A Vanderbilt professor’s computer containing the names and social security numbers of 7,174 current and former students was stolen from a locked campus office sometime during the weekend of Feb. 6, according to Vanderbilt public affairs officials Beth Fortune and Liz Latt.
Letters were sent on March 10 and 11 to the individuals whose personal information was on the personal computer, alerting them to the situation and that they were being offered, free of charge, 12 months of identity protection, credit monitoring, credit alerts and a $1 million theft insurance policy by Debix Identity Protection Network, per a contract made by the university.
Associate Director for Vanderbilt News Service Melanie Moran said in an e-mail that it took a little more than one month to alert the students affected because university officials wanted to be as accurate as possible in trying to determine the information contained on the computer.
“Every file had to be reviewed by a trained computer forensic technician to determine exactly who was affected,” she wrote.
At the time the letters were sent, university officials believed only students who had been at Vanderbilt between 1999 and 2003 were affected. Since the letters were sent out, however, they determined that the personal information of 1,347 current students was also on the computer.
Moran said the initial thought that only students from 1999-2003 were affected was in light of conversations with the professor and the initial work by the certified computer forensic technician.
“Because we wanted to communicate as quickly as possible, that was what we knew at the time,” she wrote. “Soon after that we learned that students after 2003 were affected, and we updated our communication methods and information.”
Vanderbilt Student Government President-Elect Lori Murphy said she was pleased with the university’s purchase of the $1 million identity protection plan but was concerned about the length of time between the theft and when letters were sent to students.
“I am concerned about the length of time that passed before this breach came to light. I plan to meet with additional university officials to determine what measures we are taking to protect against these types of threats in the future,” Murphy wrote in a statement. “Moving forward our team will continue to advocate student security and safety as our paramount concern in all of our conversations with the administration.”
According to Public Affairs, the desktop belonged to a professor who kept a database of his grade book, including social security numbers for some students who took at least one class or served as a graduate assistant. Provost Richard McCarty sent a letter on March 16 to all academic deans advising them to purge information like this from their files and to not collect it in the future.
The use of social security numbers in the registration process has begun to be phased out in recent years. Once YES, the replacement for OASIS, is fully implemented in fall 2010, social security numbers will not be part of the new system, according to Fortune and Latt.
Individuals who are affected can visit the identity protection Web site Vanderbilt has created and call Development and Alumni Relations at 1-800-288-0037. Those who are affected have until June 15 to sign up for the Debix services.
Erin Prah contributed reporting to this article.
