Published: September 24, 2009 08:24 am      

Online mishap exposes information

Over 5,000 employee Social Security numbers released

The Social Security numbers of more than 5,000 Eastern Kentucky University employees accidentally were posted on an online directory Sept. 29, 2008.

EKU president Doug Whitlock issued a statement Wednesday addressing the matter and recommended that all employees during the 2007-08 academic year (with a last date of hire being Oct. 15, 2008) alert creditors.

The file containing the information was removed from the Internet on Friday, Sept. 18, Whitlock said.

“To date, we have no knowledge that the personal identity information contained in the file has been misused or exploited,” he said.

The time gap between the recognition of the problem and a public announcement was necessary to keep the exposure of the confidential at a minimum, Whitlock said.

“This made the file inaccessible,” he said. “However, pointers to this file still existed in the Google search engine and specific searches could return small snippets of the file. Notification was made immediately after verifying Google had removed all pointers to this file.”

The file was discovered by the school’s information technology staff as a result of a Google search, Whitlock said

“Upon discovery, ECERT (Eastern Kentucky University Computing Emergency Response Team) immediately removed the file from the University Web space, and contacted Google to request the link be removed from their search engine. The file was not found using other Web search engines.”

A University Web page, www.ecert.eku, was created to provide additional information about this matter, and will be updated frequently to report information.

A special phone line, 622-7777, is now open for those who would like to call with their concerns or for more information, Whitlock said.

“Clearly, this incident violated our information security policies and guidelines, and it demonstrates that we must have heightened vigilance in this area,” Whitlock said. “EKU is undertaking an institution-wide data inventory initiative and conducting a full review to further improve our policies and practices regarding the security of our confidential data.”

To protect themselves against identity theft, a free initial fraud alert (and extended fraud alerts after 90 days) can be placed with credit bureaus, a free temporary or permanent security freeze can be requested and a credit report may be run to ensure accounts have not been fraudulently activated. The university suggested calling one of the following major credit bureaus:

• Equifax, www.equifax.com; 1-800-525-6285

• Experian, www.experian.com/ fraud; 1-888-397-3742

• Trans Union, www.tuc.com; 1-800-680-7289

The following resources can be contacted for additional information about identity theft:

• Federal Trade Commission: www.ftc.gov/bcp/edu/microsites/idtheft/

• Social Security Administration: www.ssa.gov; Fraud Line, 1-800-269-0271

• Identity Theft Victim Checklist: www.101-identitytheft.com/checklist.htm

“Even though we believe that this incident puts our employees at low risk of identity theft and there is no evidence, at this point, to indicate the subject file has been accessed, we nonetheless believed it was our obligation to notify faculty, staff and students of this incident,” Whitlock said. “If there is evidence of identity theft, the University will provide additional support to any affected persons.

“The University is committed to maintaining the privacy of its employees, taking many precautions for the security of personal information and continually modifying its systems and practices to enhance the security of sensitive information,” he said.

Ronica Shannon can be reached at rshannon@richmondregister.com or 624-6608.