62°F
weather icon Mostly Cloudy
Las Vegas, NV
News

College may never know if any information stolen

May 22, 2007 - 9:00 pm
 

On May 11, 49-year-old Mary Wilcox was warned that her Social Security number and date of birth might have been stolen by a hacker who accessed a server at the Community College of Southern Nevada.

Five days later, she was scrambling to contact her credit card companies and her bank after she was told that someone had tried to make a $1,000 purchase on her credit card.

"I don't know if that's (because of) them (CCSN) or not, but I'm assuming it is," said Wilcox, an ultrasound technician who attended classes at the college more than four years ago.

As of Friday morning, the college had received 1,016 phone calls and 127 e-mails from people since it announced the week before to nearly 200,000 current and former students that their Social Security numbers may have been stolen.

None of those calls were from people who had had their identities stolen, according to Rand Key, the college's executive vice president for planning and development.

"Most people are quite understanding about it," he said in between returning more than 100 phone calls from people who had called the college's identity theft hot line and been bumped up the chain of command to his office.

College officials said there was no indication that anything was stolen from the institution's server, which contained the names, dates of birth and Social Security numbers of 197,518 students dating back to 2000.

An internal investigation on the server produced no evidence that any personal information was taken or accessed, and a five-week forensic analysis by a third party came to the same conclusion.

There may ultimately never be a way to know whether any information was taken from the server, and college officials don't expect charges to be brought against the culprit.

But even if Wilcox's incident was caused by the security breach, college officials maintain that the college is exempt from any damage caused by the incident and isn't paying for a credit-monitoring service for those who might have been effected because there is no proof.

The college's response to the incident has also come under criticism by those who might have had their information placed at risk.

Key acknowledged that callers' primary complaint was that they weren't informed sooner.

But he said college officials waited because they didn't know the extent of the breach.

On top of the internal and forensic reviews of the server, the college also had to wait for the printing and mailing of the 200,000 letters to students, he said.

Other colleges have immediately notified their students about security breaches because the colleges had evidence that information had been accessed or taken, he said.

He said Community College of Southern Nevada officials looked at how those colleges handled similar situations, and their research found that only Berry College had paid for access to a credit reporting agency for its victims.

At Berry College, a private college in northwest Georgia, financial aid data of more than 2,000 students was "misplaced" by a consultant in September. The information contained the names, Social Security numbers and family incomes of the students.

At the college's expense, the effected students were allowed to access a major credit reporting agency over the next 12 months, even though officials said they had no reason to believe the information was taken or used fraudulently.

Educational institutions are among the most targeted for hackers, according to the Identity Theft Resource Center, a national nonprofit organization that provides research and help to victims of identity theft.

In 2006, there were more than 300 publicized security breaches, including electronic breaches like the one in Southern Nevada, affecting nearly 20 million people, according to the center.

Education breaches made up 28 percent of the total, just under the number of government and military breaches.

Linda Foley, founder of the Identity Theft Resource Center, said educational institutions are frequent targets because they often can't spend as much money as private companies on security.

But she defended CCSN after looking at the way the college handled the situation, including the length of time it took to notify students.

"You don't want to create alarm unless (it's) necessary," she said. "The administration sounds like it's trying to do the right thing."

An organization will often wait to notify possible victims until it has verified the nature of the attack, she said.

Foley advised those who might be effected to extend their free 90-day fraud alert when it expires.

The college has set up its own Web site, www.identityprotect.ccsn.edu, where students can find instructions on how to place and extend a fraud alert. People can also call (866) 264-1290 for more information.

The Associated Press contributed to this report.

MOST READ
Don't miss the big stories. Like us on Facebook.
THE LATEST
Coffee beans are prepared at a farm in Braganca Paulista, Brazil, Monday, Aug. 4, 2025. (AP Pho ...
Will Brazilian coffee, beef and tropical fruit still be tariffed?
By Elénore Hughes Associated Press

Brazilian Vice President Geraldo Alckmin said Saturday that Brazilian exported goods to the U.S. including coffee, beef and tropical fruits would still be tariffed 40%, despite President Donald Trump’s decision to remove some import taxes.

MORE STORIES