Data Breach

Updated: March 27, 2012
 

On March 13, 2012, the Office of Information Technology (IT) learned that due to a server management error, a University of Tampa temporary text file containing sensitive information was publicly accessible for a certain period of time. There is no evidence the text file has been used maliciously. Immediately after receiving notification, IT secured the text file and took steps to ensure it is no longer publicly accessible or searchable.

The text file included 6,818 records of students who were enrolled for Fall 2011 by July 12, 2011. Information included UT identification number, social security number, name and date of birth. The sensitive information was displayed as a string of numbers that would not be immediately obvious to a casual viewer. Exposure of this text file was potentially from July 12, 2011, through March 13, 2012. The compromised text file was discovered during an in-class exercise and was immediately reported to IT. UT notified Google to remove the cached text file from the search engine, and quick removal of the text file by Google was verified.

While there is no evidence of any fraud or other malicious behavior, as an additional precaution UT has decided to pay for each potentially impacted individual to sign up, if they desire, with Experian, a national identity protection service. Letters were sent on March 27, 2012 to those individuals potentially impacted by the data exposure.

It was also determined that two other database files were potentially accessible, but were not indexed by Google or any other search engine. These database files contained sensitive information, including UT identification number, name, social security number and photos, for an additional 22,722 individual records. IT has thoroughly examined database files and associated logs and has determined and verified that the logs show that the database files were accessed by one UT student on March 13, 2012, who along with one other student who viewed the database files made the report. Those students met promptly with University representatives and allowed IT staff to search the computer and storage device to ensure the database files were eliminated. Based on our investigation to date, UT administrators believe there is no risk to students and employees in these two database files.

What happened?
The text file and two database files were created to help resolve a problem with UT identification cards that occurred when a new server was made operational in July 2011. The information resided on internal UT servers and was not intended to be viewed externally. Unfortunately, the text file consisting of current student data was later inadvertently indexed by Google. However, the two database files with an additional 22,722 records were not indexed by Google or any other search engine.

While we have no evidence the confidential information was used maliciously, the University will be taking the precautionary measure of notifying the 6,818 individuals whose information was in the Google-indexed file, so that they can take appropriate steps.

How many people could be impacted?
Approximately 6,818 Fall 2011 students who were enrolled by July 12, 2011, could have been potentially impacted by this exposure. Students who enrolled after July 12, 2011, are not affected. The additional 22,722 individual records in the other two database files were not indexed by Google or other search engines, but were accessed and viewed by two UT students. IT staff members took immediate steps to clean the students’ computer equipment to verify elimination and prevention of further use of the database files.

How did UT learn of the exposure?
On March 13, 2012, the temporary text file was discovered during an in-class exercise about advanced search techniques. When the breach was discovered, the faculty and students immediately reported it to IT. IT secured the text file and took steps to ensure it was no longer publicly accessible or searchable.

IT’s investigation also revealed the existence of two database files. The activity logs associated with these database files indicated that one student from the class accessed the database files on the evening of March 13, 2012. IT staff contacted that student. That student, along with one other student who viewed the database files, met with University representatives and allowed IT staff to promptly search the computers and a USB storage device to ensure the database files containing the additional 22,722 records were not present on their computers.

As for the temporary text file containing records of 6,818 Fall 2011 students who were enrolled by July 12, 2011, IT is reaching out to the remaining members of the class to determine if the text file was copied or transferred.

The lab computers the students were using have been analyzed to ensure the data no longer resides on the computer or UT network.

Is it possible for someone to have accessed the files without being traced on UT’s network logs?
Access to UT information systems is logged. IT has thoroughly examined the files and associated logs, and has a record of each individual access to the files. IT has secured the activity logs, and the University has engaged an independent, third party that is expert in information technology security to further analyze the findings.

How often do data breaches happen?
According to Privacy Rights Clearinghouse, 16 schools across the United States have had data breaches so far this year. Since the organization began compiling information on data breaches in 2005, there have been 600 data breaches at U.S academic institutions, resulting in the compromise of 9.06 million records. Several Florida colleges and universities have recently had data breaches.

Why does UT have my information?
The information is all related to the UT identification card, the Spartan Card, for purposes of utilization of campus services. Governmental agencies, such as the Department of Education and the Internal Revenue Service, require UT to collect student and employee social security numbers.

What could an unauthorized individual do with the information?
It is possible that an individual with malicious intent could commit identity theft and then credit fraud. However, no financial information of any kind, such as bank accounts, credit/debit or ATM cards, was in the files. To learn more about identity theft, go to www.ftc.gov/idtheft/.

Who is at risk of being impacted by the breach, and what should those people do?
The individuals whose records were included in the database files containing the additional 22,722 records are not at risk. For the temporary text file with the 6,818 Fall 2011 students who were enrolled by July 12, 2011, UT will contact each potentially affected person by letter at their permanent address of record. Students who enrolled after July 12, 2011, were not affected and will not receive a letter. The letter to affected students will contain information on how to enroll for the prepaid identity protection service either through a toll-free number or website. All those eligible for the service will be given the chance to sign up.

How do I verify if I am not impacted?

To help UT community members with a valid SpartanWeb login easily and quickly determine if their personal information was compromised, the UT Office of Information Technology has created a breach verification portal in SpartanWeb. Once you logon to SpartanWeb, the portal will return whether or not your information was included in the text file that was publicly accessible.

To access the portal, click here Breach Verification.

If it is determined that your information was in the compromised file, you will receive instructions on how to enroll in the prepaid identity protection service via mail.

Will the University contact me to ask for private information because of this event?

You will receive a letter in the mail from The University of Tampa with instructions on how to sign up for the prepaid identity protection service via telephone or website. When you initiate the contact, questions will be asked by the credit monitoring service to verify your identity.

What data is at risk?
UT identification number, name, social security number and date of birth were included in the file that consisted of students who enrolled by July 12, 2011 for Fall 2011.

What data is not at risk?
Grades, personnel information, financial aid history, mailing address, email address, passwords, phone number and course history are not at risk. None of the files included any financial information, such as credit/debit card or ATM card information, bank account numbers or driver’s license numbers.

If my son/daughter receives notification that his/her information was impacted, does that mean my information is also impacted?
Parent information was not in any of the files and is not impacted by the breach.

If I receive notification via email/letter from UT about the exposure, does that mean someone has my personal information?
Not necessarily. At this point, we know the information was accessible and searchable, but we have no evidence that it was viewed and used maliciously.

Is this information still publicly accessible and/or searchable?
The file has been secured, and deleted from search caches. The University is taking precautions to minimize future security risks.

Why isn’t automatic credit monitoring enrollment in place?
Identification protection services will not permit UT to act on behalf of others regarding their credit data. All 6,818 individuals desiring this protection should respond as directed in the forthcoming correspondence which was mailed March 27, 2012.

Who should I contact if I have any additional questions concerning this breach?
You may send questions to Donna Alexander, vice president for information technology, at dalexander@ut.edu.

If I don't find anything suspicious with my accounts, is my identity safe?
While that may be an indication that things are fine, it is always good practice to monitor your financial account statements and credit report.

I did not receive a letter from UT. Does that mean my confidential information was not exposed?
For those people impacted, UT will send letters to the most recent contact information available. If UT does not have your most recent contact information, there is a possibility you were impacted but did not receive word. If you would like to check if your information was included in the compromised file, go to the breach verification portal on SpartanWeb, as described earlier. Or, please contact Donna Alexander, vice president for information technology, at dalexander@ut.edu.

What’s being done to prevent this from occurring again?
UT takes this incident very seriously, and UT President Ronald Vaughn has ordered a thorough investigation and is taking aggressive action to make sure it doesn’t happen again. UT has engaged an independent, third party that is expert in information technology security to review security practices and procedures. This is in addition to IT’s annual financial and information security audit and three-year external review of information systems. We are constantly improving security features to avoid exposures and breaches, and, a number of tools and services are used to aid in ensuring that the information, computers and the University network are well protected.

How can I learn more about identity theft?
Go to www.ftc.gov/idtheft.