Another computer security breach at UI

March 10, 2007

Associated Press and KLEW Staff

The University of Idaho says a data file posted to the school's web site may have put at risk the personal information of approximately 2,700 university employees.

It's the third time in almost a year that the personal information of people affiliated with the school has been compromised.

UI officials said in a news release Friday that, to date, there is no indication that "the information was successfully read or used for any purpose other than the reason for which it was created."

But officials said the school is notifying by letter all affected individuals and recommending steps to check and safeguard their personal information.

UI said the data file, in a proprietary binary format readable only with compatible software, was accessible on the university site for 19 days in February. The university's Information Technology Services department immediately removed the file on Feb. 27 after discovering its existence.

Officials said UI launched an immediate investigation into the incident.

The data file was uploaded by an authorized user for legitimate university research purposes. It contained personal identifying information including names, birthdates and Social Security numbers for approximately 2,700 university employees, but did not include any personal financial account numbers.

"We are taking this news especially hard given the corrective security actions recently enacted, and the university's increased awareness of data security," said Doug Baker, provost and executive vice president.

Among the completed steps taken to enhance data security, the university said it has:

- Assessed and inventoried data within its centrally managed administrative systems.

- Implemented improvements to the institution.s data management protocols including the creation of firewalled networks to protect desktop systems from outside attacks and stricter standards for desktop security, such as data encryption and network storage.

University officials said there is work being done to "remove duplicated information from the school's central database, reduce access to and use of sensitive information except for purposes authorized and essential to institutional work and protect data that is in use or in storage."

Desk-by-desk audits of key departments will be conducted to ensure adherence to new security standards.

The university will also develop a data security training program for its employees.

"In the meantime, we ask our employees to redouble their efforts to ensure the security and safe practices surrounding their individual, departmental and unit-wide computer systems," Baker said.

main page ATTRITION feedback