Investigation of data theft ongoing

By Jocelyn Wright     9/23/10 7:00pm

Two weeks after data theft was announced via campus e-mail Sept. 10, the Rice community is still trying to piece together exactly what happened and how such an incident can be prevented in the future.All of the 7,250 affected people were sent letters delivered to their campus and home mailing addresses, when available, Sept. 17 with steps to prevent identity theft.

The device, which Rice University Police Department declined to name citing security reasons, was stolen from an off-campus location near Rice. The theft is still being investigated by RUPD in conjunction with the Houston Police Department, RUPD Captain Dianna Marshall said. RUPD has pursued some leads and will continue to pursue leads as they receive them, but no further progress has been made on the investigation as of Sept. 22.

As of Wednesday, Rice still had no evidence that the data had been used maliciously, Director of News and Media Relations B.J. Almond said. Rice will only know of these incidents if they are reported by affected students, faculty or staff to RUPD. Almond said RUPD had received a few calls reporting credit fraud, but these cases were determined to have taken place before the device was stolen.

---

---

In order to determine whether the stolen data has been used, Almond said Rice is looking for a spike in the number of reported incidents to RUPD by students and employees that their numbers were being used to open unauthorized credit accounts. The credit-monitoring service provided by Rice through TransUnion to all victims of the data theft is designed to inform employees when an individual tries to use their information to open a credit account. Rice is providing the service, which costs $12 a month for personal use according to the TransUnion website, free of charge for one year. Physics Professor Stanley Dodds said the service was costing Rice $39 for each person who signed up for the year. Almond said the monitoring would last for a year because, in cases of stolen personal information, identity theft generally takes place after the first month.

During the first four days following the receipt of letters informing identity theft victims, 10 percent of the recipients signed up for the credit monitoring service through TransUnion. Business Process Consultant Daniel Fu said typically between 15 and 28 percent of recipients of such letters will enroll in a credit monitoring service. Victims of the identity theft have until Dec. 31 to register for the credit monitoring service using the unique codes provided in their letters.

Wiess College Master Mike Gustin said while he appreciated Rice offering the credit-monitoring service, registering was a fairly time-consuming process.

"It's a bit of a hassle to use," Gustin, a Biochemistry professor, said. "It took out a good chunk of my day ... multiply me by everyone in the department, and it's a big time-sink for the university."

Despite these inconveniences, though, Gustin said he felt that overall, the university had handled the theft well.

Three lunchtime information sessions for data theft victims were held Sept. 17, 22 and 23, and another Spanish-language information session was held in the afternoon Sept. 22. Between 70 and 80 people attended each session, Fu said. Most of the questions during the session focused on learning about how the theft occurred, whether the data had been misused, what was being done to prevent similar incidents and how the credit monitoring service works, Almond said.

"Most people have been civil, and some have expressed how upset or angry they are by the data theft, and it's certainly understandable they would feel that way," Almond said.

The data theft has also brought to light questions about Rice's general policies for the handling of sensitive information.

Almond said Rice does not advocate that employees take home secure information or copy it onto personal devices.

"Employees have a responsibility to prevent unauthorized access to confidential information," Almond said.

Furthermore, Almond said access to highly confidential information contained on BANNER, which includes human resources information, payroll, finance and student data, is restricted to administrative positions with appropriate levels of responsibility. Written authorization from supervisors is required and reviewed annually for access to BANNER, Almond said.

Almond also stressed the importance of vigilance across all campus departments to ensure data was properly encrypted and secured to prevent its malicious use. Information Security Officer Marc Scarborough said he strongly encouraged all departments to take advantage of the encryption services offered by his department.

Gustin said he was surprised when he first received the letter but that he feels Rice is fortunate that it has not yet heard of anyone who has been negatively impacted and that so far the university is handling the incident well.

"I think maybe in a way, so far, we've dodged a bullet," Gustin said. "Although when it spills, it spills, and it's not entirely possible to clean everything up, so far I think everything's been OK."

However, Dodds said that while a loss of confidential data from time to time does happen, institutions should take precautions to ensure that does not happen.

"What it usually comes down to is that the data would never, ever leave a secure server," Dodds said. "It should never be downloaded to anything else. Rice, evidently, didn't do that."

He added that if this incident had taken place in a national lab or in a company, the employee responsible for the data theft would be fired. At the information session about the theft, Dodds said Vice Provost for Information Technology Kamran Kahn would neither confirm nor deny that the person responsible for the theft had been fired.

"It's simply gross incompetence - we have an inadequate or inadequately enforced data security plan, and these events have occurred," Dodds said. "It shouldn't have been possible for it to occur either by training or by technical design.

---