The University of Colorado at Boulder is investigating two incidents of unauthorized access to a computer server, one used by Wardenburg Health Center and the other used by the Visual Resource Center of the College of Architecture and Planning.
Both incidents create a potential identity theft problem for affected persons, although there is no evidence that personal information was stolen or used.
The Wardenburg Health Center server contained personal information for approximately 42,000 students, faculty and staff members and a small number of visitors.
The sensitive information on the Wardenburg server included names, Social Security numbers, student identification numbers, addresses and dates of birth. The results of approximately 2,000 laboratory tests also were on the server but there was no other medical or prescription information on the server. The server also contained no financial information.
"We are very concerned about this breach of computer security and we are working closely with a number of IT and information security professionals to analyze this incident so that we can provide accurate information to our clients," said Robert Cranny, director of Wardenburg Health Center.
When the breach of the server was reported to the central campus IT department on July 14, the server was immediately isolated and taken offline. Analysis has been conducted to determine what information might have been accessed.
Preliminary review of the incident has revealed no evidence that personal data were extracted or used to anyone's detriment. As a precaution, however, the university is in the process of contacting everyone whose information was stored on the server. The university also is providing instructions on how to protect against potential fraud and identity theft.
People potentially affected by the Wardenburg incident include prospective and admitted students who have submitted immunization forms, and faculty, staff and visitors who have received health care services.
Affected individuals are being contacted through posted letters and e-mail communication. Information about the Wardenburg server has been posted on a campus Web site -- http://www.colorado.edu/its/security/whc -- with links to the Wardenburg site and the News Center site. In addition, a hotline has been established to respond to individual inquiries about both incidents.
The server for the Visual Resource Center of the College of Architecture and Planning contained only names and Social Security numbers of about 900 students and faculty who used the Visual Resource Center.
Information about the Visual Resource Center server has been posted on a campus Web site -- http://www.colorado.edu/its/security/cap -- also with links to the Wardenburg site and the News Center site.
Both of the online resource pages will help affected persons determine the steps they should take to protect their identity.
"Maintaining the privacy of sensitive data, including information about our students, faculty, staff and clients is of utmost importance," said Dan Jones, CU-Boulder information technology security coordinator. "We are very concerned that breaches have occurred and we are working to ensure that our policies and security measures promote the integrity and confidentiality of these records."
The university has begun to limit the use of Social Security numbers and other personally identifiable information in applications where use of such information is not necessary. As part of those changes, on April 10 the university finished converting all 30,000 students' identification numbers from Social Security numbers to a new unique student ID number that cannot be used for obtaining or extending credit.
Identity theft is a growing problem in higher education. The July 8 edition of The Chronicle of Higher Education reported that more than two dozen attacks on university servers have compromised private data during the last six months.
Contact: Robert Cranny, (303) 492-0025 Dan Jones, (303) 735-6637 Danielle Zieg, (303) 556-2523 Jeannine Malmsbury, (303) 492-3115