Add University of Mary Washington to any list you’re keeping of education entities that have reported a breach in 2016.
The university recently started notifying an unknown number of people that a university-issued laptop with names, addresses, and Social Security numbers was reported stolen in transit. The details of the theft were not disclosed, but the university learned of the theft from the employee on January 5.
It’s not totally clear from the notification letter whether this was employee data or student information. DataBreaches.net has yet to send an inquiry to UMW as (1) I haven’t found a media contact email address on their web site and (2) their social media (Twitter) team has yet to respond to an inquiry requesting the email info.
Update: I subsequently obtained the email address from the university’s Twitter team and sent them an inquiry. In response to my questions, university spokesperson Marty Morrison responded that both students’ and employees’ information was on the stolen laptop, and that approximately 4,100 people, total, were affected.
The laptop was stolen from the employee while the employee was in an Amtrak rail station.
Of note, it appears that there was a policy violation in this case. In response to my question asking whether the data were supposed to have been encrypted, Morrison replied:
UMW’s policy prohibits storing personally identifiable information on laptops. Per the policy, social security numbers can only be stored in prescribed areas where additional controls and safeguards are utilized. In this case, the policy was not followed.