Student personal and academic information may have been accessed after a theft in Kutz Hall last month. In an email sent to the entire Brandeis community Thursday evening, Nov. 12, Senior Vice President for Finance and Treasurer Marianne Cwalina announced the potential consequences of the theft and the precautions being taken.
There has been no evidence that the information stored on the one computer that stored personal student information, an iMac desktop, has been accessed, Executive Director of Integrated Media Bill Schaller clarified in a phone interview with The Brandeis Hoot. The university has worked with a third-party team of computer forensics experts to try to determine if the network or any of this information, which was stored on the password-protected hard drive of this computer, was breached. The information was not encrypted. Although the university is going through the process of centralizing the management of all staff computers, these computers in the registrar’s office had not been put through that process yet. Schaller reiterated that this is an ongoing project and that all staff computers that have not had their data centralized and secured will go through this process. No specific timetable for when this would be completed was given, however.
The email from Cwalina stated that the information on these computers consisted of names, birth dates, permanent addresses, email addresses, phone numbers, courses and grades. Students who were enrolled in a class from the summer term of 2012 to present are vulnerable to their information being accessed, but Schaller affirmed that none of this information has actually been accessed.
No faculty or staff information were stored on this computer in the registrar’s office, nor were any personal financial or health records. Cwalina mentioned that social security numbers might have been stored on this hard drive. Schaller clarified that this doubt comes from the fact that students are not required to report their social security number to the university, depending on if the student receives grants or other financial aid that requires tax documents to be reported.
Staff members first reported the theft on Monday, Oct. 26, saying that computers and some projection equipment were stolen at some point over the previous weekend, according to the email. It appeared in the Brandeis Police log for the week of Oct. 25-31. From there, an active criminal investigation was undertaken by the Waltham Police Department, with the assistance of Brandeis Police, according to Schaller. The investigation led to the belief that the perpetrator gained access to Kutz Hall through unauthorized access to a window, according to an FAQ page regarding these thefts on the LTS website.
This investigation prevented the reporting of the consequences of the theft at first. This delay was coupled with the fact that the university had to draft specific letters for each student possibly affected based on their state of residence, Schaller explained. Cwalina’s email stated that students whose information might have been compromised were mailed letters to their permanent address explaining what happened and what precautions were being taken from this point forward, one of which is a free credit monitoring service, the cost of which will be covered by the university’s insurance policy, for those potentially affected. With each state having different laws regulating credit monitoring after a breach of information, letters had to be specified for each student based on their permanent residence.
California became the first state to require credit-monitoring services information following a data breach after passing law AB 1710 last year, according to an article in The National Law Review. The law specifically states, “If identity theft prevention and mitigation services are provided, the data breach notification must inform the affected persons that the services will be provided for at least 12 months and at no cost, and that it also must include information on how to obtain the services.” Other states, however, mandate more requirements and safeguards for data breaches, according to Schaller.
Only those whose information might have been accessed will be eligible to enroll in the credit monitoring service, instructions for which are included in the letters that were mailed out on Nov. 12.
Additionally, a call center has opened for further questions and help, which will be available Monday through Friday, 9 a.m.-9 a.m., at 1-877-846-5276.