A former Southeast Missouri State University employee has been indicted on two charges of identity fraud and one charge of computer trespass after being found in possession of 800 student names and Social Security numbers.
William Elum, hall director of Dearmont during the 2006 to 2007 school year, was arrested May 27 in Atlanta. While no students have reported credit fraud as a result of the leak, Elum is accused of trying to access two student accounts.
"I haven't seen any evidence that these data have been misused beyond the attempt the employee used to log on to our system in other students' names," said Dr. Dennis Holt, vice president for administration and enrollment management.
Nevertheless, university administrators are recommending students place a fraud alert on their consumer credit file and also a security freeze on accounts at credit bureaus.
Holt said the employee left Southeast in June 2007. In April misuse of information was detected when the technology office reviewed activity logs. Students were notified of the breach through a letter mailed Thursday.
Holt said the delay in notifying students was caused by the time it took to identify which students were affected; some files were corrupt or had been duplicated.
Students can log into a Southeast portal to access grades, enroll in courses and pay bills. A user ID and password is needed, neither of which are a student's Social Security number.
"There is some evidence he knew about particular people beyond their Social Security number" in the two accounts invaded, Holt said. He characterized the employee as "more mischievous than anything else" because there is no evidence Elum did anything but access the accounts.
Information and suspicions were turned over to Georgia authorities. According to Georgia Tech's Web site, Elum was employed as a hall director at the university during the 2007 to 2008 school year.
"In Georgia, unauthorized possession of such data is a felony. In Georgia you don't have to show the person used the data in any inappropriate way. Possession is enough," Holt said. While court documents were not immediately available, personnel of the Superior Court of Fulton County said Elum is scheduled to be in court June 30.
Elum left Southeast on his own initiative, Holt said. "From what we know, it appears the former employee downloaded [the data] onto a laptop," he said.
When the breach occurred, the university was in the process of converting from using a Social Security number as identification to a special ID. Holt said that "in the future, this kind of activity will not be possible for people in that position."
This is the first time the university has had a wide-scale threat of identity theft. Affected students are encouraged to place a fraud alert and security freeze on credit reports, free to Missouri victims of identity theft.
"Really those are the only two options nowadays," said Shawn Asmus, the chief information security officer with Technology and Networking/ASC, a Cape Girardeau company that helps manage IT services and security.
According to the national credit reporting company Trans-Union, "A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you." However, its Web site warns, "It also may delay your ability to obtain credit." A security freeze does not allow third parties to access credit reports without an individual's consent, according to TransUnion.
Southeast has established a Web site with information about identity theft, available at www.semo.edu/identityalert.