Data Breach

Updated on November 8, 2010 

 

Between September 24, 2010 and September 29, 2010, a UNF recruitment file containing the personal information of high school and college students (and others interested in UNF) may have been accessed by unauthorized persons outside the United States. While immediate steps were taken to contain this breach and to prevent further unauthorized access, UNF is sending letters and e-mails to the 106,884 people impacted by this breach of security. The files that were breached contained information from 2007 through 2010. Anyone who applied to UNF before that time is not impacted.

UNF recognizes that those impacted will have many questions. This list of frequently asked questions was designed to provide helpful information about the breach.

 

What happened? 

A person (or persons) outside the United States unlawfully gained access to a computer server containing a confidential file of information.  In the world of computer security, these types of people are identified as “intruders.” The University Police Department is working with the Federal Bureau of Investigation on the case.  Investigators strongly believe that the intruders were not stealing personal information but were attempting to access research computers.  

 

While we have no proof that confidential information was stolen, the University is taking the precautionary measure of distributing a letter and e-mail notification to those individuals whose information was in the file, so that they can take appropriate steps.

 

Do you know who did this? 

At this point, we do not know who this intruder is but our investigation into the incident has been brought to the attention of the FBI.  The FBI is now working with our University Police Department on the case. This is an ongoing investigation, and the cause and intent has yet to be determined, but investigators strongly believe that the intruders were not stealing personal information. 

 

 

How many people could be impacted and what type of personal information was possibly revealed to the intruder? 

A total of 106,884 people could have been impacted by this breach.  Of those: 

  • 52,853 had their names and social security numbers compromised 
  • 54,031 had their names and dates of birth compromised  

 

How often do data breaches happen? 

According to Privacy Rights Clearinghouse which has been maintaining a listing of data breaches for five years, 56 schools across the United States have had data breaches so far this year. Since the organization began compiling information on data breaches in 2005, there have been 440 data breaches at U.S academic institutions, resulting in the compromise of 7.5 million records.  The University of Florida, Florida International University and Valdosta State University recently had data breaches. 

 

Why would UNF have my information? 

UNF collects a variety of information as part of the recruitment and application process.  This information is used by the University to communicate with prospective students, to determine eligibility for admission, and to award financial aid.  

 

What could the intruder do with the information? 

It is possible that the intruder could commit identity theft and then credit fraud.  To learn more about identity theft, go to www.ftc.gov/idtheft/  

 

Will the University contact me to ask for private information because of this event? No.  In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University, who then proceed to ask for personal information, including social security numbers and/or credit card information. Please be aware that UNF will only contact you about this incident if additional helpful information becomes available. We will not ask for your full Social Security Number. We will not ask for credit card or bank information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

 

What student data is at risk?    

In some cases, the intruder may have had access to ACT and/or SAT test scores because those scores are used in the recruitment process.  UNF grades, financial aid history and course history are not at risk.

 

My son/daughter received notification that his/her information was impacted.  Does that mean my information is also impacted? 

Parent information is not impacted by the breach, unless the parent applied to UNF (or expressed an interest in UNF) from 2007 to 2010.

 

I was one of the people that received a notification via e-mail/letter from the University of North Florida about the breach. Does that mean someone stole my personal information?
Not necessarily.  At this point in the investigation, we know the intruder accessed the information, but we do not know if, how or when the intruder plans to use the information.   
 

Is this information still at risk of disclosure to the intruder or others?
The computer involved in this incident has been secured. The University is taking precautions to minimize future security risks.  However, as stated above, the intruder did have access to the information and we don’t know if, how or when the intruder plans to use the information.

 

If I was one of the people notified that my information was possibly compromised, what should I do?   

You should request a free initial fraud alert to be placed on your credit files by calling any one of the three major national credit bureaus:

 

Equifax
Direct Line for reporting suspected fraud:
1-800-525-6285
Fraud Division
P.O. Box 740250
Atlanta, GA 30374
http://www.equifax.com/answers/set-fraud-alerts/en_cp 

 

Experian
Direct Line for reporting suspected fraud:
1-888-397-3742
Credit Fraud Center
P.O. Box 1017
Allen, TX 75013
https://www.experian.com/fraud/center.html 

 

TransUnion
Direct Line for reporting suspected fraud:
800-680-7289
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92634
http://www.transunion.com/corporate/personal/fraudIdentityTheft/fraudPrevention/fraudAlert.page  

 

When contacting the credit bureaus, you should request the following:

  • Instruct them to flag your file with a fraud alert including a statement that creditors should get your permission before opening any new accounts in your name.
  • Ask them for copies of your credit report(s). Credit bureaus give one free credit report a year. 

 

Why aren’t the bureaus already doing credit monitoring for all the names in the compromised files? 

Credit agencies will not permit UNF to act on behalf of others regarding credit data.

 

If I think I have been a victim of credit fraud, what should I do? 

There are several steps you should take. 

  • Place a security freeze on your credit file: A 90-day security alert gives you time to verify if you are a victim of fraud. If you determine you are a fraud victim, you may add a 7-year victim statement to your credit report.
  • Close the accounts that you have confirmed or believe have been tampered with or opened fraudulently.  Use the FTC’s ID Theft Affidavit (available at www.consumer.gov/idtheft ) when you dispute new unauthorized accounts.
  • File a local police report.  Obtain a copy of the police report and submit it to your creditors and any others that may require proof of the identity theft crime.
  • File your concern with the FTC.  The FTC maintains a database of identity theft cases used by law enforcement agencies for their investigations.  By filing a concern, it helps the FTC learn more about identity theft and the problems victims are having so FTC representatives can better assist you.  The FTC’s Identity Theft Hotline toll-free number is 1-877-IDTHEFT (1-877-438-4338) or you can visit their website at www.ftc.gov.
  • Inform creditors: Contact each creditor with the fraud account and inform them that the account is fraudulent.
  • Document all contacts: Make notes of everyone you speak with; ask for names, department names, phone extensions and record the date you speak with them.
  • Understand the process: Each creditor may have a different process for handling a fraud claim. Make sure you understand exactly what is expected from you, and then ask what you can expect from the creditor. At the conclusion of an investigation, ask the creditor for a document that states you are not responsible for the debt.
  • Follow up: Make sure everything a creditor/credit reporting agency has requested is received. It is always a good idea to place a follow up call or send a letter for confirmation.
  • Review reports regularly: Obtain another report several months after you believe everything is cleared up. If a new fraudulent account is discovered, you know how to handle it. If your credit report is back to normal, you can feel confident that all issues were resolved as you expected. It would be a good idea to check your credit report again in six months and a year later.
  • Don't throw away files: Keep all notes and correspondence in an accessible file in case they are needed in the future.

 

What should I do if I find unusual activity on my bank/credit card statements or credit reports? 

You may be a victim of credit fraud.  See above. 

 

Who should I contact if I have any additional questions concerning this breach? 

In order to answer any questions that you may have regarding this incident, the University has established communications channels.  You may send questions by e-mail to databreach@unf.edu or call (904) 620-2114. 

  

If I don't find anything suspicious with my accounts, is my identity safe? 

While that may be an indication that things are fine now, please continue monitoring your financial statements and your credit report.

 

I did not receive a letter from UNF. Does that mean my confidential information was not exposed? 

For those people impacted, UNF sent notices to the most recent contact information on file.  If UNF does not have your most recent contact information, there is a possibility you were impacted but did not receive word.  If you would like UNF to check if your information was among the files compromised, please call (904) 620-2114.

 

I recently moved and changed my e-mail address.  I’m not sure if UNF tried to notify me of the breach by letter and/or e-mail.  How do I check? 

If you would like UNF to check if your information was among the files compromised, please call (904) 620-2114.  If you are on the list of those impacted by the breach, you will need to know that the University Police Department General Offense Report number is 6000616.  The General Offense Report can be accessed here.

 

What is the University doing to make sure this doesn’t happen again? 

Once UNF determines the method used by the intruder to access systems, we will change our access and security methods to prevent it from reoccurring.

 

How could this happen? 

UNF is constantly reviewing and updating information technology security systems and procedures. However, security technology is constantly changing, which means cyberspace intruders are finding new ways to compromise systems. As new security features become available and we become aware of new attack modes, we will continue to take steps to prevent this type of activity.

 

If this breach occurred September 24 through the 29, why didn’t I get an e-mail about it until Oct. 15? 

Although steps were taken immediately to secure the data, it required some time to investigate the incident, especially once law enforcement was contacted.  This was necessary to ensure we had a complete report of everyone whose information was involved and to cooperate fully with the active investigation. The notification was conducted in a manner consistent with best practices and with an eye towards avoiding making mistakes during the notification process itself.  We apologize if it seems that this process took longer than desired, but please be assured the matter was of the highest priority and conducted as swiftly and accurately as possible.

 

How can I learn more about identity theft? 

Go to www.ftc.gov/idtheft