Hard drive with personal data missing from CSUSM

August 3, 2004

By Bruce Kauffman, Staff Writer


SAN MARCOS ---- A hard drive from a laptop computer containing the Social Security numbers of more than 23,000 people has disappeared from Cal State San Marcos, putting students, staff and faculty there and at six other Cal State campuses at risk of identity theft, it was disclosed Tuesday.

University officials said some 1,900 names belonged to students and employees at Cal State San Marcos.

The officials said that the hard drive has not been recovered, but they added there are no confirmed reports of unauthorized credit card charges or other identity theft as a result.

The drive was discovered missing June 28 from a campus office in Craven 1324, campus police said. They added that there was no evidence that anyone broke into the office. Some 23,500 people whose names and personal information were contained on the drive learned of the incident in a letter from Cal State dated July 21.

The letter, a copy of which was obtained by the North County Times, said the drive was "either inadvertently discarded or stolen."

"This is a very serious issue for us," the letter went on, "and we know that it is a very serious concern for you."

The letter was signed by the university system's chief auditor, Larry Mandel, and sent to students, professors and university staff members not only at Cal State San Marcos, but also at San Diego State and the campuses at San Luis Obispo, Fullerton, Dominguez Hills, Sonoma and Monterey Bay.

"It's lost," Cal State spokeswoman Clara Potes-Fellow said of the hard drive in a phone interview Tuesday from the office of the chancellor in Long Beach. "Information could have been compromised because the CSU is not in possession of the drive any longer and we don't know where it went. (We) do not know for sure if it went into the wrong hands."

Patricia Cuocco, the university system's senior director of technology, advice and policy, said more than three weeks went by between the discovery of the missing drive and the mailing of the letters because, under state law, the university was faced with the task of making sure it notify only those whose information might be compromised, and no one else. "The law does not allow us to make speculation," she said.

For San Diego State, the breach is the second this year. In March, the university notified 178,000 people ----- students, employees and alumni ---- that hackers broke into a computer where Social Security numbers were stored. Potes-Fellow said only 11 names of San Diego State people were on the hard drive that disappeared June 28.

In the incident at Cal State San Marcos, university officials said that an auditor from the university system was working on a laptop there during the week of June 21-25 when the hard drive crashed. It was removed from the computer and replaced. The faulty drive was placed in a box, apparently the same box the replacement drive came from. The drive is about the size of a credit card.

When the auditor left on June 25 for the weekend, officials said, the box with the damaged drive was left in the office. Not far away was a trash can. The office door was locked. When the auditor returned on June 28, the drive was gone.

Aaron Woodard, the assistant chief of police at Cal State San Marcos, said the facilities department on the campus searched Dumpsters on June 28 and failed to turn up the drive, though that could be because the small item would be hard to find in the volume of trash.

Woodard added that the drive might have been thrown out in the trash, or whoever found it and committed what he called a crime of opportunity "did not know what they had."

Cuocco said the identities and Social Security numbers on the hard drive belonged to people who had done financial transactions on the campuses, such as paying university fees or library fines. She said she assumed the drive had password protection because university policy calls for that.

Social Security numbers can be used by thieves to obtain credit cards, open bank accounts and even obtain driver's licenses, according to state agencies such as the Department of Consumer Affairs and nongovernmental groups such as the San Diego-based Identity Theft Resource Center.

There have been other thefts of personal data on campuses in North County and San Diego County in the last year.

Computers stolen in a break-in at a building at MiraCosta College over Labor Day weekend in 2003 contained personal information about some 700 students, including their Social Security numbers. A computer security breach in the business and financial services network at the University of California San Diego in mid-April 2004 may also have yielded personal student information.

Contact staff writer Bruce Kauffman at (760) 761-4410 or bkauffman@nctimes.com.

main page ATTRITION feedback