Sunday, December 12, 2010

Wisconsin bungles another data breach and ID theft threat to 60,000

The State of Wisconsin has a history of mishandling data breaches, and this time the mishandling is by the University of Wisconsin System. Last Thursday evening UW-Madison disclosed that a campus database containing the Social Security numbers of 60,000 former students and staff had been repeatedly hacked or accessed since 2008. A University Website and the letter sent to victims of the breach assert that there is no evidence that anyone's information was retrieved. The statement implies there is no risk of identity theft, although all of the University's releases carefully avoid the words "identity theft" anywhere in the text.

The State of Wisconsin bungled major data breaches in 2007 and again in 2008 involving Social Security numbers. The 2007 incident involved 171,000 Wisconsin taxpayers who were mailed tax forms with their Social Security Number printed on the mailing label. In 2008, 260,000 recipients of state health care benefits were mailed a brochure with their Social Security number printed on the mailing label. The management of both breaches was bungled by prematurely announcing that the mail, which had not been delivered to recipients, contained Social Security numbers. The premature press releases exacerbated the breach by putting identity thieves on notice to steal the mail. In both cases, the State provided credit-monitoring services to the victims upon request.

Now, the University of Wisconsin is denying victims credit monitoring services because the University contends that it has no evidence that Social Security numbers were retrieved by the hackers. Critics counter that the University equally has no evidence that Social Security numbers were not retrieved by hackers over the two-year period. Adding to its public relations mishandling, the University has declined to comment on camera.

Although the University of Wisconsin determined that the recent hacking incident began in 2008, they did not detect the breach until October 26, 2010. The database contained 60,000 pre-2008 university photo identifications that included Social Security numbers. They notified victims by mail in a letter dated November 30. This author first noticed the release on the evening of December 9 on Madison.com although the date stamp on that article now shows December 10.

This author also has an early University faculty/staff picture identification card, last validated in December 1993. I have not received a letter, either because my ID card information was not included in the breached files or because the University does not have my current mailing address. The limited information provided on the University's Incident Website makes it impossible for would-be victims like me to know whether my picture ID containing my Social Security number was part of the breach.

The University appears to be downplaying the significance and threat of the breach to the public. It is also being cautious in its statements and has declined on-camera interviews. It is not easy to find the letter sent to victims or the incident Website through online searches or through the University Website. Information is difficult to find unless you know where to look for it. It is not consumer friendly.

The incident Website states, "We wanted to make you aware of the incident and let you know what we have done to prevent this from happening in the future." The statements on the Website and in the letter make it appear that the University is voluntarily providing notification to victims. However, under law, the University is required to notify victims of the breach.

Breach notification laws have been enacted by Wisconsin and 45 other states, the District of Columbia, Puerto Rico and the Virgin Islands. These laws require notification of victims if a breach occurs that involves residents of their state or territory. Each of the 49 laws differs in compliance requirements and penalties for noncompliance. It is likely that the 60,000 victims of the recent UW breach reside in many, if not all, of the 49 U.S. jurisdictions that have a breach notification law. The University is required to comply with the laws of each state or territory in which a victim of the breach currently resides.

It is not clear that the University met the compliance requirements of each breach notification law. For example, while the Wisconsin law requires notification of victims within 45 days of learning of a breach, the Illinois law requires notification in the "most expedient time possible without unreasonable delay." Some states exempt an organization from notifying victims if the electronic information accessed was encrypted.

It is standard procedure to encrypt sensitive information that is stored electronically, regardless of whether it is internet-facing, secured behind a firewall, or offline. Encryption software is inexpensive and commonplace, even on home and business computer systems. For example, Microsoft's Windows Vista and Windows 7 operating systems ship with a turnkey data encryption solution, BitLocker. It is a reasonable consumer expectation that a leading research university, such as the University of Wisconsin-Madison, would have standard security practices in place to protect sensitive student, staff and faculty information through encryption and other commonly available security measures.

The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to protect student information including Social Security numbers. Penalties for violation include the loss of federal funds.

Amendments to FERPA published in December 2008 recommend that educational institutions adopt standard security practices to protect electronic information. FERPA refers to several National Institute of Standards and Technology (NIST) information security standards.

For example, an excerpt from NIST Special Publication 800-53 says, "The use of encryption by the organization reduces the probability of unauthorized disclosure of information and can also detect unauthorized changes to information."

It appears that the University of Wisconsin has not adopted the FERPA recommendations on information security standards.

This is not the first time UW-Madison computers have been hacked. A year ago, the University determined that computers in the Chemistry Department had been hacked over a period of several years, potentially compromising the names and Social Security numbers of nearly 3,000 people on campus.

A leading study on data breaches that we authored and published in 2009 included the following findings:

- Education-related organizations account for nearly one-third of all the data breach incidents reported in the U.S.
- Colleges and universities account for 78% of all education-related breach incidents.
- Over a third of all educational sector data breaches result from hacking.
- Encryption would have prevented 60% of all data breaches and the compromise of over 90% of all consumer profiles.

The University Incident Website provides limited information to victims, avoids addressing identity theft and denies victims complimentary credit monitoring services. University statements emphasize that there is no evidence that information was taken; however, they provide no assurance that information was not retrieved manually, photographically or by other means undetectable by their admittedly weak information systems security.

Victims that are concerned about identity theft should take preventive measures immediately. Victims of identity theft often do not see clues of identity theft until over a year after thieves misuse their information.

While financial fraud is easily detected by credit monitoring, other types of identity theft such as medical identity theft, employment fraud, Social Security and benefits fraud can take years to detect. Then it can take years for victims to restore their good name after spending hundreds of hours and thousands of dollars.

Today, anyone with a computer, desktop publishing software and a printer can counterfeit a Social Security card bearing your name and Social Security number. Counterfeit cards can be sold over and over again, compounding the identity theft problem for victims. A counterfeit Social Security card and a counterfeit birth certificate open the door to obtaining employment, a driver's license and a bank account.

Victims of the UW breach can request that an initial 90-day fraud alert be placed on all three credit reports by contacting any one of the three major credit reporting agencies, Equifax, Experian or TransUnion, listed below. The credit reporting agencies will also provide a credit report as part of the process.

Equifax (800-525-6285) - online or phone for placing fraud alert
Experian (888-397-3742) - online or phone for placing fraud alert
TransUnion (800-680-7289) - online or phone for placing fraud alert

Consumers may also obtain a free credit report from each of the three credit reporting agencies annually. We recommend that consumers stagger their requests for credit reports from each of the three credit reporting agencies by four months in order to increase the frequency of credit report monitoring. This is no substitute for a credit monitoring service, which continuously monitors all three reports. The Federal Trade Commission Website given below also provides high quality information to consumers and victims about preventing, detecting and reporting identity theft.

AnnualCreditReport.com Online or 1-877-322-8228
Federal Trade Commission--Identity theft site

Consumers who see value in more comprehensive identity theft risk mitigation services should consider purchasing such services on their own, regardless of whether they have been a victim of a breach. We have recommended high-value services in other articles.

As a service to the Madison community, we are providing free telephone consultations to victims of the University of Wisconsin data breach. We will provide answers to questions about identity theft, a free informational guide on how to protect yourself against identity theft, and recommendations on high-value identity theft risk mitigation services for consumers. We can be contacted by email or by telephone (608-241-3500).

1 comment:

  1. Throughout this semester, we have seen these kinds of stories over and over again. This time, it is a different kind of business: a major University. Universities receive federal aid and should be held accountable as financial institutions. Not only is it discouraging to see something like this happen, but it is also almost inexcusable that UW is trying to downplay the seriousness of it. It does not matter that there is no evidence that the victims' SSNs were not stolen because there is no evidence that they WERE NOT stolen.

    While free telephone consultations sure sounds wonderful, I think I would rather have credit monitoring. Another thing to consider is their lack of diligence in noticing the original breach as well as their lack of discarding of information. As we learned through the TJX case study, disposing of confidential information can be expensive. Therefore, it is important for UW (and Universities alike) to either decide between increasing their IT infrastructure or be willing to get rid of the personal information of past students. These Universities have to take their duty to protect very sensitive information seriously.