‘Oversight’ on socials
The University of Nevada, Reno recently gave out the Social Security numbers of four guest lecturers to a student club, less than a month after a UNR employee lost the Socials of about 16,000 students. UNR’s data record was flawless until October but the recent mistakes add to nationwide statistics.
In 2006, 52 colleges lost or were robbed of students’ information, about 16 percent of all breaches nationwide, according to an analysis by security firm Sandstorm Enterprises. Often, a breach affected tens of thousands of people.
“Colleges and universities do not have a good track record for data breaches,” said Beth Givens, director of nonprofit consumer information advocacy group Privacy Rights Clearinghouse.
The most recent UNR breach stemmed from a public information request.
J.A. Buchanan of the College Republicans said he received a packet with the payment information of six lecturers on Nov. 23 from Sandy Rodriguez, director of the Associated Students of the University of Nevada, as part of a records request by the club.
Tucked inside were the W-9s of two of the lecturers, including Social Security numbers, and the Socials of two others. Rodriguez said she never looked at the information after receiving it from the UNR Controller’s office.
Buchanan said he saw the W-9 tax forms in the packet a few days after receiving it. When examining the packets with The Nevada Sagebrush last Tuesday, Buchanan saw other Socials were in there as well.
Joyce Duncan, UNR accounts payable manager, said this is the first reported leak of its kind.
Buchanan didn’t release the numbers and kept the packets at the Washoe County Republican Headquarters for safekeeping. He said he let the lecturers know of the leak. The Nevada Sagebrush could not contact any of them for an interview.
Buchanan said he plans to give the information back to Rodriguez Tuesday at her request.
“It shows the carelessness,” Buchanan said. “This goes as an example of that the university doesn’t really care about security.”
He said he was shocked at finding the numbers. Socials, if the wrong people find them, can be used to ruin a person’s credit, muck up Internal Revenue Service records of reported income and even link a person to fraud.
Rodriguez said she feels responsible for the latest leak, though as of Monday at 3 p.m. she had not seen the paperwork herself.
“What happened is it fell through the process,” Rodriguez said.
She said because the request made by the College Republicans for payment records of guest lecturers for the past four years was “above and beyond” the requests for budgets and minutes the ASUN office usually receives, she sent the request to the Controller’s office.
Rodriguez said she should have gone to the university archivist, but instead decided to expedite the process for the students.
“The bottom line is that we should have sent the request through the archivist,” she said.
She said she wouldn’t break the process in the future.
Leah Gorbet, university controller, said she didn’t see why the students needed the documents if they only wanted to know how much the speakers were paid. Rodriguez said she gave the students what they wanted.
Gorbet said she gave Rodriguez the information that was requested, the extent of her office’s responsibility.
A recent Nevada law forbids documents created on or after Jan. 1, 2007 from requiring a Social. Institutions have until 2017 to delete or black out Socials on documents created before Jan. 1, 2007.
Duncan, who manages the office that processed the request, said a student who no longer works in the office copied the records Buchanan requested. The law gives leeway on the Socials in the records – they all predate 2007 – but Duncan said the private information should have still been blacked out.
“We do the best we can in this office to maintain privacy,” she said. “It’s a main concern of this office. This was an oversight.”
She said in the future, requested records will have Social Security numbers blacked out before going to the public.
But the W-9s should not have even been copied, she said.
“The W-9s shouldn’t have been scanned, that is not our policy,” Duncan said. “It is a privacy issue.”
Duncan said she will reinforce the policy to everyone in the office.
A MONTH LATER
The unencrypted one-gigabyte data drive lost at the end of October with about 16,000 student Socials also marks the first major data loss of that kind at UNR, said Steve Zink, vice president of information technology.
Since UNR’s incident, Zink said more than 50 vendors tried to sell improved security to the university. Zink said he declined all offers.
About 1,200, or 7.5 percent, of the affected UNR students have also signed up for the one-year credit watch service being paid for by UNR, said Jane Tors, UNR spokeswoman.
When hackers stole the data of about 310,000 customers of Internet search giant Lexis Nexis, fewer than 6 percent signed up for the credit monitoring service Lexis Nexis offered.
Tors said she anticipated more response from students and parents. She said the university was prepared to absorb the $16 monthly fee for all 16,000 students.
Tors said the university went “above and beyond” what they needed to in helping protect students.
Some privacy analysts said the Equifax Credit Watch Silver offered by UNR was far better than nothing, but its time limits and limited credit watching keep it from being the best.
Givens of the nonprofit advocacy group called it the standard offer.
UNR’s service monitors one of the student’s three credit reports weekly for changes – often the first indicator of identity theft. It also offers $2,500 in identity theft insurance with a $250 deductible.
Givens said a better service would monitor reports from all three credit bureaus: Equifax, TransUnion and Experian. However, most major credit agencies send their reports to all three.
Equifax’s best service, Credit Watch Gold with 3-in-1 Monitoring, watches all three reports and comes with $20,000 in identity theft insurance and no deductible. The Gold service costs $6 more a month, according to the Equifax Web site.
Tors called UNR’s monitoring service adequate for what the university knows about the leak. She said any appearance of criminal use of lost information would likely result in better protection for students.
Zink said it is less of a concern because the device was not stolen.
“It’s a serious thing but not as serious as if somebody stole something because then you assume they’re going to do something with it,” Zink said.
Zink said many people and parents he’s spoken with have had similar instances of lost data. He said with the UNR data, their biggest concern was financial aid, which wasn’t on the drive.
Ira Victor, president of the Sierra Nevada chapter of InfraGard, said it would be hard to track any data leak or stolen identity to the lost data drive. InfraGard is an FBI-partner organization designed to broaden communication between the public and private sector on data security.
Victor said tracking a stolen identity to the leak poses problems because of the number of possible leaks. Some stolen identities can take years to show and some won’t ever appear on a credit report, he said.
An illegal immigrant using the Social to get a job won’t appear. Neither will data trafficking or the “modern day pump-and-dump,” which Victor described as criminals artificially inflating a stock price with the user’s identity and then liquidating it, thus associating the victim with fraud.
Tors said she doesn’t think UNR pursued any other services to protect against this. Zink could not be reached for comment about this.
University Security
Victor, also a security consultant with Data Clone Labs, spoke with the university after the initial leak about other ways to protect information in the age of portable data.
He said policies like automatic encryption on portable data drives and making a plugged-in data drive necessary to work can help prevent leaks in the future.
Zink said he thinks the university protection meets a balance of security and freedom in an academic setting.
Zink said UNR usually encrypts or password protects its information – his laptop has several layers of protections – but the lost data drive had its encryption turned off before it was lost.
Zink said the IT department’s policy book also outlines protection procedures more carefully than he expected it to. The policy reads “if critical or sensitive information is stored on a mobile device, password protection and, whenever possible, encryption should be used.”
“It’s clear that shouldn’t have been done,” Zink said.
The employee who lost the drive also had the ability to turn encryption off, which Zink said the employee may have done to give a presentation or access another file also on the drive.
“If we didn’t have people, we wouldn’t have problems on the tech side,” Zink said.
He said he hopes employees learned from the lapse.
Zink said security at the university is probably still better than precautions most students take. He said he regularly sees students leaving laptops alone in the library – likely with critical information on them.
Worries of lost socials
One month after UNR lost the Social Security numbers and other information of about 16,000 students, other employees gave the Socials of four guest lecturers to students by mistake.
If your Social falls into the wrong hands, it can, among other things, lead to:
- Ruined credit through criminals applying for credit cards, maxing them out and never paying them off
- Tax confusion if an illegal worker uses your Social, leaving you with unreported income for a job you didn’t have
- Fraud connection if a criminal organization uses your Social in buying stock to artificially pump the value and then liquidate it for a profit, leaving your number attached to the crime.
One Response to “‘Oversight’ on socials”
This is unbelievable. UNR is fortunate that this did not become a major issue for thousands of its students. Sometimes I wonder how an educational institution can make such ignorant mistakes.