Question and Answer

What happened?

Personal data was placed on an academic web server and due to the nature of the server being web-based, the files were not fully protected. This resulted in the possibility that some students’ and faculty member’s personal data may have been accessible. Upon discovery of the files, the personally identifiable information was immediately removed and the server is no longer on the web.

Who did this?

The web server was primarily used for academic purposes. Typically a course instructor would post the course syllabi and other relevant academic information. Due to having a log in and password, a very small number of employees thought the web server was a secure environment to upload files. Although these could not be readily seen, they were mistakenly put in a vulnerable location. The server is designed to serve as a secondary web location for academic communication and is not a secure file server.

Will the instructors be disciplined?

We are currently investigating the matter and working with each employee involved to address the issue. Our focus now is to let those affected know about the problem and help them resolve this issue.

What kind of information became vulnerable?

Some student and faculty member names and social security numbers were posted on a Vol State web server. The bulk of information had not been accessed since 2008 other than by authorized college personnel. No credit card or financial information was on the server.

Is my information at risk?

Odds are no, but the college has notified every person on the vulnerable lists to err on the side of caution. The information was posted on a web server utilized by faculty and students – not the main www.volstate.edu server.

How will I know if I’m affected?

The college has contacted everyone for whom it can verify personal information was made vulnerable. However, those who receive a letter about the incident should consider protecting themselves as outlined on the Federal Trade Commission web site at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm#CRContact. All affected students may receive one-year of credit protection from Volunteer State Community College upon request.

How did Vol State respond to the problem?

Officials immediately blocked access to the server and removed all files containing the personally identifiable information. This server is no longer available on the web. The college mailed letters to those affected, notifying them of the problem and outlining steps to help prevent possible fraud. The college also contacted the major credit reporting agencies to inform them that some personal information may have been accessible.

What is the college doing to help protect the students?

All affected students and faculty members may receive one-year of credit protection from Volunteer State Community College upon request. In addition, all affected individuals have been advised about how they could protect themselves. Information about contacting credit reporting agencies and creating fraud alert systems was mailed to them and made available on the college’s web site, where a link to the Federal Trade Commission site includes detailed instructions on what to do to avoid identity theft and fraud.

http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm#CRContact

Have the appropriate people or agencies been notified by the college?

Yes, the college notified major credit agencies to inform them that some students’ personal information may have been accessible.

What is being done to make sure it doesn’t happen again?

We’ll make every effort to ensure it doesn’t happen again. All files of concern have been removed from the server and the server has been removed from the web.

What can I do if I’m concerned about protecting my personal information?

The Federal Trade Commission recommends that you call the toll-free fraud number of any of the three nation-wide consumer reporting companies and place an initial fraud alert on your credit reports. An alert can help stop someone from opening new credit account in your name.

  • Equifax
    1-800-525-6285
    www.equifax.com
    P.O. Box 740241, Atlanta, GA 30374-0241
  • Experian
    1-888-EXPERIAN (397-3742)
    www.experian.com
    P.O. Box 9532, Allen, TX 75013
  • TransUnion
    1-800-680-7289
    www.transunion.com
    Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, GA 92834-6790

You are entitled to order free copies of your credit reports, and, if you ask, only the last four digits of your SSN will appear on your credit reports. Once you get your credit reports, review them carefully. Look for inquiries from companies you haven’t contacted, accounts you didn’t open, and debts on your accounts that you can’t explain. Check that information, like your SSN, address(es), name or initials, and employers are correct. If you find fraudulent or inaccurate information, get it removed. For more details about protecting your identity, visit the Federal Trade Commission website at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm#CRContact