Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school’s Web site for 19 days in February, though officials say it was not easy to access and there’s no reason yet to believe it was misused.
It was the latest data breach at a regional college, following the theft of some computers from the UI’s fund-raising office and the theft of a portable hard drive from an Eastern Washington University employee late last year. Officials say they have not heard of any crimes or other problems stemming from the incidents.
“This hit us hard,” said Provost Doug Baker on Friday. “We’re very concerned about it, and we’re taking rapid corrective action to protect people’s data and make sure it never happens again.”
In this case, a university data file was mistakenly included along with a report from the UI’s internal research department that was posted at the department’s Web site. It contained information including names, birthdates and Social Security numbers for about 2,700 university employees, but did not include any personal financial account numbers. The file was being used as part of an authorized university activity, and Baker said the UI has no reason now to believe the information was improperly accessed.
“It was not in a prominent place (online) and it was in a proprietary binary data file, which means you need a special program to read it,” he said.
The information was online for 19 days. When the university’s computer experts realized the mistake Feb. 27, the information was taken down and an investigation opened, the UI said.
The school is sending letters to the 2,700 employees whose information was placed at risk and has set up a Web site with information at http://www.vandalidentity.net/default.aspx?pid=97037.
In an interview earlier this year, Beth Givens, the director of the Privacy Rights Clearinghouse, said data breaches at universities, companies and other large organizations are “a problem of epidemic proportions.”
Her group, a California-based nonprofit that specializes in consumer protection issues, says more than 100 million “data records” have been lost in computer security breaches in the last two years.
Data security and storage has been an issue in higher education for years now. Colleges gather a lot of sensitive personal information about students, professors and employees, and while many schools have stopped using Social Security numbers as personal identifiers, their archived information going back decades does include such information.
The UI announced it was revamping its policies and procedures for handling sensitive information after three desktop computers were stolen from the university’s fundraising office in Moscow over the Thanksgiving 2006 break.
While officials couldn’t say precisely what information was on the computers’ databases, an investigation showed that the names, addresses and Social Security numbers of about 70,000 students, employees, alumni and donors had been stored on the computers six months before the burglary.
A smaller theft occurred at EWU in November, when a portable storage device with information about 500 instructors from 2001-2002 was stolen along with an employee’s purse.
Officials have said they know of no fraudulent activities resulting from the incidents.
Since the computer theft in November at the UI, the school has added firewalled networks to protect desktop computer systems and raised standards for data encryption, the UI said. The school is also planning to further limit access to sensitive information, conduct a desk-by-desk audit of computers in key departments, and move away from using Social Security numbers.
Click here to comment on this story »