Some KAIST students may think that they are the only ones suffering from personal information breach from financial, telecommunication, and Internet companies. But while KAIST as a university has not suffered from a major breach, some foreign universities have. The breached information include social security numbers (SSN), academic grades, ID, passwords, email addresses, names, and phone numbers.

 

In January, an academic administrator at Oxford University accidentally sent a list of poorly performing students to hundreds of fellow students. The list included names of nearly 50 students who have scored poorly, as well as their percentage mark and their degree subject. Receiving a bad grade is in itself not going to be pleasant, but the thought of fellow students knowing that you performed poorly would be traumatizing. After the incident, school officials apologized to the students and assured that incidents like this will never happen again.

 

Another breach occurred in February at the University of Maryland (UMD). Hackers breached a database containing 287,580 records of faculty, staff, students, and affiliated personnel. The breached information included names, SSNs, date of birth, and university identification numbers. The president apologized in an email, and the university offered students a free one-year membership to identity protection service. The university is in the process of adding additional security to the databases and cooperating in the police investigation.

 

Around the same time as the incident at UMD, University of Indiana also suffered from personal information breach. Names, addresses, and SSNs of approximately 146,000 students and recent graduates were accessed by an outsider. While the university spokesperson said that the chance of sensitive data falling into the wrong hands is very remote, students worried that they might suffer from identity theft.

 

The cases of security breaching above all happened within one year from the present. In 2012, hackers affiliated with Anonymous, an international network of hackers, called Team GhostShell released information of 120,000 user accounts and school records from Princeton University, Harvard University, Cambridge University, Imperial College London, and more. The breached data included email addresses, passwords, names, bank account numbers, payroll information, and other private data.

While the universities claim that they have done their best to ensure personal information were protected securely, it did not change the fact that many students and personnel were affected by the breach and with potential chance of identity theft.

 

Some students have decided to take aggressive action and filed a lawsuit against the party responsible for the personal information leak. In Canada, security of the personal information of 583,000 Canadians who took Ontario Student Assistance Program loans between 2000 and 2006 was compromised. Two hard disk drives containing financial details, SSNs, addresses, phone numbers, and birth dates were lost by federal employees. Students filed a class action lawsuit of 600 million US dollars (or about 1000 US dollars per affected student) against the attorney general of Canada. The state appealed against the lawsuit,  but the date for the appeal has not yet been set.

 

Two former Ohio University students have filed a lawsuit in 2006. The university’s computer systems were breached and SSNs, names, medical records, and home addresses of approximately 173,000 students were leaked. The two students requested payment for credit monitoring services for those whose personal information may have been illegitimately disclosed. However, the court dismissed the lawsuit due to the fact that they failed to prove they suffered the damages they wanted compensation for. Victims of the breach failed to provide any evidence of identity theft or other crimes, so the school’s attorneys maintained that the claims of the two students were based solely on fears and not actual damages.

 

The growing number of security breaching cases have led to government action. The Korean government established the Personal Information Protection Commission (PIPC). PIPC issued the Personal Information Protection Act (PIPA), which aim to increase the people’s rights and ensure the protection of people’s dignity and values. Canada has a similar act to PIPA called Personal Information Protection and Electronic Documents Act (PIPEDA). It became a law in 2000 to promote consumer trust in electronic commerce. The law gives individuals multiple rights, such as to question why the organization collects, uses, or discloses their personal information. The law requires the organizations to maintain a secure program concerning the collection and usage of personal information.

 

Surprisingly, the US does not have a single law concerning the privacy of its citizens; rather, it has many different laws related with the protection of personal information and privacy. In the US Constitution, the word “privacy” is never actually used. The Fourth Amendment, as well as the First Amendment and the Ninth Amendment, is related to the right to privacy in the federal sector. Therefore, some individual states, such as California and Montana, have their own laws concerning personal information.