|
Q: What happened?
A: On Saturday, November 25, 2006, during the Thanksgiving holiday, three desktop computers were stolen from the University of Idaho’s office of Advancement Services. The university launched an internal investigation at the same time it reported the theft to City of Moscow police. The case is currently being handled by the Latah County Sheriff’s Office. Efforts continue to recover the computers, but to date, they have not been found. Anyone with knowledge regarding the theft of the computers should contact Latah County Sheriff’s Detective Jennifer L. McFarland at (208) 882-2216
To date, the university is not aware of an improper use or disclosure of personal information on the stolen computers.
Q: Why did the University of Idaho wait so long to release news of this incident?
A: The University of Idaho has been working collaboratively with law enforcement authorities since the theft was discovered and reported. At their request, to help preserve the integrity of the investigation, the university did not release information until given word to do so by law enforcement.
Q: How many and what kinds of records were involved?
A: The university’s internal investigation revealed that six months prior to the theft, the computer hard drives contained datasets with names, addresses and Social Security numbers for approximately 70,000 individuals. As a precaution, the University of Idaho is making a broad notification about the computer theft to approximately 331,800 individuals. The larger number represents the total number of individuals whose information may have been accessed by Advancement Services as part of the office’s work at the university.
The personal information included Social Security numbers, dates of birth, home addresses and contact information. The information did not include driver’s license numbers or credit card or account information.
Q: What is the University of Idaho doing in response to this incident?
A: The university has taken immediate steps to investigate the nature of the data contained on the stolen computers, to notify individuals who may be affected, and to assess and improve upon its internal physical and electronic security.
As a precaution, the University of Idaho is notifying all individuals whose personal information may have been on the computers and thus possibly compromised as a result of the theft. In-state residents are receiving an e-mail notice and out-of-state residents are receiving a letter by regular mail.
In addition, the university has sent information to media outlets to provide a broad-based public notice, has set up a website (www.identityalert.uidaho.edu) to provide additional information and resources.
The University of Idaho is following up its initial investigation with a complete review of its electronic and physical security measures for the Advancement Services and other offices. Among the other immediate steps being taken by the university:
- Removing sensitive information from specific computing devices
- Installing encryption software on desktop and laptop systems that access sensitive information
- Enhancing physical and electronic security
- Improving data management protocols
Q: Was my information in the stolen computers?
A: If you received notification from the University of Idaho—either via e-mail or regular mail—or if you are an alum, donor, student or employee of the university, your information may have been on a hard drive in one of the stolen computers.
Q: How can I tell if my personal information has been compromised?
A: There is no evidence at this point to indicate that any information on the stolen computer hard drives has been accessed or used illegally. As a precaution you should monitor your accounts for any suspicious activity.
Q: Am I the victim of identity theft?
A: The fact that the stolen computers had personal information on them doesn't mean that you're the victim of identity theft or that the thief or thieves are able to access and intend to use the information on the stolen computers for fraudulent purposes.
The best protection is for individuals to place a fraud alert on their credit files and to review their credit reports regularly.
Q: I haven’t noticed any unusual activity on my accounts. What can I do to protect my personal information?
You should consider placing a fraud alert on your credit file. A fraud alert lets creditors know to contact you before any new accounts are opened in your name. Simply call any one of three credit reporting agencies listed below. The one call will let you automatically place a free fraud alert with all three of the agencies. Those agencies will then send you a letter with instructions for how to receive a free copy of your credit report from each agency.
Equifax: 1-800-525-6285
P.O. Box 740241
Atlanta GA 30374-0241
www.equifax.com
Experian: 1-888-EXPERIAN (397-3742)
P.O. Box 9532, Allen TX 75013
http://www.experian.com
TransUnion: 1-800-680-7289
Fraud Victim Assistance Division
P.O. Box 6790, Fullerton CA 92834-6790
http://www.transunion.com
You should request a free credit report. The three major nationwide consumer reporting companies listed above are required by law to provide you with a free copy of your credit report each year, if you ask for it. The three companies have created a comprehensive annual credit report request service through which you can order your free credits reports each year:
Annual Credit Report Request Service: 1-877-322-8228
P.O. Box 105281, Atlanta GA 30348-5281
www.annualcreditreport.com
If you do find suspicious activity on your credit reports, call the Latah County Sheriff at (208) 882-2216 to file a report of identity theft and contact the credit companies listed above. Get a copy of the police report, since you may be asked to provide a copy, along with other documentation, to help explain any issue with your records. More information about identity theft is available through the Federal Trade Commission’s website, www.consumer.gov/idtheft.
Because Social Security numbers may be involved, we also recommend that you monitor your Social Security statement. The Social Security Administration website at www.ssa.gov/pubs/10064.html will explain how to address possible misuse of your social security number and how to review your statement.
Q: Do I need to change my Social Security number?
A: Probably not. The Social Security Administration’s website contains information about steps to take to monitor your personal information and the circumstances under which it may issue a new number (www.socialsecurity.gov/pubs/10064.html).
The Social Security Administration cannot guarantee that a new number will solve identity theft issues. Changing a Social Security number may also affect your credit history, which could make it difficult to get new credit or open a bank account.
Q: Do I need to close my bank account, cancel my credit cards or change my driver's license?
A: No. The stolen hard drives did not include any information about bank accounts, credit card accounts or driver's licenses.
Q: Will University of Idaho contact me to ask for personal information because of this incident?
A: No. The University of Idaho will not contact you to ask for personal information such as your Social Security number or credit card or banking information. The university will only contact you to notify you of the computer theft and to provide suggestions on how to protect against potential identity theft and fraud.
In similar circumstances at other institutions, people have reportedly been contacted by individuals fraudulently claiming to represent the institution from which the information was stolen and asking for personal information. The University of Idaho recommends caution if you receive similar phone calls or e-mails.
Q: Will the University of Idaho pay for credit monitoring?
A: No, but we encourage you to place a fraud alert on your credit reports, and to review your credit reports regularly
Under the Fair Credit Reporting Act, you are entitled to one free personal credit report in a 12-month period. Visit www.annualcreditreport.com to learn how to request a copy of your report..
Q: Didn't University of Idaho have a similar incident recently?
A: No. This is the first such theft of computers containing sensitive personal information from the University of Idaho. There was concern in 2005 regarding a data breach of a vendor whose database held personal information of some University of Idaho employees; many university employees received notification of that incident from the vendor.
There have been many other instances in which leading universities and companies have had the personal information they hold compromised as the result of a computer theft, including Boeing Corporation, the Keck School of Medicine at the University of Southern California, Ford Motor Company, Fidelity Investments, University of Alabama and Ameriprise.
Q: What is University of Idaho doing to improve the security of personal information?
A: When the computer theft was reported, the University of Idaho launched an internal investigation. The data from the three hard drives were reconstructed, to the extent possible, in efforts to identify the specific files affected.
We have launched an internal review of electronic systems security; are removing sensitive information from specific computing devices; are installing encryption software on desktop and laptop systems that access sensitive information; and are enhancing physical security.
Q: Why is the University using AnswerNet to provide the mailing and hotline services, and why is AnswerNet using different facilities throughout the U.S. to provide these services?
A: Due to magnitude of the notice, the University was concerned that our services to students, alumni, faculty, and staff would be adversely affected if the University took on all the tasks associated with mailing the notice and manning a hotline. Therefore, the University outsourced the hotline and mailing services to AnswerNet. AnswerNet was chosen because it has assisted other higher education insitutions in similar situations and because it is a national company with services located in different states. Using AnswerNet services has allowed University staff to focus forward on changes to our systems to improve our information services security.
Q: Why is AnswerNet asking for my DOB and SSN?
A: If you have received a mailed letter from the University / AnswerNet, it has a PIN code on it that is unique to you. If you have the letter available, you can give this to AnswerNet and they will be able to locate you in the database. If you don’t have the letter available when you call, AnswerNet will try to identify you in our database using your date of birth and the last four numbers of your social security number. If you don’t want to give your DOB and last four of SSN to AnswerNet, please call them back when you have the letter in front of you, and give them the PIN code on the letter.
Q: Why am I getting the letter if I never attended the University of Idaho?
A: Relatives and former relatives of students and employees may also be in our database. We encourage those who are in our database to go to our website and take steps to put a fraud alert on their credit report.
Q: Why was there a lag between the date of the letter and when I received it?
A: Because the size of the mailing was so large, it was necessary for the University to contract with an outside mailing service. It took about 3 weeks from the time we developed the letter to get it printed, distributed and into your mailbox.
This FAQ was last updated on February 13, 2007.
Additional questions and answers may be added to this document. |