June 2009 Data Theft - Frequently Asked Questions
Added July 7, 2009:
What if I still have questions about the incident?
Added June 24, 2009:
Should I contact the police? Only if your bank or credit bureau notifies you of fraudulent activity...
1. What happened?
In June 2009, a Cornell-owned computer that contained a large amount of administrative data was stolen. Our review of a current backup of the files on the system revealed that confidential personal data for about 45,000 current and former staff and students, and some dependents, had been present.
Once we made this determination, Cornell immediately worked to retrieve contact information for the affected individuals. We sent a preliminary notification to everyone for whom we had a current e-mail address on June 23, and the formal notifications have now been sent out via U.S. Mail.
Because this incident is currently the subject of an active law enforcement and internal investigation, we cannot reveal any specific information concerning what happened.
2. If I didn't receive an e-mail or letter, does this mean that my information was not on the stolen computer?
Yes. We have conducted a very thorough analysis of a current backup of the data on the computer. If you do not receive an e-mail notification or a notification letter, we did not find your confidential personal information in the backup data from this computer.
3. What will Cornell do to help mitigate the cost and inconvenience to me?
Cornell has engaged Kroll Inc. to provide credit monitoring and identity theft restoration services at no charge to affected individuals. If you are an affected individual, you will receive a notification letter describing how to use these services. The letter will also include both domestic and international toll-free numbers that you can call for professional guidance.
We have pre-paid for your use of Kroll's ID TheftSmart service and the notification letter will include your enrollment information. Please do not accept any other company's offer of assistance with credit monitoring or similar services.
4. What steps can I take myself?
While there are a number of steps you can take on your own, such as requesting a credit report, fraud alert or security freeze, you will shortly be receiving the formal notification letter which includes a phone number for the help desk that Kroll, Inc. is setting up on our behalf. We strongly urge you to contact the professionals at Kroll's ID TheftSmart service for advice about how to best respond to this situation.
5. Should I contact the police?
You should not try to file a report with the police just on the basis of Cornell's notification of data loss. A report to them is only appropriate if you are actually experiencing identity theft. The law enforcement agencies are asking that you contact them only if a bank or a credit bureau has notified you of fraudulent activity. Should this be the case, the New York State Police are the investigating agency and you should contact one of their offices.
Please bear in mind that the police are very busy with the case and, therefore, you should go to them only if you have received notice of fraudulent activity that points to identity theft. You do not need to report to any law enforcement agency that you received a notification of data loss from Cornell.
6. Has the data been misused?
To date, we have no knowledge that the personal identity information contained on the computer has been misused or exploited. We will update this website promptly if we learn otherwise.
7. Why was this information on a computer?
A member of the Cornell technical staff, who is responsible for supporting our central administrative systems, was using these files to correct transmission errors found in the processing of the files. The data was being used for troubleshooting. Cornell's information security policies and guidelines do not allow unencrypted confidential personal data to be stored on any computer device that is not in a physically secured location. This employee's actions, although unintentional, violated our policy and practices.
8. How can you be sure a similar incident won't happen again?
Clearly, this incident violated our information security policies and guidelines, and it demonstrates that we must have heightened vigilance in this area. Cornell is undertaking an institution-wide data inventory initiative and conducting a full review to further improve our policies and practices regarding the security of our confidential data.
9. Is there an investigation into this incident?
Cornell has reported the stolen computer to law enforcement and is working with them to identify the perpetrator(s). We cannot discuss further details of an active investigation.
10. What else is the university doing?
In addition to working with law enforcement to recover the computer, Cornell has alerted Human Resources and the Computer Help Desk about this incident. While your Cornell NetID passwords were not part of the data on this computer, requests for changes to passwords or personnel profiles will be carefully scrutinized. Most importantly, Cornell is committed to collaborating with our affected community members to safeguard against identity fraud that may result from this crime. We will work closely with Kroll, Inc. in the coming months to determine if any misuse of the data occurs. If we discover a pattern of fraud, we will provide further notification to everyone affected.
11. What if I still have questions?
For advice about responding to this exposure of your personal data, please call the ID TheftSmart phone number that appears in your notification letter. If you have other questions about this incident, please send an email message to data-theft-june2009@cornell.edu.
