How To Get Help And File Complaints About Private Student Loans

To complete college and/or graduate-level study, many consumers took out student loans. According to the Consumer Financial Protection Bureau (CFPB):

"Student loans have now surpassed credit cards as the largest source of unsecured consumer debt... unlike federal student loans, private student loans do not generally have the same borrower protections such as military deferments, discharges upon death, or income-based repayment plans."

More help is available. The CFPB announced that it provides assistance for consumers who are experiencing problems with taking out a private student loan, repaying their private student loan, or managing a student loan that has gone into default and may have been referred to a debt collector:

• Before applying for loans, students should read the financial aid shopping sheet. Some consumers have already submitted feedback to the CFPB about what they want in this draft disclosure sheet. The CFPB will use this feedback in crafting future disclosure guidelines for lenders.
• Students who already have loans can use the Student Debt Repayment Assistant interactive, online tool to discover new repayment options.
• Borrowers who are experiencing difficulties paying loans, managing loans, or loans that have gone into default can now submit complaints at the CFPB website about private student loans. the types of complaints include: payment difficulties, confusing advertising or marketing terms, billing disputes, deferment issues, debt collection problems, and credit reporting issues.

Borrowers can also submit complaints to the CFPB via a toll-free phone number (1-855-411-2372), via fax (1-855-237-2392), and via postal mail (CFPB, P.O. Box 4503, Iowa City, Iowa 52244).

Private student loans are issued by banks, credit unions, schools, and similar lending institutions. If you aren’t sure what kind of loans you have, the CFPB advises students to visit the National Student Loan Database System for Students and select “Financial Aid Review” for a list of all federal loans made to you. Click each individual loan to see who the company is that collects payments from you.

Complaints about federal student loans (e.g., Direct, Stafford, Perkins, etc.) should be submitted to the U.S. Department of Education. The CFPB will automatically forward complaints it receives about federal student loans to the Department of Education.

Data Breach At City College Of San Francisco Affects Thousands

The San Francisco Chronicle reported that a data breach at the City College of San Francisco (CCSF) could affect tens of thousands of students, employees, faculty, and staff. After the Thanksgiving holiday, computer viruses were found installed on computers in the college's computer labs.

The computer viruses had been installed as long as 10 years ago, and transmitted stolen data to locations in several countries. The data stolen included personal banking and other sensitive personal data. According to the newspaper report:

"Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran... Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected."

The college has posted a page with frequently asked questions to assist its users. the page stated in part:

"Currently there is no evidence that any of the College’s main servers and databases held in trust by the College have been compromised. Our security consultants are still conducting their analysis but it appears at this time that the viruses focused on information taken off individual workstations and computer servers for student labs. Confidential student and employee information is held in trust and stored on District servers. Our network security consultants are continuing their analysis of the servers and we will communicate the results of this work as soon as it is available."

For users that have experienced identity theft or fraud, the college FAQ page directs users to the U.S. Federal Trade Commission (FTC) website for further assistance.

If this FAQ page is the extent of the breach notice by the college, then -- in my opinion -- it is woefully inadequate. It would seem that the data breach caught the school administration unprepared.

The notice should inform users about the results of the breach investigation and actions so this breach doesn't happen again. Since online banking credentials appear to have been stolen, that represents ways for identity criminals to access the bank accounts of breach victims to steal money and/or more personal information: personal data: full names, email addresses, street addresses, Social Security numbers, and mobile phone numbers. With this core personal data stolen, thieves can obtain credit fraudulently.

Given this, the breach notice should also provide contact information and links to the credit reporting agencies. Simply suggesting to users that they change their online passwords is not enough given the personal information exposed. If further fraud happens, the college needs to step in and provide free credit monitoring and resolution services.

Missouri State University Data Breach

Earlier this month, Missouri State University announced a data breach that affected 6,030 students in its College of Education. During October and November 2010, students' names and Social Security numbers were posted on an unsecure server connected to the Internet.

The affected students studied at the College of Education during 2005 through 2009. Reportedly, the university learned about the breach on February 22, 2011 when a person contacted the university about the breach.

As a result, the univeristy has disciplined the employee who posted the information online, worked with Google to remove the sensitive data from the search engine's web servers, provided affected consumers with complientary identity-theft insurance, and reported the breach to the Missouri Attorney General's office as required by law.

 

Report Cites Causes of Numerous Breach History in The State of Hawaii

A post last week covered several historical data breaches at the University of Hawaii. It seems that some government officials in the State of Hawaii are concerned and finally taking action about breaches across the state.

At the request of Hawaii State Senator Mike Gabbard, the Liberty Coalition, a Washington-based policy institute, analyzed the history and causes of all data breaches in the state since 2005. The trigger for this was the latest breach at the University of Hawaii which affected 40,000 students and alumni. Earlier this week, the Liberty Coalition issued Part 1 of its report (PDF format). Key findings from the report were pretty damning:

• "Since 2005, at least 479,000 Hawaii records have been breached: Almost one for every three residents."
• "The University of Hawaii is responsible for 54% of all breaches in Hawaii (259,000 records); more than all other Hawaii organizations combined."
• "As the single biggest contributor to Hawaii data breaches, the University of Hawaii has a pattern of breaches and unfulfilled promises."
• "Neither business nor academic organizations have adequate market incentives to keep personal information secure."
• "Breach notifications are vague and fail to empower victims. Victims cannot know which breach caused identity fraud, cannot hold organizations accountable, or protect themselves."

The breaches happened in a variety of ways, including hacking, lost or stolen laptops, negligence, or a combination of ways. I found this finding key:

"Although each breach event may differ slightly, Hawaii has a policy climate which does not give its citizens sufficient means to protect themselves from breaches. If identity fraud occurs, the entire burden rests on the individual to recover. In contrast, a breaching organization usually bears no responsibility to help victims recover."

That is a playing field heavily tilted toward businesses and against consumers,, students, and residents. The historical list of breaches in Hawaii since 2005:

1. June, 2005: University of Hawaii (UH) - 150,000 records
2. September, 2005: Internal Revenue Service (IRS) - 2,300 records
3. October, 2005: Wilcox Memorial Hospital - 130,000 records
4. November, 2005: Safeway - 1,400 records
5. April, 2006: NewTech Imaging - 40,000 records
6. January, 2007: Wahiawa Women, Infants and Children program (WIC) - 11,500 records
7. August, 2007: United States Postal Service - 3,000 records
8. April, 2009: Hawaii Department of Transportation - 1,892 records
9. April, 2009: UH - 15,487 records
10. June, 2009: A Hawaii Hospital ~1 record
11. November, 2009: Chaminade University - 4,500 records
12. February, 2010: UH Breaches - 35 records
13. April, 2010: Blood Bank of Hawaii's Donor Center - 25,000 records
14. June, 2010: Destination Hotels & Resorts - 500 records
15. June, 2010: UH - 53,821 records
16. October, 2010: UH - 40,101 records

The report's conclusion about the University of Hawaii:

"If UH had fulfilled its multiple promises to the Hawaii legislature and UH alumni, then all of its subsequent breaches would have been prevented or substantially mitigated. The fact that breaches continue to occur is evidence that UH has not implemented its policies, nor fulfilled its promises to the legislature. The Hawaii legislature must hold UH accountable..."

Business and higher education executives need to be fired, fined, and/or jailed. Or perhaps an entity needs to lose its funding temporarily. Business as usual is not acceptable. The report's conclusions about the state's existing laws about data ownership:

"Unfortunately, Hawaii law asserts, without legal precedent, that organizations may “own” or “license” personal information. The notion that organizations can “own” personal information is a threat to privacy because if you can own my personal information, you can own me. But intellectual property rights in personal information have little basis in law. Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable. Personal information is not patentable..."

A threat to privacy? If Hawaiian residents don't own their personal information, they have no control over it. That means, effectively, no consumer privacy.

Part 2 of the report is due during the coming months. I look forward to reading responses from the Governor and state senators about the report's findings. If the state's legislature fails to publicly debate and implement stronger breach laws with consumer protections, then I hope residents elect new state representatives during the next elections. Or maybe a dip in tourism will prompt the needed changes.

The Liberty Coalition is an independent public policy organization that focuses on issues about civil liberties, basic rights, and individual privacy. The coalition works with 80 partner organizations, operates the National ID Watch project, and the Privacy Commons.The report is good work.

The University of Hawaii Majors In Data Breaches

I love the Hawaiian islands. I have visited there twice. First in 1979 and then in 2004. The second trip was a cruise from Honolulu around the islands. The weather, food, and surf were enjoyable. Unfortunately, its university has suffered data breaches like other colleges and universities around the USA.

In July 2010, the University of Hawaii at Manoa announced a data breach with it Parking Office database affecting about 40,000 persons. The breach occured on May 30, was discovered on June 15, and breach victims were notified July 6. The data exposed included Social Security Numbers and personal information were exposed for thse individuals, plus information for 200 credit cardholders. A few weeks later, the number of affected persons was revised upwards to 53,000. Affected individuals included:

"UH Mānoa faculty and staff members employed in 1998... faculty and staff employed within the UH system in 1998 and any registered student at UH Mānoa in 1998... Anyone who had business with the UH Mānoa Parking Office between January 1, 1998, and June 30, 2009..."

Basically, a lot of people related to the university was affected. In its announcement, the university referred breach victims to a website page with information about how to access their credit reports. The university did not offer its breach victims any credit monitoring or credit resolution services. Not good. Organizations usually do this, but not the UH.

In its July 2010 announcement, the university said:

"To protect personal information from further unauthorized access, Social Security numbers are no longer used for parking transactions, and are being purged from all current and historic Parking Office databases. Additional security measures that are being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks."

The university is just getting around to implementing these security measures? That might be understandable if this was the university's first data breach. Sadly, it wasn't.

In June 2005 the University of Hawaii Library in Honolulu experienced a breach where the personal information of 150,000 students, faculty, staff and library patrons was exposed and stolen. At that time, the university used Social Security numbers to track who checked out library materials. A former employee gained access to the personal information and used the Social Security numbers to obtain fraudulent loans.

And in May 2009, the university experienced another breach at its Kapiolani Community College campus in Honolulu. In this breach, 15,487 students who applied for financial aid were affected after an information-stealing computer virus was found on one of its Internet servers. The infected computer was connected to a network with names, addresses, phone numbers dates of birth, and Social Security numbers.

So, with this breach history the parking office is just getting around to removing Social Security numbers from its databases? Five years later?

But there is more. On October 29, 2010 the university experienced yet another breach. This breach at the University of Hawai'i West O'ahu (UHWO) in Pearl City included 40,101 records affecting students and alumni at both the UH and the University of Mānoa. The data exposed included names, Social Security numbers, birth dates, addresses and academic information. Reportedly, the faculty member who accidentally placed the files on an unencrypted Internet server retired before the breach was discovered.

This breach history makes me wonder if the University of Hawaii is serious about data security; if the senior executives at the school get that the school has a security problem. The school's latest announcement doesn't mention any training of faculty and staff about good data security habits. As Dark Reading noted:

"The vast majority of the breached information was placed online... by a now-retired Institutional Research Office (IRO) faculty member... he had [also] transferred large amounts of student information to his home computer for easier access. He deleted the remainder of this information after this breach came to light. The University of Hawaii has not commented on how many other faculty members have transferred student personal information to their home computers."

Sounds like the university needs a Chief Security Officer to help it develop some effective data security policies and then train the appropriate faculty and staff. Otherwsie, more breaches will likely happen. If the university already has a CSO, then it needs a new one.

Breach at Library Affects At Least 126,000 Florida Students

Last week, the College Center for Library Automation (CCLA) announced that it had experienced a data breach which exposed the sensitive personal information of 126,000 students at six colleges in Florida. During a computer upgrade at the CCLA, the breach victims' sensitive personal information was exposed on the Internet for five days from May 29 to June 2, 2010.

The CCLA provides all 28 of Florida's public colleges with library and information services. The breach notification (PDF) did not list the specific data items exposed or stolen. The notification advised affected students to place Fraud Alerts on their credit reports at the three major credit reporting agencies: Experian, Equifax, and TransUnion.

The company also provided a website with further information about the breach: www.cclaflorida.org/security. The website mentioned that breach victims included:

"Students, faculty, and staff members at the following Florida colleges: Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College."

This suggests that far more consumers than 126,000 students were affected by the breach. If I were a former employee at one of these schools, I'd want to know if my sensitive personal information was exposed/stolen, too. So, I wonder what the true number affected consumers is by this breach.

Since I started writing this blog in 2007, I have read dozens of breach notification letters. Frankly, this was one of the skimpiest and thinnest breach notifications I have read. Why?

First, the CCLA's breach notification didn't list the types of personal data items disclosed. It should have. And, the website didn't explain much more. The website did a good job of explaining the state law about what personal information triggers a breach notification:

"... individual's first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted: (a) Social security number; (b) Driver's license number or Florida Identification Card number; (c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."

The website described in a somewhat confusing and vague way the data items exposed/stolen:

"The personal information contained in the temporarily exposed records was incorporated into a longer string of alphanumeric information, and was not specifically identified by type of information in any way. The exposed data did not include any personal financial information such as credit card or bank account numbers, or any library usage records."

So, what exact data items were exposed? After reading this, I was left with the impression that full name, address, phone, birth date, Social Security number and driver's license data were exposed. The exact data items exposed/lost should have been clearly listed in both the breach notification and the website, since that indicates to consumers the seriousness of the breach, and what to do next.

Given the likely data items exposed/stolen, identity criminals have sufficient information to obtain credit fraudulently in the students' names: new loans, credit, credit cards and mortgages. Unfortunately, a new trend by identity criminals is the theft and use of children's Social Security numbers because their credit history is clean and easier to abuse.

Second, the breach notification didn't offer any free credit monitoring and resolution services to breach victims. This is standard practice by most companies after a breach: free credit monitoring services for a year or two. After all, the breach was CCLA's fault and not the breach victims' fault. Perhaps, each breach victim received a personal notification which included this offer.

If I were a victim of this breach, I'd assume the worst and would monitor my credit reports for fraudulent entries and not only place Fraud Alerts on my credit reports. Why? Some lenders may not comply with this. And consumers who have experienced fraud may need stronger protection, like Security Freezes for their credit reports. It is important to understand the differences between Fraud Alerts and Security Freezes.

Credit monitoring is helpful for consumers who are unfamiliar with both the financial/credit process and identity theft. These consumers often don't know what to do to protect themselves.

In my experience, students are often least informed about the dangers of identity theft versus identity fraud. Students often don't understand the financial/credit process and how valuable their clean credit is. CCLA could and should do a lot more to help its breach victims.

Some colleges and universities are providing cyber training classes to help students protect themselves online. And there is identity-theft information college students need to know. This data breach is an excellent opportunity for the CCLA and the colleges it supports to educate students about identity theft, identity fraud, and prevention tips. I can't think of a better function by a library and college.

What do you think?

College Offers Cyber Training For New & Current Students

As an information architecture professional, I have participated in website redesign projects for several colleges and universities. It's always a pleasure to make a college's or university's website easier to use and to navigate for the school's target audiences.

I was pleased to read about an upcoming event in October at Colin College in Texas titled, "Being a Cyber Smart Student- What You Do Now Can Affect You Later." It would be hard to find a truer title for this event. The event description:"

"Technology is a way of life for today's teens; however, what was cute in high school can have serious and long-term consequences in college and the real world. Dallas-Fort Worth Metroplex attorney, Lynn Rossi Scott, will discuss the pitfalls for college students, including copyright violations, identity theft, social networking, child pornography, cyberbullying, shaming, and sexting."

Hopefully, more colleges and universities will draw upon nearby privacy experts to offer similar training sessions to both current students and high school students. The identity theft risks are great, and both college students and high school students need the training. Learn more about tips for college graduates to avoid identity theft and fraud.

Boston Business Journal: BigBad Agency Closes

My former employer was in the news again this week. The Boston Business Journal reported:

"Digital marketing firm BigBad Inc. has shuttered... In recent years the firm has worked with the John F. Kennedy Presidential Library & Museum, Beth Israel Deaconess Medical Center, and Connecticut College, among others. BigBad’s board of directors voted to shut down the agency in March... At least one company that was a client when the agency closed received a letter notifying the company of BigBad’s closure..."

In March of this year, the Boston Business Journal reported the agency's problems. While the agency has taken down its website, its Facebook and Twitter pages were still available today.

I enjoyed working there at the company focused on the higher education and health care verticals. My projects included some really innovative website redesign work in 2009 for Wooster College, Miami University (Ohio), and other higher education website redesign projects that haven't yet launched. The iWooster application appeals to a wide variety of users, from prospective students to current students to alumni to parents of students.

What made my time at BigBad (about 18 months) really special was my coworkers... a really collaborative and supportive group of professionals. I wish them all the best and hope that we work together again soon.

Educational Credit Management Corporation Breach Affects 3.3 Million Borrowers

Well, it didn't take long. About 85 days into 2010, we now have the largest data breach of the year, by far.

Last week, the Education Credit Management Corporation (ECMC) announced in its web site that 3.3 million borrowers' sensitive personal data was stolen during a data breach. According to ECMC, the stolen data included:

"... names, addresses, dates of birth and Social Security numbers. No savings, checking or credit card information was included in the data."

This is not good. Not at all. First, a breach with a huge amount of sensitive data like this indicates a breakdown in security, employee training, or both. This huge amount of data should never be this vulnerable on any type of storage media: USB drive, external hard drive, portable device, or whatever.

Second, identity criminals can do a lot of damage with this stolen data types: from apply for fraudulent loans to sell victims' Social Security numbers to undocumented immigrants to use to gain employment.

ECMC insures more than $11 billion in student loans for the U.S. Department of Education. The data was stolen from the company's St. Paul, Minnesota headquarters during the weekend of March 20 - 21.

Yesterday, the Wall Street Journal reported:

"ECMC said the stolen information was on a portable media device... simple, old-fashioned theft... It was not a hacker incident... It plans to notify affected customers in writing this week... ECMC also owns Premiere Credit LLC, a federal student-loan collection agency. No Premiere accounts were affected by the theft... Federal student-loan guarantors such as ECMC, USA Funds and American Student Assistance have contracts with the federal government to insure student loans against default... ECMC is the designated guarantor for loans in Oregon, Virginia and Connecticut, but borrowers from all states could be affected."

What is particularly nasty about this theft is that many borrowers, students, represent a vulnerable consumer segment. This consumer segment is often the least experienced and prepared about identity theft and fraud. They don't have the awareness, knowledge and funds (yet) to monitor their credit reports for fraudulent loans and other activity, plus subscribe to credit monitoring and resolution services.

In my opinion, ECMC has done the minimum: arranged for only 12 months of free credit monitoring services for its breach victims. I expected a far longer period of free credit monitoring services. Four years minimum seems sufficient to me, since it allow the students to complete (and keep the focus upon) their education and enter the workforce. To ECMC's credit, the company-arranged services from Experian include both credit monitoring and credit resolution (PDF).

While many colleges and universities have policies about identity theft and data breaches for staff and faculty, only a handful of higher education institutions have produced identity theft prevention events for students. This massive breach could be an opportunity for insurers like ECMC to show how much they care -- to do more than the minimum. Provide a longer period of free credit monitoring/resolution services, plus support and fund college-based identity-theft education and prevention programs.

A Really Damaging Data Breach At the University of North Carolina

This blog does not cover every breach incident; only the ones with broad implications or where the organization should do more to help its breach victims. Campus Technology reported last week:

"A data breach that took place in 2007 at the University of North Carolina at Chapel Hill and was discovered in late July 2009 is finally being reported to victims by letter. University staffers reported that they believe the security breach exposed social security numbers for about 114,000 women, although about 180,000 records were potentially exposed as a result of the incident."

You can read online the breach notification letter (PDF format) from the University and its explanation of the breach event (PDF format). The following illustrates just how damaging this data breach was:

The women's records were part of a multi-year medical research study, the Carolina Mammography Registry, which collects and analyzes data from 31 sources in seven states using software developed by the university. The records also contained names and in many cases dates of birth, addresses, phone numbers, demographic information, insurance status, and health history information."

In my opinion, the University should do more beyond referring its breach victims to the three major credit-reporting agencies to file Fraud Alerts. The University should:

• Pay for at least five years of credit monitoring services for the breach victims, due to the ongoing threat to their financial accounts
• Pay the Security Freeze fees at all three major credit-reporting agencies, so the breach victims can lock down their credit reports
• Provide its breach victims with a user-friendly web site, and not a couple PDF documents, with ongoing status information about the breach incident investigation, what the university is doing to fix the problem, and what the university is doing to prevent further data breaches

Binghamton University Students Circulate Petition For Removal of CISO

This InformationWeek news article caught my attention:

"Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room. The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9."

First, kudos to the student reporter. Sloppy and poor data security should be reported. Second, the school's CISO should lose his/her job. This type of data breach happens far too often in higher education institutions:

"A recent report, "Breaches in the Academia Sector," by John Correlli of JMC Privacy Consulting Group, noted that from 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States. Eighty-nine of those incidents followed from unauthorized access, 45 came from accidental online exposure, and 37 were the result of a laptop theft. And of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities."

The news broadcast from the local FOX television affiliate:

The good news: the Binghamton students "get it." They understand the importance of good data security and the consequences of poor data security. They understand the importance of accountability... of holding the proper person responsible. That person is the CISO.

Too bad that the University's officials don't get it.

Identity Theft Prevention Events at College And University Campuses

Any review will discover that the nationwide statistics for data breaches include colleges and universities. Colleges and universities archive the sensitive data about a wide range of consumers: students, applicants, alumni, parents, faculty, and employees.

Unlike corporations, most colleges and universities are transparent with their breach notices and disclose the number of records stolen or lost. Some of the larger data breaches* among higher education:

• Boston College: march 2005: computer system hacked: 120,00 records
• Tufts University; April 2005: computer system hacked: 106,000 records
• University of Utah: August 2005: computer system hacked: 100,000 records
• University of Texas McCombs School of Business: April 2006: computer system hacked: 197,000 records
• Ohio University: April 2006: computer system hacked: 300,000 records
• Western Illinois University: June 2006: computer system hacked: 180,000 records
• University of California at Los Angeles: December 2006: computer system hacked: 800,000 records
• University of Miami (Florida): April 2008: stolen computer tapes: 2.1 million records
• University of Utah Hospitals and Clinics: June 2008: stolen billing records: 2.2 million records

I was pleased to read that several colleges and universities are conducting identity-theft awareness and prevention events for students, faculty, and staff:

• "Protecting Yourself Against Identity Theft Lunch and Learn" on October 28, 2008 at the University of Baltimore to provide, "steps one can take to minimize the risk of identity theft. This training will highlight precautionary measures in addition to key facts and protection essentials."
• Miami University (Ohio) will conduct several events during October 28 - 30, 2008. Topics include "Computer Break-ins: From Beginning to Prosecution," "Security Awareness: Payment Cards," "Music and Video Downloads: Avoiding Legal Trouble," and more.
• On November 7, 2008 the University of Illinois will conduct a "Personal Privacy: Protecting Your Identity" session on identity theft
• Texas Tech University and the University of the Pacific both provide scam warnings, prevention, and recovery resources for their communities to protect against ID-theft

If you are a parent, its a good idea to encourage your son or daughter to attend any identity-theft training sessions at their school. If you are a student or faculty member, it's in your own best interest to attend events at your school. If your college or university doesn't provide identity-theft prevention training, ask them why they don't and when they will.

*Source: Chronology of Data Breaches, Privacy Rights Clearinghouse