College Loses Unencrypted Personal Data on Over 93,000 Students Contained on Stolen Laptop

Metropolitan State College in Denver has apparently lost sensitive personal data on more than 93,000 students as a result of the theft of one of the school’s laptop computers.

An employee had been using the information, including student names and Social Security numbers, to write a grant proposal at home, where the computer was stolen, the college said Thursday.

The employee was also using the reportedly unencrypted data to write a master’s degree thesis, the school said.

Denver police requested that the school wait until March 1 to disclose the theft, which took place on February 25, in order to help with the ongoing investigation.

The college has sent a letter to students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester to notify them of the incident, the college said.

It is not known whether the sensitive information was still stored on the computer when it was stolen, according to college President Stephen Jordan. “The employee does not recall whether he had deleted those files from the laptop.”

A second issue is whether writing a master’s thesis justifies an employee removing sensitive information about students from school grounds. The college is “investigating whether the employee had obtained permission … to use the data in his thesis,” the college said.

According to Jordan, the college is now reviewing its policies regarding laptops and unencrypted data.

As we recently reported, over the past year the vulnerability of personal information has never been more apparent.

It has become painfully clear, to millions of “victims,” that once they entrust their Social Security number, banking information, credit card numbers and security codes, and other forms of personal identification and financial data to stores, online merchants, government agencies, employers, and financial institutions, they lose all control over it and have no idea of where it might ultimately wind up.

In terms of lost and stolen computer records, 2005 was a very bad year, and 2006 is not going to be much better unless and until security is ramped up to the point where private individuals and companies can safely entrust electronic data to third parties for processing, storage, billing, or other transactions.

Many experts believe that until there is accountability for the loss of sensitive data through negligence or inadequate security, thieves and other opportunists will continue to feast upon the wealth of electronic data floating unprotected through cyberspace or in unsecured or inadequately protected storage and shipping facilities.

Corporate and even government agency failures in safeguarding personal and business financial information are a significant problem that needs to be addressed immediately.

As 2005 drew to a close, Ford Motor Co. started notifying some 70,000 current and former white-collar workers that their sensitive personal and financial data had been stolen. The information, which included the employees’ names, addresses, and Social Security numbers, was contained on a computer that was stolen in November.

Although the company maintained that there was no evidence that any of the information had been misused or utilized for the purpose of identity theft, there was certainly no guarantee that it would not be. Thus, Ford notified the FBI, the Federal Identity Theft Task Force, the U.S. Secret Service, and the three major credit reporting services (Equifax, TransUnion, and Experian) of the theft.

In an incident quite similar to the one involving Metropolitan State College, Ameriprise Financial, the 2005 spin-off from American Express, recently announced that it had “lost” unencrypted personal financial data belonging to some 230,000 customers and financial advisers.

The information was stored on a laptop belonging to the company that was stolen from an employee’s car near the end of December 2005. The unprotected data included over 70,000 Social Security numbers belonging to current and former financial advisers and the internal account numbers of some 158,000 customers.

Although company rules explicitly prohibited the unencrypted storage of such sensitive data, there is nothing startling about the apparent negligence in the storage and safeguarding of third-party financial information.

In 2005, there were several high-profile database thefts or losses that put millions of people at risk for identity theft. Whether the information was stolen directly, bought from a dishonest employee, or lost through the negligence of the organization itself, inadequate security practices were at the heart of each loss.

These ongoing security lapses are leading lawmakers to push for tighter rules for U.S. data aggregators. The following is a brief recap of the high-profile security breaches which put some 5,800,000 individuals at risk for some form of identity theft within the past year.

• March 2005: A security breach at LexisNexis – an information broker database containing addresses, driver’s licenses, and Social Security numbers – allowed outsiders to access personal data files of as many as 310,000 people.
• Just prior to the LexisNexis breach, there was a security breach at ChoicePoint Inc., a company which sells access to personal databases. A con artist was able to call the company and gain access to the personal data of thousands of people. Information on nearly 145,000 people nationwide was no longer protected and authorities said that at least 800 people had been defrauded. ChoicePoint later increased the estimate of affected individuals to 163,000.

• April 2005: British financial giant HSBC PLC notified at least 180,000 people of a scam involving General Motors-branded MasterCards. Apparently, when these cards were used to make purchases at Polo Ralph Lauren, criminals obtained access to their credit-card information.

• February 2005: Bank of America reported that a small number of backup tapes containing records of the personal financial information of government employees were lost in a shipment to their backup center.

• April 2005: Time Warner Inc. reported that a container of computer tapes containing information on 600,000 current and former employees was lost during a truck ride to a data storage facility. Foul play has not been ruled out.

• March 2005: An eBay scam set up by “phishers” used a coin collector’s eBay account to sell about $780,000 worth of coins, many of which never existed. Fees for the fraudulent action had been financed with $300 from the coin collector’s personal PayPal account. His eBay identity was stolen, and while the victim was able to change his credit card numbers, he has yet to recover some of the online fees charged by the phishers to his account as well as the $7,500 worth of merchandise that he had purchased but that the phishers had shipped to a different address in order to steal it.

• April 2005: A former Blockbuster Video store employee was indicted on charges of stealing customers’ identities and then using them to buy more than $117,000 in trips, electronics, and even a new Mercedes-Benz. The former employee was able to steal credit card numbers, Social Security numbers, and other private information from 65 customers in 2003 using the store’s online database. He was then able to open up new retail store and credit card accounts and make outlandish purchases. According to the indictment, the man had one accomplice and is now facing 47 to 51 months in prison if convicted.

• April 2005: Administrators at the University of California, Berkeley, disclosed that a computer laptop containing the names and Social Security numbers of nearly 100,000 people had been stolen. Just three days earlier, Northwestern University reported that hackers broke into the computers at the Kellogg School of Management and potentially gained access to information on more than 21,000 students, faculty, and alumni.

• April 2005: A man in Hackensack, New Jersey, was accused of conducting a massive scheme to steal 500,000 bank accounts and personal information and sell it to bill collectors. His accomplices included branch managers and employees from some of New Jersey’s biggest banks, including Bank of America, Wachovia, and Commerce Bank. All are accused of selling bank account numbers and balance information for $10 per customer. In some cases, the bank employees printed out entire customer computer screens and turned them over to the ringleader.

On June 6, financial giant Citigroup announced that United Parcel Service had somehow “misplaced” a box of computer tapes containing personal data on approximately 3.9 million Citigroup customers.

While a spokesperson for United Parcel Service claimed the company is “proud of its record in service and reliability,” he declined to discuss what security measures had been taken to protect the sensitive package.

Citigroup released a statement that it intended to start sending data electronically in an encrypted form and that it had “no reason to believe this information has been used inappropriately.”

It is clear, however, that when massive computer thefts are involved, there is no real way for the bank, credit card company, employer, or data aggregator to ensure that missing Social Security numbers, personal information, bank account and credit card numbers, and other sensitive records will not be used to fraudulently obtain credit cards, loans, and other indebtedness in the names of Citigroup’s customers.

Unlike individual cases of identity theft, which are often the product of inattentiveness on the part of the victim or which cannot be attributed to a lack of security, today’s enormous data thefts or losses may very well start resulting in civil liability on the part of the organization for negligence or for failing to have adequate security measures in place.

Some measure of accountability has been achieved in the ChoicePoint data loss with the Federal Trade Commission’s (FTC) announcement that the company has agreed to settle data security breach charges by paying $10 million in civil penalties and $5 million for consumer redress.

According to the FTC release: “Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.”

Significantly, the agency’s Chairman, Deborah Platt Majoras, issued the following admonition to those entrusted with sensitive information: “The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves. Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”

If you have been the victim of identity theft of any kind, you should take action immediately. Here are the things you can do to minimize the impact on your life:

  1. File a report with your local police.
  2. Don’t change your Social Security Number. (It will probably cause more problems than it will solve.)
  3. Don’t cancel your credit cards. It may be very difficult for you to get new ones. You are better off reporting the fraud and getting new security codes, putting a fraud alert on the account and making sure that the issuer does not change your address without your personal instruction to do so.
  4. Contact the fraud departments of each of the three major credit bureaus.
    Get a copy of your credit report, which is free to ID theft victims. Ask that your file be flagged with a “fraud alert tag” and a “victim’s statement.” That will limit the thief’s ability to open new credit accounts, as new creditors will call you before granting credit, generally. Insist, in writing, that the fraud alert remain in place for the maximum of seven years.
  5. Contact the Federal Trade Commission to report the situation. The telephone number is 1-877-ID THEFT (877-438-4338). The address is Consumer Response Center, FTC, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
  6. Contact the Social Security Administration at 1-800-269-0271.
  7. Contact the I.R.S. at 1-800-829-0433.
  8. Call the fraud units of the three major credit reporting companies. Equifax – 1-800-525-6285 – P.O. Box 740250, Atlanta, GA 30374-0250. Experian (formerly TRW) – 1-888-EXPERIAN or fax to 1-800-301-7196 – P.O. Box 1017, Fullerton, CA 92634.
  9. Contact creditors you believe are affected.
  10. Contact your bank(s). Place stop payment orders on any outstanding checks. You may have to close your accounts and open new ones.

  11. Contact the major check verification companies if necessary. CheckRite 1-800-766-2748. ChexSystems 1-800-428-9623. CrossChek 1-800-552-1900. Equifax 1-800-437-5120. SCAN 1-800-262-7771. National Processing Co. (NPC) 1-800-526-5380.
  12. Obtain an Identity Theft Survival Kit, which contains vital information about how to survive what can be a very aggravating and frustrating situation.
  13. Consult other sources for information and assistance: U.S. Postal Service – 1-800-275-8777; U.S. Secret Service; U.S. Social Security Administration – 1-800-269-0271; CALPIRG consumer organization – 1-310-397-3404, or USPIRG – 202-546-9707; VOIT (Victims of Identity Theft Support Group); U.S. Dept. of Justice.

© 2005-2016 Parker Waichman LLP ®. All Rights Reserved.