A Notice Regarding a Recent Data Security Incident Affecting Boise State University students
For those keeping track: we had this incident filed solely under Fresno State, but had counted it in those incidents involving health/medical info. The incident had been included in our March 2018 analyses. — DataBreaches.net
Boise State University received notice recently from Fresno State University that a theft on their campus may have potentially involved some personal information that originated at Boise State.
At Boise State, we value the importance of protecting personal information and have sent additional notices to those affected to explain the incident, the measures taken and some steps they can do in response.
An external hard drive stolen sometime in the last week of December 2017 from a facility at Fresno State included personal information for some Boise State football camp attendees from 2007, 2008 and 2011 and others connected to the Boise State Athletics Department around the same time.
Fresno State, a California State University campus, notified Boise State of the data security incident on March 6 and sent letters to individuals the university could identify as having been potentially exposed. Boise State officials worked through the data a second time to determine what may have been included and whether more individuals should be contacted.
Fresno State indicated some files included personal information, such as names, addresses, phone numbers, dates of birth, full or partial Social Security numbers and medical information including allergies, conditions, emergency contacts, insurance information and ID numbers.
In all, the Fresno State incident involved around 15,000 people, that university reported. Of those, about 3,000 are believed to be connected in some way to Boise State. Fresno State officials are investigating the origin of the Boise State information and how it ended up in their system, but that detail has not been shared publicly.
Boise State is sending a secondary notice to those individuals whose addresses could be determined, but the contact information of approximately 600 attendees of Boise State football camps from those three years could not be confirmed by either Boise State or Fresno State, so Boise State is releasing this broader notice to alert anyone who believes they may have been affected and to outline the steps they can take to protect their personal information.
Fresno State officials say they have no evidence that the device was stolen for the information that it contained, or that any of the information has been used improperly, but the university has taken several steps to protect individuals affected. Fresno State is providing one year of free credit monitoring through Experian IdentityWorks and has established a dedicated call center to answer any questions. The call center number is (877) 646- 7924.
Fresno State recommends that all individuals potentially affected review their account and credit card information. If they see suspicious activities or services they did not receive, they should contact their bank or credit company.
Boise State University is committed to maintaining information security for its students, employees, visitors, fans and others. Though this breach occurred in California, Boise State is reviewing its data usage policies to determine if they can be strengthened or better enforced. In addition, new encryption and security measures are being implemented on certain Boise State computers and new training opportunities are being developed. Even before this incident came to light, all State of Idaho employees, including Boise State employees, were required to take an online cybersecurity training in order to increase general awareness and education about the issue.
Source: Boise State University