A file containing the personal information of 7,250 students, faculty and staff, including names, birth dates, salaries, emergency contacts and Social Security numbers, was stolen from an off-campus location at the end of August. Rice announced the theft in an e-mail to the campus community Sept. 10. The Rice University Police Department is conducting the investigation of the theft in conjunction with the Houston Police Department. The device contained two files copied from a computer which contained the personal data of the 7,250 employees on Rice payroll as of January 2010. The data on the device was not encrypted. Senior Director of News and Media Relations B.J. Almond said the police requested he refrain from giving any additional details about the device or the information contained on it to prevent the thief from gaining any potentially useful information. As of Sept. 15, Almond said none of the information on the device had been used maliciously.
Approximately 2,270 people affected were undergraduate and graduate students, but only three students' Social Security numbers were stolen. Of the remaining faculty and staff, Almond estimated about 4,000 had their Social Security number stolen. There were also two employees whose bank account information was leaked. Almond said those two employees have already been notified of the theft.
All persons whose information was on the device have been sent a letter at their campus mailing address. The letter will contain a personalized code recipients can use when contacting TransUnion, a credit score reporting company, to sign up for a free year-long credit monitoring service paid for by the university.
Since each message sent out had to contain a unique code, Business Process Consultant Daniel Fu said the notifications had to be sent out as a letter and not an e-mail. Letters will also be sent to faculty and staff with home mailing addresses on file, and to the most current addresses available to affected former employees and students. These letters are expected to arrive next week. Almond said the delay in relaying information was due to the letters taking longer to prepare than expected.
"It took longer to print [the letters] and get the codes matched up than anticipated," Almond said.
In addition to the letter and the two e-mails sent out to all Rice e-mail addresses Sept. 10 and 14 with updates about the theft, the university put a series of frequently asked questions and answers online at dru.rice.edu.
Almond said there would also be three informational meetings for people to come and ask questions between noon and one today, Sept. 21 and 23. The first session will be held in Sewall Hall 309 and the subsequent two sessions will be held in the McMurtry Auditorium in Duncan Hall. Administrators are working to arrange a fourth meeting in Spanish.
Although Rice was aware of the theft at the end of August, Fu said Rice did not notify employees immediately because administrators will still figuring out what was on the device.
"Over the last two weeks, we've gone back to reconstruct the possibilities of the files that could have been on the device," Fu said. "When it became a likely possibility [that employees' personal data was on the device] we notified people."
After the initial e-mail was sent out Friday, Almond said various offices on campus received approximately 16 e-mails and 15 phone calls. Several people asked if the e-mail was a hoax, while others wanted to know if they were on the list and whose Social Security numbers were stolen. Others requested practical information such as how to place fraud alerts on their accounts or what to do if their identity was stolen.
This is the first time a theft of this kind has occurred at Rice, and the administration is taking steps to prevent a similar incident in the future. The Information Technology department is working to encrypt all files with sensitive data, Almond said, although an estimate of the time it will take to fully implement this policy is unavailable at this time.
"Rice already had systems that are secure and some computers that were already encrypted and are moving forward with other areas for implementing encryption," Almond said.
Although he is part of the crisis management team, Fu said he is hesitant to call this situation a crisis. He said the key in the situation was ensuring that people had the information they needed to protect themselves from any risk.
"It is not a case of identity theft," Fu said. "It's a risk of exposure that this information may be out there."
Fu urged students, faculty and staff to follow the information in the letters they had received, check their credit reports and remain vigilant. Even if their information was not stolen, the FAQs still urge students to place a 90-day fraud alert on their credit file, which they can do for free.
TransUnion has mutilingual employees trained specifically to deal with the Rice case, and Rice will provide all affected individuals with their contact information in the letter.