University Breach Lawsuit Settled
96,000 Receiving Credit Monitoring, Restoration ServicesThe University of Hawaii has agreed to settle a class action lawsuit in the wake of five data breaches over a three-year period that affected about 96,000. It will provide those affected with two years of free credit monitoring and credit restoration services.
See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
In the original suit, monetary damages were sought, but those aren't included in the proposed settlement. Lynne Waters, a University of Hawaii spokesperson, estimates the credit-monitoring and restoration services will cost the university about $550,000.
The settlement in Gross v. University of Hawaii will affect students, faculty, alumni, university employees and others whose data was exposed in five breaches from 2009 to 2011, according to a university statement.
The breaches occurred at UH Manoa, UH West Oahu, Kapiolani Community College and Honolulu Community College, which are all part of the university system.
"We have researched more than 40 data breaches at colleges and universities across the country. In almost every instance, two years of credit monitoring and fraud restoration were offered to data breach victims," said Bruce Sherman, one of the attorneys involved in filing the class action lawsuit. "Offering two years of credit monitoring and fraud restoration services to breach victims should be the standard response by any breaching entity in Hawaii, including government agencies," he said in a statement.
The settlement is still subject to court approval. Once approved, services will be administered by Kroll Background America Inc.
Faculty, students and alumni affected by the breaches will be sent a letter and e-mail by March 1 instructing them how to sign up for the credit-monitoring services online.
Breach Details
The most recent of the five breaches, according to the university, occurred on July 1, 2011, when campus employees reported that boxes of paper files containing personal information were missing from a secured storage area. The information included in the files was necessary for processing payments for Kapiolani Community College business transactions, including some combination of name, address, phone number, Social Security number, and/or credit card information.
In the suit, filed in the U.S. District Court of Hawaii on Nov. 18, 2010, the plaintiffs referenced four other breaches, including one in October 2010 where names, Social Security numbers, dates of birth and other "extremely detailed" personal information on more than 40,000 alumni were posted on an insecure website for almost a year by a retired faculty member who had been conducting research.
In a June 2010 incident, a hacker penetrated an unsecured server storing names, Social Security numbers and credit card numbers for almost 54,000 students, guests and alumni. In a February 2010 breach, 35 names and credit card numbers were made mistakenly available on a public computer at the Pacific Aviation Training Center at Honolulu Community College. And in an April 2009 incident, a malware-infected server exposed more than 15,000 names and social security numbers of students who applied for financial aid at Kapiolani Community College, along with their parents' personal information, according to the lawsuit.