A Tufts−owned research laptop containing the personal information of 73 applicants to the Tufts Graduate School of Arts and Sciences (GSAS) was stolen in April, though there has been no sign of misuse of the information to date.
A research associate at the GSAS was using the laptop when it was stolen from Massachusetts General Hospital (MGH) last spring, according to a release issued by the Office of University Counsel.
The computer held a 2010 spreadsheet containing the social security numbers, contact information and personal academic records of 73 then−applicants to the graduate school.
Though the laptop was equipped with encryption software, the research assistant was not able to attest to whether the laptop had been shut down properly and the software enabled, therefore potentially leaving the data available for manipulation, according to Director of Public Relations Kim Thurler.
"Someone finding the laptop might have been able to access the data without a password," said the release from the Tufts Office of University Counsel to the New Hampshire State Attorney General's Office.
As of last month, there was no record that anyone had illegally used any of the data on the spreadsheet, according to Thurler.
The document was downloaded and used in early 2010, raising questions about why the information was being kept on the laptop at all, according to the release.
One student whose information was on the stolen laptop was from New Hampshire, where the law dictates that breaches of personal security be reported, according to the release.
The laptop theft was reported first to the MGH information technology department and the police, according to the information that Tufts released to the New Hampshire State Attorney General's Office according to the law.
Tufts' Office of University Council learned that the spreadsheet containing personal information "might have been compromised" on June 16. After the theft was reported, a search of the laptop's backup drive was conducted, revealing the spreadsheet.
All affected students were notified of the security breach via mail on July 7, and the university offered them one year of free credit monitoring from Experian, a credit−monitoring provider.
One student whose information was stored on the laptop and asked to remain anonymous due to the tenuous nature of the security of her personal information, said she has signed up to use the credit monitoring system offered by the university.
"There's no sign that anyone has attempted to use my information, but the whole incident put a bad taste in my mouth," she said. "I don't understand why my information was made downloadable to anyone with an Internet connection."
A blogger from Databreaches.net, a website dedicated to reporting information and technology security violations, was one of the first to report the breach online.
There was a three−week gap between the time the university learned of the document and the time it notified students.
This is not unusual, the blogger — who also preferred to remain anonymous — told the Daily.
"Once the university learned the laptop contained student information, it had to locate a backup or other way to reconstruct whose data was in that file, prepare a notification letter, arrange for credit protection monitoring and ensure that it complied with all relevant state laws," the blogger said.
According to James Boffetti, senior assistant attorney general of New Hampshire, the potential of a breach that would put a New Hampshire resident at risk was considered a serious offense. The New Hampshire Attorney General's Office could not disclose the identity of the affected individual.
Thurler said that the incident served as a warning to students and faculty to protect their personal information.
"Everyone needs to control, encrypt and physically secure laptops and other information devices and to limit the sharing and use of personally identifiable information," she said. "The university continues to enhance its efforts in this area."
Following the incident, Tufts implemented a Written Information Security Program. Spearheaded by University Information Technology, the program is designed to increase security safeguards on personal information.
Social security numbers will also no longer distributed to faculty members as part of the Graduate School of Arts and Sciences admissions process, Thurler said.
