Sometime during the night of Aug. 14 or early Aug. 15, two desktop computers were stolen from locked offices in Lind Hall, which houses the Institute of Technology and Student Support Services.
The computers contained about 13,000 student records, including the students’ names, addresses, phone numbers and University ID numbers, and academic and personal information.
For 603 former Institute of Technology students, Social Security numbers were associated with their student records, according to a letter sent to IT students.
The information came from students enrolled as freshmen in 1991 to students admitted to the Institute for fall 2006, although University officials said the student data with Social Security attached came from the earliest records.
In late August, the University began sending out letters to affected students; for students whose record included their Social Security number, the University sent a variation of the letter that included information on how to identify and prevent identity theft.
Steve Cawley, the University’s chief information officer and associate vice president, said the purpose of the theft was to obtain the computers themselves and not the stored information.
“It’s pretty unlikely that anyone who stole these computers stole them for data,” he said.
However, the database containing the student records was not encrypted, according to Cawley.
Cawley said it is not University practice to store Social Security numbers on desktop computers, and called the incident “a very unfortunate error.”
The University is now requiring all private data to be centralized, he said. In addition, the University created a mandatory online training course on data security for University staff in efforts to increase awareness about data security and privacy.
“This is a theft – this isn’t an Internet hack, it’s someone breaking into the office and stealing a computer,” he said. “All the same, there are steps we can take to make the data more secure.”
August’s theft is the largest – though not the only – breach in the University’s data security in years.
Frequently, faculty laptops containing student information are stolen, and notifications are sent to students, although Social Security numbers are not included in the information, Cawley said.
Dan Wolter, director of news and public information for University Relations, said it is University practice to send notifications, even if they are not explicitly required under Minnesota’s notification law.
Google picked up a University test file containing almost 200 Social Security numbers that had been inadvertently posted to the Internet a few months ago.
Earlier in the year, according to Wolter, a hacker broke into a computer that contained medical research records.
Wolter said it takes an incident like August’s theft to raise awareness for deans and key administrators.
“Obviously it’s not an ideal scenario, but it’s important to know this computer was in a locked office in a locked building and it was stolen, and it’s important to not lose sight of that,” he said.
The University elected to wait several weeks to make the information public, Wolter said, so it could have the chance to contact affected students.
“If we’re two weeks away from being able to get letters out to folks and there are people who know they have sensitive information, we’d be behind the curve,” he said.
Wolter said there are no suspects in the theft.
University Police Chief Greg Hestness declined Sunday to comment on details of the case because it is an open investigation.
Electrical engineering junior Steve Vandinburg said he was “shocked” that it was “so easy” to steal a computer.
“I’m just glad it wasn’t anything too bad; I wasn’t one who had their Social Security number on (the record),” he said. “Everything else that was stolen was almost public or could be found pretty easily, so I’m not too worried.
“But it’s pretty sad that they can’t protect that type of stuff.”
Bill Dane, University Student Legal Services staff attorney, said that under circumstances in which students entrust their information to someone else and it is stolen, there is “almost nothing you can do.”
“You’re putting your info in the hands of people you rely on to safeguard it,” he said. “If they don’t, there’s not much you can do when the cat is out of the bag.”
Students should give out Social Security numbers only when absolutely necessary and regularly check their credit reports, Dane said.
If personal information is used, students might have some difficulty getting help from the police, he said.
“Law enforcement is overwhelmed on this issue and lots of times there is not a lot they can do to track down (the perpetrators),” he said.
Under Minnesota law, a person may lock down his or her consumer credit report, which prohibits a reporting agency from releasing the credit report until the freeze is lifted.
Also, Minnesota residents are entitled to free credit reports yearly from each of the three major credit reporting agencies.