Oregon State: Security of personal data back to 1996 breached

Oregon State: Security of personal data back to 1996 breached

 

CORVALLIS, Ore. -- An OSU contracted vendor who had access to information for over 21,000 students took data and stored it on his computer, a spokesperson for Oregon State University said.

The vendor was working on updating a program that issues emergency payroll draws and checks for the University. The man said he saved student information on his so that he could work with "live data" from his business.

The data included the names and Social Security numbers of individuals who received an emergency student aid check or an emergency payroll draw from 1996 through November 2004.

The data also included the names and OSU identification numbers of individuals who received an emergency student aid check and or payroll draw check from November 2005 through 2009.

OSU director of Business Affairs Aaron Howell said that the man used the data to cater his computer program to the University's needs and didn't realize that taking the information off-site was a liability.

"He was actually giving us a demonstration of what the upgrade would look like."  Howell said. "and our manager of our cashier area said, 'Uhh... wait a minute. That's live data I'm looking at!"

University officials concluded after an in depth review with the man that the information stayed on his business computer. There is a possibility that it was accessed by someone else.

OSU said that it takes these incidents very seriously and has since severed ties with that vendor. Officials are not releasing the name of that man or his company during the investigation.

While Howell said that the risk to students and former students is low, he suggests checking credit reports to look for anything unusual.

The Federal Trade Commission offers a free credit report at its website.



Here are copies of the text from letters to affected alumni and students:

We recently discovered that a software vendor was in possession of university data that included your personal information without authorization. This data included the names and social security numbers of individuals who received an emergency student aid check or an emergency payroll draw from 1996 through November 2004, along with other less sensitive data. It appears the vendor obtained data in April of 1997, February of 2006, and May of 2008. The data did not include your financial account information.

Since this discovery, the university has reclaimed the data and severed our association with the vendor. We are also readdressing our policy regarding vendor relationships and updating physical access controls on systems that process information of this nature.
Although we have no evidence that any individuals other than the vendor had access to your personal information, we are unable to guarantee that it has been secure.

There are steps you can take to help prevent and detect any misuse of your information. As a first step, you should monitor your financial accounts carefully, and if you see any unauthorized activity, promptly contact your financial institution. You also may want to obtain a free credit report by calling 1-877-322-8228 or by logging on to www.annualcreditreport.com.

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. A victim's personal information is sometimes held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

Oregon law allows Oregon residents to protect themselves from the possibility of identity theft by placing a security freeze on their credit files. By placing a freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name. Contact information for national consumer reporting agencies is as follows:

Equifax: 1-888-298-0045; https://www.freeze.equifax.com
TransUnion: Fraud Victim Assistance Department, PO Box 6790, Fullerton CA 92834
Experian: Send an e-mail to BusinessRecordsVictimAssistance@Experian.com

If you find that you are a victim of identity theft, report it immediately to law enforcement and the FTC. For more information please see: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.shtm.

OSU takes its responsibility to protect private information seriously and has been working diligently to limit the use and availability of sensitive information. If you have any questions about this incident, please contact the Oregon State University Office of Business Affairs security incident hotline at (541) 737-1007 or by sending an e-mail to incidentresponse@oregonstate.edu

--

We recently discovered that a software vendor was in possession of university data that contained information about you without authorization. This data included the names and OSU identification numbers of individuals who received an emergency student aid check and or payroll draw check from November 2005 through 2009. Since the discovery of this unauthorized access, the university has reclaimed the data severed our association with the vendor. We are also readdressing our policy regarding vendor relationships and updating physical access controls on systems that process information of this nature.

We have no evidence that any individuals other than the vendor had access to this information. Since the information only includes your OSU identification number, there is no reason to believe this incident could lead to someone stealing your identity. However, we feel that any unauthorized access to your information is a violation of your privacy and should be brought to your attention.

The Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit reports periodically can help you spot problems and address them quickly. As a first step, you should monitor your financial accounts carefully, and if you see any unauthorized activity, promptly contact your financial institution. You also may want to obtain a free credit report from each by calling 1-877-322-8228 or by logging on to www.annualcreditreport.com .

Oregon law allows Oregon residents to protect themselves from the possibility of identity theft by placing a security freeze on their credit files. By placing a freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name.

If you find that you are a victim of identity theft, report it immediately to law enforcement and the FTC. For more information please see:  http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.shtm.

OSU takes its responsibility to protect private information seriously and has been working diligently to limit the use and availability of sensitive information. If you have any questions about this incident, please contact the Oregon State University Office of Business Affairs security incident hotline at (541) 737-1007 or by sending an e-mail to incidentresponse@oregonstate.edu