College Alumni Data Breach

By: Tonya Mead, CFE, CHFI, PI, MBA, MA Educational Psychology

Thanksgiving is often a time when fraudsters prey upon our most vulnerable. You wouldn’t think that university fundraising departments would risk exposing confidential income, employment, and private wealth information of their alumni to third parties for added financial gains would you?

Related Articles and Reports

The Information Commissioner in England has been asked to examine complaints that colleges and universities in the United Kingdom have been routinely sending confidential alumni information to third party firms to screen for wealth.

Fundraising Best Practices

I admit that I served as a Development Intern for an Ivy League college. In this role, I was trained to conduct research on high net worth targets for major giving campaigns. Before the advent of the universal use of the internet, we would conduct open source research; review SEC Reports, 10-K and 10-Q Forms, Edgar, Proquest/Dialog and Lexis/Nexis. It was an in-house operation and researchers adhered to the strictest guidelines to maintain confidentiality. We prepared prospect reports based upon information and the sources that we developed, not based upon financial information submitted on school documents by the student, family member or alumni as a condition of admission, merit scholarship or financial aid.

So while we all hope to make a conscious effort toward social responsibility, giving back to our communities, and playing it forward, let us stop and reflect upon the limitations we should place upon the recipient organization as they use our data internally. As a former fundraising executive and now computer hacking investigator and fraud examiner, these questions are advised:

Recommended Questions from a Computer Hacking Forensic Investigator

  1. How and in what format will the donation be publicized? Will my name be listed?
  2. What happens with the records used to enter, store, track and report upon my financial gift?
  3. How secure is the organization’s information system?
  4. Who has access? And, for what purpose is the access granted?
  5. How long do you maintain this information? What is your process for destroying it?
  6. Do you have signed agreements with your third party vendors regarding the limitations and use of my data?
  7. Who is financially liable in the event that an intentional or unintentional data breach occurs at the site of the third party and/or university?
  8. Who has the responsibility for victim restitution?
  9. Do you sell or does the third party vendor sell my data to others?

These are just a few questions we should pose as we make philanthropic contributions. If there are other items that you have considered and wish to share, please add in the comments section.

Happy Thanksgiving!

Tonya J. Mead, CFE, CHFI, PI, MBA, MA, Certified K-12 Administrator and School Psychologist is author of Fraud in Education: Beyond the Wrong Answer and president of Shared Knowledge, LLC If you like her work, please support her at Patreon.