ORONO – The sensitive personal data of more than 600 current and former University of Maine students, including their names and Social Security numbers, were compromised after the theft of a faculty member’s laptop, the university said Wednesday.
The breach occurred when a university-issued laptop computer belonging to a physics professor at UMaine Orono was stolen from his checked baggage Feb. 10 on a flight from Seattle to Boston, UMaine spokeswoman Margaret Nagle said.
The laptop contained sensitive records of 604 students who were enrolled from 1999 to 2007, including names, Social Security numbers, phone numbers, email addresses, grade data and course information, she said.
The names and course information of another 337 current and former students were also on the laptop, Nagle said. After 2007, the university stopped using students’ Social Security numbers as student ID numbers, and began using unique numbers to identify students. The laptop that was stolen also contained records from before the change was made.
It is at least the second time in three years that a computer attack has exposed UMaine students’ Social Security numbers. In 2012, UMaine’s server was breached by hackers through Computer Connection, a computer store that primarily served UMaine, included 2,818 “unique identifiers,” including as many as 435 credit card numbers and 1,175 Social Security numbers.
The computer stolen this month was password-protected, Nagle said, but the sensitive student data were on a removable media card that was not encrypted.
The physics professor, who was not named, reported the theft to the university after returning from travel on Friday, she said. School officials then worked to establish exactly what data were stolen.
When asked why the faculty member didn’t inform the university about the theft on Feb. 10, when the laptop was stolen, Nagle said only that the faculty member reported it upon returning to Maine on Friday.
She would not say whether there would be repercussions for the faculty member, saying it was considered a personnel issue.
The university system’s general counsel reported the data breach to the Office of the Maine Attorney General, a requirement of the state’s Notice of Risk to Personal Data Act.
The theft of the laptop was also reported to the airline and Massachusetts State Police.
Nagle said the university would also take steps to tighten security going forward, although she did not say what specific measures would be taken.
“Any time an incident like this occurs, anywhere, we take it as an opportunity to strengthen our security posture and remind all members of the university community of the need to protect sensitive data – from research data to personnel and student records,” she said.
All of the students whose information was on the laptop attend or have attended physics classes at the Orono campus, Nagle said. Students whose Social Security numbers were stolen will be notified by mail and offered a year of free identity-theft protection, she said.
Nagle said she didn’t know why information about former students was still on the computer.
She said all university employees are required to attend annual training sessions on proper handling and storage of sensitive data. However, the school does not have explicit data-security policies that require steps such as encryption or purging of sensitive data that is no longer needed, she said.
“All campus staff are expected to take precautions,” Nagle said.
Although each campus has an inventory of university issued laptops, the system office does not keep a centralized database of all laptops issued to UMaine System personnel throughout the state.
Staff Writer Noel K. Gallagher contributed to this report.
J. Craig Anderson can be contacted at 791-6390 or at:
Twitter: jcraiganderson
Send questions/comments to the editors.
Comments are no longer available on this story