The personal information of thousands of UA affiliates was accidentally made public from Feb. 2 to March 12 earlier this year according to Cathy Bates, a university information security officer.
The information, which included the names and social security numbers of 7,700 people who had received reimbursements from the university, was stored across 14 files on a university server. The files had become mixed up in a group of about 10,000, which contained other, non-sensitive financial information that pertained to the university, and were being transferred to a new financial system, Bates said.
While many of the people involved in the leak were small vendors, a number of them were also guest speakers, people involved with on-campus conferences and some students. Bates said that her department was able to determine that outside IP addresses did in fact access some of the information.
“Our university is an open book when it comes to our finances,” she added. “I think essentially everyone (in the department) assumed that, because the files contained financial information, there wasn’t anything in there that was sensitive.”
The leak was detected after a student searched for her name and social security number within the university’s system on March 10. After finding a file on the website that contained the information, the student reported it to University Information Technology Services administrators two days later. The system was immediately locked down and an investigation began, which involved a thorough search of all 10,000 files to determine which ones were sensitive, Bates said.
Emails following the investigation’s completion were sent to out to those affected in May and then in July notifying them of the incident. The university has also offered to pay for a year’s subscription of credit monitoring for anyone involved in the leak, which University Information Technology Services administrators are encouraging people to take advantage of, Bates said.
Despite the leak, Bates added that UA-affiliates should still feel confident that their information is in a safe place, but to also keep track of what information about them is publicly available, because mistakes do happen.
“There are times when something will happen that is out of your control, and it’s nothing that represents negligence on anyone’s part,” she said. “It’s just part of what it’s like to live in a digital world that we live in.”