E-mail includes data on students

December 9, 2006

By Gary Robertson, Times-Dispatch Staff Writer


For the second time this year, the personal information and Social Security numbers of hundreds of Virginia Commonwealth University students have been compromised.

According to the university's technology services Web site, personal information on 561 VCU students in the College of Humanities and Sciences was inadvertently included in two attachments in an e-mail.

The information included names, Social Security numbers, local and permanent addresses and grade-point averages.

The e-mail was sent Nov. 20 to 195 students to inform them about their eligibility for scholarships from Phi Kappa Phi, a national honor society. They were part of the larger group of 561 students whose personal information was released, according to the university.

VCU says the problem was discovered Nov. 21 and steps were taken immediately to eliminate the messages from the e-mail databases of all 195 students who received it. The university said the information was exposed briefly and to a relatively few number of people.

The college says it has contacted those whose information was released.

The university also says its has contracted with a firm to provide credit file monitoring and identity theft protection to the affected students at no cost to them.

But the event has left a bitter aftertaste for some.

"I was pretty angry," said Louise Kapelewski of Richmond, a senior.

Kapelewski said she thought a university as large as VCU 30,000 students -- would have security measures to prevent such disclosures.

She added that at least two of her friends also were victims, and they weren't happy, either.

Chuck Epes, Virginia communication director for the Chesapeake Bay Foundation, also had his personal information compromised in the glitch.

He said he takes efforts to keep personal information private.

"We shred family mail with personally identifying information, [and] I am cautious about giving out credit card numbers," Epes said.

"And then, out of the blue and despite your best efforts, something like this happens that you have no control over that exposes potentially damaging information."

Epes said he doesn't know how his personal information was obtained. He is not a current student and hasn't taken full-time classes at VCU for years.

He said his personal information also was released a couple of years ago when he and his wife took a swing dance course at J. Sargeant Reynolds Community College.

"I had to do the same thing I'm doing now -- contact credit bureaus, put fraud alerts on accounts, and cross my fingers nothing bad happens," Epes said.

In September, VCU said the names, Social Security numbers and e-mail addresses of about 2,100 current and former students had been online for eight months, because of human error.

The university reported that the personal information of freshmen and graduate engineering students from the fall semester of 1998 through 2001 was unintentionally placed in a folder available on the Internet.

Human error was cited in both the November and September incidents.

Also, a former VCU student pleaded guilty two months ago in federal court to illegally acquiring the log-in names and passwords for the e-mail and online accounts of many students and university staff members.

Mark D. Willis, VCU's chief information officer, said the university is moving aggressively to identify and eliminate areas where Social Security numbers the main culprit in identity thefts -- may be exposed.

main page ATTRITION feedback