USC warns 7,000 of large computer security breach

USC has warned about 7,000 people that their personal information, including Social Security numbers, was on a desktop computer stolen from an office at the business school.

It is the third time in two years the school has experienced a major breach of student and faculty privacy due in part to its decades-old computer system.

A major overhaul of the campus-wide system is under way, but it will take another four years to accomplish, said Bill Hogue, USC's chief information officer.

This year, lawmakers ordered state agencies and businesses to notify potential victims when their personal information has been breached or stolen. The law won't take effect until July 1, 2009.

Several items were stolen from the Moore School of Business over the Memorial Day weekend, USC spokesman Russ McKinney said.

"Among the items was a desktop computer belonging to Deputy Dean Dr. Scott Koerwer," McKinney said. "As a result of the computer being stolen, we feel it is possible that some personally identifiable data could have been compromised."

McKinney said the university is notifying about 130 faculty and staff at the Moore School and just under 7,000 students who took business courses in the last academic year. The university's Division of Law Enforcement and Safety and the Office of Information Technology are investigating the theft.

University officials have no evidence anyone's personal information was accessed, he said, but the university notifies students of potential breaches of privacy even when there is only a small likelihood the data were compromised.

"The responsible thing for us to do is to notify those persons whose data was contained in the computer," McKinney said, "and share with them some useful steps they may want to take."

The vulnerabilities are a legacy of decades-old computers with which many institutions are just beginning to grapple, Hogue said.

Stanford University last week notified 72,000 current and former employees that a university laptop computer that had been stolen contained personal information.

"It is just an epidemic in our society," Hogue said. "It's a sorry situation."

This latest threat to students' personal information was the result of a property theft. But students' personal information has been compromised in other ways.

In April 2006, about 1,400 students' names, Social Security numbers and birthdays were accidentally e-mailed to as many as 1,000 students in the Hospitality, Retail and Sports Management Program.

In August 2006, the university said the information including names, Social Security numbers and birthdays of about 6,000 students was potentially vulnerable because an external hacker had penetrated secured areas of the university's campus computer network. The hacker's entry into the system had occurred about a year before it was detected.

In an ongoing effort to make such records more secure, the university announced in 2006 it would cease using students' Social Security numbers as student identification numbers, beginning in the fall of that year.

To eliminate the need for individual departments to keep student data, the university has been developing a secure central database for such information. But the university, like many large institutions, is still working with computer systems designed in the 1970s, with Social Security numbers deeply imbedded in their architecture.

It's possible, Hogue said, business school personnel did not know the Social Security numbers were in the database.

The computer system update has not progressed to the stage where departments no longer need to keep their own student records, he said. "That's one of the goals of the upgrade."

In 2004, USC trustees authorized a top-to-bottom upgrade of the university's computer systems and changing student records was a top priority.

Trustees voted in August to award a $1.5 million contract to SunGard Higher Education to analyze the Columbia campus computer system and propose improvements. The $1.5 million analysis is the first stage of an estimated $55 million upgrade of the campus' computer infrastructure over seven years. USC calls the project OneCarolina.

Hogue said he'll likely recommend to the board this summer that the university move to the implementation phase of OneCarolina.

Meanwhile, student identification cards no longer display Social Security numbers. But the university still collects that information and likely will continue as long as the federal and state governments require the information.

University officials say solving the problem requires both improving computer systems and changing the school's culture to make people more sensitive about protecting students' data.

"We must do a better job of safeguarding our staff and student information," McKinney said, "and we are working constantly to do that."

Reach Hammond at (803) 771-8474.

AP-NY-06-09-08 2037EDT