After a security breach on campus compromised the personal information of 1,400 University affiliates, students and identity theft experts are questioning the administration’s handling of the break-in.
On Jan. 18, there was a burglary in a Columbia College office—the location of which has not been disclosed—and three notebook computers were stolen. The University announced on Friday—11 days after the incident—that personal information was stored on the laptops, including the names and Social Security numbers of current and prospective students, alumni, and past and present employees.
Since the incident has been made public, the administration has reached out to affected students, offering them a free two-year subscription to a credit monitoring system, and also encouraging them to activate fraud alerts.
Columbia spokesperson Robert Hornsby said in an e-mail on Monday, “Based on information we have as of today, there has been no evidence to suggest that the information on the stolen computers has been accessed.”
According to identity theft experts, if the personal information gets in the wrong hands, credit cards could be fraudulently used, and worse, new credit cards or loans could be taken out, leading to more serious issues of identity theft.
But Steven Bellovin, a computer science professor, who has lectured on “identity theft as a modern crime,” said that there should not be a lot of concern in this situation.
“It is very, very low risk here,” he said. “Almost always, they are stolen for the physical retail value."
Students, though, expressed concerns about the ramifications.
“It seems pretty scary. ... A lot can happen with Social Security numbers,” Adrienne Giffen, GS, said. “That makes you wonder why the Social Security numbers aren’t protected by the school."
Alexander Cheung, CC ’10, echoed these concerns, saying, “It’s not just a pen or office supplies. … We need to invest in more advanced technology to protect that kind of information.”
“It’s really scary,” Laurel Neveu, BC ’11, added. “How do they keep hold of all their records?”
The letter sent to affected students, signed by Columbia College Dean Michele Moody-Adams, said, “We have already strengthened the physical security of the office in question and are in the process of increasing our laptop security through the installation of high level encryption programs. We also are taking a more aggressive approach to scanning computer equipment for potential security threats.”
Hornsby said in an earlier e-mail that the data was stored on local drives, and that the files were not intended to be stored permanently on laptops.
According to Bellovin, the University can better protect against these types of crimes in general by putting personal information on laptops only when it is necessary. “The number one rule to avoiding privacy problems is, don’t have the information in the first place,” he said.
Others expressed some concerns about the nearly two-week delay in notification. Lauren Haynes, SEAS ‘13 and one of the students who received the e-mail saying that her information was compromised, said that she was at first very upset, but has since changed her perception of the situation.
“Initially I was very angered that they waited so long,” she said, but added that she realized they “had to get as much information as possible before they told students.” Hornsby also explained in an earlier e-mail that the notification went out as promptly as possible given the complexity of confirming details and the need to be comprehensive.
Bellovin acknowledged the unusual length of the delay, but said he didn’t know the specifics of this case. “It seems a bit long, but sometimes it takes a long time to figure out what’s going on,” he said.
David Relkin, a New York attorney and expert in identity theft who has no affiliation with this case, said that the two-year subscription to a credit monitoring agency was an important step. He advised individuals to take this offer and set up fraud alerts, though he admitted that the alerts have inevitable consequences.
“After putting the fraud alert on, it becomes extremely difficult to get a credit card,” he said.
In the letter sent to individuals with compromised information, the University advised those affected to get copies of their credit report by calling the appropriate agencies. Relkin said this process could take some time.
“When they finally get their reports in five to 10 business days, they shouldn’t just look at whether there has been a new credit card opened," he said. "They should see if there have been any unauthorized inquiries."
Another burden is the effect this process has on an individual’s credit score, he said, adding, “Every time someone accesses your credit report, your credit score goes down. That is not something that you can avoid.”
Computer science professor Salvatore Stolfo—whose research interests include computer security—said that laptop thefts are very common, but added that the information could potentially have value for the criminals. “The thieves may be interested in stealing the laptops, but they may also hunt for information that they can sell on the black market. I do not know the extent of the stolen personal data, but it could be quite lucrative,” he said in an e-mail.
Speaking of the credit monitoring subscription, Ondrej Krehel, information security officer for Identity Theft 911—an identity theft resolution company not affiliated with this case—said, “I believe that two years is generous by the University. My only questions would be, what happens after two years? ... This information is out there somewhere, right? ... What happens 20 years from now?”
Sam Levin and Elizabeth Scott contributed reporting.