UW staff's personal data was on public Web site at least a year

January 16, 2008

By David Callender


UW-Madison officials waited more than a month before advising more than 200 faculty and staff members of a potential exposure of their personal information on the Internet last year.

The personal information -- including e-mail addresses, phone numbers and Social Security-based campus ID numbers of faculty and staff who made purchases from the DoIT computer shop -- had been accessible on a campus Internet site for at least a year, said Brian Rust, communications manager for the UW's department of information technology.

Rust said the Web-based database for DoIT employees was intended to keep track of sales transactions for statistical purposes. He said the department only learned that purchasers' campus ID numbers -- some of which still use Social Security numbers -- could be accessed after a UW staffer found information about his own DoIT purchase during a routine online search.

Rust said the employees involved in the exposure were reprimanded, but declined to say what exactly their punishment entailed.

According to a letter to the affected faculty and staff dated Jan. 7, UW senior legal counsel Nancy Lynch wrote that the university became aware of the problem on Nov. 26.

Lynch wrote employees that their e-mail addresses, phone numbers and Social Security numbers were "inadvertently disclosed."

But Rust said the information did not constitute a security breach, since there was no indication that any unauthorized person -- other than the one staff member -- had actually accessed the information.

Rust said the UW delayed notifying staff members because it had to determine whether any information had been used, develop corrective measures, and ascertain the UW's legal liability. He said the UW complied with a state law requiring anyone affected by such an exposure to be notified within 45 days of the event.

Both he and Lynch said there was no indication that the information had been misused.

Rust acknowledged that although the faculty and staff names may not have been included in the information that was disclosed, in many cases their identity could be gleaned from their e-mail addresses, which usually consist of all or part of an individual's name, and from online directories that allow searches by phone number.

He also admitted that the exposure was due to the design of the database, which had been in use for about a year. He said that programmers knew the information could be accessed from outside, but apparently no one recognized that the data might include Social Security numbers and other personal information.

The UW revelation comes amid a series of inadvertent disclosures of personal information -- usually involving names and Social Security numbers -- by state government agencies.

On Tuesday, state officials revealed that Social Security numbers could be read on tax information mailed to about 5,000 state residents in northeastern Wisconsin last week.

Earlier this month, a private contractor sent a mailing to 260,000 state Medicaid clients that included their Social Security numbers on the mailing label; a similar mailing in 2006 went to about 171,000 residents.

Rust said that, in contrast to those disclosures, anyone looking for personal information would have had to find the DoIT Web site in question and then would have had to know that some campus ID numbers still use Social Security numbers.

In an effort to control the release of personal information, the UW stopped using students' and employees' Social Security numbers as part of their campus ID numbers several years ago. But some longtime employees have not changed that ID number to a new, randomly generated number, he said.

"It's not to say that we're not taking responsibility for this exposure, but this is a reminder that if people don't want something like this to ever happen again, then they should really change that number," he said, adding that DoIT plans to phase out all Social Security-based ID numbers within about a year.

Unlike the state in the recent breaches, however, the UW did not offer any free credit monitoring for faculty and staff affected by the exposure. Rust said employees would have to decide for themselves whether to seek the additional monitoring.

main page ATTRITION feedback