A computer hacker accessed computer systems containing confidential personal data of Western Illinois University alumni a full month ago, but some of the more than 180,000 people affected only learned of the problem this week.
That response time, school spokesman John Maguire said Tuesday, was too slow, and the school is looking at changing its procedures to make sure notification happens faster.
Maguire emphasized that although Social Security numbers and some credit card information were kept in the breached systems, the school has no evidence that any information has been used maliciously.
"We strongly think it unlikely that anything was copied or compromised,'' Maguire said.
Academic files not affected
In notices sent beginning June 26, the university told alums and others that the security breach happened June 5.
A hacker or hackers accessed "several Electronic Student Services systems,'' according to information posted on the school's Web site Sunday.
Personal data, names, Social Security numbers, addresses and phone numbers for anyone who took a course at the school since 1983 were kept on the computer system. An additional 1,000 records from students who attended between 1978 to 1982 were also kept on the compromised system.
Even data from some applicants who did not attend Western might have been accessed because the school keeps those records for at least a year, in case the student were to reapply.
Credit card account numbers for people who bought merchandise through the school's Web site or who stayed at the University Union hotel might also have been accessed. No academic files were accessed, officials said.
The school learned of the breach the same day it happened, and it immediately fixed the breach and beefed up security. The school's public safety office has been in touch with the FBI, but no arrests have been made, Maguire said.
At first, the school thought as many as 240,000 people were affected, but the number was revised after weeding out old or duplicate records.
Keep an eye on credit reports
Maguire said about 40,000 e-mails were also sent out beginning last week, but the overall response time was not acceptable.
"In terms of trying to notify somebody by mail, we are looking at those procedures,'' he said. "We realize that is one of the criticisms, and we are trying to be responsible to that.''
Although officials have received no reports of records being copied or tampering with, they urged anyone potentially affected to monitor credit reports closely and consult the Federal Trade Commission or state attorney general for tips on how to protect yourself.
There have been security breaches at 29 universities or colleges in the last six months, Western officials said. In March 2005, hackers accessed a server run by the Kellogg School of Management at Northwestern, potentially learning user names and passwords to more than 21,000 computer accounts held by students, staff and alumni. At the time, NU officials said they didn't think any personal data was stolen.
[an error occurred while processing this directive]