August 9, 2005 — A University of Utah department computer has been compromised by an unknown outside source, ultimately leading to unauthorized access of the server, according to the University of Utah Office of Information Technology. The server contained library archival databases including a file with approximately 100,000 names and social security numbers of former University employees. The database included information used as an index for archives for paper employee files from 1970 to 2003.
“Our office was notified on Monday that the names and social security numbers of former employees were housed on the compromised server,” said Stephen H. Hess, associate vice president for information technology. “An investigation immediately followed and all compromised systems were pulled offline. We are currently auditing all machines, business practices and security procedures involved in this incident to make certain this does not happen again.” Hess added, “We have no evidence that any names or social security numbers were taken, but we want to get word out to our former employees as a precaution.”
In an effort to insure that identities are protected, former employees who worked at the U between the years 1970 and 2003 should check the U’s Web site, www.IDalert.utah.edu, which explains the steps they should take to protect themselves. If anyone has more specific questions after checking the Web site, they can send an e-mail to IDalert@utah.edu or call 801-581-4000.
The University also wants to issue a warning that in similar cases at other institutions people have reportedly been contacted by individuals claiming to represent the University and who then proceed to ask for personal information, including social security numbers and/or credit card information. The University of Utah will only contact people with information regarding steps they should take to prevent possible fraud or identity theft; or if someone asks us, by e-mail or telephone, for information. The U will not ask for a full Social Security number, and will not ask for credit card or bank information. The U recommends that people do not release personal information in response to any contacts of this nature that they have not initiated.
Hess notes that, “The U has been proactively engaged in improving the University’s IT security and we feel confident our central servers are adequately protected. We regret that this particular department breach occurred and are doing everything possible to eliminate the risks and prevent a similar incident from happening. Again, we have no reason to believe that any names or social security numbers were taken to be used for identity theft, but want to be very cautious.”