August 27, 2012
Dear Members of the University Community:
The University is notifying about 1,000 current and former faculty members that certain personal information that appeared on a publicly shared College of Business Administration computer server was accessed and able to be viewed by unauthorized individuals. The University took immediate corrective action to shut down the server.
The University is not aware of any reports of criminal activity or identity theft related to the information that was exposed. The ongoing investigation indicates that certain personal identity information had been placed on a server that was not set-up or intended to be used for storing this type of sensitive information.
In addition to the faculty members, 22 former URI students are also being notified that their information was contained on the server. No personal information from current URI students was contained on the server. In addition, we are working with an out-of-state attorney general's office to assist with notifications to about 80 students from another school who were affected.
The server had been used by faculty in the business college to upload and share course information. The incident was isolated to one server in the college. Based on the investigation to date, no current students and no faculty hired after April 2007 are impacted.
The University takes the protection of personal information seriously. Our priority has been and continues to be to identify the exact nature and scope of this breach and communicate directly with those who are affected. Although no cases of fraud or identity theft have been reported to date, we are taking proactive steps to assist those whose personal information was exposed.
The University will provide 12 months of credit monitoring and identity protection services for those affected by the exposure of their personal data. The University has engaged Identity Theft 911, a company that specializes in identity theft education and resolution, to provide this service, which includes credit monitoring, alerts regarding any inquiries, and file updates or credit changes to the individual's credit bureau file.
We are contacting each individual who may have been impacted via letter with information about accessing the credit and identity protection services at the University's expense.
We take our responsibilities to protect personal information very seriously, and apologize for any difficulty this incident may have caused members of the University community.
Donald H. DeHayes
Provost and Vice President for Academic Affairs
On July 31, 2012 the University of Rhode Island was made aware that files located on a public server within the College of Business Administration contained personal information belonging to a limited number of individuals. These files were accessed outside of the University, exposing the personal records of approximately 1,000 current and former faculty members; 26 former URI students and 80 students from an out-of-state University.
The University took immediate action to shut down this server, and the information is no longer accessible.
The incident was isolated to the College of Business Administration only and the University has no related reports of identity theft.
The server was used by faculty in the business college to upload and share information related to their courses. The ongoing investigation has determined that a database containing the names, Social Security numbers, compensation, and other personal information was improperly uploaded to this server exposing the personal information of approximately 1,100 individuals which included current and former URI faculty members, former URI students and students from an out-of-state university.
The information on the students from the out-of state university was uploaded to the server by a URI faculty member who was a former faculty member of that institution. The out-of-state student file contained names, Social Security numbers and grades and was loaded in March 2007. The file remained there until the situation was discovered and the server was shut down on July 31, 2012.
For URI faculty or former faculty: The information that was exposed included name, date of birth, hire year, rank, Social Security number and some compensation information.
For URI students or former students: The information that was exposed included name and Social Security number only.
For the out-of-state university students, the information that was exposed included name, Social Security number and grades.
There are a variety of steps you can take: These include placing a fraud alert with the credit bureaus, reviewing your financial statements, and signing up for credit monitoring.
As for your medical identity, we suggest that you regularly review the explanation of benefits statements that you receive from your health insurer. If you see ANY service that you believe you did not receive, please contact your insurer at the number on the statement immediately. If you do not receive regular explanation of benefits statements, contact us, your other providers, or your insurance company and request a copy of such statements following the provision of services in your name or number.
The University is providing those affected with access to Triple Bureau Credit Report, Triple Bureau Credit Monitoring and Public Records Monitoring services at no charge*. These services provide alerts for 12 months from the date of enrollment when changes occur to Experian, Equifax or TransUnion credit files. This notification is sent the same day that the change or update takes place with any of the three bureaus. In the unlikely event of any suspicious activity, we are also providing full access to fraud resolution experts.
These services will be provided by Identity Theft 911, a nationally recognized company that specializes in identity theft education and resolution. Should those affected have any questions, a problem or in the unlikely event that they become a victim, a personal fraud specialist will work with them one-on-one, every step of the way. This resolution service will last for a full year. They will also receive the following:
* Triple Bureau Credit Report, Triple Bureau Credit Monitoring, and Public Records Monitoring services require an active e-mail address to receive alerts, and are delivered electronically via the internet.
We identified the issue on July 31, 2012 and immediately shut down the server to prevent any additional exposure. We then moved as quickly as we reasonably could. It took us some time to determine what information was exposed and who was affected. In addition, we needed to go through the information, identify who was impacted, and their relationship to URI, as well as attempt to locate current addresses for individuals who were former faculty, students and outside the University.
We then had to investigate the facts, create the communications, coordinate the logistics with our service provider, Identity Theft911, to arrange for the completion of a substantial mailing and prepare notices to various state/federal agencies.
We want to assure you we are taking appropriate steps to safeguard your information. We are making available -- free of charge -- one year of credit monitoring, ongoing educational materials, and resolution service should your information be misused.
If you would like to discuss this further with a representative from URI, please call 401-874-5190 from 8:30 a.m. to 4:30 p.m. Eastern Daylight Time, Monday through Friday.