Information for Some Vol State Students and Faculty Found Vulnerable on Web Server
Submitted on April 30, 2012 at 10:50 AM
Some 14,000 Volunteer State Community College students and faculty are being notified that some of their personal data was placed on a web server. Based on a review of server logs, it is unlikely that the files have been accessed since 2008, outside of college personnel. Although it’s possible that this data could have been accessed by unauthorized individuals on the web, campus officials say they have no direct evidence that it has been discovered or used by anyone maliciously.
There was no credit card or financial information in these files. This is not the main web server, but one where a course instructor would typically post course syllabi and other relevant academic information. A very limited number of faculty files were involved. The files contained names and Social Security numbers. The files were immediately removed from the web server. We want to reiterate that this information was not placed on Vol State’s main site, www.volstate.edu. The server in question has been removed from the web.
We believe that most of the affected students are former students. Some of our instructors serve as an adjunct instructor at other institutions, so some information posted included a limited number of students attending other institutions.
“We are notifying the affected students and faculty members as a precaution,” said Bruce Scism, interim president. “We have contacted the major credit reporting agencies and informed them that some of our students’ and faculty member’s personal information may have been accessible. We want to err on the side of caution.”
College officials recommend those on the list place a “fraud alert” on their credit files with the major credit bureaus. The alert is a free service that will request that creditors verify an individual’s identity before opening a new account. The college also created a web site at www.volstate.edu/securityID to make people aware of the situation and provide information to students about protecting their private information. In addition, all affected students will receive one-year of credit protection from Volunteer State Community College upon request.
“We regret what has happened and apologize for the inconvenience this may cause,” Scism said. “Vol State takes the protection of personal information very seriously. The college had policies and employee training sessions regarding the protection of such information. Vol State is reviewing and changing those processes in order to keep personally identifiable information in a secure environment. The college has already implemented several measures that should keep a problem like this from recurring.”
A phone number has been set up to handle calls about this matter. It is 615-230-3390. The website, with links to credit agencies, can be found at www.volstate.edu/securityID
# # #
QUESTIONS AND ANSWERS
Personal data was placed on an academic web server and due to the nature of the server being web-based, the files were not fully protected. This resulted in the possibility that some students’ and faculty member’s personal data may have been accessible. Upon discovery of the files, the personally identifiable information was immediately removed and the server is no longer on the web.
Who did this?
The web server was primarily used for academic purposes. Typically a course instructor would post the course syllabi and other relevant academic information. Due to having a log in and password, a very small number of employees thought the web server was a secure environment to upload files. Although these could not be readily seen, they were mistakenly put in a vulnerable location. The server is designed to serve as a secondary web location for academic communication and is not a secure file server.
Will the instructors be disciplined?
We are currently investigating the matter and working with each employee involved to address the issue. Our focus now is to let those affected know about the problem and help them resolve this issue.
What kind of information became vulnerable?
Some student and faculty member names and social security numbers were posted on a Vol State web server. The bulk of information had not been accessed since 2008, other than by authorized college personnel. No credit card or financial information was on the server.
Is my information at risk?
Odds are no, but the college has notified every person on the vulnerable lists to err on the side of caution. The information was posted on a web server utilized by faculty and students – not the main www.volstate.edu server.
How will I know if I’m affected?
The college has contacted everyone for whom it can verify personal information was made vulnerable. However, those who receive a letter about the incident should consider protecting themselves as outlined on the Federal Trade Commission web site at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm#CRContact
All affected students may receive one-year of credit protection from Volunteer State Community College upon request.
How did Vol State respond to the problem?
Officials immediately blocked access to the server and removed all files containing the personally identifiable information. This server is no longer available on the web. The college mailed letters to those affected, notifying them of the problem and outlining steps to help prevent possible fraud. The college also contacted the major credit reporting agencies to inform them that some personal information may have been accessible.
What is the college doing to help protect the students?
All affected students and faculty members may receive one-year of credit protection from Volunteer State Community College upon request. In addition, all affected individuals have been advised about how they could protect themselves. Information about contacting credit reporting agencies and creating fraud alert systems was mailed to them and made available on the college’s web site, where a link to the Federal Trade Commission site includes detailed instructions on what to do to avoid identity theft and fraud.
Have the appropriate people or agencies been notified by the college?
Yes, the college notified major credit agencies to inform them that some students’ personal information may have been accessible.
What is being done to make sure it doesn’t happen again?
We’ll make every effort to ensure it doesn’t happen again. All files of concern have been removed from the server and the server has been removed from the web.
What can I do if I’m concerned about protecting my personal information?
The Federal Trade Commission recommends that you call the toll-free fraud number of any of the three nation-wide consumer reporting companies and place an initial fraud alert on your credit reports. An alert can help stop someone from opening new credit account in your name.
P.O. Box 740241, Atlanta, GA 30374-0241
P.O. Box 9532, Allen, TX 75013
Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, GA 92834-6790
You are entitled to order free copies of your credit reports, and, if you ask, only the last four digits of your SSN will appear on your credit reports. Once you get your credit reports, review them carefully. Look for inquiries from companies you haven’t contacted, accounts you didn’t open, and debts on your accounts that you can’t explain. Check that information, like your SSN, address(es), name or initials, and employers are correct. If you find fraudulent or inaccurate information, get it removed. For more details about protecting your identity, visit the Federal Trade Commission website at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm#CRContact
A service provided by the Office of Public Relations.