OREGON STATE UNIVERSITY

Data breach questions, answers for current, former OSU employees

07/13/2010

The following are questions and answers related to the data security breach at Oregon State University that was the subject of a Tuesday, July 13, letter to current and former OSU employees. If the information below doesn't address your needs, you may also direct specific questions to 541-737-1007 or incident.response@oregonstate.edu.


Q.  I received a letter, supposedly from OSU, about a security incident involving my personal information.  Is this real?

A.  Yes.  As the letter explains, OSU had a security incident involving personal information for many current and former employees.  If you received some other letter or anything asking you to provide personal information, that is not from OSU.

 

Q. Why is my personal information at risk?

A. Records containing some personal information of employees working for OSU between 1999 and 2005 were stored on an employee's personal work computer that recently became infected by a virus. Though the virus caused functionality problems with the machine, an examination of the computer found no evidence that any of the employee data was extracted from the machine, and computer experts say it is “highly unlikely” that any personal information was obtained by any unauthorized user. We can’t say with absolute certainty, however, that your information is safe, and so we’re encouraging affected individuals to consider taking appropriate precautions, just in case.

 

Q. Why is OSU keeping employee records for so long?

A. Oregon law requires OSU and other public institutions to maintain employee records for 75 years. The records in question fall within that time frame.

 

Q.  My letter said that OSU was notified of this breach June 28th, yet I didn’t receive the letter until  July 14th.  Why did it take so long to notify me?

A.  We asked the computer experts to take extra time to thoroughly examine the infected machine looking for any indication that data was removed.

 

Q. Were addresses and phone numbers in the employee data files?

A. No.

 

Q. How do I know if my information was in the employee data files?

A. Letters were mailed to affected employees on July 13. If you receive a letter, your information was in the data files in question, though once again, it is highly unlikely that it has been accessed by a third party. If you do not receive a letter, your information was not involved.

 

Q.  Does OSU have policies in place to try and prevent this sort of data loss?

A. OSU’s Information Security Policies can be found here:  http://oregonstate.edu/fa/manuals/is.

 

Q. How do I put a “credit freeze” in place?

A. You will need to contact the three national credit reporting agencies (TransUnion, Equifax and Experian) in writing to place the freeze. Keep in mind that when you place the freeze, you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. The cost of placing the freeze is no more than $10 for each credit reporting agency for a total of $30. However, if you are a victim of identity theft and have filed a report with your local law enforcement agency or submitted an ID Complaint Form with the Federal Trade Commission, there is no charge to place the freeze. For detailed procedures, go to the Oregon Department of Consumer and Business Services at www.dfcs.oregon.gov/id_theft.html and click on Security Freeze.

 

Q. Will OSU pay for the credit freeze?

A. Not at this time. We’re sufficiently convinced that the threat to anyone’s information is so remote that we are not paying for the level of protection, but are providing information for individuals who may want to purchase that coverage, out of an abundance of caution.