Registrar's Office

Image: Photo of SF State Registrar's Office and One Stop Student Service Center

SFSU ID THEFT FAQ

What happened?

On the evening of June 6, 2006, San Francisco State University became aware of the theft of a laptop computer belonging to a faculty member in the College of Business which contained the names and some personally identifiable information for certain College of Business students. 

We have determined that approximately 3,000 names, almost all of them those of former – not current -- students, together with other personally identifiable information, were on the stolen laptop.  

Appropriate law enforcement agencies have been notified and are investigating this matter. Authorities believe it is unlikely the thief targeted the laptop because of any knowledge of the data contents. 

The University is contacting all the students whose names are known to have been on the laptop via e-mail and U.S. mail. To read the letter, go to http://www.sfsu.edu/~admisrec/reg/idltr.html

 We have also set up this Web page to answer questions and provide a contact number for any inquiries. 

What information was included?

The personal information included individuals’ names, full social security numbers for some students, partial social security numbers for others, and, in some cases, phone numbers or grade point average (GPA).  No financial information such as credit card numbers was included on any of the student records on the laptop

If someone has my SSN can they access my SFSU record?

No. The University stopped using SSN as an identifier in August 2005 and began using an assigned SFSU ID number not linked to a student’s SSN. You must enter your SFSU ID and Personal Access Code (SF State Passwords are now used) in order to access your student record.  Both forms of identification are needed to gain access.  Neither your SFSU ID or PAC were stored on the laptop.  Therefore, both IDs are safe.

What should I do to protect myself?

At this point there is no evidence that any missing data has been used illegally. However, the University recommends all affected individuals be vigilant and carefully monitor bank statements, credit card statements and any statements relating to recent financial transactions. If you notice unusual or suspicious activity, you should report it immediately to the financial institution involved and contact the Federal Trade Commission for further guidance.

For tips on how to guard against misuse of personal information, visit the Federal Trade Commission website at http://www.ftc.gov/. You may also wish to visit the Office of Privacy protection for specific information for Californians at: http://www.privacy.ca.gov/ssn/ssn.htm

You do not have to close your bank account or cancel your credit cards.  However it is prudent to take steps to protect yourself against identity theft. One way to monitor your financial accounts is to review your credit report. By law you are entitled to one free credit report each year. Request a free credit report from one of the three major credit bureaus - Equifax, Experian, TransUnion - at www.AnnualCreditReport.com or by calling 1-877-322-8228.

What should I look out for?

Purchases or charges on your accounts you didn't make

  • New accounts you didn't open or changes to existing accounts you didn't make
  • Bills that don't arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit for no apparent reason
  • Calls or letters about purchases you didn't make

What is the earliest date at which suspicious activity might have occurred due to this data breach?

The University employee's car was burglarized and the laptop was stolen on Thursday, June 1, 2006. If the data have been misused or otherwise used to commit fraud or identity theft crimes, it is likely that such activity would occur during the month of June.

What should I do if I detect a problem with any of my accounts?

The Federal Trade Commission recommends the following four steps if you detect suspicious activity:

Step 1 –

Contact the fraud department of one of the three major credit bureaus:

  • Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
  • Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, Texas 75013
  • TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

Step 2 –

Close any accounts that have been tampered with or opened fraudulently.

Step 3 –

File a police report with your local police or the police in the community where the identity theft took place.

Step 4 –

File a complaint with the Federal Trade Commission by using the FTC's Identity Theft Hotline:

  • By telephone: 1-877-438-4338
  • Online at www.consumer.gov/idtheft
  • By mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.

Can Social Security put a flag on my number?
No, unlike credit bureaus, the Social Security Administration cannot put a flag or security alert of any type on your Social Security number.To report that someone is using your Social Security number, file a complaint with the Federal Trade Commission by using the four steps outlined above:

Where can I get more information?

Please check this web page for further updates or call the Registrar’s office(415) 338-2350.

What are my remedies if my identity is stolen and used illegally?

The Federal Trade Commission (FTC) has produced a booklet to help you remedy the effects of an identity theft. It describes what steps to take, your legal rights, how to handle specific problems you may encounter on the way to clearing your name, and what to watch for in the future. The contents of the booklet, Taking Charge: Fighting Back Against Identity Theft, are available on-line at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm.

What is SFSU doing about the situation?

The University is working with law enforcement to investigate this data breach and to develop safeguards against similar incidents. All faculty, staff and administrators are mandated to take Employee/Student Information Privacy (ESIP) training before they can access employee or student records.  We will contact everyone the week of June 12th to remind them about their responsibilities to ensure  that confidential data remain secure and to remind them to delete any Social Security numbers remaining on computer equipment, including PC’s, laptops, PDA’s and computer servers. The University does not use Social Security numbers for student identification.  We changed last year to use a unique personal identification number called ‘SFSU ID’ by converting all student records on University servers to the new ID numbers.

How is information about this incident being shared?

We are providing as much information as we have about the incident and alerting the affected individual about the situation.
Students can continue to monitor this web page for further updates.

SF State Home