UNC Charlotte Posts Personal Data on 350000 People

System misconfiguration and incorrect access settings are to blame for exposed data discovered by staff at the University of North Carolina at Charlotte. In two separate incidents, financial account numbers and about 350,000 Social Security numbers were posted inadvertently to the Internet, where it was publicly available. One of the exposures affected general university systems over a period of three months. The other pertained specifically to the university's College of Engineering systems over a period longer than a decade.

Both involved data for students, staff, and faculty and included names, addresses, Social Security numbers, and in some cases financial account data pertaining to university transactions. The university said in a statement that it has no reason to believe that any information from either event was inappropriately accessed or that information was used for identity theft or any other crime.

The breach was first announced February 15, 2012. Subsequently, the institution called in state and federal regulatory and law enforcement agencies to direct next-steps and launched a forensics investigation to understand the extent of the potential damage and the causes. Since then the exposures have been remediated.

In the briefer incident, the university reported in an online FAQ, data stored on a university drive was exposed to the Internet during a system upgrade "because of misconfiguration and incorrect access settings." That exposure lasted from November 9, 2011 to January 31, 2012. When the misconfiguration came to light, the university corrected it and put in place additional safeguards and data controls.

In the longer incident, the university said, files containing sensitive data were stored in a manner that left them open to the Internet. "Unauthorized users could have accessed the files in question during the period of 1997 to February 2012." Again, when the exposure was discovered, U North Carolina Charlotte corrected the problem and put additional safeguards and controls in place.

The university said it continues to monitor the situation carefully and has increased its internal review procedures--which are considerable--to watch for any unusual activity. It's also scrambling to alert those whose personal information was part of the public exposure. The advice it's offering to those affected: Place a free fraud alert on credit files with the three major credit reporting agencies.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured