24,000 employees affected by data breach
Sarah Mervosh | Tuesday, December 8, 2009
Important personal information, such as social security numbers, names and zip codes, of many Notre Dame employees was exposed to the Internet after the University accidentally placed the information in a publicly accessible location.
The data breach affected about 24,000 employees, including some students who work for the University, Gordon Wishon, associate vice president of information technology and the University’s chief information officer, said.
The personal information that was exposed will no longer be accessible because the University immediately removed it from the Internet and secured it, he said.
There was no evidence the information was inappropriately used, Wishon said.
But chair of Faculty Senate Thomas Gresik, who was affected by the data breach, said he did not feel sure he was safe from identity theft.
“It’s not possible to determine if somebody managed to download that information before it was taken down,” he said. “The logs show that the information had been out there for a while.”
Gresik said he is concerned his information could be out there still.
“That’s the current threat,” he said. “That information might be sitting on somebody’s hard drive or it may have been posted to a bulletin board or whatever places identity thieves post information.”
Those affected by the data breach were informed in a letter, which was received on Nov. 20.
“I nearly didn’t read it because it was one of those copies of a group letter, except my attention to it was that it was addressed dear Sabine, my first name,” Sabine MacCormack, a professor whose social security number, date of birth and full name were exposed, said.
“I was just outraged,” she said. “That’s the information people need to open a bank account or credit card account. In these days of identity theft, I think that’s a really serious problem.”
MacCormack said she was also upset by the way the University handled the data breach.
“In the future, for start, do not send a letter of this nature, [which essentially said,] we made a mistake and you sort it out,” she said.
MacCormack said she thought other steps should have been taken.
“I think it should have automatically offered credit checks and said by responding to such and such an e-mail address you can set this up, to everybody,” MacCormack said. “I think some access to the general counsel’s office for, at the very least, legal advice, should have also been automatic. If you have a problem with identity theft, then consult x.”
Gresik agreed the letter did not handle the error effectively.
“I think the initial response was inadequate,” he said. “I think the University is working on trying to improve that response and I am confident in the near future they will be able to satisfy the concerns of the affected individuals.”
Since mailing the letter, the University provided access to credit monitoring services for those who were affected, Wishon said.
“For those with concerns, obtaining a credit report is the first step,” he said. “But [that] is something the University cannot do. It must be obtained by the individual.”
MacCormack said she planned to use this service.
“I’m going to set up the credit checks. If anything that looks like an identity theft seems to have occurred, I guess I will take some legal advice and pay for it,” she said. “But I do think that I shouldn’t have to pay for it.”
Professor Mark Pilkinton said he and his wife, who works in the library, were both affected by the breach.
“The University has been very good about informing us and providing proactive help to monitor our e-lives, credit checks, etc. to be sure nothing is amiss,” he said. “This was a huge snafu, and we’re all making the best of it we can.”
Wishon said the University also took steps to lessen the chances of a similar error occurring in the future.
“Various technical measures have been and more will be employed to minimize the probability of an inadvertent exposure of sensitive information as well as measures to prevent more targeted intrusions by hackers,” he said.
He said process changes were also made in the human resources department.
“I think the likelihood of a similar situation occurring is pretty small,” Gresik said.
Still, the problem lies in the fact that it is impossible to tell whether someone accessed the personal information while it was on the Internet.
“It is very likely, I gather, that no one actually accessed these records, but it was possible for them to do so, and that’s the concern,” Pilkinton said.