Please review the FAQs page before initiating contact. The university aims to ensure the most effective exchange of information surrounding this matter and as such, encourages you to read the below contact information carefully.
Please refrain from calling individual offices or contacts on campus, including ITS, the ITS help desk (TAC), etc., as this will slow down the university’s ability to complete this investigation. All callers will be referred to uncw.edu/datasecurity.
Update Regarding Unauthorized Server Access – June 13, 2014
UNCW’s Information Technology Systems team has concluded its investigation of recent unauthorized access to a UNCW applications server, which made it possible to access a database containing names, addresses and social security numbers of individuals associated with UNCW. UNCW does not believe that the unauthorized access constitutes a breach of personally identifiable information (information hacked for the purpose of misuse). Nonetheless, the university is providing this notification consistent with North Carolina’s Identity Theft Protection Act, so that those who may be affected can be mindful of possible changes to or inquiries regarding their personal information and accounts.
Although the university’s investigation has indicated a wider scope of potentially accessible information than discovered during the first phase of the investigation, the university has no evidence that the personal data or social security numbers were actually found and accessed, and no indication that fraud has been committed utilizing the information. There have been no confirmed instances of misuse associated with this data. Furthermore, our investigation has ruled out the existence of any credit card information on the server.
UNCW is recommending that anyone who has shared personal information with the university utilize standard best practices of information protection as included under “How to Protect Yourself,” below.
Who May Be Affected?
UNCW’s ITS team initially discovered that the groups possibly affected by this data incident included individuals employed at UNCW as of March 2014, which may have included part-time and temporary employees, graduate students, and adjunct instructors; and individuals who took a foreign language placement test at UNCW between 2002 and 2006. The university immediately activated the notification process to reach those individuals via email, or via U.S. Mail when an email address wasn’t available.
Although there is no evidence that the personal data or the associated social security numbers were accessed by the perpetrator of this attack, or that fraud has been committed utilizing the exposed information, it is possible that the attacked server included information from any individuals who have shared personal data with the university. Given the frequency of data security incidents in the digital age, there are more tools available than ever before for protecting one’s personal information. If you have shared personal data with the university, and are concerned about its security, UNCW recommends that you follow the common protocols for monitoring and protecting one’s information, as outlined under How To Protect Yourself, below.
Steps Taken By UNCW to Secure Information
The university has removed the file from the server to ensure no
further access. We have notified appropriate state regulatory and law
enforcement agencies of the incident.
UNCW has also taken aggressive steps to:
- Ensure all server Operating Systems are current
- Ensure all vendor applications are current
- Prevent upload access to the web application server
- Increase frequency of scans to identify unauthorized access issues
- Deploy industry software to identify Personal Identifying Information contained in files housed on university servers
- Migrate existing software applications to separate servers with improved security measures
How to Protect Yourself
As you are the only one legally authorized to review your financial statements and monitor your credit reports, you are in the most effective position to ensure the security of your personal information and protect your identity. UNCW strongly recommends that you take the following five steps, which are entirely free of charge, to safeguard your information, identity and accounts:
Step 1: Check Your Financial Accounts
Review all credit card, bank and/or debit card statements. If you see any activity you did not authorize, contact the bank or company that services the account immediately to report the fraud. You should also request a new credit or debit card with a different number and immediately change any PINs or passwords for the account.
Step 2: Sign Up for Free Services
Under the Fair Credit Reporting Act, you may request your credit report, which will be sent to you free of charge: https://www.annualcreditreport.com/index.action
Some businesses and government agencies offer free credit monitoring. While most offers are genuine, do not provide private information without verifying that the credit monitoring service is legitimate.
Step 3: Notify the Credit Bureaus
Request a fraud alert from one of the credit bureaus. This informs banks and other creditors to take extra steps to verify your identity before issuing credit in your name. A fraud alert is free and will last 90 days unless you request an extended seven-year fraud alert and provide a police report. By notifying one of the bureaus, the other two credit bureaus are automatically notified.
To request a fraud alert, you may contact any one of the three major credit bureaus:
- Equifax -- 1-888-766-0008 or http://www.equifax.com
- Experian -- 1-888-397-3742 or http://www.experian.com
- TransUnion -- 1-800-680-7289 or http://www.transunion.com
Step 4: Consider a Security Freeze
This step makes it very difficult for an identity thief to use your information to open an account or obtain credit in your name. You have the right to place a security freeze on your credit file under state law. (In North Carolina, consumers can now activate free security freezes online.) A security freeze prevents your credit report from being reported to third parties, such as credit grantors, except those permitted by law or those for whom you grant temporary access by contacting one of the credit bureaus. Only you can request a security freeze be placed on your credit file and only you can request the security freeze be removed or temporarily lifted. This may be the most effective method of safeguarding your credit and prevent identity theft. Please contact one of the three credit bureaus above for more information, such as how to place a security freeze and the steps and notice required to lift the freeze.
Step 5: Monitor Your Credit
Review your credit reports several times a year. Private information that is accessed may not be used right away.
Whether to Notify Law Enforcement
If you believe you have evidence that you've been the victim of identity theft or fraudulent activity, you may notify local law enforcement or the UNCW Police at
(910) 962-2222. You should also contact the Federal Trade Commission at www.ftc.gov/idtheft, at 1-877-ID-THEFT (438-4338), or at 600 Pennsylvania Avenue, NW, Washington, DC 20580, and you may call your local sheriff or police department’s office and file a police report of identity theft, keeping a copy of the police report. In addition, you may contact the Consumer Protection Division of the North Carolina Attorney General’s Office at 9001 Mail Service Center, Raleigh, NC 27699, by phone at 1-919-716-6000 or toll free in North Carolina at 1-877-5-NO-SCAM (1-877-566-7226)
If you reside outside of North Carolina, the contact information for the Attorney General of your state can be found on the website for the National Association of Attorneys General available at http://www.naag.org/current-attorneys-general.php.
UNCW is committed to protecting sensitive and confidential information and takes every opportunity, including this one, to educate the university community with regard to security awareness. The university consistently utilizes industry standard information protections, uses leading data management vendors, and has dramatically increased its information protection capacity since the discovery of these exposures. Nonetheless, the university is currently reviewing all aspects of its information security. As you may be aware, the university discontinued the use of social security numbers as student or employee identifiers in 2006. For more information, you may go to the university’s webpage set up to address this matter at http://www.uncw.edu/datasecurity. You may also e-mail us at firstname.lastname@example.org. (Please refrain from calling individual offices or contacts on campus, including ITS, the ITS help desk (TAC), etc., as this will slow down the university’s ability to complete this investigation. All callers will be referred to uncw.edu/datasecurity.)
The university apologizes for any inconvenience this incident might have caused, and is working to maintain protections for sensitive data.