By Bruce V. Bigelow
UNION-TRIBUNE STAFF WRITER
December 3, 2005
The University of San Diego has notified almost 7,800 individuals,
including some faculty members, students and vendors, that hackers
gained illicit access to computers containing their personal income
The compromised data included names, Social Security numbers and
addresses, according to a letter signed by Douglas Burke, the private
Catholic university's director of network and systems operations.
The undated letter aggravated many recipients, though, because it
provided no details about the breach and offered no specific
recommendations on steps they could take to protect their personal
banking and credit accounts.
"It's one of the worst security breach notice letters I've ever seen,"
said Beth Givens, director of the Privacy Rights Clearinghouse, a San
Diego nonprofit consumer group once affiliated with USD.
"I'm outraged," said Michael Shames, who teaches part-time at USD's
law school and shares an office with Givens as executive director of
the Utility Consumers' Action Network, a nonprofit consumer advocacy
group. "I was just astounded that a university would go to such
lengths to keep their own people in the dark about something like
A USD spokeswoman voiced regret about the shortcomings of the letter,
which was mailed Wednesday, and the breach in USD's computer network,
which was discovered Nov. 14.
"It's a very unfortunate situation, and we're very empathetic to the
folks who have been impacted by this," said the spokeswoman, Pamela
Gray Payton. She said it was USD's first computer security breach.
A hacker or hackers gained access for an unknown period to a computer
server on campus that is used to print W-2, 1099 and 1098T tax forms,
Payton said. The compromised data included information from 2003 and
2004 for certain vendors, consultants, student aid recipients and
Payton could not say if any administrators or trustees were affected,
saying the computers containing the data were used to generate the
"If a trustee received a check or W-2 form, then they were affected,"
said Payton, who noted she received a copy of the letter yesterday
Under California law, companies and organizations that operate
computerized databases with sensitive personal information are
required to alert people whose data has been compromised by computer
The law was intended to help people prevent identity theft, a crime in
which thieves use stolen personal data to get credit cards and loans
and make purchases using someone else's name. Once alerted, consumers
can monitor their bank and credit accounts more closely and request
that a fraud alert be posted on their credit reports.
But the law does not specify what information should be included in
the notice, or when it must be sent.
"If you're somewhat Web-savvy and you read the news, you'll know that
there is nothing new about these security breaches," Givens said.
In April 2004, for example, hackers pierced network security at the
University of California San Diego and accessed personal data on an
estimated 380,000 students, alumni, faculty, employees and applicants.
But Givens said the required notice letter really is an opportunity to
tell people what they need to do.
"A good letter will say, this is how you contact the three credit
reporting bureaus, and this is how you put a fraud alert on your
accounts," Givens said.
Such information is available online at her group's Web site,
www.privacyrights.org , and from the Federal Trade Commission
"Not having had this experience before, what we're willing to do now
in retrospect is make that information available to people who call
the university," Payton said. University officials also were
investigating the feasibility of putting the information on USD's Web
Earn your Master's degree in Information Security ONLINE
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.