A stolen Cornell University computer has compromised the personal information of thousands of members of the University community. The computer contained the names and social security number of current and former students as well as current and former faculty and staff members.
An e-mail obtained by WVBR said that currently, no misuse of this sensitive information has been found. Also in the message, Cornell said that they have enlisted the help of Kroll Fraud Solutions to “provide fraud counseling and credit monitoring services at the university’s expense.”
The University plans to notify those affected through letters to be sent out today. A call center will also be established and a set of frequently asked questions will be issued to those people whose information has been affected.
Source: WBVR
SC Magazine reports that the breach affected 45,277.
There is no information on Cornell’s site at the time of this posting, but the university press office confirmed that a computer had been stolen and that the university is investigating. A spokesperson said that he was aware of the email circulating that included a reference to 45, 277 affected, but that he would not comment on it, saying only that the university will be posting something to their web site when they have more information.
Update: an FAQ is now available on Cornell’s site. Some of the facts:
In June, 2009, a Cornell-owned computer that contained a large amount of administrative data was stolen. Our review of a current backup of the files on the system revealed that confidential personal data for about 45,000 current and former staff and students, and some dependents, had been present.
A member of the Cornell technical staff, who is responsible for supporting our central administrative systems, was using these files to correct transmission errors found in the processing of the files. The data was being used for troubleshooting. Cornell’s information security policies and guidelines do not allow unencrypted confidential personal data to be stored on any computer device that is not in a physically secured location. This employee’s actions, although unintentional, violated our policy and practices.