December 13, 2018

Berkeley to victims of personal data theft: "Our bad"

Last week I and 98,000 other lucky individuals received the following letter:

University of California, Berkeley
Graduate Division
Berkeley, California 94720-5900

Dear John Alexander Halderman:

I am writing to advise you that a computer in the Graduate Division at UC Berkeley was stolen by an as-yet unidentified individual on March 11, 2005. The computer contained data files with names and Social Security numbers of some individuals, including you, who applied to be or who were graduate students, or were otherwise affiliated with the University of California.

At this time we have no evidence that personal data were actually retrieved or misused by any unauthorized person. However, because we take very seriously our obligation to safeguard personal information entrusted to us, we are bringing this situation to your attention along with the following helpful information.

You may want to take the precaution of placing a fraud alert on your credit file. This lets creditors know to contact you before opening new accounts in your name. This is a free service which you can use by calling one of the credit bureau telephone numbers:

Equifax 1-800-525-6285     Experian 1-888-397-3742     Trans Union 1-800-680-7289

To alert individuals that we may not have reached directly, we have issued a press release describing the theft. We encourage you to check for more details on our Web site at http://newscenter.berkeley.edu/security/grad. The following Web sites and telephone numbers also offer useful information on identity theft and consumer fraud.

California Department of Consumer Affairs, Office of Privacy Protection:
http://www.privacy.ca.gov/cover/identitytheft.htm

Federal Trade Commission’s Website on identity theft: http://www.consumer.gov/idtheft/

Social Security Administration fraud line: 1-800-269-0271

Unfortunately, disreputable persons may contact you, falsely identifying themselves as affiliated with UC Berkeley and offer to help. Please be aware that UC Berkeley will only contact you if you ask us, by email or telephone, for information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

UC Berkeley deeply regrets this possible breach of confidentiality. Please be assured that we have taken immediate steps to further safeguard the personal information maintained by us. If you have any questions about this matter, please feel free to contact us at or toll free at 1-800-372-5110.

Sincerely,
Jeffrey A. Reimer
Associate Dean

In a few days I’ll post more about my experience with the “fraud alert” procedure.

UPDATE 11:45pm – I should add that I gave Berkeley my ‘personal data’ when I applied to their computer science PhD program in 2003. (I ended up at Princeton.) Why, two years later, are they still holding on to this information?

Comments

  1. Welcome to my world 🙁

  2. The fraud alert does seem to work. I had to call in from my home phone to open a new credit card 3 weeks after I had one put on.

  3. Mark Gritter says:

    I believe many data-retention policies are driven by lawsuits. If they are sued about discriminatory hiring or admissions, there needs to be a paper trail to mount an effective defense.

    For example, University of Minnesota’s policy is to retain duplicates of admission materials for “1 year after term for which application processed provided no litigation is pending”. Typical retention lengths for employment applications are 2-3 years.

  4. @Mark Gritter:

    The UofM policy you cite would not have permitted anything like what happened at Berkeley. There, the last THIRTY years' worth of doctoral applicants had their stuff swiped, because it was all on a *laptop* which was literally left lying on a desk in an empty room.

    Obviously, the individual who had custody of the laptop didn’t think there was anything important on it. He or she was *wrong*, but unfortunately the attitude of “it’s just old records our lawyers told us to keep, not really worth anything to anybody” is a tough one to overcome.

    With respect to the reasoning that maintaining these records is a defensive strategy against lawsuits, what needs to be understood is that keeping so much old data exposes one to legal liability as well. Personally, I believe the Berkeley example is extreme (thirty years?? a laptop??) and that a clue-by-four needs to be applied via a successful lawsuit.

  5. Mark Gritter says:

    Actually, the release states that for applications only data from 2001 and later was present. It was registered students and doctoral recipients that were longer periods. (I just realized my sister may fall into the former category…)

    I can’t imagine a technical solution to the problem that I would be happy with (in terms of either efficacy or usability.) And I can’t imagine draconian rules actually being followed to the extent that we won’t have more laptops-get-stolen-and-hundreds-of-people-are-borked incidents. It would still be a major problem even with just the recent admissions data. So it seems to me that we need mechanisms and policies to lower the cost of such data theft rather than futilely trying to prevent these widely-spread “secrets” from leaking out.

    For example, not collecting SSNs from applicants. Or providing better mechanisms for switching credit identification (good luck on that one).

  6. The case for hard disk encryption and OpenBSD.

    I’m getting sick of all these companies and organizations that store consumers’ data but obviously can’t responsibly protect them!