Friday, June 16, 2006

Loss of card leads to potential identity theft.

This email will explain itself. I just thought I would blog it.

From: Frank Butler, Executive Vice President for Finance and Administration
Cc: Bcc: Bradley Jay Luttrell
Date: 06/16/06 04:00 pm
Subject: Report on Theft of Personal Data

This afternoon, the university began mailing 6,500 current and formerstudents whose personal information may have been contained on afaculty member's computer drive that was stolen.I wanted to inform you about the incident and briefly discuss what stepswe are taking as an institution to mitigate the potential impact aswell as do everything possible to minimize future occurrences.

This incident was reported to UK police on May 26. A faculty member inthe School of Human Environmental Sciences reported that a "thumbdrive" - a small, detachable computer drive - was taken from aclassroom. The faculty member believes the drive may have containedclassroom rosters and personal data of students.It is impossible to tell how many students may have been impacted bythis theft.

The thumb drive, which contained more than 130 files, didnot match up completely with the professor's computer hard drive, whichhad class rosters and other information dating back to 1988. So, wehave decided to take the most cautious and conservative route andattempt to contact every student who was listed in some way on theprofessor's hard drive in his office.

First, this is a regrettable incident and we are deeply sorry that ithas occurred. We are doing everything possible to alert students andformer students who may have been impacted and provide them withinformation about how they can respond.

We believe that in the future the potential for such incidents will begreatly minimized as our new technology and information system - IRIS,the Integrated Resource Information System - is fully implemented. Inall, the university will have invested some $60 million in thistechnology upgrade.

The bottom line is that under IRIS, the use of Social Security numberswill be greatly reduced. As many of you know, students, faculty andstaff are assigned individual and unique identification numbers - not their Social Security numbers - to be used for class rosters, trainingand other campus activities.

Second, we are communicating with the campus about steps that can betaken in the short term to minimize the potential for additionalexposure or breaches of confidential information. Those steps include:

1) Our Information Technology (IT) department is conducting acomprehensive scan across the campus to determine where there areSocial Security numbers in use that might be publicly exposed in somemanner.

2) Additionally, as precautionary measures, IT advises: 1) a routinereview of credit card(s) and banking/financial institution(s)statements for any suspicious and/or unauthorized activity. 2) annuallyrequest a free copy of credit reports. You may do so by contacting aconsolidated credit report provider, such as AnnualCreditReport.comeither online at or by calling1-877-322-8228. (3) review Web site on identity theft:

Third, and finally, we are forming a committee - composed of informationtechnology, legal and human resources staff - to examine the use andsecurity of Social Security numbers and make recommendations to betterensure that such information is safeguarded in the future.

We are not alone in this challenge. Since last year, 67 majoruniversities have reported extensive security breaches in one form oranother - many involving far more people than the incidents that haveoccurred at UK.

In an age and time in which vast amounts of information are continuouslystored and moved quickly and freely, we must take every step possibleto mitigate potential exposure and protect the confidentiality of ourstudents, faculty and staff.

At UK, we realize the anxiety and concern that such incidents cause. Weare moving quickly to minimize any negative impacts. As importantly, weare cting quickly and thoughtfully to ensure that we have systems andprocesses in place that limit such occurrences in the future.

Frank Butler
EVPFinance and Administration

Ebay is full of more than good deals.

I bid on a lens for my camera on ebay, and didn't get it. I only bid up to $885.00, basically because I forgot to watch the end of the bid. Well, very soon after the bid ended, I received a second chance offer. I'm not crazy about these deals, because I had all ready had someone try to take advantage of me.

I received my first email from the bidder, asking if I was interested. I said yeah. So they said that I would receive an email from ebay, and of course shortly after I did.

This one was from aw-confirm@eBay. com , so I knew it was legit. I was interested. I got a very complex looking email telling me all this crap, looked like it was straight. I scanned through, not paying attention to most of it. But here was the problem, I didn't want to use Western Union. Apparently, you have to use Western Union if you don't win the auction...

Alex and I looked for a Western Union all over Lex Vegas, I just couldn't find one, because Yahoo directions was wrong. I was upset, and really wasn't crazy about sending it through wire anyways.

So I just decided against it. I emailed the person back, and asked them if they would mind me paying through paypal, because I didn't want to use Western Union.

No response.

I decided that I would send it again. I really wanted that lens. I sent another email, just saying I wanted to pay with pay pal because I didn't trust paying through Western Union.

Boy was I in for a treat.

Here is the response I got from the person:

(Warning, message is copied nearly exact and does have foul language. I only partially edited this message, as I would like for people to realize how easily this happens and the attitude of those who do it. Parental guidance and censorship is advised.)

"I am a romanian scammer and I target greedy idiots like you that think you can get something brand new for less than half the retail price.

You need to grow a brain because ebay is full of scammers like me.

I hope you get scammed soon f***head you dumba**. "

Everything I told you sounded like it was the real thing, right up until that last response, right?
Here's what I've figured out.

  • The original email from the person is a personal email, in which I shouldn't have gotten first if the seller had really done a second chance offer.
  • When I received the email from aw-confirm@eBay. com, notice the space at the end of the .com. That was only the name used, the person had put aw-confirm@eBay. as their first name, and then com as their last name. The actual email after I looked closely wasn't anything to do with ebay, it was
  • I never received any messages in my ebay account. Always look for those. You should be getting emails sent to your ebay account and your email. These guys are very good at convicing you it's real.
  • Western Union is even advised against by ebay. Never ever try it. It and MoneyGram are the two most unsafe ways of transfering money between people who don't know each other.

I've turned this guy in through two complaints and I am confident ebay will take the proper actions to punish them. Ebay even locked down my other account after it was hacked.

Talk about your share of bad luck & shams.

The Doctor is out.