New Mexico State University has determined that an on-campus theft of computing equipment in June included a laptop with a link to personal data on 171 students, a potentially serious compromise of vital information.
The suspected thief, the university said in a letter dated Aug. 11 to the affected students, has been arrested and charged, but the suspect “had disposed of the stolen laptop containing the personal information prior to being arrested.”
Two thefts of computing equipment at NMSU were reported, on June 19 and June 24, both at O’Donnell Hall, the College of Education building.
The stolen laptop “inadvertently” contained “a link to an excel file containing your name, date of birth, Social Security number and other student information related to you, along with similar personal information of approximately 170 other students,” said the letter, sent by Norma Grijalva, the university’s chief information officer.
The suspect, 19-year-old Oscar Quintana, was arrested on June 27 by NMSU police and is in custody at the Doña Ana County Detention Facility. He faces two counts of burglary of a commercial structure and one count each of possession of burglary tools and tampering with evidence. Grijalva said she did not know if he is a student.
“It appears that the thief was not targeting data, but rather items that could easily be sold and therefore the likelihood of data being misused is very low,” Grijalva wrote in her letter.
That was little solace to Ronald Thomas, whose wife is one of the affected students. Thomas fired off an angry response to Gov. Susana Martinez, NMSU regents and the university’s information technology director, calling the actions of whoever authorized or placed the information on an unsecured and un-encrypted laptop or laptops “egregious.”
He said NMSU should be “held financially responsible for any and all financial losses and expenses incurred by the students protecting their identities,” and that any involved faculty members should be “terminated or suspended without pay.” He called on the governor and regents to launch an investigation.
“Why in the hell did it take this long to let us know?” Thomas asked in an interview Tuesday. “And what have they done about it? Why even put that information on a laptop, even one used by an administrator?”
Grijalva said students were contacted “as soon as we knew for sure which students were affected.” Every step of the investigation takes time, she said, and officials did not have the luxury of having the laptop.
The faculty member to whom the university computer was assigned had a backup file, and that, eventually, provided the information needed.
“By law we have 60 days to notify victims. We were within that time frame,” she said.