
UVA THEFT HIGHLIGHTS SECURITY CONCERNS-THE DAILY PROGRESS, APRIL 27, 2008

Posted: Monday April 28, 2008

UVa Theft Highlights Security Concerns

By Brian McNeill

Published: April 27, 2008

At some point on the night of April 3 between the hours of 7:30 and 9 p.m., a thief wandered by a University of Virginia employee’s locked car that was parked in the 1600 block of Avon Street Extended.
Apparently noticing valuables inside, the crook smashed through one of the car’s windows and pilfered the UVa employee’s wallet and a briefcase containing a laptop computer.

The password-protected laptop held a confidential file containing the names and Social Security numbers of 7,000 UVa faculty, students and staff members.

The incident marked the second major data breach at UVa in recent memory. Last June, UVa discovered that hackers had gained access to a part of the school’s computer network that contained the names, Social Security numbers and birth dates of 5,735 current and former faculty members.

UVa officials mailed letters notifying the 7,000 people affected by the latest security lapse on April 14.
UVa spokeswoman Carol Wood said the approximately 10-day delay was necessary while the university compiled mailing addresses for everyone affected and consulted with police and risk management officials about when the public ought to be notified.
“We tried to make a thoughtful decision,” Wood said. “We had to balance risk while also trying to find out as much of what actually happened as possible. You don’t want to alarm people unnecessarily. We always try to err on the side of telling people as quickly as possible that an incident has taken place. But there isn’t any industry standard.”

From a problem to a ‘fiasco’

Dr. Dean Kedes, a professor of infectious diseases in UVa’s School of Medicine, said he is furious that his personal information may now be on the black market. Kedes said that UVa did a poor job of promptly notifying people who were affected, calling it a “fiasco.”
“It’s really kind of sad,” he said. “This is my employer. I like UVa. But I gotta say that I’m a little bit ashamed of how they’ve handled this and last year’s incident.”
Police advised UVa to release few details in the immediate aftermath of the theft, believing that revealing too many specifics might tip off the possibly unsuspecting thief that the stolen laptop contained sensitive data.
“I know that people find it frustrating,” said James L. Hilton, a UVa vice president and chief information officer. “We’re trying to figure out ways that we could have done better. It’s a fine needle to thread.”
As of Friday afternoon, none of the 7,000 people had reported any cases of identity theft. Likewise, no one has reported any identities stolen in connection with last year’s case.

UVa will mail another round of letters today to each of the 7,000 faculty, students and staff. The letters will contain more details about the data breach and describe services the university is offering to minimize risk.
“The university takes responsibility for this incident and sincerely regrets any concerns or inconvenience it causes you,” states the letter, authored by Hilton.
UVa is offering a year’s worth of free credit monitoring and identity theft insurance to all 7,000 people affected, according to the letter. The services — provided by a division of the credit-checking company Experian and the insurance firm Virginia Surety Company — will include daily credit score monitoring, e-mails notifying the person of any potentially fraudulent activity, access to “fraud resolution representatives” for victims of identity theft, and $25,000 of identity theft insurance.
For each person who signs up for the services, UVa must pick up its $22.95 price tag. If all 7,000 people opt to participate, it would cost UVa $160,650.

The chances of identity theft in connection with the April 3 larceny are fairly low, according to police and UVa administrators.
“Some dumb schmuck that broke into this car isn’t going to be too computer savvy,” said Lt. Todd Hopwood of the Albemarle County Police Department. “That’s what we hope for anyway.”
Vehicle break-ins are rarely planned out ahead of time, Hopwood said, suggesting that the thief was not targeting the sensitive information stored on the laptop.
“Most car break-ins are crimes of opportunity,” he said. “A thief walks by and sees a laptop or a purse sitting on the front seat of a car. It’s dark out and no one’s around. Boom. They’ll steal it.”
In this case, the UVa employee had the confidential information on the laptop for a legitimate reason, but was not permitted to take the computer off campus. The file containing sensitive information should have been either digitally shredded or encrypted, Hilton said.

Wood declined to identify the employee or say how the employee was disciplined. “It’s a personnel matter, so I can only say that it’s been dealt with,” she said.

Increasing security of secure information

Hilton said that UVa may “tighten up” its policies governing the transportation of equipment containing sensitive information.
Nearly a dozen UVa employees said in interviews and e-mails that they were frustrated with the university’s handling of the data breach.
“As a UVa alumnus and a 14-year employee, I’m disappointed that UVa didn’t do enough to protect my personal data,” said Michael Kidd, a member and organizer of the CWA/AFL-CIO Local No. 2211 staff union at UVa. “I hear lots of talk about how they’re going to protect my data, but very little about how they are protecting my data. Really, how can they justify why my sensitive personal data was on the hard drive of a UVa-owned laptop located at an employee’s house? There’s no acceptable excuse. On the data protection front, UVa is behind the times when compared to the rest of the business world.”

The university is taking steps to minimize the risk of sensitive information being stolen in the future. A UVa-wide project is under way to substantially reduce the collection and use of Social Security numbers. By July 1, each department at UVa must identify all records and records systems within its purview that use Social Security numbers and submit a remediation plan. By July 2009, all of these plans must be implemented.

UVa has been phasing out its use of Social Security numbers in recent years, but work remains, Hilton said. Last week, he said, UVa obtained a license for computer software that will scan university computers for any lurking Social Security numbers and help eradicate them.
“As we find Social Security numbers, we are attacking them,” Hilton said.

