Archive for Thursday, September 20, 2007

KU investigates records breach

Newspaper anonymously receives personal information in mail

September 20, 2007


Reader poll
Does KU do a good enough job protecting private records?

or See the results without voting

In a meeting with Journal-World reporters and editors, Kansas University spokesman Todd Cohen, surveys a stack of documents sent to the Journal-World and other newspapers Wednesday at the News Center, 645 N.H.

In a meeting with Journal-World reporters and editors, Kansas University spokesman Todd Cohen, surveys a stack of documents sent to the Journal-World and other newspapers Wednesday at the News Center, 645 N.H.

KU investigating release of important documents

KU launches an investigation into how area media received documents listing the personal information of hundreds of students. Enlarge video

On the street

Are you careful about throwing away private information?

Yeah, I pretty much always shred it or burn it.

More responses

Graded student exams. Student ID numbers. Health insurance information. Social Security numbers. Cell phone numbers. Home addresses. Names.

An identity thief's dream.

All of the above records - some originals, others copies - were contained in Kansas University documents mailed Tuesday to the Lawrence Journal-World.

The records were accompanied by an anonymous letter, written ostensibly by former mathematics department teaching assistants and current employees of the KU Recycling Center, that said the records had been recovered from trash and recycling receptacles in the KU math department. The letter went on to say that the writers had repeatedly tried to persuade the math department to better safeguard personal information.

"We've been informed that personal documents and records were sent to the media, along with allegations of improper handling of private information," Lynn Bretz, KU spokeswoman, said in a statement. "The protection of private data is critical, which is why we've started an investigation into where these records came from and what changes need to be made to ensure a similar breach doesn't occur again."

That's too little, too late, though, for those whose information was left unprotected.

"It is kind of nerve-racking because ID numbers are useful for a lot of things that go on here on campus," said Vanessa Cunningham, a sophomore from Olathe whose name and student ID were released. "We have to change our passwords every now and then on the computer for our KU Web site. If they're not taking care of that information, then there's no point in a lot of things we do."

Math department chairman Jack Porter said he was concerned that this information may have been ascertained through other means, such as theft from an office, pointing out that he keeps student information on his desk. He said the department does have a policy on the care of personal information, but he otherwise refused to comment.

KU policies

KU's Privacy Office maintains a set of standards and practices for the safekeeping of this kind of information, including keeping all student information, such as exams, in a locked filing cabinet.

"Always shred or pulverize paper containing personal, private information," the standards state. "Recycle paper containing private information only in secure, locked bins."

The anonymous letter stated some of this information was found in recycling bins, but much of it was discovered in a trash bin behind Snow Hall.

The Journal-World contacted KU to inquire about the documents Tuesday night. University spokesman Todd Cohen said an investigation was launched almost immediately. All told, the records contained nearly 400 names and student ID numbers. There were 14 Social Security numbers - including a copy of one Social Security card - four dates of birth, three pieces of health insurance information and 17 phone numbers. There were also immigration documents, high school report cards, student final exams and student transcripts in the package.

"We take protecting this kind of information very seriously. This is a very, very serious issue," Cohen said.

This is the second time in the past six months that student personal data was found unsecured. This summer, a number of student final exams were discovered unsecured in the halls of Wescoe Hall, which was about to undergo renovations. At the time, the university pledged to do a better job of safeguarding records.

Any disclosure of student information not considered directory information - such as names, addresses, e-mail addresses and possibly phone numbers - is forbidden by the Family Educational Rights and Privacy Act. Though extremely rare, violation of FERPA can result in termination of federal funding to the offending school or university. People also could sue individually for breach of privacy, if they choose.

That penalty sounds somewhat hollow, though, to students, faculty and staff whose personal information has been exposed.

Victims feel violated

For KU student Melissa Farr, the discovery that her personal information was disclosed to the media came as a shock.

"Never would I have thought the news would end up with my personal information. I thought they properly disposed of old exams, papers, etc.," she wrote in an e-mail. "I guess since I work at the hospital and disposing of patient information is such a huge deal, I guess I haven't thought that it could be happening right where I go to school."

With a student ID and name, it's possible to access transcripts, tuition bills and some student health information.

Pamala Shadoin, a KU staff member, was dismayed to learn her information had been included in the documents. She mentioned the possibility that more papers could be out there to be found by anyone.

"It worries me a lot," she said. "This is something the university should really care about. It's unfortunate it takes something like this for the university to take action."

In addition to the Journal-World, the records were sent to two other area newspapers, according to the letter. The university has requested that all of the documents be returned to the university immediately.

The Journal-World has made the documents available to KU to assist with its investigation but does not plan to return them, said managing editor Dennis Anderson. No copies of the documents will be made public and they will be destroyed once reporting of the story is complete, Anderson said.

"We have no interest in the contents of the documents," he said. "Our priority is reporting how this happened and what the university is doing in response."

The Journal-World has kept the documents in a locked filing cabinet since receiving them, taking them out only to catalog the contents and to attempt to contact people whose records are included. The Kansas City Star, as of Wednesday night, had not determined what it would do with the documents it received, said editor Mark Zieman.

"We're still discussing that. We know that they'll be disposed of properly, one way or another," he said.

The University Daily Kansan, the other newspaper to receive a set of documents, made a copy of the documents for its reporters to use, but returned the originals to the university, said editor Erick R. Schmidt.

"We've kept them locked up since we got them," Schmidt said. "The university said they wanted to contact faculty and staff who were involved, and they couldn't do that without the documents."

A possible solution

Even before these documents were sent to the media, KU had started a review of how it deals with information. At this fall's faculty/staff convocation, Provost Richard Lariviere said the new protocol would require a major change in how the university does business.

Denise Stephens, vice provost for information services, who is leading the new initiative, said it is critically important that faculty and staff who routinely handle information know how to safeguard the information - while retaining it for possible use in the future. An example would be research data that could be built on in coming years.

The initiative has four broad parts: records retention, data stewardship, accountability and training. Stephens said it's important that departments designate a person to be responsible for information being dealt with correctly.

"We're building a comprehensive program across the university," she said. "Information is all over the university. It's going to be important to identify what's out there, who has it and what risks it presents if it's lost or inappropriately accessed."

Stephens said it could take years for the initiative to take hold among all faculty and staff, but it's worth the time and effort.

The Federal Trade Commission suggests anyone whose personal information, especially Social Security numbers, has been compromised take four steps. Place a fraud alert on your account with the three major credit bureaus - Equifax, Experian and TransUnion - close any accounts that may have been tampered with, file a complaint with the FTC, and, if necessary, file a police report. More information on identity theft is available at and


frazzled 10 years, 7 months ago

Clearly KU needs to do a better job of safeguarding sensitive records. On the other hand, what does the LJW think its doing by "cataloging the contents of the records and attempting to contact the people involved"? Plus the tone of this article ("too little, too late", "that penalty sounds hollow", etc.) makes it sound to me like the LJW would rather be part of the problem than part of the solution. Typical.

samsnewplace 10 years, 7 months ago

I hope all students were contacted that were affected this time around. It sounds like it is just one day and it happens all the time. How stupid, with the crime we have in this town, to have personal information so easy to get to! WAKE UP KU~!

OnlyTheOne 10 years, 7 months ago

Hey, folks! Read the article! "that said the records had been recovered from trash and recycling receptacles in the KU math department." That isn't "stolen" plumberscrack. If the LJ-W contacts the people they can get the victim's response AND ensure they were actually contacted. How is that "LJW would rather be part of the problem than part of the solution?" frazzled "Math department chairman Jack Porter said he was concerned that this information may have been ascertained through other means, such as theft from an office, pointing out that he keeps student information on his desk." A pure and simple violation of the privacy policy! All Lawrence residents need to wake up, samsnewplace. When we lived in Lawrence it was commonplace to see people driving alleys looking in trashcans pulling out envelopes (mail offers, bills, etc.) some with Topeka, JoCo and local plates.

unite2revolt 10 years, 7 months ago

I like how the UDK says they gave the papers back because the university wanted to contact faculty and staff. I think maybe the university should be the ones calling the students, not ljw staff. Way to care about the students.

One other thought for those of you who might be affected. Think real hard about if you want to put a fraud alert on your credit reports, it will show up everytime you want to get credit for something too.

Godot 10 years, 7 months ago

I don't understand why the LJW did not turn this over to the police. It isn't up to the editorial staff to determine whether the papers were "stolen" or "found."

jlw53 10 years, 7 months ago

Just further proof that this Chancellor cannot effectively lead anything. If he can't make sure these things don't continue to happen after at least 2 previous major incidents, and he continues to keep employed the people who are responsible without any repercussions, then the former head of the Alumni association was correct in referring to him as Elmer Fudd. A major dud!! And these are just a small sampling of his "leadership".

Godot 10 years, 7 months ago

I am assuming the grad students and employees who took it upon themselves to retrieve these records and copy and distribute them kept at least one copy for themselves.

oldgoof 10 years, 7 months ago

Oh the horror. How many days can the LJW keep Trash-Gate alive?

publicdefender 10 years, 7 months ago

Sadly, KU has a long history of violating FERPA and promising to put more safeguards in place to protect personal information of students. Two years ago, the Financial Aid Office released protected information about 100 students and pledged to take steps to ensure this "mistake" would not occur again. Apparently, KU does not learn from their "prior" mistakes. I wonder how many more violations occur that go unreported. It makes me wonder...

pace 10 years, 7 months ago

Math department chairman Jack Porter said he was concerned that this information may have been ascertained through other means, such as theft from an office

Jack porter, He was responsible for safeguarding the practices in his department, He didn't care enough to do it. Now the whistle is blown and he comes out with accusations about the whistle blowers. Yeah maybe it was stolen, maybe the dog ate it. I would prefer that people who had responsibility took responsibility. Good for the whistle blowers and good for the ljw. I bet a lot of lazy practices will change in a lot of offices on campus. The shredders should be humming for a least a week until they go back to old ways.

been_there 10 years, 7 months ago

As a victim of identity theft and having several hundred dollars charged to my account, I also agree with pace. Many years ago after a divorce I wanted to get electric service but could not because someone across the state was using my social security number for years on her electric account. I had to drive to their office with proof of who I was to get electricity. Obviously the other lady didn't have to. My son had the exact same problem when he wanted to get a telephone. He also had to show ID. Many people have had the IRS come after them for not paying taxes because someone else used their social security number to get a job.

ontheotherhand 10 years, 7 months ago

Jack Porter, be very glad that I am not a Math student a KU. More audacious than the fact that you keep personal records on your desk is the fact that you admitted it to the newspaper. Are you ignorant enough to think that no one can enter your office simply because it's locked? Hello! Ever heard of cleaning staff? Office staff? Thieves? Hello? Hello? This is serious business and kudos to those who brought it to our attention. I hope the LJW continues to highlight this situation until clear policies are in place.

I've known two people here in Lawrence who got their identities stolen. Clearing their names and their credit records was a nightmare. How can we attempt to protect our private information when other people are merely throwing that info in the trash???

flutter 10 years, 7 months ago

Just because the LJW can keep those documents doesn't mean that they should. In an effort of decency, they should return them and all copies to KU. They claim that they are "locked up" but who has access to the key to that lock? Keeping them only improves chances that more people have access to this sensitive information, so isn't LJW just increasing/participating in perpetuating the problem?? Just one more reason LJW is incredibly disapponting.

Commenting has been disabled for this item.