Stolen UC Berkeley Laptop Exposes Personal Data on 100,000

March 29, 2005
Thief was able to walk into campus office and walk out with personal info on thousands

SAN FRANCISCO (AP) - A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.

University officials waited until Monday to announce the March 11 crime, hoping that police would be able to catch the thief and reclaim the computer. When that didn't happen, the school publicized the theft to comply with a state law requiring consumers be notified whenever their Social Security numbers or other sensitive information have been breached.

The law is meant to alert people that their personal information could be used by scam artists to obtain loans or conduct other business under an assumed identity.

UC Berkeley plans to advise the 98,369 people affected by the laptop theft to check their credit reports, although there has been no indication any of he personal information has been used illegally, university spokeswoman Maria Felde said.

"The campus really regrets this happened and is taking steps to strengthen security in the future," Felde said. The university has set up a hotline, 1-800-372-5110, and a Web site, http://newscenter.berkeley.edu/security/grad/ to answer questions about the laptop theft.

The UC Berkeley incident follows several other high profile instances in which businesses and schools have lost control of personal information that they kept in computer databases.

Recent breaches have occurred at: ChoicePoint Inc., a consumer data firm duped into distributing personal information about 145,000 people; Lexis-Nexis, a data storehouse where computer hackers obtained access to the personal information of 32,000 people; and Chico State University, where a computer hacking job exposed 59,000 people to potential identity theft.

Universities have accounted for 28 percent of the 50 security breaches of personal information recorded by California since 2003, said Joanne McNabb, the chief of the state's Office of Privacy Protection. That's more than any other group, including financial institutions, which have accounted for 26 percent of the breaches affecting Californians.

This is the second time in six months that UC Berkeley has been involved in a theft of personal information. Last September, a computer hacker gained access to UC Berkeley research being done for the state Department of Social Services. The files contained personal information of about 600,000 people. That security breach hasn't been linked to any cases of identity theft, Felde said.

The risks of identity theft have risen in recent years as technological advances make it easier for businesses, schools and other organizations to create vast databases containing Social Security numbers, credit card account numbers and other personal information.

All that valuable data has turned the computer storehouses into inviting targets for thieves who frequently don't have to work too hard to pull off their crimes.

Computer hackers create some of the mischief by circumventing high-tech firewalls, but 58 percent of the breaches recorded by California officials have occurred after a computer or other device containing personal information is lost or stolen, McNabb said.

The security risks of these incidents could be minimized if the caretakers of the personal information encrypted the sensitive information - a process that makes it virtually impossible to read the data without a special code.

The laptop stolen from UC Berkeley was supposed to be encrypted this month, Felde said. The computer, which required a password to operate, was left unattended for a few minutes in a restricted area of a campus office before someone walked in and stole it, Felde said. A campus employee witnessed the theft and reported it to university police.

Authorities suspect the thief was more interested in swiping a computer than people's identities. Felde said there been no evidence so far to indicate the stolen information has been used for identify theft.

The stolen laptop contained the Social Security numbers of UC Berkeley students who received their doctorates from 1976 through 1999, graduate students enrolled at the university between fall 1989 and fall 2003 and graduate school applicants between fall 2001 and spring 2004. Some graduate students in other years also were affected.

The stolen computer files also included the birth dates and addresses of about one-third of the affected people.