Last week, the College Center for Library Automation (CCLA) announced that it had experienced a data breach which exposed the sensitive personal information of 126,000 students at six colleges in Florida. During a computer upgrade at the CCLA, the breach victims' sensitive personal information was exposed on the Internet for five days from May 29 to June 2, 2010.
The CCLA provides all 28 of Florida's public colleges with library and information services. The breach notification (PDF) did not list the specific data items exposed or stolen. The notification advised affected students to place Fraud Alerts on their credit reports at the three major credit reporting agencies: Experian, Equifax, and TransUnion.
The company also provided a website with further information about the breach: www.cclaflorida.org/security. The website mentioned that breach victims included:
"Students, faculty, and staff members at the following Florida colleges: Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College."
This suggests that far more consumers than 126,000 students were affected by the breach. If I were a former employee at one of these schools, I'd want to know if my sensitive personal information was exposed/stolen, too. So, I wonder what the true number of consumers affected by this breach is.
Since I started writing this blog in 2007, I have read dozens of breach notification letters. Frankly, this was one of the skimpiest and thinnest breach notifications I have read. Why?
First, the CCLA's breach notification didn't list the types of personal data items disclosed. It should have. And, the website didn't explain much more. The website did a good job of explaining the state law about what personal information triggers a breach notification:
"... individual's first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted: (a) Social security number; (b) Driver's license number or Florida Identification Card number; (c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."
The website described in a somewhat confusing and vague way the data items exposed/stolen:
"The personal information contained in the temporarily exposed records was incorporated into a longer string of alphanumeric information, and was not specifically identified by type of information in any way. The exposed data did not include any personal financial information such as credit card or bank account numbers, or any library usage records."
So, what exact data items were exposed? After reading this, I was left with the impression that full name, address, phone, birth date, Social Security number and driver's license data were exposed. The exact data items exposed/lost should have been clearly listed in both the breach notification and the website, since that indicates to consumers the seriousness of the breach, and what to do next.
Given the likely data items exposed/stolen, identity criminals have sufficient information to obtain credit fraudulently in the students' names: new loans, credit, credit cards and mortgages. Unfortunately, a new trend among identity criminals is the theft and use of children's Social Security numbers because their credit history is clean and easier to abuse.
Second, the breach notification didn't offer any free credit monitoring and resolution services to breach victims. This is standard practice by most companies after a breach: free credit monitoring services for a year or two. After all, the breach was CCLA's fault and not the breach victims' fault. Perhaps, each breach victim received a personal notification which included this offer.
If I were a victim of this breach, I'd assume the worst and would monitor my credit reports for fraudulent entries and not only place Fraud Alerts on my credit reports. Why? Some lenders may not comply with this. And consumers who have experienced fraud may need stronger protection, like Security Freezes for their credit reports. It is important to understand the differences between Fraud Alerts and Security Freezes.
Credit monitoring is helpful for consumers who are unfamiliar with both the financial/credit process and identity theft. These consumers often don't know what to do to protect themselves.
In my experience, students are often the least informed about the dangers of identity theft versus identity fraud. Students often don't understand the financial/credit process and how valuable their clean credit is. CCLA could and should do a lot more to help its breach victims.
Some colleges and universities are providing cyber training classes to help students protect themselves online. And there is identity-theft information college students need to know. This data breach is an excellent opportunity for the CCLA and the colleges it supports to educate students about identity theft, identity fraud, and prevention tips. I can't think of a better function for a library and college.
What do you think?