to Idaho residents and mailing notices to out-of-state residents in the database, and has set up a Web site to help people protect themselves, www.identityalert.uidaho.edu.
“We deeply regret this incident and the worry and inconvenience it may cause, but we want to assure donors, alumni, students and employees that the University of Idaho is strengthening its processes for securing and storing our sensitive data,” said President Tim White in a written statement.
Though identity theft and related crimes are not uncommon for the Latah County Sheriff’s Office, this case is unusually large in terms of the number of people potentially exposed, said Detective Jennifer McFarland.
“This is the first time in recent memory that the Sheriff’s Office has dealt with something of this scale,” she said.
The data breach is just the latest example of problems with securing personal information in large batches at universities and other big organizations. In December, UCLA announced that hackers had gained sustained access for more than a year to the school’s main database. The Privacy Rights Clearinghouse says that more than 100 million “data records” have been lost in computer security breaches in the last two years.
“You would think that given the extensive news about security threats over the last couple of years that companies, universities and government agencies would already be taking steps to protect against this kind of problem,” Givens said.
Murray and UI officials said that Idaho is improving its data storage procedures in several ways.
“We’re using this as a way to say to ourselves, ‘it’s an unfortunate situation and let’s get better at all facets’ ” of data storage, he said.