VSC narrows down personal data exposed by laptop theft

April 6, 2006

By Darren M. Allen, Vermont Press Bureau


MONTPELIER - A month after the theft of a laptop computer containing personal information of thousands of students and employees of the Vermont State Colleges system, officials are narrowing down the types of private information that were exposed.

In a system-wide e-mail sent Monday to students, faculty, staff and alumni of the five state colleges, VSC Chancellor Robert Clarke emphasized the colleges' assertion that no personal information has been accessed or compromised from the laptop, which has not been recovered.

"We have no evidence to date that personal data were actually retrieved or misused," Clarke said. "The laptop has not been recovered by law enforcement, so our ongoing information requires working with staff who may have exchanged e-mails and attachments with teams including the owner of the stolen laptop."

The concealed laptop was stolen Feb. 28 from the chief information officer's car while it was parked on the streets of Montreal. The car, according to Karrin Wilks, the colleges' vice president for academic and strategic planning, was broken into by someone who also stole a pair of skis and other visible valuables.

The colleges have been under fire recently because they did not notify the nearly 20,000 people whose personal financial information was potentially available on the laptop until three weeks after the theft occurred.

The faculty union has asked its attorney to look into why it took so long to notify its members of the potential information breach, and the state employees union has registered its displeasure as well.

In his memo this week, Clarke said the colleges' notified all banks in Vermont, New Hampshire and New York on March 27 of the theft and potential release of financial information.

The memo did specify the types of information that was potentially on the laptop. College administrators said access to the system's computer networks from the stolen laptop was immediately blocked as soon as they were notified of the theft.

Employee information from June 2002 to November 2005 may have been archived on the laptop. The data, which includes names, addresses, Social Security numbers, salary, taxes, withholding and wage garnishment information, as well as bank account numbers for people with direct-deposit accounts, were not encrypted, the memo said.

Admissions information for all students from June 2002 to December 2004 could have been on the computer. That data includes names, addresses, birth dates, Social Security numbers and academic records such as college placement exams.

Clarke said that information on parents, spouses and dependents was not on the laptop.

Wilks, in a brief interview Wednesday, said the VSC system is in the midst of developing policies for future breaches of information. She said VSC over the weekend also mailed detailed information about the theft to 50,000 students, former students, faculty, staff and former employees.

The laptop theft was followed by an incident late last month in which someone hacked into the Lyndon State College e-mail system. Someone pretended to be the school's computer administrator, sending out a mass e-mail in his name and warning about identity theft.

The hacker has not been identified, and a Lyndon spokesman on Wednesday said the investigation was continuing.

Last fall, the colleges also had a computer security breach in which the Social Security numbers of Vermont Technical College students were posted on a school Web site.

Sensitivity to the disclosure of personal financial information is increasing nationwide because of fears of identity theft. Armed with such information, thieves can pretend to be other people and establish credit in their names, drain their bank accounts and make charges to their credit cards.

Sen. Patrick Leahy, D-Vt., has sponsored a measure in Congress that would make it easier for consumers to protect their own information. This would include a provision forcing companies or entities who lose information to inform their customers of the potential threat.

[an error occurred while processing this directive]