It seems that no one can catch a break anymore. Instead of students bringing an apple for the teacher everyday, they might want to pool their money and get their instructor some sort of identity theft service. Yet another school district in the United States has fallen prey to the wide-spread crime of data theft. Of course, like most unfortunate turn of events, the data breach impacted hard working educators and staff. This breach occurred on the east coast, in the Harrisonburg City Schools of Virginia.

At this point, the information regarding the data breach is extremely unclear. The investigation has only recently begun and there are no suspects yet named. The breach occurred through the theft of a laptop by a consultant for BB&T Insurance. BB&T provides dental coverage for the school district’s staff and faculty. The laptop was stolen out of the car of the contractor while he was in Ohio working on another client’s case. No word on why the consultant had the personal material on his private laptop. The material stolen contained limited medical records, addresses, names, and social security numbers. Authorities report that this is more than enough material to successfully steal someone’s identity.

In an effort to calm fear about the possibility of the data breach, a spokesman for BB&T assured the media that there are numerous security settings on the laptop to prevent it from being illegally accessed. He would not go in to more detail, saying only that “there are multiple levels of encryption and security which we believe will deter any criminal elements from accessing private files.” The spokesman was also reluctant to announce when the breach was first reported, since the school district was only notified in the middle of May. Once again, the spokesman told the media that he could not share any more details about the ongoing investigation, except that more details would be made clear in a press release.

At this time, there is no estimate about the number of individuals who might be affected by this breach. Mike Loso, assistant superintendent for the school district, said that an email was being sent out to the entire district to let people know about the potential risk to their personal data. A.C. MacGraw, the spokesman for BB&T said that the company plans to contact the affected individuals directly, once a number has been determined. The insurance company will offer its customers a subscription in Equifax’s Credit Watch until the threat has passed.

While a subscription to the Credit Watch is a good first step, it does not cover victims as well as other ID theft services, such as Lifelock. While Equifax monitors the credit reports of a client as seen by their system, there are still two other credit bureaus which are not included in the Credit Watch. Lifelock provides a system that monitors all three bureaus and alerts people if someone attempts to open a new credit card account or take out a loan in that person’s name.

One of the oldest institutions of higher education in the United States recently suffered from one of the newest and pervasive forms of crime. Officials reported in mid-February that someone had gained access to private and highly sensitive information off of one of the Harvard University servers. The server also contained personal information about a number of applicants and current students, although this material was believed safe until further investigations showed the data breach was wider than originally believed.

Initially, statements from Harvard noted that the servers contained personal data, but that it has not been compromised. As time went on, however, authorities came forward with the troubling news that numerous students were now at risk for identity theft. In total, over 10,000 personal records were accessed and out of this 10,000, there were over 6,500 social security numbers taken. The university also reported that Harvard Student ID numbers were also taken, although these do not pose the same security risk as do the social security numbers.

The breach occurred on the university’s Graduate School of Arts and Sciences’ server, although no one has been indicated as a suspect in the crime. There has also been no indication of how long the data breach was taking place before system authorities were notified and shut down access to the server. This is just one in a long string of data breaches that have hit the collegiate education system in the United States. However, Harvard has shown itself to be one of the best responding universities.

CIO Daniel Moriarty reported to the media that, although there was some initial hope that the student data was safe, it was his unfortunate duty to report that these hopes were no longer valid. The university has assured students that it will do everything in its power to help combat any instances of identity theft that might result from this breach. One of the most basic steps the university is taking is “notifying the individuals who have been impacted and lining up the [identity theft] services for those individuals.” Similar services have been available at other institutions, although there has been a greater lag time between the data breach and the purchase of the ID theft services.

Although used by students, one of the services available to anyone concerned with protecting their identity is Lifelock. The company provides credit monitoring through all three bureaus and alerts the subscriber before any loan applications or credit cards are opened in their account. For a minimal monthly fee, subscribers have reported having a better piece of mind and more confidence that their identity will remain secure.

*In an alarming piece of news, Harvard University students affected by the data breach in February have more to worry about. In mid-March investigators found that personal data from the university server had been posted on the peer-to-peer file transfer system known as BitTorent. This has effectively spread the social security number and private data to millions of individuals.

Amid the sun and palm trees of Florida, many local teachers and employees now have one more issue to worry about, other than just sunburn. It was reported earlier this week that a high school senior at Atlantic Technical High School was tracked down as the source of a large data breach. In all, over 35,000 individuals within the Broward School District of Coconut Creek Florida, were put at risk by the hack.

Authorities were able to track the student down in a timely fashion. According to their written reports, the student did “a poor job of covering up his actions, although that did not stop him from committing the crime.” That data encryption system for the school district was recently upgraded, although reports haven’t detailed whether or not this upgrade was in response to this data breach. Students at Atlantic Technical are required to fill out a computer access form that binds them to abiding by a series of rules and regulations, one of which is respecting the integrity of personal data and files on the school’s servers.

While details are still developing in the case, the school board is attempting to alert affected faculty and staff. Unfortunately, despite the “sloppy hack” and the quick response by authorities, no list has been created to name the individuals at risk of identity theft. The information that was taken contained personal addresses, social security numbers, bank routing numbers for the district’s direct deposit system, and funds contributed to state-run retirement funds. Teachers and staff throughout the district have expressed a great concern at this threat to their privacy and security.

Until the school district is able to alert all 35,000 individuals, people are advised to take matters in to their own hands. Unlike other recent data breaches, the Broward School District has not guaranteed to provide identity theft monitoring for its employees. Experts suggest that the public school system is not able to support subscriptions for such a large number of people. However, some teachers have taken steps to protect themselves. One of the easiest options available to both faculty and staff is a subscription through an ID theft service, such as Lifelock. These companies monitor the credit reports of subscribers and check with all three credit bureaus to make sure that no unauthorized activity is made on credit cards, bank accounts, or loan applications.

As for the student caught with the stolen information on his laptop at home, charges have been filed. For the mean time, the student has been suspended for two weeks while the investigation continues. Efforts at the district level have been made to bring the student up for the possibility of expulsion. Although the offender was only 17 at the time of the data breach, the severity of the hack may expose him to being charged as an adult, as criminal charges will no doubt soon follow his trial with the local school board.

Continuing the long string of data breaches to affect students, employees and undergraduates at Connecticut State University have become the next victims in line. Those who attended institutions in the state system over the last four years are advised to contact the university to see whether or not they are an affected individual. Details are still pending about the extent of the breach, although initial estimates place the number around 3,500 impacted students, some having graduated. Unfortunately, because the university is still trying to recover the information, the ongoing investigation limits the amount of detail available to the media.

The material that was stolen contained the names and social security numbers of students; more than enough information to create a situation in which people must be weary of identity theft. Despite regulations regarding the university’s computer system, the files were not encrypted. Upon further questioning of officials, it was learned that encryption regulations apply only to files stored on the CSU servers, not offsite locations. The reason this issue becomes so important is because the data breach occurred when a business laptop of a school vendor was stolen on an on-campus visit. Although the vendor was in a public area, surveillance cameras have yet to identify the guilty party.

Despite the problem of the actual files not being encrypted, the vendor has assured the university that his computer was password protected and that “every reasonable effort is being made to locate the missing laptop.” There hasn’t been any information reported about the company that the vendor worked for or what their personal security regulations entail. Future reports should contain that information and a more thorough history of the vendor to see whether or not it has had any similar data breaches.

While the university has attempted to contact the affected individuals, the process is not yet complete. For those who are nervous or fear that they have been the victim of identity theft, there are a few steps that they should take. First of all, they should contact the university immediately. The people most likely at risk are students who attended Eastern Connecticut University, Western Connecticut University, Central Connecticut University, and Southern Connecticut University between the years 2001 and 2004.

If you were a student during that time frame and haven’t been contacted yet, you should also keep a close eye on your credit report and other personal financial information. Unfortunately, the sale of personal information is rampant on the internet and is one of the main reasons that identity theft has become so pervasive. Some of the affected individuals have been subscribing to ID theft services to protect against any of the damages associated with identity theft. Of the available institutions providing such services, many have found that Lifelock, the company that has ads displaying the president and CEO’s social security number on the side of a truck in New York City, to be a cost effective and secure option.

Drugs, under age drinking, failing classes, and now identity theft? Most of these are problems that parents of college students have had to worry about for some time. But now, with more and more personal data involved with the education process being placed online, a new risk has emerged. Recently, at the University of Missouri, an information system that contained private information about students and researchers was hacked. In all, over 22,000 individuals were put at risk.

While details are still developing about the incident, it appears that the perpetrator was working from computers in China and Australia. No one has officially been charged with the crime. Apparently the hacker was able to access the information through an internet query page that was used to generate reports about computer trouble on campus. Perhaps the hacker had a sense of humor when conducting his illegal activities. The files were compiled on the site because the university was taking an account of the number of internal computer issues affecting students and staff. Even though at the time of the data breach the report had already been printed, it had not been removed from the site. This is an unfortunate example of a data breach that was easily preventable.

Incidences like this only further show the susceptibility of current sites of personal data. Ever since the attack was reported, university officials have taken steps to increase the security of their network. While information is still coming in about the event, officials have said they will contact the affected individuals. In the mean time, staff and students should monitor their credit reports, bank accounts, and consider purchasing an ID theft security system, such as Lifelock. The university hopes to alert everyone in a timely fashion as they get more details about the data breach.

While the University of Missouri works to fix this most recent attack on their system, some members of the wider-university community have expressed skepticism about the safety of the network. This most recent incident comes only four months after another part of the university’s private data system was infiltrated. In that separate attack, the social security numbers of 1,220 university researchers were stolen, as were the passwords of over 2,500 grant applicants.

There has been no mention of individually contacting the individuals involved in the January attack. As a result, members of the university’s research community, as well as those people who applied for grants recently, need to pay extra attention to their personal accounts. The two failings of security measures the university has in place in such a short period of time has some worried about the wide-spread implications of these attacks and the possibility of future problems. It also raises the importance of having different passwords for different accounts, be they email, database, or individual files.

If there were an “oops” or “oh sh*t” category, this entry would certainly fall into it. Duke University accidentally left the personal information of 273 former New York University students available to general internet traffic. Oops. Now, if there’s any good news here, it’s that a) Duke found the mistake–it wasn’t uncovered when there was a problem and they correct did all of the notifications themselves; b) it was a very, very small “breach” (I don’t think you can even call it that)–we’ve been writing about entries where there’s been five-digits worth of people affected so 273, while not a small number if you’re one of those 273, is reasonably small; c) the means of access wasn’t done with malicious intent–the data was simply accessible by search and it wasn’t hacked nor deliberately made available in a way that it was commonly seen and used. Again, this is small consolation to the 273 people whose information it was and undoubtedly they’re wishing they had Lifelock right now.

The former New York University students were members in a class taught by a current member of Duke’s faculty during the professor’s previous employment at NYU in 1997. The personal data included the student names and SSN’s. Apparently the records were part of his personal records that he brought over with them. Duke University’s assessors determined that the information could have been reached only if someone were searching by exact student names AND already had a search code for the Social Security numbers.

The personal information was removed from Duke’s public drives within 30 minutes of the school becoming aware of the problem on April 30. Within hours, all major search engines had cleared their caches and indexes of the student information. I’m really curious to know how they were able to do that (clear the caches). I once wrote about a girl from college and she found it and got pretty upset–it took over a month before the engines finally disassociated my site from her name. I would suspect that a major site like Duke’s would be spidered more frequently though so maybe it’s as simple as that.

As always I would encourage those affected to sign up with Lifelock’s services. It’s always better to be safe than sorry and for $9/month I think it’s a very cost-effective investment.

Across the Sooner State, students, faculty, and staff at the Oklahoma State University can rest a little easier after a server breach that hit over 70,000 individuals. Although the company IdentityTruth beat Lifelock to the punch on this one, it’s always reassuring to know that for-profit companies are willing to step in every now and then and help clean up the mess when it affects innocent people.

This particular breach affected people at OSU who had purchased parking and transit permits over the past six years. The data specifically included social security numbers, addresses, and names; fortunately the credit card records were kept protected. A stolen laptop, the start of all of this, exposed the records and personal data of 37,000 students, faculty and staff, and the university responded by transitioning most of its services to random 8-digit identifying numbers for students instead of using SSNs. However, the server used for the parking and transit services had not been updated and for that reason it was hit.

Although IdentityTruth jumped at this “opportunity”, I can’t help but wonder if those affected at Oklahoma State weren’t a little disappointed that the university didn’t come through with one of the larger, more experienced identity theft protection companies: Lifelock. Although IdentityTruth offers “$2 million dollars” in protective services, their actual services post-breach are substantially less impressive than Lifelock’s so although I’m sure it provides some sense of peace of mind for those left exposed, I’m not entirely convinced that provides a whole lot more than that.

From the Daily O’Collegian (the OSU student paper): “Even though personal data was exposed, there is no indication any of that information has been misused or any identity theft has occurred. OSU officials have removed the confidential information from the database.

“This breakdown in security is totally unacceptable,” said OSU President Burns Hargis. “We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. We regret the circumstances and concern this situation has caused.” ”

Hopefully, IdentityTruth won’t have to work very hard for this one since it doesn’t appear that those affected are in a great deal of danger–and that’s good with their unproved services.

There was a data breach at Dominican University this weekend. Dominican University is located in Chicago and the data breach here affected over 5,000 current students and alumni from 2003, 2005, and 2007. First reported (to me anyway), here, it appears the problem was due to the misuse of access granted to part-time work-study students who were able to access Excel spreadsheets from previous years. What’s sad to me is that the university took no real action despite the problem being their own fault. They simply “encouraged affected individuals to place fraud alerts on their accounts”. I bet they wish they had Lifelock. Anyway, I think it’s pretty despicable that Dominican takes no real accountability for their error–most companies at least provide some sort of identity protection service for a year following a significant problem like this.

Dominican issued this statement:

“Dominican University takes information security very seriously. In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment. We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.

The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions. The university is conducting a complete security audit and internal review.

At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.”

Hello! DO something. Yeah, it’s great that you’re notifying the affected individuals and their families but shouldn’t you actually do something other than suspend the students? What I really would like to know is how malicious the intent was to use this data. Did they just have access to it? Were they trying to use it? Did they just find it because they were seeing what all their passwords would let them into? Those would be the questions I would want answered if I were one of the affected individuals.