Plenty of school data easy pickings for thieves

By Charlotte Hsu

Thursday, Nov. 8, 2007 | 6:52 a.m.

A missing flash drive that was the size of a Halloween candy and held the names, Social Security numbers and academic information of nearly 16,000 current and former UNR students might have been gobbled up by an industrial-size vacuum or dumped in a garbage can.

But a chance exists that the data trove, which a school employee lost last month in downtown Reno, landed in the hands of a stranger who could use the information to sign up for credit cards in someone else's name.

So on Oct. 26, UNR sent a letter telling each potential victim about the possible security breach, which happened Oct. 19. The school is also providing one year of access to an identity theft protection service to those whose information was lost.

"There aren't very many universities that have done that," said Steven Zink, UNR's vice president for information technology. "We should do the right thing , and it's the right thing to do."

But what was such sensitive information doing on a flash drive, anyway? And what could prevent such a debacle in the future?

On Oct. 19, a UNR administrative employee hoping to work at home over the weekend took the flash drive off campus. At some point - likely at a meeting downtown - the device slipped out of the worker's pocket. The missing information wasn't encrypted or password-protected.

The university, Zink said , will review its information technology policies. But the key to preventing future lapses, he said , is to make sure employees know about and follow existing rules.

UNR policy discourages employees from keeping sensitive information on mobile devices. Confidential data stored on them should be password - protected and, when possible, encrypted.

"The employee who lost the drive was someone who should have known better ... People who work with this kind of data certainly have a greater awareness of how to protect it," UNR spokeswoman Jane Tors said.

University officials are considering disciplining the employee, Tors said.

UNR is not alone in losing students' personal information. In fact, Reno's problems seem minor compared with incidents other universities have reported.

UCLA, for example, announced late last year that a hacker had accessed a database housing information on as many as 800,000 University of California students, faculty, staff, applicants, students' parents and former employees. Closer to home, a virus that attacked a College of Southern Nevada server this year could have allowed a hacker to access about 200,000 students' and former students' names, Social Security numbers and birth dates.

Beth Givens, director of the Privacy Rights Clearinghouse consumer advocacy group, said identity thieves may target colleges and universities because those institutions keep personal information on a large number of people.

To improve security, she said, schools can limit the use of Social Security numbers and bar access to that information for all but the few staff members who need it.

UNR and other state institutions are already moving in that direction. At UNR, only employees who perform tasks such as determining who qualifies for financial aid can see students' Social Security numbers. CSN and UNLV similarly restrict access to private data.

All three schools assign students school identification numbers, eliminating the use of Social Security numbers in day-to-day campus activities such as checking out library books.

Still, "security breaches are going to happen," Givens said. No system is foolproof, and hackers are hungry - whether for Social Security numbers or simply for the pride in foiling security measures.

A running list of U.S. data breaches on the Privacy Rights Clearinghouse Web site shows hundreds of breaches in 2007. And that tally represents only incidents making the news.

As Zink pointed out in Reno, had the UNR employee not reported the lost flash drive, it's likely no one would have known the information was gone.