By Martin H. Bosworth
April 28, 2006
The theft of a laptop containing information on thousands of students and faculty throughout Vermont's state college system is not only the latest example of bad laptop security, but it led one retired faculty member to find out that "free" credit monitoring isn't always what it appears to be.
Karen R. was one of many individuals notified that a laptop containing data on 20,000 students, faculty and staff in the Vermont State College (VSC) system was stolen from the locked car of a Lyndon College employee on vacation in Montreal.
The data on the laptop included names, addresses, Social Security numbers, and payroll information, as well as academic records on students. None of the data on the laptop was encrypted or protected, though authorities believed the theft was based more on the value of the laptop than what was in it.
College administrators told the Vermont Press Bureau that they blocked access to the university's network as soon as they found out about the theft.
As is often the case with thefts or disappearances of laptops, several weeks elapsed between the discovery of the theft and notification of authorities. The theft was discovered on Feb. 28th, but university administrators did not notify affected individuals for three weeks, and did not notify area banks until March 27th. Karen did not hear about it until March 25th.
Not only that, VSC fell victim to another data breach when a hacker used an information technology employee's stolen password to send out a campus-wide e-mail describing the laptop theft.
According to the Burlington Free Press, the e-mail said that "Increased security measures are supposedly coming soon, but obviously not soon enough."
"Free" Fraud Alert Neither Alert Nor Free
In a complaint to ConsumerAffairs.com, Karen related her quest to make sure she wouldn't be a victim of identity fraud due to the laptop theft.
"We were strongly urged to and given instructions on how to place a fraud alert with the credit bureaus," she said. "I contacted Equifax to do so. I received information from them that they would contact the other two credit bureaus."
"The written notification I received from Equifax stated [that] 'We will forward your information to Experian and TransUnion and they will also add an alert to your credit file in their databases, eliminating the need for you to contact each credit reporting agency directly,'" Karen said.
But Karen didn't get any notification from Experian. When she contacted them, despite following the instructions she was given, she wound up signing up for their monthly paid "credit monitoring service" without her consent.
Despite sending certified letters to Experian advising them of the error, she has been unable to get the credit monitoring service charge off her credit card, nor has she gotten the fraud alert placed on her Experian credit report.
Experian was hit with a class action lawsuit in 2004 for deceptive marketing and advertising relating to its "Free Credit Report" service, offered through subsidiary ConsumerInfo.com.
The suit charged that subscribers would sign up to get what they thought was a free credit report, only to find they were signed up for monthly "credit monitoring" services at $7.95 a pop.
The FTC brokered a settlement with ConsumerInfo.com in August 2005 to stop their practice of selling "free credit reports," ordering them to pay $950,000 in claims and barring them from advertising "free" credit reports in the future.
"At this point, I feel that I not only may be a victim of identity theft, but I am also a victim of Experian," Karen said.
MSNBC reporter Bob Sullivan recently investigated why many victims of data breaches don't utilize the free credit monitoring services companies offer them for protection.
In his blog, "The Red Tape Chronicles," he discussed the reasons why, ranging from ignorance of the signup process, to simple laziness, to mistrust of giving more personal information to companies that couldn't protect it adequately in the first place.
"Some victims were probably scared off by the sign-up process, which could require divulging a Social Security number," Sullivan said. "After all, who wants to fork over personal information to a company that's just lost it?"