Personal Identity Data Exposure Incident:

College of Humanities and Sciences

On November 21, 2006 it was discovered that the personal information of 561 students in the College of Humanities and Sciences was inadvertently included in two attachments in an e-mail sent on Monday, November 20 to 195 students who were part of the larger group.  The personal information included name, social security number, e-mail address, local and permanent addresses and some academic information such as GPA.  

When the security breach was discovered, steps were taken to immediately eliminate the exposure by removing the messages from the e-mail databases of all 195 recipients and from the mailboxes of the few students who had their VCU e-mail forwarded to other accounts.

This data was exposed for a very brief period of time and to a relatively few number of people.   

The University has taken a number of steps designed to strengthen the security surrounding confidential information. Central among those efforts has been a systemic attempt to eliminate the use of social security numbers as identifiers. Those steps include:

• Replacing social security numbers with a unique student number in the Student Information System;
• Modifying hundreds of computer reports and information screens to eliminate or mask SSNs to prevent inadvertent disclosure;
• Developing the eID as an alternative login mechanism to replace multiple login processes, some of which used all or a portion of the SSN; and
• Modifying other login mechanisms to permit use of the student number or VCUCard number as an alternative to SSNs.

These and other efforts are ongoing as we move away from decades-old systems and processes that relied on social security numbers. To further increase security and protect sensitive information, we are also taking action to limit access to University servers and workstations from the Internet. This is part of a major redesign of the VCU network that has been underway for over a year. These changes may impact the way that you access University technology resources and information but are necessary to ensure the integrity and security of our systems and network.

What should I do?

Although it has been found that identity theft is less likely to occur from computer data breaches than from more off-line causes such as lost or stolen wallets, the University is taking steps to help protect against the possibility of identity theft.  If you are one of the 561 students affected, you will be contacted about enrolling in a credit file monitoring and identity theft protection service.  VCU has contracted with Equifax Personal Solutions to provide you with a service to help protect your identity and your credit information at no cost to you.  This service includes an “early warning system” that notifies you automatically of key changes to your credit files from any of the three credit reporting agencies.  The service also includes free and unlimited Equifax credit reports and insurance for identity theft protection with no deductible.    

Additionally, you may choose to adopt an increased level of protection by placing a fraud alert on your credit file at Equifax and the other two reporting agencies.  A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. You may call any one of the three major credit bureaus listed below. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review. You should review your credit reports periodically. If you find suspicious activity on your credit reports or have reason to believe your information is being misused, please contact the VCU Police at 804/828-1196 to file a report:

• Equifax - 800/525-6285
• Experian - 888/397-3742
• TransUnionCorp - 800/680-7289

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, you should file a complaint with the FTC at http://www.consumer.gov/idtheft or at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcement agencies for their investigations. The FTC also will advise you on further steps to take in the event your information is being used illegally.

FAQs

Q. I received the notification via e-mail/letter from VCU about the incident. Does that mean someone stole my personal information and is using it in some way?

A. At this point, VCU has had no reports of unauthorized use of personal information as a result of the inadvertent exposure of this personal data.  The data was exposed for a brief period of time and to a limited number of people.  VCU is doing all it can to contact all individuals whose information was in the e-mail attachments, so that they can take appropriate steps to protect themselves. See the links below for more information on protecting yourself from identity theft.

Q. Exactly what personal information was exposed? 

A. The email attachment contained name, social security number, email, local and permanent addresses and some academic information such as GPA.  

Q. I am a student in the College of Humanities and Sciences.  Is my personal information at risk?

A. Only the 561 students whose personal information was contained in the e-mail attachments are affected by this exposure.  No other students are affected. 

Q.  Some students forward their e-mail to other accounts.  How is such a situation being handled with regard to the forwarding of this e-mail message? 

A.  Only a few of the 195 students who were sent this e-mail message forwarded the message to other e-mail accounts.   All of these students were contacted, and they have confirmed that the e-mail message was deleted from their outside account and the trash cleared.

Q. Who should I contact if I have any additional questions concerning this incident?

A. Please contact the Technology Services Help Desk at (804) 828-2227 or at help@vcu.edu should you have any questions concerning this incident.

Q. Will VCU contact me to ask for private information because of this event?

A. In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University and who then proceed to ask for personal information, including Social Security Numbers. Please be aware that VCU will only contact you with information regarding steps you should take to prevent possible fraud or identity theft; or if you ask us, by e-mail or telephone, for information. We will not ask for your full Social Security Number. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

Helpful Links Concerning Identity Theft:

• VCU Police: http://www.vcu.edu/police/docs/itp.pdf
• Federal Trade Commision: http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
• Social Security Administration: http://www.socialsecurity.gov/pubs/10064.html
• U.S. Dept. of Justice: http://www.usdoj.gov/criminal/fraud/idtheft.html