Computing Network Breach

What happened?

The Information Resources staff of The University of Texas at Dallas discovered a breach of security within its computing network on July 12.  This discovery was the result of routine checks of the University network. One system on the network contained personally identifiable information, including names, addresses, Social Security numbers, email addresses and telephone numbers. The individuals whose information was present on that system include:

• 4406 students who were on the Dean’s List or graduated between 2000 and 2003
• 3892 students who were contacted to take part in a survey by the Office of  Undergraduate Education in 2002
• 88 staff members from Facilities Management
• 716 faculty/staff members listed in a space inventory record from 2001.

The University is in the process of contacting the individuals described above, and apologizes to all involved.  This incident involves only those individuals described above.

While no one associated with The University seeks to minimize the impact of this incident, there is no indication that the information has been disclosed, disseminated or used to anyone's detriment at this time. The University is actively cooperating with law enforcement agencies to identify the source of this attack, and in the best interests of those potentially affected, seeks to notify anyone whose information could be at risk.

Was any information misused?

There is no indication that any individual’s information has been misused at this time but we cannot rule out the possibility of some future misuse.

What information could have been exposed?

It is possible that information including names, addresses, phone numbers, Social Security numbers and email addresses could have been exposed.

How would this have occurred?

This information was collected and saved before the current system of creating a unique University identification number in place of Social Security numbers for some purposes was created in January 2005. This data was stored long ago as a back up on a computer hard drive that now has been identified as having been put at risk.

The University of Texas at Dallas has adopted a policy concerning the protection of SSNs.  The University also complies with the requirements for the protection of SSNs outlined in Information Resources Use and Security Policy.

With the implementation of the above policy, UT Dallas Information Resources Security officers in cooperation with staff across the University are systematically evaluating and reconfiguring network resources to harden the system against such attacks.  The University’s goal is never to allow such intrusions to take place, and never to place such information at risk.  We are continuously deploying measures to make this goal more attainable. This recent attack has underscored the importance of the role of each and every individual in securing our information resources. We continue to identify and remove potential vulnerabilities.

Was my information exposed if I used a web application?

No, web applications were not compromised.

What did the university do when the problem was discovered?

University IR staff developed a method for locating computers that could be at risk.  These computers were shut down as they were identified.  They were scanned to determine if any data could have been exposed.  Systems determined to be at risk will be reformatted. Their operating systems will be reinstalled.

How can I determine if my information was exposed?

If you are a member of the group described above, you will be contacted by letter, as well as other means available. If you believe you are at risk, you are encouraged to place a fraud alert on your credit report.  Instructions are at http://www.utdallas.edu/ir/security/DataCompromiseResources.htm.

If I was one of the people affected by this incident, does this mean that I’m a victim of identity theft?

No. The fact that someone may have viewed this information does not mean you are a victim of identity theft or that any information was accessed for the purpose of committing fraud. We have no indication that your information was even viewed. However, we believe it is important that you know about the incident so that you can take any steps you feel appropriate to protect yourself.

What can I do as a University citizen to assist in the effort to improve security?

Every member of the campus community has been asked to change his or her password in the past several days.  The Information Resources Security Office will be in touch with representatives of offices across campus with further information about measures each of us must take.  

If I might have been affected, what do you recommend I do now?

Please visit the http://www.utdallas.edu/ir/security/DataCompromiseResources.htm page for information about placing a fraud alert on your credit report.

What are you doing to prevent this in the future?

Data security experts and other information technology specialists are working toward implementing a solution to prevent a recurrence of this event.   We are committed to enforcing existing standards and developing new standards as needed to safeguard the integrity of our systems and protect the data with which we have been entrusted.

The University of Texas at Dallas understands the importance of maintaining the privacy of sensitive data. We take this matter very seriously, and continue to work diligently to ensure that our policies and technical security measures promote the integrity and confidentiality of such records.

What do I do if I have other questions?

For information about how to protect your information and credit see  http://www.utdallas.edu/ir/security/DataCompromiseResources.htm.  If you have questions about this that are not answered by these information resources, please call 972-883-3886 and leave contact information.