Professor’s laptops stolen; contained unsecured student information

Ellen Tworkoski Oct 8, 2007

The first weekend in September was notable for most students as it was the end of the first week of classes. For a small percentage of the student body population, it was the weekend that their social security numbers left campus, stored in the unencrypted files of two stolen laptop computers.

According to University Police reports filed on Sept. 2, the laptops were stolen from the office of a computer science professor in Wean Hall. The door is believed to have been locked and there were no signs of forced entry, according to case officer Lieutenant John Race of the Carnegie Mellon University Police.

A supplemental report filed on Sept. 7 concluded that although the professor typically set the door to lock automatically when pulled closed, the locking mechanism may have been accidentally switched off at some point during the previous day. At the time of the theft, there were five computers present in the room, but only two were stolen, both of which were believed to have “contained significant personal identifying data,” according to the Sept. 7 report.

Race, as well as members of the Information Security Office (ISO), believe that the laptops were stolen because of their commercial value, not for the information contained in their hard drives.
Cases of identity theft are extremely rare on the Carnegie Mellon campus, Race said.

Laptops which are stolen are typically sold on the streets to some “private citizen who thinks they got a good deal,” he said.

Students whose social security numbers were stored on the stolen computers were informed of the theft on the weekend of Sept. 29. The e-mail provided students with general information about the theft as well as a website address through which they could set up a Fraud Alert system on their banking and credit accounts which would notify them of any suspicious credit patterns in the future. Further protective action was left to the discretion of the individual student.

One student, who preferred to remain anonymous for this article, was concerned that students were not notified of the theft until almost a month after it occurred. He asked Carnegie Mellon to pay for a credit monitoring service, which would examine past credit history to determine if fraud had already occurred. The university refused, he said.

Because of incidents like this, administrators have already begun to reduce the use of social security numbers in campus files. Since January 2006, students’ social security numbers have no longer appeared on course files.

However, according to Mary Ann Blair, director of the ISO, this transition in the usage of social security numbers was part of the reason for the slow communication of the incident to affected students.

Blair and her staff concluded that students enrolled in courses taught by the faculty member between summer 2004 and spring 2006 could be affected. With the help of Enrollment Services, the ISO staff compiled a list of the contact information for each student left on the list.

Currently, the ISO is working to create a more secure network that will protect students’ identifying information, even in the case of another laptop theft. Last month, the university purchased “Identity Finder,” a system which allows individuals to scan their hard drives and then encrypt, delete, or quarantine a file which is shown to contain personal information, such as a social security number.

According to Race, it is extremely unlikely that the laptops will be recovered. However, no suspicious activity has been reported on any of the affected students’ accounts.

“CMU needs to take responsibility” for the current theft, the previously referenced student said, and make sure that those affected receive the support that they need in order to protect their most important possession — their identity.