Personal Identity Data Exposure Incident:

On August 29, staff from the School of Engineering and the Office of Technology Services discovered that the personal information of 2,890 VCU students could be accessed through the Internet. Personal information including name, social security number, and email address for entering freshmen and graduate students in the School of Engineering from the fall semesters of 1998 through 2005 was affected. The exposure was caused by a human error. During a system restoration, administrative records stored on a server in the School of Engineering were inadvertently transferred to a folder that was accessible to the Internet. While this data has been exposed to the Internet, there are no indications that it was actually viewed or used for any purposes.

When the security breach was discovered, steps were immediately taken to remove Internet access to those files, and to eliminate the record of those files which are stored on search engines such as Google and Yahoo. The affected students are being contacted individually about this exposure.

The University has taken a number of steps designed to strengthen the security surrounding confidential information. Central among those efforts has been a systemic attempt to eliminate the use of social security numbers as identifiers. Those steps include:

• Replacing social security numbers with a unique student number in the Student Information System;
• Modifying hundreds of computer reports and information screens to eliminate or mask SSNs to prevent inadvertent disclosure;
• Developing the eID as an alternative login mechanism to replace multiple login processes, some of which used all or a portion of the SSN; and
• Modifying other login mechanisms to permit use of the student number or VCUCard number as an alternative to SSNs.

These and other efforts are ongoing as we move away from decades-old systems and processes that relied on social security numbers. We will also be taking action to limit access to University servers and workstations from the Internet. This is part of a major redesign of the VCU network that has been underway for over a year. These changes may impact the way that you access University technology resources and information but are necessary to ensure the integrity and security of our systems and network.

What should I do?

It is recommended that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. You may call any one of the three major credit bureaus listed below. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review. You should review your credit reports periodically. If you find suspicious activity on your credit reports or have reason to believe your information is being misused, please contact the VCU Police at 804/828-1196 to file a report:

• Equifax - 800/525-6285
• Experian - 888/397-3742
• TransUnionCorp - 800/680-7289

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, you should file a complaint with the FTC at http://www.consumer.gov/idtheft or at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcement agencies for their investigations. The FTC also will advise you on further steps to take in the event your information is being used illegally.

FAQs

Q. I received the notification via e-mail/letter from VCU about the incident. Does that mean someone stole my personal information and is using it in some way?

A. At this point, VCU has had no reports of unauthorized use of personal information as a result of the inadvertent publishing of this personal data. However, the file was exposed to public access via the Internet increasing the potential that personal information was read by someone who could use the information wrongly. VCU is doing all it can to contact all individuals whose information was in that file, so that they can take appropriate steps to protect themselves. See the links below for more information on protecting yourself from identity theft.

Q. Exactly what personal information was potentially exposed to the public? If I am a not current student, was my information released?

A. The file contained name, social security number, and e-mail address. The students who information was viewable were entering freshmen and some graduate students in the School of Engineering from the fall semesters in years 1998 through 2005. Other students who were not enrolled during these dates and/or were not in the School of Engineering during these dates are not known to be affected.

Q . Is this information still at risk of disclosure to some unauthorized person?

A. VCU has taken every precaution to assure that this information is no longer at risk. The file has been removed from the affected server and the server's Internet access has been removed. VCU officials have worked with Internet search companies to remove any reference to this file from their systems.

Q. I was a student in the School of Engineering but have since changed majors. Were my records exposed?

A. Yes, if you were a School of Engineering major or enrolled a School of Engineering graduate program during from 1998 through 2005, your information was likely in this file.

Q. Who should I contact if I have any additional questions concerning this incident?

A. Please contact the Technology Services Help Desk at (804) 828-2227 or at help@vcu.edu should you have any questions concerning this incident.

Q. Will VCU contact me to ask for private information because of this event?

A. In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the university and who then proceed to ask for personal information, including Social Security numbers. Please be aware that VCU will only contact you with information regarding steps you should take to prevent possible fraud or identity theft; or if you ask us, by e-mail or telephone, for information. We will not ask for your full Social Security number. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

Helpful Links Concerning Identity Theft:

• VCU Police: http://www.vcu.edu/police/docs/itp.pdf
• Federal Trade Commision: http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
• Social Security Administration: http://www.socialsecurity.gov/pubs/10064.html
• U.S. Dept. of Justice: http://www.usdoj.gov/criminal/fraud/idtheft.html