Top College News Subscribe to the Newsletter

24,000 employees affected by data breach

Personal information exposed on the Internet, University working to minimize future threats

News Writer

Published: Monday, December 7, 2009

Updated: Tuesday, December 8, 2009 00:12

data breach

BLAIR CHEMIDLIN | Observer Graphic

Important personal information, such as social security numbers, names and zip codes, of many Notre Dame employees was exposed to the Internet after the University accidentally placed the information in a publicly accessible location.


The data breach affected about 24,000 employees, including some students who work for the University, Gordon Wishon, associate vice president of information technology and the University's chief information officer, said.


The personal information that was exposed will no longer be accessible because the University immediately removed it from the Internet and secured it, he said.


There was no evidence the information was inappropriately used, Wishon said. 


But chair of Faculty Senate Thomas Gresik, who was affected by the data breach, said he did not feel sure he was safe from identity theft.


"It's not possible to determine if somebody managed to download that information before it was taken down," he said. "The logs show that the information had been out there for awhile."


Gresik said he is concerned his information could be out there still.


"That's the current threat," he said. "That information might be sitting on somebody's hard drive or it may have been posted to a bulletin board or whatever places identity thieves post information."


Those affected by the data breach were informed in a letter, which was received on Nov. 20.


"I nearly didn't read it because it was one of those copies of a group letter, except my attention to it was that it was addressed dear Sabine, my first name," Sabine MacCormack, a professor whose social security number, date of birth and full name were exposed, said.


"I was just outraged," she said. "That's the information people need to open a bankaccount or credit card account. In these days of identity theft, I think that's a really serious problem."


MacCormack said she was also upset by the way the University handled the data breach.

"In the future, for start, do not send a letter of this nature, [which essentially said,] we made a mistake and you sort it out," she said.


MacCormack said she thought other steps should have been taken.


"I think it should have automatically offered credit checks and said by responding to such and such an e-mail address you can set this up, to everybody," MacCormack said. "I think some access to the general counsels office for, at the very least legal advice, should have also been automatic. If you have a problem with identity theft, then consult x."


Gresik agreed the letter did not handle the error effectively.


"I think the initial response was inadequate," he said. "I think the University is working on trying to improve that response and I am confident in the near future they will be able to satisfy the concerns of the affected individuals."


Since mailing the letter, the University provided access to credit monitoring services for those who were affected, Wishon said.


"For those with concerns, obtaining a credit report is the first step," he said. "But [that] is something the University cannot do. It must be obtained by the individual."


MacCormack said she planned to use this service.


"I'm going to set up the credit checks. If anything that looks like an identity theft seems to have occurred, I guess I will take some legal advice and pay for it," she said. "But I do think that I shouldn't have to pay for it."


Professor Mark Pilkinton said he and his wife, who works in the library, were both affected by the breach.


"The University has been very good about informing us and providing proactive help to monitor our e-lives, credit checks, etc. to be sure nothing is amiss," he said. "This was a huge snafu, and we're all making the best of it we can."


Wishon said the University also took steps to lessen the chances of a similar error occurring in the future.


"Various technical measures have been and more will be employed to minimize the probability of an inadvertent exposure of sensitive information as well as measures to prevent more targeted intrusions by hackers," he said.


He said process changes were also made in the human resources department.

"I think the likelihood of a similar situation occurring is pretty small," Gresik said.

Still, the problem lies in the fact it is impossible to tell whether someone accessed the personal information while it was on the Internet.


"It is very likely, I gather, that no one actually accessed these records, but it was possible for them to do so, and that's the concern," Pilkinton said.

Recommended: Articles that may interest you

7 comments

Lyse McDonough
Wed Dec 9 2009 17:06
Get protection in case of Medical, SSN and Drivers license identity theft NOW! Financial identity theft is the least of the affected victims' problems. Don't fall for simple credit monitoring, get an Identity Theft Shield here: www.prepaidlegal.com/idt/tlmarket
Lyse McDonough
Wed Dec 9 2009 17:05
Get protection in case of Medical, SSN and Drivers license identity theft NOW! Financial identity theft is the least of the affected victims' problems. Don't fall for simple credit monitoring, get an Identity Theft Shield here: www.prepaidlegal.com/idt/tlmarket
Sold out
Wed Dec 9 2009 00:05
Contact the Human Resources department (askHR) and you'll find you are talking to 'Customer Service'. It sounds like AT&T or Microsoft! Notre Dame has completely sold out!! It's not about education, it's all about $$$, and if something goes wrong, the first instinct by Affleck-Graves and his comrades is to sweep it all under the rug!
Bob - ND grad
Tue Dec 8 2009 18:40
Notre Dame has been behind the times with technology and the internet and most other things.

We now live in a Google economy and ND still acts like it lives in the 1950's. Get with the times ND.

E_Anderson
Tue Dec 8 2009 16:21
Instead of being reactive, Notre Dame could have been proactive in securing their employees from data breaches. Data breach protection services or “insurance” is available and inexpensive. I work for a company, Secure Identity Systems, which provides protection services for organizations of all shapes and sizes. Explore the Data Breach Protection options at secureidentitysystems.com .
Three-Year Security Breach!
Mon Dec 7 2009 23:35
"The information had been out there for awhile." TO GIVE YOU A BETTER IDEA: From a letter sent by Affleck-Graves: "personal information of approximately 24,000 past and current employees was exposed, and for a period likely to have been from August 2006 to October 2009." Another document states that this is a "conservative estimate." Over three years! And some of the information could be found via a simple Google search! So when you say the university immediately removed it, that means the university removed it after the information had been exposed for probably three years.
Legal action now!
Mon Dec 7 2009 23:11
Outrage will result in nothing. People should sue the university! SUE THE UNIVERSITY NOW! The only things that ND understands are legal action and $$$$. Ask Swarbrick!!






log out