Security Lapses, Lost Equipment Expose Students to Possible ID Theft

A missing hard drive containing personal information on 23,500 students, faculty and staff in the California State University system is only the latest example of how campus computers can expose individuals to identity theft.

Although the hard drive was lost at Cal State San Marcos, 13,500 of those affected are linked to Cal Poly San Luis Obispo, Cal State officials said. The other state universities affected are Dominguez Hills, Fullerton, Monterey Bay, San Diego and Sonoma.

“I got a letter informing me of the risk,” said Teresa Hendrix, a Cal Poly public affairs spokeswoman. “My daughter got one too.”

The concern is about the potential for identity fraud, where somebody has access to a name, address, Social Security number and other identifiers used in credit applications.

The Cal State case is by no means isolated and is not even the biggest example this year of a mass notification of a security breach. Since January, at least 580,000 individuals with information in university computers have been notified of similar risks.

That includes 380,000 current and former students, applicants, staff, faculty and alumni at UC San Diego and 178,000 at San Diego State. In both cases, hackers got into computers for other reasons, but had access to files containing personal information, officials at both universities said.

At Cal Poly, Dawn K., a 21-year-old student from Monterey, is so leery of strangers that she asked that her full name not be published. But as she sat in the University Union, she worried aloud about being twice confronted with the possibility of identity theft.

She is not sure yet if she faces identity theft exposure from Cal Poly, but she has received a letter from UC San Diego related to her application there in November 2000.

“Since I didn’t even get into UC San Diego, why am I still stuck in their system? Why don’t they just throw my information away?” she asked. “I didn’t even apply online. I did the paper application and sent it in. Somebody had to put me in a computer, and leave me there.”

Officials from the Cal State system and UC San Diego say they have no proof that either incident has resulted in the use of identity theft to open credit card accounts or to otherwise defraud students and staff.

While these cases give the impression that vulnerability to identity theft is high, it was not until July 2003 that legislation went into effect requiring notification.

“There’s no reason to assume that suddenly in July 2003 all these computer security breaches started occurring,” said Joanne McNabb of the Office of Privacy Protection in the state Department of Consumer Affairs. “It’s just that we know about them now, when we didn’t hear before.”

Cal State officials said that an auditor from the chancellor’s office lost a small external hard drive for a laptop while visiting Cal State San Marcos in late June. The auditor, who had been traveling from campus to campus for audits, is not even certain that the hard drive was not thrown away by accident, officials report. But notification is still required by law.

The hacker at UCSD seemed to be storing large files, possibly for DVDs, on the campus computer system.

“This seems to be a common practice with hackers,” said Dolores Davies, a spokeswoman for UC San Diego. “They look for sources who have a huge amount of disk space, which we of course have, and they break in.”

Davies said it has taken months to try to track down all 380,000 individuals to warn them by letter, and the university has yet to tally the cost of the effort.

McNabb said the goal of the law is better security and consumer protection, not financially burdening businesses and public institutions.

Problems have been numerous. As many as 145,000 UCLA blood donors started receiving notification in June about a possible security breach after a laptop was reported stolen there. Banks, credit unions -- even the California Employment Development Department -- have had smaller incidents.

Usually, the letters explain the problem, apologize and suggest placing a fraud alert on a credit report with one of the three major credit bureaus, Equifax, Experian and Trans Union, all accessible through the Internet.

Donald Girard, an Experian spokesman, said the alerts are free, last up to 90 days and are shared by the three leading credit agencies.

“The whole key with identification fraud is to discover it right away. Otherwise it can be so time-consuming to clean up,” he said.

Experts say students can be particularly vulnerable: They change addresses often, they are often lax in financial matters, and their institutions define them by their Social Security number.

Brett Larson, a 23-year-old Cal Poly student who is one class away from earning his accounting degree, agrees.

“In fact, I just don’t keep track of anything very well myself,” he said while sitting on campus. “They could do a lot of damage with your Social Security number. That controls everything. They used to have the Social on your student ID, but they don’t anymore. But I still use it to get into the gym or the library. I use it all the time.”