Another security breach — this time following the theft of a laptop owned by the company which implements the Banner system — has exposed the names and Social Security numbers of over 130 individuals related to Binghamton University.
This weekend the University notified 11 students and about 120 applicants that their names and Social Security numbers were saved on a laptop belonging to an employee of SunGard Higher Education, which was stolen on March 13. The information was password protected, but not encrypted, and the laptop also contained similar information for about 3,400 Connecticut State University students and an undisclosed number of Buffalo State College students.
Although SunGard Higher Education, the company which offers consulting for Banner system users, notified the SUNY system about the theft on April 9, a BU spokeswoman declined to say what caused the nearly two-week delay in notifying students about the breach. A SUNY spokeswoman could not be reached for comment about the time lapse.
According to New York State law, any person or business who handles sensitive personal information, such as Social Security numbers, must disclose security breaches, but the law does not specify a time frame for the notification.
In the days following the notification to SUNY, both SunGard and the University at Buffalo established Web sites about what had caused the breach and what possible victims should do to prevent identity theft. Buffalo’s site noted that individuals affected would be receiving letters explaining the situation.
“While identity theft does not appear to be the motive behind the incident, we regard all information security matters very seriously and are working with SunGard Higher Education to take the steps we feel are necessary to protect our students and constituents,” said Megan Galbraith, a SUNY spokeswoman.
She also noted that SunGard is offering a year of free credit-monitoring service through Triple Alert, a credit agency.
According to Laura Kvinge, the director of communications at SunGard, the company’s policy of deleting data for inactive projects was not followed by the employee, and new policies are being put in place to prevent future security breaches.
But according to several privacy rights experts, the University’s use of Social Security numbers as online logins is “inadvisable” and “creating a vulnerability” for students.
At BU, students use their Social Security numbers to log in to the BUSI system, which gives access to class schedules, grades and the DARS. The newly implemented Banner system assigns students a random identification number.
According to Robert Ellis Smith, a privacy expert and the publisher of the Privacy Journal, Social Security numbers should only be used when their purpose as an ID number relates to scholarships, taxes and federal financial aid.
“It’s (using Social Security numbers as ID numbers) a very poor practice,” said Paul Stephens, the director of policy and advocacy at the Privacy Rights Clearinghouse, a nonprofit consumer organization. “Social Security numbers should really never be used for the purposes of logging in to a Web site.”
The news of the laptop’s theft comes on the heels of an incident in which the Social Security numbers of more than 330 SOM students were e-mailed to more than 200 students by a School of Management undergraduate adviser.
In 2005, 414 students’ information was jeopardized when a document containing their Social Security numbers was left in an unsecured location on a University server.
“They [the University] are not being a very good steward of the information if it is using the Social Security number as an identification number,” Stephens said.