The initial response to the potential exposure of personal data on East Carolina University’s OneStop portal reflected a mix of concern and understanding, officials said.
The telephone hotline that was set up to handle inquiries fielded 109 calls in the first three days after it was activated, said Kevin Seitz, vice chancellor for administration and finance. A Web site that provides answers to frequently asked questions about the incident drew approximately 3,000 visits.
“Some people were understandably worried and some thought we had taken the right steps in our response to the situation,” Seitz said. The Web site is www.ecu.edu/incident and the hotline number is 877-328-6660.
Chancellor Steve Ballard said the measured response was probably a result of two factors. “First, we were not hacked and there was no evidence of mass downloading of data or other illegal activity,” he said. Also, Ballard said, data security issues have unfortunately become commonplace.
For instance, last year UCLA notified 800,000 individuals about a data issue; the University of Texas notified 200,000; and the Veterans Affairs department notified 6 million. ECU sent letters last week to about 65,000 current and former students and employees to notify them their personal data may have been accidentally exposed through OneStop. The potential exposure resulted from a programming error that was quickly repaired once the university became aware of it, Seitz said.
There was no apparent malicious intent associated with the incident, Seitz said. “We think the risk of actual identity theft is low, but we want people whose data was potentially exposed to know about the situation,” he said.
“We deeply regret the error that led to this situation,” Seitz said. “It was a result of making a series of modifications to our systems to transition away from the use of Social Security numbers as unique identifiers on a portal on our Web site that allows staff and students to perform a number of tasks such as purchase parking permits, check course availability and examine job openings.”
Personally identifiable data was accessible by unauthorized users from Jan. 22 through Jan. 29. It included names, addresses and Social Security numbers. Credit card numbers for 21 individuals are believed to have been viewed, and those persons were notified by telephone in addition to receiving letters.
Other information, such as parking data, automobile insurance information, job applicant data for faculty and administrator positions, student judicial incident reports, student housing records and graduate program application information, also was possibly viewed.
The vulnerability was discovered when an ECU student, who had been using the portal, unintentionally viewed a screen that contained names and other information. He reported the situation to university police and the Web site was secured within 15 minutes of the initial report.
ECU officials are working with the Office of State Controller, the Attorney General’s office and the University of North Carolina General Administration to ensure that all appropriate steps are taken to respond to the incident.
In addition, the university’s internal auditor and an external firm will review procedures and systems in the Department of Information Technology and Computing Services.