UNC employees recently affected by a data breach in Facilities Services turned out in large number to hear from a panel of administrators who are feverishly working to minimize the damage. The panel members addressed how the university discovered the breach, how it has responded so far, and steps that employees who have been affected can take to prevent fraud.
Vice Chancellor for Information Technology and CIO Chris Kielt said that his office was first alerted to a possible leak of sensitive data by a Facilities Services employee in November. The university took swift action and immediately removed the server that contained the sensitive information.
He said upon further investigation his staff discovered that Google crawled the exposed information, made a copy of the contents and published it on the internet. Kielt was careful to point out that this is a normal business practice for Google and it was not done maliciously. “The data was exposed as the result of an honest mistake. That doesn’t make it any easier, but I want to make clear that it wasn’t a malicious attack or cybercrime.”
His office contacted Google to have the information removed and it was taken down on November 23.
Upon noticing the sensitive information on the server, the university contracted with a commercial forensic review firm to help with investigation. By December 23, the consultant found that 6,500 records that might contain sensitive personal data had been exposed.
Kielt apologized to all of the staff whose information was exposed. He acknowledged that “the circumstances and results are completely unacceptable” and said his office “has to find a way to do a better job.”
Echoing Kielt’s apology, Associate Vice Chancellor for Business Services Meredith Weiss called the breach “unacceptable” and said that her office is “doing everything we can to follow up on this.”
She directed affected employees to several resources where they can obtain additional information: an online set of frequently asked questions, a call center to answer individual concerns and help people who don’t have access to computers get information, and an email address where a response team can be reached. Weiss was careful to point out that all of the materials are being translated into Spanish, Burmese and Karen and that the Facilities human resources team is meeting with people individually to answer questions.
What to do if you were affected
Associate Vice Chancellor for Human Resources Matt Brody advises affected employees that they should consider taking steps to monitor their credit. Employees should take extra care when opening their mail and watch for a letter that contains an activation code for a year of free credit monitoring.
Brody also recommended signed up for free fraud alerts so a message is posted to your credit report informing creditors to the possibility of fraud. One additional layer of protection is a security freeze that will prevent companies from accessing your credit report without your consent. Brody explained that all three measures, taken together, will help keep employees’ information safe. “Fraud alerts and security freezes help to prevent fraud, while credit monitoring advises you after the fact.”
For affected employees who have questions about the credit monitoring process, there are several ways to provide feedback and get your questions answered. Visit Frequently Asked Questions at http://its.unc.edu/2013/12/10/data-breach-faq/ or send an email to incident_questions@unc.edu.
There is also a call center that can be reached at 1-866-458-3184. The call center is available to answer calls in English and Spanish, between 9:00 a.m. and 6:00 p.m. Eastern Standard Time, Monday through Friday, until February 10, 2014. This is the best option if you want to verify your information was not exposed in the data breach.
For more information about the breach and the university’s response, a video of the panel is available on the Forum’s website at https://employeeforum.unc.edu/2014/01/16/winter-community-meeting-unc-data-breach/.