There has been no confirmed "identity theft" so far resulting from the theft of a Cornell University computer, but the university is suggesting that the people whose personal information was on the computer take special precautions. These include alerting credit bureaus and making use of identity theft protection services being provided by the university at no cost to the individual.
The computer, stolen early in June, contained the names and Social Security numbers of about 45,000 people, including students, faculty and staff. According to Cornell Information Technologies (CIT), the file did not include Cornell netID passwords. Not everyone in the Cornell community was affected. If you do not receive a letter from the university about the incident, you were not among those whose information was on the computer. The university also sent an e-mail notification to every affected person for whom e-mail addresses were available. The notifications are based on a review of a backup of all files on the stolen computer.
"This last year as we've seen these incidents happen at other major universities, I've hoped that our security policies and practices at Cornell would prevent an occurrence like this here," said Polley McClure, vice president for information technologies. "Unfortunately they weren't enough. I've been answering e-mails and phone calls from people who are frightened and upset and who will be seriously inconvenienced by this even if their identities are not compromised. I am just so very sorry this happened. We will just have to do more."
"I think that the risk is small, but people need to be vigilant," said Allen Bova, director of Risk Management and Insurance.
As a first line of defense, the affected individuals have been advised to contact one of the three major credit bureaus -- Equifax, Experian or TransUnion -- and request a "fraud alert." It is only necessary to contact one of the three; the other two will be notified automatically. When you ask for a fraud alert, you will also receive a current credit report from the agencies. The fraud alert will remain in effect for 90 days.
Placing a fraud alert is not, Bova noted, the same thing as reporting "identity theft." Some people have been calling police to report identity theft, but "their identity hasn't been stolen," Bova said. Identity theft occurs when someone actually uses information about a person to apply for a credit card, open a bank account or commit some other misrepresentation. Making an identity theft report also requires submitting legal evidence that a fraud has been committed. "You do not need to report to any law enforcement agency that you received a notification of data loss from Cornell," the university said in an FAQ, pointing out that the police are already very busy with the case.
When you place a fraud alert with a credit bureau, anyone who requests a credit report will be notified that an alert is in effect and is then expected to take steps to verify that you are really the person who initiated the request.
A call to one of the credit bureaus by a Chronicle reporter produced a lengthy voicemail session to activate the alert, followed by connection to a human operator who offered a pitch for an extended protection service for a monthly fee.
The university has contracted with Kroll Inc., an identity theft protection service, to provide its services to the affected individuals at Cornell's expense. The company provides assistance in filing fraud alerts and obtaining and understanding credit reports, a support call center with trained counselors and, in the event actual identity theft occurs, access to investigators to resolve the fraud and aid in identity restoration. Information on these and other services is included in the letter being sent to affected persons. "Because you will be receiving these services at Cornell's expense it is not necessary to purchase services yourself," university officials emphasized.
The university has posted a list of frequently asked questions -- frequently updated -- at http://faq-june2009.cuinfo.cornell.edu/.