Faculty, staff ID threatened
E-mail containing Social Security numbers, driver’s license numbers released
Published: Thursday, September 2, 2010
Updated: Thursday, September 2, 2010 16:09
At 8:55 a.m. on Thursday, Aug. 26 an e-mail containing the Social Security number, driver's license number, and first and last name of 2,484 full and part-time ASU employees was sent to 144 ASU e-mail addresses.
This information breach has raised concern among affected faculty, as identity theft becomes a risk when Social Security numbers are disclosed.
Jack Zibluk, professor of journalism and president-elect of Faculty Senate, said the biggest response among faculty to the breach has been a sense of discomfort.
"There's always that possibility that somebody could have downloaded it, forwarded it, printed it; the fact that that information is possibly out there, however tiny that possibility is, it only takes one of those recipients to have downloaded it, printed it or copied it, and you only need one person with that intent to do something bad. So there's that little bit of angst," Zibluk said.
While the chances are very small that those files were misused by anyone, the possibility is still there of someone downloading, printing and copying them.
Zibluk explained that faculty raised this concern through a thread of e-mails, sharing information on how to safeguard themselves in such a situation.
"I put out on the Faculty Listserv some of the information that I got, and it really started some conversations. Other faculty members chimed in and said, ‘hey, this school should really get us credit protection.'," Zibluk said. "The administration set that up for us within 24 hours. That idea came from the faculty, and Dan Howard [interim chancellor] particularly listened."
Mark Hoeting, associate vice president and chief information officer of ITS, explained that for the 2,484 users impacted, a product from Experian has been purchased that will basically put a fraud alert and monitoring system in place on each of their credit files. They're doing it for one year, and the need for continued service will be revisited in 12 months.
Another concern Zibluk said was raised by faculty was the question of why Information Technology Services even has a file containing Social Security numbers, when student and faculty ID numbers are used in lieu of Social Security numbers for virtually everything having to do with the university.
ITS explained in an e-mail sent to each user affected by the breach that Social Security numbers were collected during the registration process to register drivers with the Arkansas Department of Finance and Administration. The reason for this is prior to 2000, the State of Arkansas used Social Security numbers as driver's license numbers.
"The file contained personal information of employees who had filed for (a) authorization to drive a [Arkansas] State University vehicle, or (b) permission to be reimbursed for driving their personal vehicle on [Arkansas] State [University] business," Hoeting said. "What happens is our Travel Office is required to register those employees with the state, and it checks their driving record and other things, to make sure they're legally able to drive those vehicles, and that's essentially what the file was."
Hoeting said it was his understanding that the 144 recipients of those files were a part of a distribution group that receives a newsletter from the Travel Office.
"It was just an inadvertent mistake--we all make them. It just happens, and unfortunately this one contains some sensitive information," Hoeting said.
Just ten minutes after the e-mail was sent, ITS was alerted and began the process of removing messages. ITS finished this process at 10:45 a.m., leaving about an hour and a half window for potential exposure.
In addition to protecting the credit of those whose information was leaked, Hoeting said ITS is in the process of new security measures to make sure this doesn't happen again.
"What's going to have to happen ultimately is that the institution will have to have a policy in place, which classifies information in terms of restricted data such as Social Security numbers.
Then there will be limited use data, like maybe your license plate number off of your car--everybody can see that, but you probably don't want us to put that on the Web," Hoeting said.
"And then there will be public information that's not protected in any way, like enrollment numbers and total budget, things that we put out there on the front end."
Hoeting said the more sensitive information that's classified as restricted will have a certain set of security parameters around it, and very few people will be able to access them.
Zibluk said the one positive outcome of the whole thing was showing the importance of communication among faculty and staff, and it's built community and trust.