TACOMA, Wash. (CN) – Washington State University failed to promptly notify over one million people their personal data, stored on a hard drive, was stolen in a burglary and then offered inadequate compensation, a federal class action claims.
The stolen hard drive had been kept in a locked safe at a storage unit in Olympia, Washington, and contained Social Security numbers, health information and other personal data from research subjects who the university had been tracking for the past 15 years, according to a complaint filed in the Western District of Washington last week.
The data on the drive is “highly valuable on underground criminal exchanges where stolen data is sold because the information can be used to engage in insurance fraud, and because the information involved can be used to engage in a variety of other crimes, including financial identity theft, for instance by using Social Security numbers to open new accounts in a victim’s name,” the complaint says.
The theft occurred in April 2017, but university officials did not disclose it until June 9.
“As president of Washington State University, I deeply regret that this incident occurred and am truly sorry for any concern it may cause our community,” WSU President Kirk Shulz said in a statement in June after announcing the theft. “The University is taking steps to help prevent this type of incident from happening again. These steps include strengthening our information technology operations by completing a comprehensive assessment of IT practices and policies, improving training and awareness for University employees regarding best practices for handling data, and employing best practices for the delivery of IT services.”
Lead plaintiff Abhi Sheth says his personal information was on the stolen hard drive and that he suffered a fraudulent online charge one week after the theft.
Sheth sued the university for negligence and violation of Washington’s Data Disclosure Law and Consumer Protection Act.
According to the complaint, the stolen hard drive was a backup containing data from one million individuals collected by school districts tracking students after graduation to see if they went to college or got jobs. It also tracked clients in state job-training programs to see if they landed jobs, Sheth said.
WSU’s Social and Economic Sciences Research Center collected the data between 1998 and 2013.
The hard drive was kept in an 85-pound locked safe in a storage shed, and some of the data was not encrypted, the complaint says.
WSU failed to fully inform affected individuals of the scope of the data breach or the risks of identity theft, according to the complaint.
“It is not clear how many people it has notified to date, and its notification letters are vague and do not contain sufficient information regarding the data breach,” the lawsuit says.
Sheth says he will have to spend time and money protecting himself from identity theft, and he has already seen a fraudulent charge on his credit account.
“Consequently, plaintiff has already suffered a fraudulent online charge on one of his existing lines of credit. The fraud occurred on or about April 29, 2017, only about one week after Defendant purportedly learned of the data breach. Plaintiff is taking steps to mitigate this fraud and protect against future fraudulent activity as a result of the data breach. Plaintiff will have to expend time and money to protect himself that he otherwise would not have spent if the data breach had not occurred,” the complaint says.
Although the university offered victims of the theft one year of complimentary identity theft and credit monitoring, Sheth claims that is not sufficient for the damage suffered.
Sheth and the class seek actual and statutory damages and “restitution and disgorgement of the revenues wrongfully retained from [the university’s] research contracts.”
Washington State University is located in Pullman, Washington, and is the state’s second largest university with 29,000 students.
Sheth is represented by Kim Stephens of Tousley Brain Stephens in Seattle.