Educational Security Incidents (ESI)

Quick Facts

• Date: 4/17/2008
• Institution: Central Connecticut State University, Eastern Connecticut State University, Southern Connecticut State University, Western Connecticut State University, Buffalo State College, Northwest Missouri State University, SUNY Fredonia, SUNY Brockport, Monroe Community College, Jamestown Community College, Northwestern Michigan College, Niagara County Community College, Genesee Community College, Adirondack Community College, Binghamton University, SUNY Downstate Medical Center, Dutchess Community College, Herkimer County Community College, Orange County Community College, St. John Fisher College, Meridian Community College, Virginia Tech, Argosy University, Yeshiva University, St. John's University, Bryant & Stratton University
• Type of Incident: Theft
• Number Affected: 3,400 - Connecticut State University System Total, 16,000 - Buffalo State College, 1,100 - Northwest Missouri State University, 958 - SUNY Fredonia, 1,500 - SUNY Brockport, 20 - Monroe Community College, 950 - Jamestown Community College, 1,600 - Northwestern Michigan College, 1,202 - Niagara County Community College, 18 - Genesee Community College, 131 - Binghamton University, 2,000 - St. John Fisher College, Unknown - Meridian Community College, Unknown - Virginia Tech, 5,500 - Argosy University, Unknown - Yeshiva University, 6,000 - Herkimer County Community College, Unknown - St. John's University, Unknown - Bryant & Stratton College
• Source: Pogo Was Right
• Abstract Source: The News-Times
• Update1 Source: WIVB
• Update2 Source: Maryville Daily Forum
• Update3 Source: WBEN, WNED
• Update4 Source: Democrate and Chronicle, The Post-Journal, Mlive.com
• Update5 Source: The Buffalo News
• Update6 Source: Pipe Dream
• Update7 Source: Cardinal Courier Online
• Update8 Source: WTOK
• Update9 Source: WSLS
• Update10 Source: Maryland Attorney General Web Site
• Update11 Source: Maryland Attorney General Web Site
• Update12 Source: WKTV
• Update13 Source: Maryland Attorney General Web Site
• Update14 Source: Maryland Attorney General Web Site
• Update15 Source: The Observer-Dispatch

Abstract
The Connecticut State University System announced recently that a laptop stolen from SunGard Higher Education, a CSU System vendor, contained information on CSU System students. The laptop contained information such as names and Social Security numbers on 3,400 students from four different CSU System institutions. The affected students had attended Central, Eastern, Southern and Western Connecticut State University between September 2001 and December 2004. The laptop was password-protected but did not have any type of encryption. The information was given to SunGard to perform services for CSU System, but the information was retained longer then needed according to CSU System spokesperson Bernard Kavaler. SunGard Higher Education has setup a web site - www.sungardhe.com/laptoptheft - to help answer any question on the theft.

Update1
Buffalo State College is among the institutions affected by this theft. The stolen SunGard Higher Education laptop contained private information on 16,000 current and former students. The college has plans to begin sending out notification letters to all affected students. Buffalo State College is working closely with SunGard to determine which students were affected by this incident.

Update2
Northwest Missouri State University announced that was among the institutions affected by the SunGard Higher Education laptop theft. The SunGard laptop contained the names, Social Security numbers, and financial aid information on 1,100 Northwest Missouri students. The university is working with SunGard to identify and notify the Northwest Missouri students affected by this incident.

Update3
SUNY Fredonia was the latest university to announce that it has been affected by the theft of the SunGard Higher Education laptop. The stolen laptop contained personal information on 77 current Fredonia students as well as 881 alumni. Fredonia joins Buffalo State as two of the 12 SUNY System campuses affected by this theft.

Update4
Three more State University of New York campuses have announced the potential exposure of student data after the theft of the SunGard Higher Education laptop. SUNY Brockport is reporting a potential exposure of 1,500 records on individuals that included Brockport in their financial aid applications. Brockport is still working with SunGard to determine how many currently enrolled students were affected. According to a Monroe Community College spokesperson, the stolen latop contained personal information on 20 MCC students. The college has already mailed letters of notification to these individuals. The laptop also contained records on at most 950 Jamestown Community College students enrolled between 2001 and 2003. JCC is working closely with SUNY System and SunGard to determine which students are affected by this theft. Outside of the SUNY System, Northwest Michigan College announced that the stolen SunGard laptop contained information on 1,600 students from 2003. The college was just recently informed of the March 13 theft and is working quickly to mail notification letters to the affected individuals.

Update5
Niagara County Community College and Genesee Community College are two more SUNY campuses affected by the SunGard laptop theft. NCCC reports a potential exposure of 1,202 records while GCC reports a potential exposure of only 18 records. In addition to NCC, GCC, Buffalo State, SUNY Fredonia, SUNY Brockport, JCC, and MCC the other SUNY Campuses affected by this incident are: Adirondack Community College, Binghamton University, Downstate Medical Center, Dutchess Community College, Herkimer County Community College and Orange County Community College.

Update6
Binghamton University worked over the weekend to notify 131 individuals about the loss of personal information following the SunGard Higher Education laptop theft last month. In total, the university notified 11 current students and 120 applicants after it determined the SunGard laptop contained their names and Social Security numbers.

Update7
St. John Fisher College officials are working to notify current and prospective students after it was informed by SunGard Higher Education that college information was contained a stolen SunGard laptop. The laptop contained names and Social Security numbers on nearly 2,000 current and prospective students. In the notification letter college officials urge students to monitor their credit and state the SunGard will be offering 12 months of credit monitoring for free. St. John Fisher College has created a web site - www.sjfc.edu/announcements/security.asp - to help answer questions about the incident.

Update8
Meridian Community College recently announced that it was one of the campuses affected by the theft of a laptop belonging to a SunGard Higher Education employee. After working with SunGard, Meridian officials announced that the laptop did contain information, including Social Security numbers, on former Meridian students. Meridian Community College has notified all of the affected students by letter.

Update9
Virginia Tech is the latest university to announce that it was affected by the March 13th theft of a SunGard Higher Education laptop. The SunGard laptop contained information on It is not known who many individuals associated with VT were affected by this incident. According to VT Director of News & Information Mark Owczarski, the laptop contained personal information on individuals at Virginia Tech in 2000.

Update10
Argosy University sent letters to 5,500 students informing them that their personal information was contained on the SunGard Higher Education laptop that was stolen in March. According to the university individuals that may have applied for financial aid during 2001, 2002 or 2004 are affected.

Update11
Yeshiva University is alerting former students of the university's Benjamin N Cardozo School of Law about a potential exposure of personal information. SunGard Higher Education notified Yeshiva that a laptop stolen from one of SunGard's employees contained Yeshiva student information such as names, Social Security numbers, student loan identification numbers, other financial aid information and other data related to students status and enrollment at the Cardozo School of Law.

Update12
Herkimer County Community College announced that it was affected by the March SunGard laptop theft. The names and Social Security numbers of an unknown number of HCCC students.

Update13
PogoWasRight.org was able to obtain letter sent by St. John's University to the Maryland Attorney General's office notifying the state that the personal information of at least one Maryland student at St. John's was contained on the stolen SunGard laptop. According to the letter, the laptop appears to have contained St. John's student information such as name and Social Security number from 2001.

Update14
PogoWasRight.org was able to obtain letter sent by Bryant & Stratton College to the Maryland Attorney General's office notifying the state that the personal information of at least one Maryland student at Bryant & Stratton was contained on the stolen SunGard laptop. The information on Bryant & Stratton College students included names, address and Social Security numbers.

Update15
The total number of affected HCCC students is 6,000.

Quick Facts

• Date: 3/18/2008
• Institution: Binghamton University (SUNY)
• Type of Incident: Unauthorized Disclosure
• Number Affected 300
• Source: ESI
• Abstract Source: Press & Sun-Bulletin

Abstract
Binghamton University, part of the State University of New York system of colleges and universities, is alerting over 300 that their personal information was accidentally send to other BU students. An e-mail, sent by the Coordinator of Undergraduate Advising for the School of Management Brian Perry, contained the names, Social Security numbers and GPAs of junior and senior accounting major students. The e-mail was meant for faculty members to help decide awards for the year. However, this e-mail was accidentally sent to 288 marketing students at the university. Perry sent a second e-mail shortly after the first asking students to delete the first e-mail. In a letter to affected students, Vice President for Administration James Van Voorst apologized to students and referred them to the major credit bureaus for further assistance. BU spokesperson Gail Glover said that members of the School of Management, including Dean Upinder Dhillon, would also be available to assist students.

Quick Facts

• Date: 12/5/2007
• Institution: University of Buffalo
• Type of Incident: Penetration
• Number Affected: 1
• Source: ESI
• Abstract Source: The Spectrum Online

Abstract
University of Buffalo sophomore Derek Mascarenhas is struggling to deal with the apparent theft of his UBLearns account. Mascarenhas first noticed a problem with his UBLearns account when, after logging into the online system in October, he noticed that he had been resigned from all of his classes. According to Mascarenhas, his account had been accessed from the library between 12:19 p.m. and 12:21 p.m. on Oct 5, a time during with Mascarenhas was in classes, and resigned from all of his classes in a matter of minutes. After contacting the University about this issue, Mascarenhas was told he would have to get signatures from his professors before being allowed back into the classes. However, Mascarenhas was reinstated in his classes prior to obtaining these signatures a bit later. Even though Mascarenhas changed his password immediately after discovering the problem, he was once again resigned from his classes on Oct 17 from another public access computer. Again, Mascarenhas was was in class when this issue occurred. After contacting the university about this problem again, the university began auditing all of Mascarenhas publically available information including Google searches, Mascarenhas' Facebook account as well as the Facebook accounts of Mascarenhas' girlfriend and his former roommate. After against being told he would need to obtain signatures from his professors, Mascarenhas was reinstated in all of his classes within a week. Mascarenhas attempted to contact the university officials investigating the incidents to find out how this could have happened. However, according to Mascarenhas, he was told that the investigation was done "for the school and not for the individual". In an e-mail, UB vice president of Student Affairs Dennis Black has this to say, "he breach could have resulted from many causes. Some of the possibilities are: a roommate watching a login, leaving a logged-in machine unattended, an angry girlfriend/boyfriend with whom he has shared his password, a compromised machine with a password logger or use of the campus wireless network without using the campus VPN (Virtual Private Network)."

Quick Facts

• Date: 5/19/2007
• Institution: State University of New York, Stony Brook
• Type of Incident: Unauthorized Disclosure
• Number Affected: 89,853
• Source: ESI
• Abstract Source: Stony Brook Independent

Abstract
State University of New York, Stony Brook is alerting faculty, staff, student and alumni about a recent security incident. Stony Brook discovered that the personal information, including Social Security Numbers, on almost 90,000 Stony Brook individuals was available through Google Cache for two weeks. According to the university, there was an error while reconfiguring the Health Sciences Center library's web site. The university believes this error was not intentional, but is still investigating the incident. SUNY Stony Brook has created a web site - www.stonybrook.edu/sb/disclosure/ - and setup a hot line - 866-645-5830 - to provide more information to affected individuals.

Quick Facts

• Date: 12/05/2006
• Institution: Nassau Community College
• Type of Incident: Theft
• Number Affected: 21,000
• Source: ESI
• Abstract Source: Newsday

Abstract
Someone stole a print out containing information on the entire Nassau Community College students body. All told, this print out contained the Social Security numbers, name, address and phone number on more then 21,000 NCC students. According to NCC officials, this list was stolen off the desk of an employee in the NCC Student Activities Office when this employee stepped away for about 10 minutes. NCC is offering one year of free credit monitoring for all student affected by this incident. Nassau County Police, FBI and DHS were all notified of this incident.