At least 18 colleges are scrambling to inform tens of thousands of students they are at risk of having their identities stolen after SunGard, a leading software vendor, reported that a laptop owned by one of its consultants was stolen.
The complete extent of the problem is still unknown, though many of the campuses that have been identified are in Connecticut and New York. The laptop contained students' names and Social Security numbers. In some cases, the exposed data also included financial aid information, e-mail addresses, birth dates, and driver-identification numbers.
Now college officials are accusing SunGard of waiting too long—about one month—to inform them of the security breach. The Connecticut attorney general has opened an inquiry into the incident. And there are widespread concerns that SunGard may not be adequately protecting college data.
SunGard Higher Education, the division of the company that employed the consultant, said it found out on March 13 that the laptop was stolen. Colleges said they weren't told of the theft until the second week of April. A spokeswoman for the company, Laura Kvinge, said that was not an undue delay, noting that the company needed to analyze backup data to determine the affected colleges before alerting them.
SunGard has set up a Web page and a 24-hour toll-free telephone number to answer customers' questions about the incident, and has offered to pay for one year of credit monitoring for affected students.
That has not mollified Richard Blumenthal, Connecticut's attorney general. "We are extremely troubled by the delay in alerting us about the breach in security," Mr. Blumenthal said in a telephone interview on Wednesday. "SunGard waited about a month, which is inexcusable."
M. Jodi Rell, Connecticut's governor, in a written statement, also faulted SunGard for the delay.
Former Students Affected
The company notified officials at the Connecticut State University system on April 9 that the laptop contained private data on 3,502 current and former students at four campuses: Central, Eastern, Southern, and Western Connecticut State Universities. The university wrote a letter to the students, who were enrolled at the campuses between September 2001 and December 2004, about the security lapse.
Mr. Blumenthal sent a letter last week to SunGard demanding that the company pay for two years of credit monitoring services to the students, and pay for them to freeze and unfreeze their credit reports. A freeze prohibits anyone from generating debt for an individual whose identity is at risk of being stolen. Only the individual can lift the freeze, but the process can take a few days.
The attorney general's letter also posed 11 questions about the incident for SunGard to answer by May 6. One of them asked the company to identify its policies about the collection, storage, and safekeeping of individuals' personal data.
Bernard Kavaler, assistant vice chancellor for public affairs at the Connecticut State University system, also voiced concerns about SunGard's security procedures. "Four-year-old data should not have been on a computer," he said.
Another institution affected by the security breach was Northwest Missouri State University, where 1,100 current and former students had their personal information compromised.
The data, from 2004, included names, Social Security numbers, and financial-aid data related to Pell Grants, said Mary Ann Lowary, a university spokeswoman.
"We were obviously disappointed that the data was still around on their computer," she said.
SUNY Campuses Involved
Thirteen campuses of the State University System of New York have also been affected by the laptop theft.
About 16,000 current and former students at the Buffalo campus had their names, Social Security numbers, and driver's-license numbers exposed, said Voldemar Innus, the university's chief information officer.
He said the consultant transferred the data from the university to his laptop during the spring of 2007.
Mr. Innus said the Buffalo campus is also troubled about the amount of time it took SunGard to notify the campus of the breach. The campus was notified on April 11.
He said SunGard told him that the consultant's laptop was stolen while he was visiting a college campus in New York. Access to the laptop's operating system was protected through a password.
Stepping Up Protections
Ms. Kvinge, from SunGard, said the consultant did not follow the company procedures on safeguarding data. She said the data was on his laptop because his job included an analysis of customer data as part of installing and upgrading software.
Ms. Kvinge declined to say how many institutions or students have been affected by the breach. She said some institutions are still trying to verify whether their students had their personal information exposed. To date, she said, no students have complained to SunGard about identity theft.
"The company is working hard to support institutions, and to be as thorough as possible," she said in a telephone interview on Wednesday.
SunGard has not retrieved the stolen laptop but was able to determine the data it contained because the data was backed up on another computer, she said. She declined to elaborate.
Ms. Kvinge said SunGard is stepping up its policies and procedures for securing data in the wake of the incident.
SunGard has also offered to reimburse many campuses for their costs in verifying which students were affected by the breach, and notifying them of the security lapse.
