7,800 linked to USD told of network security breach

December 3, 2005

By Bruce V. Bigelow, Union-Tribune Staff Writer


The University of San Diego has notified almost 7,800 individuals, including some faculty members, students and vendors, that hackers gained illicit access to computers containing their personal income tax data.

The compromised data included names, Social Security numbers and addresses, according to a letter signed by Douglas Burke, the private Catholic university's director of network and systems operations.

The undated letter aggravated many recipients, though, because it provided no details about the breach and offered no specific recommendations on steps they could take to protect their personal banking and credit accounts.

"It's one of the worst security breach notice letters I've ever seen," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego nonprofit consumer group once affiliated with USD.

"I'm outraged," said Michael Shames, who teaches part-time at USD's law school and shares an office with Givens as executive director of the Utility Consumers' Action Network, a nonprofit consumer advocacy group. "I was just astounded that a university would go to such lengths to keep their own people in the dark about something like this."

A USD spokeswoman voiced regret about the shortcomings of the letter, which was mailed Wednesday, and the breach in USD's computer network, which was discovered Nov. 14.

"It's a very unfortunate situation, and we're very empathetic to the folks who have been impacted by this," said the spokeswoman, Pamela Gray Payton. She said it was USD's first computer security breach.

A hacker or hackers gained access for an unknown period to a computer server on campus that is used to print W-2, 1099 and 1098T tax forms, Payton said. The compromised data included information from 2003 and 2004 for certain vendors, consultants, student aid recipients and employees.

Payton could not say if any administrators or trustees were affected, saying the computers containing the data were used to generate the letters automatically.

"If a trustee received a check or W-2 form, then they were affected," said Payton, who noted she received a copy of the letter yesterday afternoon.

Under California law, companies and organizations that operate computerized databases with sensitive personal information are required to alert people whose data has been compromised by computer break-ins.

The law was intended to help people prevent identity theft, a crime in which thieves use stolen personal data to get credit cards and loans and make purchases using someone else's name. Once alerted, consumers can monitor their bank and credit accounts more closely and request that a fraud alert be posted on their credit reports.

But the law does not specify what information should be included in the notice, or when it must be sent.

"If you're somewhat Web-savvy and you read the news, you'll know that there is nothing new about these security breaches," Givens said.

In April 2004, for example, hackers pierced network security at the University of California San Diego and accessed personal data on an estimated 380,000 students, alumni, faculty, employees and applicants.

But Givens said the required notice letter really is an opportunity to tell people what they need to do.

"A good letter will say, this is how you contact the three credit reporting bureaus, and this is how you put a fraud alert on your accounts," Givens said.

Such information is available online at her group's Web site, www.privacyrights.org, and from the Federal Trade Commission at www.consumer.gov/idtheft.

"Not having had this experience before, what we're willing to do now in retrospect is make that information available to people who call the university," Payton said. University officials also were investigating the feasibility of putting the information on USD's Web site.
