OREGON STATE UNIVERSITY

OSU notifying individuals of data security breach

07/24/2012

CORVALLIS, Ore. – Oregon State University is notifying approximately 21,000 current and former students and employees that some of their personal information was copied without permission by a contracted vendor who was upgrading software in the cashier’s office.

OSU officials say they don’t believe the information, which includes some Social Security numbers, was taken with malicious intent, but say the university is notifying students and employees, who may wish to monitor their credit reports.

The unauthorized copying of data occurred on three different occasions when software was being updated, and involves records from 1996 through 2009. Records after 2004, however, did not include Social Security numbers, according to Jon Dolan, chief information security officer for the university.

“Beginning in November of 2004, we changed to a system of generated identification numbers at OSU and we have since greatly limited use of Social Security numbers,” Dolan said. “Those numbers were the primary source of ID used at the university for a very long time.”

The university is notifying the students and employees of the data security breach to comply with both the letter and spirit of the Oregon Consumer Identity Theft Protection Act.  Individuals whose records are involved are receiving a letter outlining the data breach and providing options for protecting their data against exploitation.

OSU has opened a hotline for individuals who may have additional questions or concerns at 541-737-1007 as well as an e-mail address for written correspondence: incidentresponse@oregonstate.edu. There also is a web-based question-and-answer page to help address additional concerns individuals may have: http://oregonstate.edu/incidentresponse.

Aaron Howell, OSU’s director of Business Affairs, said the office restricts access to authorized personnel only and is updating its data security protocols to obtain agreement from vendors that they understand, and will comply, with the restrictions around OSU data.

“While we believe the risk to the individuals we are contacting is low, we want to take the conservative approach and ensure that information is provided to people to let them make their own decisions on how best to protect themselves,” Howell said.