Identity theft raises security worries

Over 10,000 former and current students, faculty and staff received word from Yale last month that their Social Security numbers had been compromised after two computers were stolen from the Yale College Dean’s Office. Now, the identity of at least one of those people has been stolen — and he doesn’t think it’s a coincidence.

Connecticut Attorney General Richard Blumenthal LAW ’73 is asking questions, too. In a letter to Yale President Richard Levin last week, he called the University’s response to the theft “inadequate” and asked that it provide identity theft insurance to all of those involved.

The University defended its response but said it would cooperate with Blumenthal’s office, which gave Yale two weeks to provide answers to a dozen questions regarding the theft. While a University spokesman said the administration believes no one has hacked into the data on the computers, it has received reports that illegitimate credit cards were opened in the names of two individuals whose personal information was stored on the stolen equipment.

On Aug. 24, someone provided the full address and Social Security number of Chris Huffman ’05 — whose personal information was on the computers — to open a credit card in his name at a Kmart in Southbury, Conn., about 20 miles northwest of campus, according to a bill Huffman provided to the News. Another illegitimate credit card was opened at a nearby Wal-Mart but was not immediately used, said Huffman, who lives in South Carolina.

The Trumbull College alumnus said he was in Connecticut for two days this summer, and he thought his own credit card number could have been stolen when he used it at a local restaurant.

But that would not explain how his Social Security number, which is required by both stores to open a new credit card, was obtained — unless it came from the stolen computers.

“Obviously I can’t be 100 percent sure that this incident and the stolen computer are connected, but it seems fairly obvious to me given the timing and the fact that the new credit card was used in Connecticut,” Huffman said in an e-mail.

In August, the University disclosed that two computers stolen from the Yale College Dean’s Office in mid-July contained the Social Security numbers of more than 10,000 Yale affiliates. The data had been kept for no particular purpose and was overlooked in the University’s efforts to reduce the amount of personal information it keeps on file, officials said.

The computers were password-protected, and the University said it believes they were stolen for the value of the hardware and not for the personal data they hold. Explanatory letters were mailed to everyone whose information was stored on the computers.

In addition to Huffman’s complaint, Yale spokesman Tom Conroy said the University has received one additional report of a new credit card being opened in the name of someone whose information was on the stolen computers. But the two reports should not be cause for alarm, he said.

“Yale is watching this situation very closely, following up on every call, and is in contact with law enforcement authorities,” Conroy said. “As of right now, we do not believe the data has been accessed by someone with malicious intent. If that changes, we will send out additional advice immediately.”

Meanwhile, Blumenthal criticized the University for not responding to the thefts more actively. He suggested the University consider providing free credit monitoring, reimbursement for credit freeze expenses, and as much as $25,000 in insurance against identity theft to all those whose data were contained on the computers.

“Given the sensitive nature of information on the stolen computers, Yale’s measures so far to protect its approximately 10,200 current and former students and employees seem inadequate,” Blumenthal wrote in the letter, a copy of which the attorney general’s office provided to the News on Friday.

Blumenthal’s questions in the letter concerned details surrounding the thefts as well as the measures Yale has taken to notify and protect those whose identities were exposed. Conroy said the University will reply to Blumenthal’s questions promptly.

The incident is not an isolated one among colleges across the country. According to the Privacy Rights Clearinghouse, which tracks major data breaches, about a quarter of the more than 200 breaches this year have occurred at educational institutions. Such breaches include stolen computers or data tapes, hacked servers, or the mistaken posting of private information on public Web sites.

But Yale’s was not the highest-profile data breach in Connecticut this year. In July, a state Department of Revenue Services laptop containing the Social Security numbers for more than 100,000 Connecticut residents was stolen from the backseat of a car in Long Island, where an employee was vacationing. Lawmakers have scheduled a hearing on the matter later this month, and Gov. M. Jodi Rell has since ordered state agencies to limit the sensitive data they place on portable computers.

At Yale, concern about the storage of personal information is not new. In 2005, the University moved to eliminate the use of Social Security numbers to identify students because of security concerns.

“It’s both within higher education and elsewhere that Social Security numbers have been compromised, and the University wanted to get out in front of it before there was an incident here,” Ernst Huff, the associate vice president for student financial and administrative services, said at the time.

Comments