Personal Information of up to 90,000 Compromised at Stony Brook
By George Agathos

The personal information of 90,000 people in a Stony Brook University database was accidentally posted to Google and left there until it was discovered almost two weeks later. According to a website set up by the university, Social Security numbers and university ID numbers of faculty, staff, students, alumni, and other members of the community were visible on Google after they were posted to a Health Sciences Library web server on April 11. The letter indicated the files were not easily accessible through Google and that the "information could only be retrieved through the use of multiple criteria." It said the New York State Cyber Security Office contacted Google to have the information removed after it was discovered on April 24. The notifications and web announcement came with instructions on how to protect against identity theft. The university has also set up a hotline for questions about the leak.
I was one of those people whose information was made available for possible misuse. But whoever thinks they're doing themselves a favor by stealing my identity is mistaken. I have no money in my bank account and very little credit :-) that's what they get for stealing social security numbers of college students.
After reading this, I couldn't help but recall an incident I was party to a few years ago. After dealing with serious problems of a criminal nature with my roommates at the time, I was finally able to get a hearing in front of the campus judiciary. After the hearing, I was told that I would find out the verdict in three business days. Those three business days passed, and when I called the campus judiciary, I was told that I was not allowed to find out the verdict of the hearing I was a party to (as the plaintiff) due to the Federal Educational Rights Privacy Act (FERPA)! In fact, it took three months and a letter from an attorney threatening a lawsuit to find out the decision from my own hearing.
Then, Stony Brook was anal about privacy, to the point of sheer ridiculousness and actually violated my rights in the process. Now, Stony Brook managed to violate student rights in the opposite way: by shamelessly compromising student data, and then covering it up for a month. I'm sure, however, that as good state employees, those responsible will not be fired or even reprimanded. Hopefully, the Independent will keep investigating this story and find out who was responsible and what, if anything, will be done.
This incident reminds me of one that happened at Nassau Community College about a year ago when a book containing personal student information mysteriously disappeared. I remember thinking to myself I couldn't imagine what I would do if it happened to me - and it has. I'm one of the 90,000 who had their life advertised to the world. I've already canceled some credit cards and I'm changing other things, as well. I don't want to point fingers yet or be livid, however, I am waiting for an explanation and it better be good. The consequences from this monumental mistake have the potential to really ruin someone's life. I don't care how difficult it may have been to access the information via Google, there are people in this world that are computer whizzes. We are in a day and age where identity theft seems as common as the cold. There really is no excuse for this ...
I'm sorry to hear you were one of the 90,000. I haven't received a letter - yet - but I still have my "antennae raised" in case a letter ends up in my mailbox one of these days. I was one of those 90,000 as well. That said, I saw some discussion of this on another Stony Brook-related forum and I noted the reluctance of some people to take action against the University, even though they were included in the 90,000 who were affected. It reminds me of someone I knew on campus once, who tripped and broke her foot right outside her dorm building, because the path had been cleared of snow but not salted, resulting in a sheet of ice. If I were her, I would have sued, not out of greed, but just out of principle, but she refused to take legal action. I think that if more students who were wronged in some way spoke up and pursued their rights and full recourse, it would make a big difference. It may very well be the case that the 90,000 affected individuals won't have a legal case unless it turns out that they became actual victims of identity theft as a result of this. But just the inconvenience alone and the fact that the university was so careless with this information and then kept it from the public for so long is enough, in my book, for those affected to pursue their rights. But then again, that's just the future law student in me talking :)
Interestingly, the letters were dated May 7th. However, the letters did not arrive until May 18th, 19th, or the 21st, and I am sure there are still others that have not yet arrived to their recipients. The letters were *NOT* postmarked, however, which certainly raises even more questions as to the true intentions of the university. If the letters were dated May 7th, then why has it taken so long for those letters to arrive? Obviously, with no postmark, one can't prove that they were not sent on May 7th, though the fact that everyone seems to have received their letters only in the past few days seems to indicate that the letters, although dated May 7th, were sent (and possibly even written but retroactively dated) several days afterwards.
In fact, on the topic of notification, Stony Brook could have sent an e-mail to all current students, faculty and staff. They've done so for other incidents in the past. They probably also have a good deal of contact information on alumni who have been affected, through the Alumni Association. They could have called people. Posted an alert on the university website and on SOLAR. But no, none of that was done.
My anger makes me want to use words that are inappropriate to type in this forum. I got a letter myself, and I'm livid. Does anyone have their envelopes still? We really should be checking the POSTMARK on these letters!!
P.S. I heard the story on 880AM this morning. I hope it gets TONS of coverage!
Hey hey hey you heard it here first folks.
I spoke to an attorney, who advised me to wait a couple of weeks to see how the story develops in the news media. He seemed to feel that a class action suit was likely to develop. I think a lot of this also rides on how much more is revealed through the media.
Anyhow, the attorney I spoke to seemed to think that there was something one could potentially go after, but all the facts have to fall into place first.
As far as coverage goes, yes, I do hope this gets lots of coverage, and I do hope that many or most of those affected will pursue some sort of action against the university. Again, not for reasons of greed, but for reasons of principle. If they had informed us a day or two after it was revealed, I think most people would have been a lot more willing to "forgive" than now, when they seemingly purposely waited a month to break the news. I mean, a lot could have happened in that month.
As I mentioned before, I'm seeing a lot of the passive sort of attitude, especially on the Myspace forums and the Newsday board and I don't really understand it. Use your rights, or lose them.
I'm going to post some of the more interesting ones here to keep them alive, in case Newsday removes the message board attached to their story on the issue in the coming days:
"I was one of the people whose info was up on the website. I got my letter on Friday. Pretty much it was a letter to say "Oops, we screwed up, nothing we can do now. Sucks for you eh?"
Same thing happened to me last year with Suffolk Community College. My info has been posted twice now. Hooray for computer based filing systems!!!
At least Suffolk had the decency to give us the numbers to call and put our credit on alert. This time I had to look up the numbers on my own." - Ketchup, Lyndhurst, NJ
"Unlike some high-profile organizations that have lost personal data, the university has NOT offered to pay for additional credit monitoring."
That's bull...it's the university's fault...they should pay for the additional credit monitoring! We trust them with our info and this happens..." - Angry SBU Student, Uniondale, NY
"What I want to know is why does the library have this information in the first place? Why does it have these files on its server? How is it using this information? They don't enroll students into classes nor do they give grades or are directly involved in hiring faculty and staff." - Angry Alumni, Morrisville, NC
"The least they could do is offer complimentary credit protection monitoring for at minimum one year, considering the tremendous amount of individuals affected by this administrative blunder." - Disgruntled SBU Student - Hicksville, NY
"I do not even attend Stony Brook anymore, I transferred out 2 semesters ago, and was still one of the people whose information was posted. I do not understand how this information of almost 90,000 people could be posted by accident, and how no one noticed for 13 days! And we even were not notified as soon as the mistake was discovered. The university screwed us big time and is not even willing to pay for us to monitor our credit. I feel extremely vulnerable and at risk because of this and the fact that the institution who made the mistake is unwilling to help us fix this so it does not ruin our credit is unacceptable." - Diana, North Collins, NY
"The letter I received was not at all informative and I don't believe that the university acted in a timely matter. Why did it take 10 days to notify us after this happened? Just because the information was removed from Google doesn't necessarily mean that it is now not available on the web someplace else.
This is a HUGE screw-up on the university, the library and whomever is responsible for this information being put up on the web. The university is trying to downplay this. I only hope that the people responsible for this are being treated a lot more appropriately (meaning fired) than how the university is treating the 89,000 victims.
This is not a small screw up." - Angry Alumni, Morrisville, NC
"What a PR game! They waited until after graduation to notify everyone! That's why there was a delay!" - Angry, Coram, NY
"Please this is Stony Brook University People--This is par for the course-- Stony Brook treats its employees as if they are 2nd class citizens, then run around wanting the underpaid workers to then donate to the university. I have worked in the Library for 5 years, the elevators are dangerous and will shut down for days, there is not enough parking for workers, but the Administration building has new refitted elevators and let's not forget the new entrance that has added 15 minutes and backups in the parking garage. The only way that they will pay anything is if they are sued. Then they will help." - You Have to be Kidding Me, Centereach, NY
"AND the letter isn't even written personally to each person.......Since when is my name "Recipient"?
This is why I am one alum who will never send them a penny of my money!" - Disgusted, Bronx, NY
"I'm commenting on this part of the article:
But Stony Brook spokesman Patrick Calabria said the university had responded "as expeditiously as possible."
"It wasn't as if we had information and we withheld it," he said. Rather, the school had been engaged since April 24 in a continuing and open-ended investigation, "finding out what happened, why it happened, how it happened and how we could take steps to keep it from happening again."
This is a blatant lie. The information about this incident was released to us the day after graduation, a full month after everything happened, over 2 weeks after they became aware and took the files offline. There was obviously a meeting held as to when to release information about this incident to students and the day after graduation was chosen because the school would be empty and there would be less of an uprising. SBU administration is full of lies and coverups. I'm not surprised at all how they acted. Just one of the many ways they like to bend us over when we're not looking." - SBU Student, Lindenhurst, NY
"I want to see the State of New York appoint an independent investigator to the leak and more importantly the cover-up. If the responsibility for this goes to the top, Shirley Strum Kenny ought to resign.
Posting it is a mistake and something that happens; if it exists, it can ever be 100% secure. The hiding of it is the real outrage. This is the despicable secretive administration mentality that Stony Brook is notorious for.
Why were we not notified immediately, but instead almost a month later? Because it was the end of the semester, and now graduation is over, all the students and most of the employees aren't on campus now, so nobody's going to talk about it and nobody's going to hold demonstrations and protest?
I have already heard of a few students who have struggled calling banks dealing with credit fraud in the past month, and only found out yesterday why. Thanks a lot, Stony Brook. Always proving that you don't give a damn about the students." - Current Student, Bayport, NY
"It is bad enough that this happened but Stony Brook delayed the notification until after graduation, the letter was dated May 7th, but was not mailed until at least 10 days later, the employees received the letter on May 19th via US mail, graduation was May 18th. How come employees were not e-mailed? There was not a word of this before. I bet "Ms Kenny and her inner circle" all had a heads up on it! How come no comment from her! This is a major screw up!" - Angry, Coram, NY
"SUNY knows every computer on the internet that accessed the files based on their web server logs, are they going to investigate whoever downloaded the file and try to do some damage control? I doubt it they will sit on their stateworker butts doing nothing, not even offering the affected people credit monitoring, which is usually standard in these cases. this happens too often and tight safeguards need to be put in place, it's totally idiotic and extremely harmful to commerce. millions of people a year have their identity stolen and the crooks are having a field day because of poor security. they saved a lot of money not paying for proper security and should pay that for damages once people's identity is stolen." - Pat, Center Moriches, NY
"I still haven't heard an explanation as to why the library has access to this information and why it has been storing it since 2002.
If I am going to put credit warnings on my account, I would like an explanation and the person or people responsible for this better be fired!" - Mad as Hell, Raleigh, NC
"An open ended internal investigation is NOT sufficient, nor is Calabria's response. Lawmakers need to insist on an external audit of IT policies and practices. The University should also provide former students, at least, with the option of having their SSNs purged from the Stony Brook databases, and provide such individuals with proof that they no longer retain this sensitive info. Stony Brook has proven that they are unable to keep sensitive information secure, and that they can't even provide timely notification. Letters were received on May 19, which is nearly a month after they learned of the problem." - Concerned Parent
"I agree that the 90 days of free credit fraud monitoring is completely unacceptable. It should be free for at LEAST a year- it's not our fault that our personal information was leaked. I'm really disappointed in the school and how they keep certain things so secret... everything but our social security number and school ID numbers. This is just great, I received my letter yesterday. If and when I get a bill from the credit companies after 90 days for the fraud monitoring, I'm sending the bill to the university. I refuse to take money out of my pocket for this - college students are poor enough." - JMH - Student from SBU, Stony Brook, NY
"Thanks Stony Brook! It is nice that I received my letter today, a month after this potential breach actually happened. A heads up would have been nice three weeks ago. I know they have my phone number. They call asking for money all the time. Good luck getting another cent from me." - Annoyed, Houston, TX
There is now a group on Facebook regarding this:
http://www.facebook.com/group.php?gid=2373302871
64,000 Ohio state government employees had their personal information compromised by mistake, including info like their SSN numbers. Except, Ohio is going to pay for identity protection services for all those who were affected. Stony Brook should do the same, but I'm afraid that it's going to take legal action to force them to do so. I posted the story on the message board above, but here's the link anyway: ...the state of Ohio is actually going to foot the bill for free identity-theft protection services for all 64,000+ employees who were affected.
Here's the story: http://www.toptechnews.com/story.xhtml?story_id=0330012S05JC
Even though the college is facing fines from the government that still does not make the people whose information was posted feel any better. Being a victim of fraud is tough and more time consuming for you to get things taken care of. Here are things that should help those who have been victimized.
A 90-day security alert gives you time to verify if you are a victim of fraud. If you determine you are a fraud victim, you may add a 7-year victim statement to your credit report, only if you file the correct paperwork with the police department stating you are a victim of fraud. A little information the website left out. There is so much you have to do if you noticed you are a victim of fraud due to the mistake that was made. I have included 5 steps that need to be taken if you find that you are a victim:
Step 1: Close any affected accounts
Step 2: Change the passwords on all of your online accounts
Step 3: Place a fraud alert on your credit reports. That is all three credit bureaus:
Equifax (800) 525-6285
Experian (888) 397-3742
TransUnion (800) 680-7289
For each of the credit bureaus:
Get a copy of your report
Make sure your account is flagged with a "fraud alert" tag and a "victim's statement," and insist that the alert remain active for the maximum of seven years. This can only be done with the proper paperwork from the police department though.
Step 4: Contact the proper authorities
In the United States, contact the Federal Trade Commission (FTC).
File a complaint. If you are a victim of any type of identity theft, you can report the theft by calling the FTC's toll-free Identity Theft Hotline at (877) ID-THEFT or (877) 438-4338. Counselors will advise you on how to deal with the credit-related problems that can result from identity theft. This should be done right away!!!!!
File a report with your local police department. Get a copy of the police report to notify your bank, credit card company, and other creditors that you are a victim of a crime, not a credit abuser.
Depending on where you live, you might be required to file a report in the jurisdiction where the crime actually took place.



Stony Brook has failed all of us.
This is an outrage. Information leakages happen, but the fact that nearly one month after the information was removed (and about five weeks after it was initially posted online), the University is just now disclosing this.
The University's disclosure dedicates so much space to the merits of setting up fraud alert through the credit reporting bureaus, yet they've willfully kept the 90,000 affected in the dark since April 24.
That's obviously more than enough time for some very bad things to happen, and Stony Brook's lack of a timely response demonstrates a level of irresponsibility that is almost beyond comprehension.