Registrar data stolen in computer theft
Corrections Appended
Editor's Note: This article has been updated in the November 17 issue of the Justice.
Two Apple desktop computers containing academic and personal information for all students enrolled or taking a course at the University from the summer of 2012 to the present were stolen from the University Registrar, according to a Nov. 12 email sent by Marianne Cwalina, the senior vice president for finance and treasurer. The computers were stolen at some point over the weekend of Oct. 24 to Oct. 25.
One of the stolen computers contained students’ “names, birth dates, permanent and email addresses, phone numbers, courses, and grades,” according to Cwalina’s email, which went out to students, faculty and staff. “It is also possible that this device contained some Social Security numbers,” according to the email. However, she added, the computers contained no financial or medical information for students, nor did they contain any faculty or staff employment files. The email went on to note that “to date, our investigators have no evidence to suggest that any personal information has actually been accessed, nor are we aware of any reports of identity fraud resulting from this theft.” Cwalina could not be reached for comment by press time.
In an interview with the Justice, Executive Director for Integrated Media Bill Schaller stated that the University collects social security numbers from all students receiving federal loans or who work on campus. The University requests the social security numbers of all students, as parents commonly cite tuition costs as a tax deduction and the Internal Revenue Service requests that the University verify this.
The University has mailed information to the home addresses of students affected by the theft informing them of what information may have been taken from them. According to the email, University staff members first noticed that the two computers and projection equipment were missing from the Registrar’s Office on Oct. 26. In her email, Cwalina also linked students to a frequently asked questions page on the theft, which added that the University believes that the thieves entered the building through a window. Additionally, the FAQ noted that, while the University has “an ongoing effort to centralize the management, backup and encryption of all staff computers, including computers and workstations, these computers had not gone through the process yet.” The FAQ also states that students were not initially informed because “the university could not notify possibly affected students while our investigation was ongoing.”
In a statement to the Justice, Vice Provost, Chief Information Officer and University Librarian John Unsworth said that the computers that were stolen were password protected, but the data stored on them was not and could be accessed by anyone with the password to the computers.
The FAQ added that the University is presently “not aware of any reports of identity fraud, theft or other harmful activity resulting from this incident, or that any personal information has actually been accessed or misused,” but wanted to make the community aware of the incident and of services available to protect those affected from identity theft.
Schaller told the Justice in a phone interview that the University was not required under the Family Educational Rights and Privacy Act to disclose the breach to the community, as there is no evidence that the information stored on the computers was accessed. However, he noted in a phone interview with the Justice that the University — working with third party experts on forensic methods — has alerted affected students in accordance with each student’s home state data breach laws. He added that the broadcast email to all students, faculty and staff was the most efficient way to reach the community and noted that the University believed that alerting everyone — regardless of whether they had been affected — was “the right thing to do.”
Since realizing the theft, the University has had an open investigation into the matter, with administrators working with University Police and the Waltham Police Department. In a statement to the Justice, Director of Public Safety Ed Callahan noted that it is standard for the University Police to work with Waltham PD on cases, and this case is no exception. Unsworth added that the University has also been in touch with Apple and is tracking the serial numbers on the computers, which will allow the computers to be identified if they are ever brought in to a store.
Schaller stated in a follow-up interview that Kutz Hall, where the Registrar is located, does have a closed-circuit camera on sight. However, the video footage captured by the camera has not been useful for the investigation. Schaller would not go into detail about where the camera is located or what it films, so as not to jeopardize the security system.
In the wake of the announcement, the University has opened up various channels to aid students and families that may have been affected by the breach. Cwalina’s email noted that the University has additionally offered free credit monitoring services and provided a Call Center number for individuals to call with further questions. According to Cwalina, the Call Center will open at 9 a.m. on Nov. 13, but it cannot enroll all callers in the credit monitoring service mentioned in the email. To enroll in the service, individuals must use a code and specific activation instructions detailed in the letter sent to their permanent address. The FAQ additionally advises those affected to place a fraud alert on their credit files and review their financial account statements for fraudulent activity on a regular basis.
Identity thieves commonly use social security numbers to, among other things, open credit card accounts file fraudulent tax returns and put misdemeanors on a target’s record, according to a Feb. 17, 2015 article on Credit.com. Cwalina ended her email by noting that the University is “committed to maintaining the privacy of our students’ information and have taken many precautions to safeguard it. … As always, everyone in the Brandeis community is encouraged to remain vigilant, review your account statements on a regular basis to look for any unusual activity, and monitor your credit reports. We will continue to share any additional information we learn.”
—Max Moran contributed reporting.
An earlier version of this article stated that the two computers stolen were laptops, when in fact they were desktops.
An earlier version of this article said Executive Director for Integrated Media Bill Schaller could not confirm or deny whether the information stored on the computers had been accessed. The University is, at this time, not aware of any reports that any personal information has been accessed or misused.
An earlier version of this article stated that the University was working with third party experts on the best outreach methods. To clarify, the third party experts to whom Schaller was referring are forensics experts who are aiding the University's investigation and attempted recovery of the computers.
Please note All comments are eligible for publication in The Justice.