BANGOR, Maine — The University of Maine professor whose laptop containing the Social Security numbers of more than 600 former students was reported stolen from the educator’s luggage earlier this month violated university information security policies.
John Forker, chief information security officer for the University of Maine System, said Friday that all system employees receive annual online training in those policies. The system’s Information Security Standards document lays out overarching rules for UMS and campus employees.
“In my mind, this should have been encrypted,” Forker said of the information. University officials are not naming the professor.
The laptop, believed to have been stolen from a piece of checked baggage during the professor’s Feb. 10 flight from Seattle to Boston, contained a media card that held class records for more than 900 students who attended the university from as far back as 1999. Data included names, grades and, for more than 600 of the students, Social Security numbers.
Until 2007, system campuses used Social Security numbers to identify students, a common practice among universities at the time. After that, the schools began issuing unique ID numbers.
The laptop was password protected, but the media card was not encrypted.
Forker said employees need to have department-level approval before they can have Social Security numbers on their computers, even if data are encrypted.
“In this instance, there was no reason for [the information] to be there,” Forker said. “I can’t see any reason they would have needed that.”
Forker said the professor may not have been aware of what sensitive information was contained in the class roll data. He said future employee training sessions will stress the fact that older data may contain Social Security numbers and how to keep that information safe.
University security policy requires “compliant data,” or information sensitive enough that its misuse could harm the university or its students, be “encrypted or secured at rest, in transit and anytime it is not in use.”
The policy also mentions a “formal disciplinary process” for employees who violate it but does not go into details about what that process looks like. Forker said it differs based on the nature of the offense and who the employee is. Any disciplinary decision would be the result of talks between the employee’s supervisor and human resources.
University of Maine spokeswoman Margaret Nagle declined to comment on whether any disciplinary action was taken or is being considered against the professor because it is a personnel matter.
When the professor discovered the laptop was missing, the individual called the airline and reported the theft to Massachusetts State Police, according to Forker. A copy of the report was not immediately available Friday, but a state police spokesperson said he or she would look for it.
The university offered affected students one free year of credit monitoring, alerts regarding credit changes and identity theft insurance through Experian Information Solutions.
UMS has fallen victim to breaches in the past.
Nearly three years ago, hackers breached a UMaine server, compromising the data of 2,818 people who made purchases at the campus computer store in Orono and another store at the University of Arkansas.
In 2013, someone stole the keys from a University of Southern Maine van, giving them access to campus buildings that contained sensitive information. USM changed the locks in response and urged employees to shut down their computers when not in use.
In 2010, a breach compromised the records of more than 4,500 students who visited the University of Maine’s counseling center since 2002.
Forker said hackers attack the system on an almost daily basis, and UMS has beefed up its security in recent years to keep them out.
Follow Nick McCrea on Twitter at @nmccrea213.