Student Questions UC’s Data Security

By IRENE NEXICA

Tuesday April 05, 2005

I appreciated reading your article on the laptop computer that was stolen from UC Berkeley’s Grad Division—it answered some questions I had that the UC-generated press releases and web info lacked, such as if there was any encryption/password protection on the computer at all. I am a graduate student at UCB, and received a notice from the university that my data was among that stolen with the laptop. 

It is very disturbing to me that my data was not better protected by the university, and now that this computer is floating out there, with press coverage about the importance of the data stored there, it seems it would not take much to get at it if someone wants. With nearly 100,000 people’s addresses, Social Security numbers, and birthdates listed, we are now relatively easy pickings for identity fraud at any time in the future, since most of that ID data stays with us for life. 

It seems cavalier to me that the university highlighted that they were required by law to contact us after this breach of security; I wish that they had done more to proactively ensure it was not stolen and moved quickly to inform us once it was. Waiting two weeks to inform us that our data is out there seems very callous, as if the two weeks gives a thief plenty of time to steal in our names. The time and effort it takes to recover after identity fraud occurs could be a real hardship for someone hoping to focus on finishing their degree fast, especially in this climate of drastic fee increases. Thank god for that law—who knows how quietly UC would have released the news (if at all) without it! 

I still have questions for UC: 

With encryption software so common and cheap, why was encryption not yet installed on these computers? It seems a rather suspect coincidence that the computer was only days away from getting encryption, as your reporter was told. If it was known that this computer wasn’t yet encrypted, why wasn’t it locked up until it could have its data encrypted? When I worked in the Graduate Division, my impression was that sensitive student data was stored on a central server with password access that I assume was locked away somewhere in Sproul Hall, not on portable equipment. 

Why was all this information stored on a laptop that was unsecured? I own a laptop, and for $35 I bought a thick metal cable lock that secures it to tables, desks, etc. via a security slot. I use this lock all the time, when my computer is at home and if I go to a cafe or the library. You can buy similar locks for about $10 on eBay virtually anytime lately.

If an employee saw the person walk out of the area with the computer, why wasn’t the person stopped sooner? The Graduate Division is three floors above the UC Police offices—couldn’t the response time have been almost immediate if a call was made? 

Are those desktop computers/servers currently storing student information locked to furniture or otherwise secured so they can’t walk off? If staff are not willing to stop someone if they witness stealing, it seems perhaps the equipment should be made harder to remove. 

Given that the computer stored people’s information that was up to 30 years old and UC is finding it hard to contact them since addresses have changed, are they going to provide an easy way for graduates to update their current contact information after graduation, in case there is some security issue they need to inform us of in the future? Perhaps a few secure and encrypted archival storage drives would be a good idea rather than keeping all that data on a laptop that’s in use. Does the Grad Division access 30-year records very often? 

Given all the measures that it seems weren’t taken, it looks to me like this was an accident waiting to happen. Paradoxically, I believe I keep my own personal computer’s data more securely than UC did theirs, and the stakes for the loss of my own machine are much lower. I’ve met many competent and knowledgeable tech people while working on campus, and surely there is a lot of knowledge that could be better harnessed to prevent this kind of impact on students. 

AGSE, the grad student union, is looking into this issue, and my hope is that they aren’t the only campus-related group that has swung into action. My sense of the information I’ve seen from the university is that they are putting a lot of the burden for mitigating the damage on students. It seems to me the university could act much more accountably in this situation. 

If I were a friend to someone and lost their wallet with their driver’s license and Social Security card, I wouldn’t wait two weeks before letting them know. 


Irene Nexica is a graduate student at UC Berkeley.