Carolina officials are investigating a data breach that risked unauthorized online access to personal information concerning some current and former employees, vendors and students. It is believed that more than 6,000 people are affected.
On Nov. 11, an information technology manager in the Division of Finance and Administration was informed that some electronic files managed by the Division of Facilities Services inadvertently became accessible on the Internet. The files contained names and Social Security or Employee Tax Identification numbers, and in some cases, addresses and dates of birth.
When University officials learned about the incident, they immediately took steps to block access to the files and began an extensive investigation, which is ongoing. University officials believe that on July 30, during maintenance of one computer, the safeguards that protected the files against public access were accidentally disabled.
The University also learned that as part of Google’s automated processes, these files were copied and made publicly accessible. The University asked Google to take the records down immediately, and Google complied. As of Nov. 23, the records are no longer accessible on the Internet.
The University engaged a nationally recognized consultant to identify potentially affected individuals as soon as it had been confirmed that their personal information was included in the files. On Dec. 10, the University began notifying these people by mail.
“Other than Google’s activities described above, we have not been able to determine whether individual personal information was accessed by others or was misused as a result of this incident,” Kevin Seitz, interim vice chancellor for finance and administration, said in the notification letter sent to the affected people’s last known addresses.
“Please be assured that we continue to evaluate our computer and administrative systems and to implement appropriate measures to protect the sensitive information in our possession.”
Chris Kielt, vice chancellor for information technology, said the University’s prompt, aggressive action underscores its commitment to protect sensitive data. Making sure the files were secured and notifying the affected people as quickly as possible were top priorities, he said.
To help protect personal information stored on campus servers, Information Technology Services (ITS) has a process in place for regularly scanning servers that have been identified by a unit’s system administrator as storing sensitive data.
“Furthermore, as part of a broader initiative to address the risk imposed by the exposure of sensitive data, ITS is working to formalize the process for identifying and safeguarding sensitive data University-wide,” he said.
“That process will help in the discovery and remediation of less-than-ideal security procedures surrounding the storage of sensitive data – data that is so important to safeguard for our community. And this need is well understood by campus administrators. ITS is partnering with IT leaders from the University’s schools and departments to continue to move this initiative forward.”
The letter sent to people affected by this data breach included recommendations, based on information from the N.C. Department of Justice and the U.S. Federal Trade Commission, about ways to protect against identity theft and a link to frequently asked questions outlining what happened, what kind of personal information was involved, and steps people can take to monitor any potential fraudulent activity and protect their information (see http://its.unc.edu/incident).
People also can contact the toll-free call center assisting the University at 1-866-458-3184 from 9 a.m. to 6 p.m. weekdays until Feb. 10, 2014. People at the call center are able to assist in English or Spanish, and anyone needing translation assistance in Burmese or Karen can call the Facilities Services human resources office at 919-962-9060 or visit the office in Room 110 of the Giles Horney Building on Airport Drive.
SOURCE: University of North Carolina
The FAQ on the Incident provides additional details, including the statement that the breach occurred on July 30 when it seems like a firewall was disabled for a computer undergoing maintenance. The data continued to be exposed until November 23. Despite the fact that SSN are involved, the university is not offering those affected any free credit monitoring services.