By IZZY BRIONES
At the University of Mary Washington 4,100 student and employee social security numbers have been stolen in the past month and the school community was made aware of it on Friday. Those who had their social security numbers stolen and their information compromised were notified through emails by the University and made aware of the situation before a school-wide email was sent to other members of the UMW community.
On January 5, 2016 the University learned about the theft of a personal laptop reported by the victim, who will remain an unnamed employee. The details reveal that while said employee was waiting at an Amtrak rail station, their laptop was taken from them. What made this theft so detrimental, however, was the fact that a total of 4,100 student and employee social security numbers were on the stolen laptop. This situation calls into question the university’s protocol and policy pertaining to the protection of personal information.
The university’s website states that something such as a social security number is “Personally Identifiable Information” and “Highly Sensitive Data.” According to these classifications, it is stated that, “every caution should be used in protecting this information from authorized access, exposure or distribution…[and] should only be collected or maintained when there is an approved and authorized business justification. Unless absolutely required for a particular business function, these personally identifiable data elements should never be collected, stored,shared or distributed.”
Director of media and public relations Marty Morrison was reached out to for comment by databreaches.net about the above policy, specifically pertaining to the storage of this highly sensative data and personally identifiable information on an employee’s personal laptop.
“UMW’s policy prohibits storing personally identifiable information on laptops. Per the policy, social security numbers can only be stored in prescribed areas where additional controls and safeguards are utilized. In this case, the policy was not followed,” Morrison said.
The breaking of policy and many questions sit unresolved; the most striking issue about this whole incident however, is the fact that it is not clear why this story had been hidden for a month from the greater community and was only recently shared.
In response to the issue above, Morrison stated that the University “notified the affected individuals as soon as we were able. When we learned of the incident, we immediately began an investigation and determined the laptop computer stored files containing personal information of some current and former students, and employees. We decided to notify the larger community last week to clarify misinformation that had come to our attention.”
In response to the entire incident Morrison said, “We have taken appropriate action with the involved employee. And to help prevent this from happening in the future, we are re-educating our staff on the importance of handling personal information securely, and are evaluating the use of additional security processes and controls.”
This story comes as a large data protection concern for the community amidst a year wrought with fraudulent emails and spam messages. Just this past week alone, many students have received emergency notices to appear in court, all of which have been sent by a fake account with a University of Mary Washington email address. In response, the entire student body and faculty receives notices and warnings for small incidents such as these from the university; However, with a theft of 4,100 employee and student social security numbers the information remained unannounced for a month to the greater community at UMW.
“I think that the school should have notified all students when they learned of the theft,” said junior international relations Cody Reynolds. “Given the nature of the contents on the laptop, the school was in the wrong to not immediately notify the students so that they may take the necessary steps to protect their identities.”
In addition, a student who had their social security number stolen (whose name will remain anonymous due to the situation) stated, “I felt I was notified in a way that lacked urgency, because I received a letter that went to my home address rather than to me.
I don’t think that it should have taken them so long to share with the rest of the school however I can see how sharing this type of information with the greater community can create unnecessary panic to those that are not affected.”
Editor’s Note: An earlier version of this story incorrectly titled Marty Morrison’s position as “director of media and public relationships.” The title has since been corrected. We are very sorry for the error. – Emily Hollingsworth, News Editor