Skip to main content
Scenes from the University of Rhode Island

August 27, 2012

Dear Members of the University Community:

The University is notifying about 1,000 current and former faculty members that certain personal information that appeared on a publicly shared College of Business Administration computer server was accessed and able to be viewed by unauthorized individuals. The University took immediate corrective action to shut down the server.

The University is not aware of any reports of criminal activity or identity theft related to the information that was exposed. The ongoing investigation indicates that certain personal identity information had been placed on a server that was not set-up or intended to be used for storing this type of sensitive information.

In addition to the faculty members, 22 former URI students are also being notified that their information was contained on the server. No personal information from current URI students was contained on the server. In addition, we are working with an out-of-state attorney general's office to assist with notifications to about 80 students from another school who were affected.

The server had been used by faculty in the business college to upload and share course information. The incident was isolated to one server in the college. Based on the investigation to date, no current students and no faculty hired after April 2007 are impacted.

The University takes the protection of personal information seriously. Our priority has been and continues to be to identify the exact nature and scope of this breach and communicate directly with those who are affected. Although no cases of fraud or identity theft have been reported to date, we are taking proactive steps to assist those whose personal information was exposed.

The University will provide 12 months of credit monitoring and identity protection services for those affected by the exposure of their personal data. The University has engaged Identity Theft 911, a company that specializes in identity theft education and resolution, to provide this service, which includes credit monitoring, alerts regarding any inquiries, and file updates or credit changes to the individual's credit bureau file.

We are contacting each individual who may have been impacted via letter with information about accessing the credit and identity protection services at the University's expense.

We take our responsibilities to protect personal information very seriously, and apologize for any difficulty this incident may have caused members of the University community.

Sincerely,

Donald H. DeHayes
Provost and Vice President for Academic Affairs


Frequently Asked Questions

1. What happened?

  • On July 31, 2012 the University of Rhode Island was made aware that files located on a public server within the College of Business Administration contained personal information belonging to a limited number of individuals. These files were accessed outside of the University, exposing the personal records of approximately 1,000 current and former faculty members; 26 former URI students and 80 students from an out-of-state University.

    The University took immediate action to shut down this server, and the information is no longer accessible.

    The incident was isolated to the College of Business Administration only and the University has no related reports of identity theft.

    The server was used by faculty in the business college to upload and share information related to their courses. The ongoing investigation has determined that a database containing the names, Social Security numbers, compensation, and other personal information was improperly uploaded to this server exposing the personal information of approximately 1,100 individuals which included current and former URI faculty members, former URI students and students from an out-of-state university.

    The information on the students from the out-of state university was uploaded to the server by a URI faculty member who was a former faculty member of that institution. The out-of-state student file contained names, Social Security numbers and grades and was loaded in March 2007. The file remained there until the situation was discovered and the server was shut down on July 31, 2012.

2. When did URI find out about this data exposure?

  • We became aware of the situation on July 31, 2012 and immediately shut down the server and began our investigation.

3. What kind of data was compromised?

  • For URI faculty or former faculty: The information that was exposed included name, date of birth, hire year, rank, Social Security number and some compensation information.

    For URI students or former students: The information that was exposed included name and Social Security number only.

    For the out-of-state university students, the information that was exposed included name, Social Security number and grades.

4. Do criminals have access to the exposed data?

  • The information was exposed on an open server and we are unable to determine with certainty who may have accessed and looked at it. The information was out there for a period of time and to date, we are not aware of any criminal misuse of the information but will continue to monitor the situation. We have alerted law enforcement and will work with them if we become aware of any criminal activity related to this situation and data. By providing the credit monitoring and identity theft services of Identity Theft 911, we have taken the precaution of assisting the individuals whose data was exposed to protect and respond appropriately.

5. How many people were affected by the data exposure?

  • We have identified and are in the process of notifying approximately 1,100 individuals. Each impacted person will received a letter from URI. Unless he/she has received a letter, he/she is not affected by this incident.

6. Was the data encrypted?

  • No. The information was stored on an open public server in an unencrypted format and thus is not protected.

Moving Forward

7. Has the missing data been misused?

  • Not to our knowledge. No instances of misuse have been reported to date, and we are continuing to investigate and monitor the situation.

8. Is there a police investigation?

  • While we have notified the Rhode Island State Police as a precautionary measure, as known to date, we have no indication or evidence that there has been any type of criminal activity or criminal violations associated with this event. If this changes, we will update law enforcement and request their assistance. If by chance you are a victim of fraud that appears related to this situation, please let us know. We would also encourage you to file a report with your local police department.

9. What are you doing to make sure this never happens again?

  • We are reviewing all of our current security protocols and will be adding additional security measures as needed to prevent this from happening again. We are also educating our faculty and staff to ensure they do not use open servers to store sensitive data containing personal identity information or other non-public information. Education and training of the campus community about issues pertinent to secure systems and confidential data is ongoing and critical to minimizing the potential for security breaches.

Identity Theft Concerns

10. I am concerned about identify theft - what can I do?

  • There are a variety of steps you can take: These include placing a fraud alert with the credit bureaus, reviewing your financial statements, and signing up for credit monitoring.

    As for your medical identity, we suggest that you regularly review the explanation of benefits statements that you receive from your health insurer. If you see ANY service that you believe you did not receive, please contact your insurer at the number on the statement immediately. If you do not receive regular explanation of benefits statements, contact us, your other providers, or your insurance company and request a copy of such statements following the provision of services in your name or number.

11. What are you doing to assist those impacted?

  • We are committed to helping those affected by this incident.

    The University is providing those affected with access to Triple Bureau Credit Report, Triple Bureau Credit Monitoring and Public Records Monitoring services at no charge*. These services provide alerts for 12 months from the date of enrollment when changes occur to Experian, Equifax or TransUnion credit files. This notification is sent the same day that the change or update takes place with any of the three bureaus. In the unlikely event of any suspicious activity, we are also providing full access to fraud resolution experts.

    These services will be provided by Identity Theft 911, a nationally recognized company that specializes in identity theft education and resolution. Should those affected have any questions, a problem or in the unlikely event that they become a victim, a personal fraud specialist will work with them one-on-one, every step of the way. This resolution service will last for a full year. They will also receive the following:

  • Unlimited access to a dedicated, personal fraud specialist via toll-free number
  • Help with answering any questions and providing guidance with the situation
  • Assistance with taking immediate protective measures to assist in limiting potential damage to their identity
  • Notification to credit bureaus, creditors and collectors, government agencies, and relevant parties if necessary
  • Comprehensive case file creation to assist law enforcement if necessary
  • All phone calls and documentation needed to resolve any identity theft should someone become a victim
  • * Triple Bureau Credit Report, Triple Bureau Credit Monitoring, and Public Records Monitoring services require an active e-mail address to receive alerts, and are delivered electronically via the internet.

12. What will happen if I find out my identity has been stolen?

  • In the unlikely event that your information is misused, a personal advocate will work with you from the first call you make to report the problem until the crisis is resolved. Identity Theft 911 will notify the appropriate agencies, businesses, institutions, and create a comprehensive case file. In addition, they will follow through on every aspect of the case until your identity has been restored.

13. Why did the University wait so long to notify those who might be affected?

  • We identified the issue on July 31, 2012 and immediately shut down the server to prevent any additional exposure. We then moved as quickly as we reasonably could. It took us some time to determine what information was exposed and who was affected. In addition, we needed to go through the information, identify who was impacted, and their relationship to URI, as well as attempt to locate current addresses for individuals who were former faculty, students and outside the University.

    We then had to investigate the facts, create the communications, coordinate the logistics with our service provider, Identity Theft911, to arrange for the completion of a substantial mailing and prepare notices to various state/federal agencies.

14. This situation has greatly upset me. Whom do I call?

  • We want to assure you we are taking appropriate steps to safeguard your information. We are making available -- free of charge -- one year of credit monitoring, ongoing educational materials, and resolution service should your information be misused.

    If you would like to discuss this further with a representative from URI, please call 401-874-5190 from 8:30 a.m. to 4:30 p.m. Eastern Daylight Time, Monday through Friday.

Home

More Information

Did you receive a notification letter? If so, you will have been issued a unique code to use at Identity Services at Identity Theft 911, to obtain identity protection and credit monitoring services at no charge.

Enter your code
Identity Theft 911 logo: Protecting identities. Enhancing reputations.
877.432.7463

Note: If you do not receive a letter regarding this incident, you are not affected.