MSU notifies students, staff of security breaches

November 6, 2007

By MSU News Service

Montana State University is informing 271 people that their Social Security numbers may have been exposed in one of three separate data security breaches.

On Nov. 2, it was determined that a stolen data storage device contained the Social Security numbers of 216 students and employees who lived in on-campus housing from 1998 to the spring of 2007.

In a separate incident that also occurred on Nov. 2, an independent security analyst informed university data security staff that an Excel spreadsheet with the names and Social Security numbers of 42 people - mostly new hires during the summer of 2006 - was available on the MSU Web site. The spreadsheet was immediately removed.

While investigating the Excel spreadsheet incident, MSU data-security staff discovered another Excel spreadsheet with the Social Security numbers of 13 people affiliated with the Department of Computer Science on the university's Web site. It, too, was immediately removed. "We take these incidents very seriously and act as swiftly as we can to notify the affected parties," said Cathy Conover, an MSU spokeswoman. "We try to learn as much as we can from each incident to improve our security and are investing a great deal of time to prevent these events from happening again."

The information on the storage device was not encrypted. University police and the Gallatin County Sheriff's Office have been informed of the theft.

MSU Residence Life is notifying by mail the 216 individuals whose personal information was on the device. The letter includes information on how to receive a free credit report, flag a credit file with a fraud alert and monitor accounts for suspicious activity.

MSU Residence Life will be removing all sensitive personal information from portable data-storage devices to prevent this event from happening again.

"Even though we don't believe the thief, or thieves, targeted the data on the device, this is a very serious matter, and we want to alert students and employees that their personal data may be vulnerable to abuse," Conover said.

"We've used our Web site to post a list of actions we recommend people take to protect themselves."

Those recommendations can be found at

With regard to the first Excel spreadsheet, MSU was notified of its presence on the Web by an outside data security watchdog group. The spreadsheet was saved in error by a Human Resources/Personnel and Payroll employee in August 2006 and then inadvertently posted on the Web in July 2007.

MSU's Human Resources/Personnel and Payroll Department does have security protocols to prevent this kind of human error, but those protocols were implemented after August 2006.

The 42 individuals affected will be notified by letter this week.

The second Excel spreadsheet containing the Social Security numbers of 13 people affiliated with the Department of Computer Science was generated for travel vouchers. An employee mistakenly posted it to the MSU Web in 2002, university data-security staff determined.

The College of Engineering plans to improve security awareness of employees who deal with sensitive data and implement protocols and procedures to minimize any potential exposure of sensitive information.

The 13 people affected will be notified by letter this week.

main page ATTRITION feedback