Updated 3:04 pm (Dec. 16th 2012)
According to DataBreaches.net, the university does not have a list of what information was involved for each person. However, the linked FAQ on the breach indicates the information may have included: name, Social Security number, address or date of birth. The FAQ goes on to say: “regardless; each person is being offered free credit monitoring and services from ID Experts to help protect them (even if your SSN was not included).”
It is not clear if the university had backup data, or at least any updated backup data. The policy states:
Specifically, department managers should:
- Create only the records the department needs.
- Retain records according to the Records Retention Schedule.
- Maintain records in appropriate storage and locations.
- Limit access to records of confidential information on a ‘need to know’ basis.
- Secure access to records of restricted information (e.g. SSN, HIPAA, etc.) either by:
- encrypting digital records
- keeping physical records locked or supervised at all times.
- Preserve records of historical significance.
- Dispose of records no longer required in the proper manner.
Original Post
President Andrew K. Benton sent an email today informing the university community that a laptop computer belonging to an authorized university employee was stolen from that individual’s car. This laptop had been used extensively in work related to the IRS, “and it contained data dating back to 2008 involving as many as 8300 Pepperdine campus community members.” Approximately 75 percent of these names belong to students.
The theft was reported to local law enforcement, and Pepperdine immediately launched its own investigation into the matter.
While it is possible that the thief was solely looking for the laptop, “we must prepare for the worst case scenario,” Benton wrote. Pepperdine’s Chief Information Officer, Jonathan See, will send out a more specific advisory within the next few days.
The laptop was not encrypted, according to Benton, and confidential information stored on an unencrypted computer is subject to a confidential information breach. The university is committed to protecting the information of all community members and assures members that this will not happen again.
In response to the potential loss of confidential institutional data, Benton wrote that the university realizes that it needs to review its policies related to technology, data storage and the reality of increasingly sophisticated crime.
Pepperdine officials have identified all names that may be exposed, and have created a tailored program to respond to this security breach. The university has contacted identify theft experts to respond as quickly and as accurately as possible. Very soon information will be directed to each one of the 8300 individuals whose security has been compromised.
Benton wrote on Dec. 7:
“I am writing merely to say that I am sorry this happened. I am also sobered by the reality of losses like this that are certainly not inevitable, but are not uncommon. The most important thing we can do right now is to communicate what we know, and also to give timely and thorough information to those individuals who have been impacted.
“We will learn something from this loss, and we will support those who experience any impact from it.”