2006

Yahoo Search Returns Faculty, Student Social Security Numbers

Abstract
Utah Valley State College is working to notify 15,000 Distance Education faculty members and students about a recent security incident that exposed the names, Social Security numbers and other personal information of these individuals. Earlier this month, UVSC became aware that the personal information of individuals involved in the college's Distance Education program was starting to show up on the Yahoo search engine. UVSC immediately removed the information from its web servers and worked with Yahoo officials to remove the information from Yahoo as well. UVSC officials are confident the information is no longer publicly available. UVSC has set up both a hotline, 801-863-8200, and a web site, www.uvsc.edu/it/idalert.htm, for anyone who has questions about this incident.




University Transmits 15,000 Tax Forms Over Non-Secured Connection

Abstract
Texas Woman's University alerted all 15,000 students who were enrolled during the 2005 calendar year at the university's Denton, Dallas and Houston campuses to the possibility that their personal information was exposed this week. It seems the university transmitted all of these students' IRS 1098-T Tuition Statement information to an authorized vendor over an unsecured connection. While the university does not have any evidence that this information was exposed to an unauthorized party, officials point out that the university is aware of the potential for such exposure and is taking the matter quite seriously. TWU has set up both a "Data Exposure Response Hotline", 940-898-3840, and a "Data Exposure Response" web site, http://www.twu.edu/response/index.asp.




Student Information "Inadvertently" Left Exposed On Public Website

Abstract
Mississippi State University officials announced today that the personal information of 2,400 student workers was inadvertently posted to a public university web site. Included among this information were student names and Social Security numbers. The university has already contacted the affected students and has offered them one year of free credit monitoring. According to officials, the university is investigating the incident and removed the information immediately, but declined to name the department responsible for the exposure.




UC-Boulder Web Site Exploit Exposes 17,500 Student Records

Abstract
The University of Colorado at Boulder has begun to notify 17,500 students that an attacker was able to gain unauthorized access to a computer in the UC Boulder College of Arts and Sciences. This computer was used for advisement purposes and contained personal student information including names and Social Security numbers. According to university officials, the attacker was able to gain access through a web site hosted on the computer. UC Boulder is still investigating this incident and does not yet know exactly what information was exposed during the attack. UC Boulder stopped using SSNs for student identification back in 2005 and is currently deploying a complex program to search for any electronic records that still contain these numbers. The university has created a web page (http://www.colorado.edu/its/security/awareness/privacy/identitytheft.pdf) to help answer any questions students might have about the incident or how to protect themselves from identity theft.




UVa Faculty Urged To Destroy All Computer Data After Recent Incident

Abstract
University of Virginia officials are asking all faculty to destroy any computer files or media that contain students' Social Security numbers. This move comes after the university suffered its second accidental disclosure of student SSNs. In this most recent incident, a teaching assistant accidentally e-mailed a spreadsheet containing names, grades and Social Security numbers to all 61 students in their class. While the university is in the process of phasing out the use of Social Security numbers as student identifiers, this will not happen until a new database system is installed. Currently, the university does not expect to have this new system installed and ready to use for another three years.