On Sept. 30, UGA officials discovered a file containing personnel information on a publicly available Web server for 18,931 faculty and staff members employed at the institution in or around 2002. The university has begun an investigation into how and why the file was made public.
Pursuant to Georgia law, employees whose information was compromised will be notified. The file, created for administrative purposes, contained employees’ names, Social Security numbers, dates of birth, dates of employment, sex, race, home phone numbers and addresses.
“This investigation will be ongoing over the next 90 to 120 days and will form the basis for changes that are appropriate to ensure accountability and reduce the risk of this happening again,” said Timothy Chester, UGA’s chief information officer. “We are and will be holding ourselves accountable for this incident.”
The file was discovered after an employee called the EITS Help Desk to say their personal information, located via Google, was on an EITS website. After the claim was verified by the Office of Information Security, the site was taken down.
Anyone employed at UGA during 2002 is being advised to take appropriate steps to guard against identity theft by using the guideline outlined at http://www.consumer.gov/idtheft. Additionally, those affected should review the information contained in http://www.infosec.uga.edu/sate/idtheft.php to learn more about recommended precautions.
“The best solution to protect individuals against identity theft is education and diligence,” Chester said. “Equipping individuals with the means for proactive monitoring of their credit, by taking advantage of a free annual credit report and selective use of fraud alerts, when appropriate, is the best course of action. Diligence, regardless of whether an individual’s personal information has been disclosed, is the only real way to protect against identity theft. We will continue to provide individuals affected by this disclosure with support and assistance as necessary, to aid them in the use of these services.”
Comprehensive information on this incident, including a frequently asked questions guide, is available at http://fraudconcerns.uga.edu or by contacting the EITS Help Desk at 706-542-3106 or helpdesk@uga.edu.
EITS staff are taking steps to reduce the risk of such computer breaches in the future, according to Chester.
“Ultimately, the encryption of sensitive data is the best technical way to reduce the risk of inadvertent disclosure and it is the best practice adopted throughout higher education to manage this problem,” Chester said. “We are currently in the planning stages for this work and will be reaching out across the university community to have a conversation about this work, how it will impact schools, colleges, and administrative units, and what the timeline should be to proceed with these changes in an orderly fashion.
“This work will be our most important priority over the next nine to 12 months and will take precedence over all regular support and enhancements to our core student, finance and HR systems, with the exception of regulatory updates and normal ‘break/fix’ support,” Chester added. “I ask for your support as we redirect our attention towards these important risk reduction efforts.”
