My Data Breach
Notification Letter Hammers Home Today's RealityI spend a good amount of time reporting on and editing stories about data breaches - that happen to other organizations.
See Also: How to Take the Complexity Out of Cybersecurity
A few days ago, a breach hit home.
I received via mail a breach notification letter from my former school, The College of New Jersey, saying that a flaw in the student employment system allowed one student to inadvertently access personal information for 12 other students while applying for a position. That information included name, Social Security number, school, date of birth and home address of the other applicants for that particular position.
The student reported the incident to the college, which acted upon the vulnerability and corrected it within hours. "Neither the college nor law enforcement agencies have evidence that any data has been extracted from the system," the notification said.
I was informed of this breach because my name was included in the On-Campus Student Employee System database. There's a "remote" chance that my information is at risk, I'm told. But to be safe, I was offered a complimentary one-year membership to Experian's ProtectMyID Alert.
My reaction to the notification? The college seems to have acted appropriately, contacting affected individuals and offering complimentary identity theft protection. They also reached out to law enforcement and local media outlets who reported on the story.
Still, I couldn't help but feel let down, almost as if a burglar had been in my house. How could the school have let this happen? Now I'm left weighing my options. I can:
- Take the college up on this offer, providing myself comfort and assurance, knowing that my information is being monitored for any fraudulent activity; or
- I can do nothing and assume everything's been taken care of, that none of my information leaked.
Fearful of the worst, I have this vision that a few months down the road I'll find out that someone opened a phone plan in my name, making expensive calls internationally. Or maybe someone will open an account at another bank, taking over my identity, thus turning my life into a nightmare.
Knowing today's threat landscape, I'll take the school up on its offer. I have to. There's always that remote possibility that my information somehow got out and could be used fraudulently.
This incident also serves as a reminder that our information is collected in so many different ways by organizations. Sticking just to this incident, think about the types of information a college routinely collects: classes taken, on-campus jobs held, grades and disciplinary records. The list goes on and on. And what if all that data is compromised?
As 2011 showed us, there is no end to the number and variety of data breaches we'll see from public and private entities, and the ripple effects can be devastating to the individuals affected. In 2012, we likely will see a new generation of breach notification legislation globally, as organizations get a handle on proper incident response.
Meanwhile, I'm left with the realization: Writing about data breaches is one thing. But to be a victim of one is quite another.