ECU sends notices of potential data exposure
(Feb. 9, 2007)
East Carolina University officials said today that they are notifying thousands of current and former students and employees that their personal data may have been accidentally exposed on a university web site.
The potential exposure resulted from a programming error that has been repaired, said Kevin Seitz, vice chancellor for administration and finance. There was no apparent malicious intent associated with the incident, Seitz said. “We were not hacked. We have no evidence that data was stolen or otherwise inappropriately used,” he said.
“We think the risk of actual identity theft is low, but we want people whose data was potentially exposed to know about the situation,” Seitz said.
The university on Friday began mailing about 65,000 letters to individuals telling them that their personal data was potentially exposed. In addition, ECU has established a web site and telephone hotline to answer questions about the incident. The web site ishttp://www.ecu.edu/incident and the phone number is 877-328-6660. The web site is active now, and the telephone hotline will be activated at 8 a.m. Monday and will be answered from 8 a.m. to 5 p.m. Monday through Friday.
“We deeply regret the error that led to this situation,” Seitz said. “It was a result of making a series of modifications to our systems to transition away from the use of Social Security numbers as unique identifiers on a portal on our web site that allows staff and students to perform a number of tasks such as purchase parking permits, check course availability and examine job openings.”
Personally identifiable data was potentially accessible by unauthorized users from Jan. 22 through Jan. 29, officials said. It included names, addresses and Social Security numbers. Credit card numbers for 21 individuals are believed to have been viewed, and those persons are being notified by telephone in addition to receiving letters.
Other information, such as parking data, automobile insurance information, job applicant data for faculty and administrator positions, student judicial incident reports, student housing records and graduate program application information, also was possibly viewed.
The vulnerability was discovered when an ECU student, who had been using the portal, unintentionally viewed a screen that contained names and other information. He reported the situation to university police and the web site was secured within 15 minutes of the initial report.
ECU officials are working with the Office of State Controller, the Attorney General’s office and the University of North Carolina General Administration to ensure that all appropriate steps are taken to respond to the incident.
In addition, the university’s internal auditor and an external firm will review procedures and systems in the Department of Information Technology and Computing Services.
University officials urged individuals whose information might have been compromised to review account statements and monitor credit reports.