Social Security numbers for over 10,000 current and former students, faculty and staff were compromised last month following the theft of two University computers, officials said Tuesday.
The computers were stolen from the Yale College Dean’s Office on July 17, in what is only the latest in a series of data security breaches that have plagued universities nationwide. The computers were password-protected, and were probably stolen to be sold rather than for the data stored on them, University officials said. Yale has sent letters to the individuals whose personal information may now be at risk.
A review of back-up tapes after the theft found files on the two computers that included names and Social Security numbers for approximately 10,000 current and former students and about 200 current and former faculty and staff members, but no financial account information.
So far, none of the contacted individuals has reported any misuse of the lost data, Yale spokesman Tom Conroy said.
“The University does not believe that this incident presents a significant danger of identity theft because the crime was almost certainly aimed at obtaining hardware for sale — not at exploiting the data that were on the computers,” the University said in a statement, adding that purchasers of stolen computers usually wipe the hard drives so as to hide their origin prior to resale.
The University sent letters to the affected individuals recommending that they check bank statements and credit reports, and set up a team to answer questions about the breach.
The lost files had not been maintained for any purpose, Conroy said, but were overlooked in the University’s efforts at reducing the amount of personal information it holds. Administrators are taking steps to ensure that any remaining files containing Social Security numbers are either eliminated or encrypted, the statement said.
Yale is far from the first university to have private data compromised. Of the more than 200 major data breaches tracked by the Privacy Rights Clearinghouse so far this year, about 60 have occurred at educational institutions. The recent computer thefts at the University were not on the Clearinghouse list as of Tuesday night.
Physically losing data stored on a computer is relatively uncommon for universities in comparison to other large organizations, according to Randy Marchany, director of the IT security laboratory at Virginia Polytechnic Institute and State University. Based on information he received from the California Office of Privacy Protection, nearly half of all data losses at universities reported to the office in 2005 were due to compromised servers, while losses at non-educational institutions were primarily due to lost laptops — only 11 percent of their breaches came from compromised systems. In an interview with the News last February, Marchany said the difference was most likely due to better staff training at universities so employees know not to leave unencrypted sensitive information on their laptops.
Though the rising tide of data breaches had not yet reached the University, Yale officials expressed concern in February about the risk of losing private information. Chief Information Officer Philip Long said Yale’s strategy to minimize that risk was to collect less personal information than the University had in the past. Yale no longer uses Social Security numbers to identify students, having replaced them with the homegrown University Personal Identifier system.
Long declined to comment on the breach Monday night.