Campus break-in leaves Social Security numbers vulnerable

The personal information—including Social Security numbers—of approximately 1,400 people was compromised after an office burglary mid-January, the University announced on Friday.

By Sam Levin and Alix Pianin

Published January 29, 2010

On Jan. 18, a break-in was discovered in a Columbia College office whose locked door had been broken open. According to University officials, three notebook computers were stolen.

The University is not disclosing the location of the crime.

Spokespeople said that the computers were password-protected, but contained “limited personal information,” including Social Security numbers of over a thousand current and prospective students, alumni, and past and present employees.

The personal information also contained names and addresses, along with Social Security numbers.

The data was stored on local drives while being worked on as part of University business, and the files were not intended to be stored permanently on the laptops, Columbia spokesperson Robert Hornsby said in an e-mail.

Though the notebook computers were compromised, access to the University’s larger database platforms is not at risk, according to a letter sent to affected individuals from Columbia College Dean Michele Moody-Adams.

Those affected have been notified by both e-mail and regular mail, and are being offered identity theft protection services. The New York City Police Department and Columbia Public Safety are conducting a criminal investigation.

The University declined to comment on whether there have been any reports of identity theft since the data was compromised.

“We understand that personal information is a serious matter,” Moody-Adams said in an interview with Spectator. “It’s a measure of the seriousness with which the college takes this incident that as dean, I’ve chosen to oversee the response.”

Anyone who does not receive a letter or e-mail was unaffected by the break-in. Those who do receive the letters will be given more details on how to follow up, University officials said.

For further protection, Columbia University Information Technology is working with IT departments in specific schools to encrypt various University data.

Spokespeople explained that they had this kind of information on file because the University is required to maintain student and employee Social Security numbers for purposes such as government reports or employee identification verification. But they have stopped using Social Security numbers as identifiers in certain areas for which it is no longer necessary, such as in housing forms.

University affiliates whose information was compromised are being referred to either Associate Dean of Planning and Administration Susan Chang or Senior Associate Dean of Student Affairs Kathryn Wittner.

This is not the first time the University has dealt with a security breach of personal information.

In June 2008, a student employee at Housing and Dining mistakenly posted personal information online that included Social Security numbers of approximately 5,000 current and former Columbia students. The University later found that the information had been posted for over a year. In that incident, the University found no evidence of wrongdoing or theft.

Some identity theft experts not involved in this case said that it was too early to predict the fallout of the burglary, though they agreed that any security breach that includes Social Security numbers is a very serious matter.

David Relkin, a New York attorney and expert on identity theft—with no affiliation with the University—said in an interview, “This [the Jan. 18 break-in] is not that big—1,400 is not a huge number—but by no means is it small.”

And the fact that alumni are included on the list, he said, could be very serious, as they are more likely than undergraduates to have credit cards, which are, he said, “the choice of identity thieves.”

Relkin said he was most concerned that the University took nearly two weeks to notify affected individuals.

Though it is unclear whether the thieves were able to access the information, he said, “It seems outrageous that there was an over-10-day delay. Many people’s personal information may have already been used.”

Hornsby said that since the incident, the College has been involved in an ongoing NYPD investigation, as well as analysis of data and identification of the potentially affected individuals. “These notifications go out as promptly as possible given the complexity of confirming details in such situations and the need to be comprehensive in identifying all potentially affected individuals,” he said in an e-mail.

Ondrej Krehel, information security officer for Identity Theft 911, an identity theft resolution company not affiliated with this case, said that the University should not have had information on laptops, but rather on a central system, though University officials said that they were only there temporarily.

But Krehel added, “What happened right now is data breach, not necessarily identity theft.”

Krehel and Relkin agreed, though, that if the situation does result in identity theft, it could become a much larger problem.

“Wouldn’t you have a certain level of paranoia with your private life? … Now your information is somewhere—you don’t know and you don’t have control of it,” Krehel said of the aftermath of stolen personal information.

Relkin, also speaking of the ramifications of identity theft in general, said, “It kind of hangs around your neck for the rest of your life. … Private information is extremely valuable in a society that identifies people with a sequence of numbers.”

news@columbiaspectator.com

