June 6, 2008
Stanford University determined yesterday that a university laptop, which
was recently stolen, contained confidential personnel data. The
university is not disclosing details about the theft as an investigation
is under way.
The university is sending e-mails and letters to current and former
employees whose personal information may be at risk, as well as posting
information on the Stanford homepage at: http://www.stanford.edu, and
notifying the media. Officials estimate that the problem could extend to
as many as 72,000 people currently or previously employed by Stanford.
While the university has rigorous policies and guidelines designed to
protect confidential information, events such as this demonstrate the
need for heightened vigilance in this area. To that end, Vice President
for Business Affairs and Chief Financial Officer Randy Livingston will
lead a task force to review policies and practices regarding the safety
and security of sensitive data.
Livingston said: "The university has guidelines that prohibit keeping
sensitive information on unsecured computers. This effort will be
redoubled after this incident."
The message sent from Livingston to past and current Stanford employees
June 6, 2008
Dear Stanford Community Member:
I'm extremely disappointed to let you know that a Stanford laptop, which
contained confidential personnel information, was recently stolen. This
matter has been reported to law enforcement.
In working to identify the information that was on the machine,
yesterday we discovered that it had personnel records of current and
former Stanford employees hired before September 28, 2007. Although you
personally may not be affected, we are sending this email to everyone in
the Stanford community.
We believe that the perpetrator of the crime was not seeking the records
on the computer or even aware of them. Often, such thefts are property
crimes in which the laptop's hard drive is erased before the laptop is
resold. While there is no evidence that any of the information on the
stolen laptop has been accessed, the University is committed to taking
steps to assist individuals whose personal data may be misused.
Stanford works very hard to secure the sensitive data entrusted to it by
current and former faculty and staff. We are currently assessing
appropriate steps to increase protection of this information. For
additional information, see below. We sincerely apologize for this
With deepest regrets,
Vice President for Business Affairs and Chief Financial Officer
Q & A
WHO IS AFFECTED?
While we are still trying to assess the categories of affected
individuals, you may be affected if you received any paycheck from
Stanford before September 28, 2007; this group includes faculty, staff
and students who have been employed by the University in any capacity.
(If you were hired by Stanford after September 28, 2007, your data was
WHAT DATA WAS ON THE LAPTOP?
Personal information may include some or all of the following:
* First and last name, gender, birthdate
* Social Security Number
* Business title and office location
* Work and home phone numbers
* Home address
* Stanford email address
* Stanford ID card number and Stanford employee number
There are no driver's license numbers, credit card numbers, bank account
numbers or other financial information.
WHAT IS THE UNIVERSITY DOING?
Stanford is working with law enforcement to recover the laptop. Stanford
has alerted HR and the Computer Help Desk about this incident, and will
scrutinize any requests for changes to passwords or personnel profiles.
Stanford is committed to working with our affected community members to
prevent identity theft as a result of this crime.
WHAT DO I NEED TO KNOW TO PROTECT MYSELF?
Affected individuals should review the information provided by
California's Office of Security Information and Privacy Protection, and
specifically you will want to take a look at the checklist of actions
and protections at:
Some of the specific recommendations from that checklist include
requesting a free credit report from one of the three major credit
bureaus - Equifax, Experian, TransUnion and
http://www.AnnualCreditReport.com or by calling 1(877) 322-8228. By law
you are entitled to one free credit report annually.
Additionally, Stanford is committed to providing enhanced safeguards
against identity theft for affected individuals, but in the short time
since we have become aware of this incident, we have not finalized
arrangements for these safeguards. We will have services in place next
week and Stanford is committed to assuming this cost. Further
information will be accessible through Stanford's Home Page,
http://www.stanford.edu, and kept updated as more information becomes
available. Please remember that you can obtain a free credit report
today, as described above.
WHAT OTHER IDENTITY THEFT RESOURCES ARE AVAILABLE?
Additional resources include:
* Federal Trade Commission at http://www.ftc.gov/idtheft
* Identity Theft Resource Center at http://www.idtheftcenter.org
* The Privacy Rights Clearinghouse at http://www.privacyrights.org
HOW CAN I RECEIVE MORE INFORMATION?
You can call (650) 736-0099 and leave your contact information for a
return call. You can also go to the Stanford home page for updates or
email privacyquestions (at) stanford.edu with your full name and date of