UVa laptop stolen, had sensitive data

April 16, 2008

By Brian McNeill


A laptop stolen from a University of Virginia employee contained sensitive information about more than 7,000 students, staff and faculty members. Stolen from an unidentified employee from an undisclosed location in Albemarle County, the laptop contained a confidential file filled with names and Social Security numbers.

"As soon as we learned about the theft, we starting moving as quickly as we could," UVa spokeswoman Carol Wood said.

UVa mailed out letters Monday to each person affected by the data breach. The university will publicly announce the incident today. The Albemarle County Police Department is investigating the theft. At the police department's request, UVa is releasing few details about the incident. Wood declined to say when the burglary occurred or which academic departments were affected. She did say, however, that the theft did not occur on UVa's campus.

Investigators apparently do not believe that the personal information was the target of the theft, according to the letter from James Hilton, UVa.s vice president and chief information officer.

"Although circumstances suggest the thief was not targeting this information and there is no evidence he or she has seen or is using your personal information, I am bringing this incident to your attention so you can be aware of signs of misuse," Hilton wrote.

Brian Reed, a graduate student in UVa's Curry School of Education, said he received a letter notifying him that his personal information had been exposed. He immediately notified the credit-rating agencies listed in Hilton's letter and filed a 90-day fraud alert.

"You hear all the stuff on the news about identity theft," Reed said. "I had this moment of panic."

Reed said he was "frustrated" that a UVa employee would keep his personal information on a laptop. Too many similar incidents have occurred at other universities and government agencies, he said, for UVa to store sensitive data anywhere other than on secure servers.

"This has happened many times before," he said.

A laptop stolen in February from a National Institutes of Health researcher may have contained medical records of 3,000 patients. Similar incidents have been reported at the City University of New York and the University of California, Berkeley.

The most recent data breach at UVa was discovered last June. An investigation by UVa police and the FBI found that hackers had accessed records of 5,735 faculty members on 54 days between May 20, 2005, and April 19, 2007. In that case, the faculty members. names, Social Security numbers and dates of birth were exposed. No credit card, bank account or salary data was tapped.

Wood said that no one has reported an instance of identity theft in connection with either last year.s privacy breach or the new laptop theft. The university has been phasing out its use of Social Security numbers as a personal identification number, Wood said, and is constantly reviewing and renewing its security procedures.

main page ATTRITION feedback