Letter from the President

Dear University Community:

I have been notified by the Eastern Kentucky University Computing Emergency Response Team (ECERT) that a file with names and Social Security numbers, along with other directory type information, was inadvertently posted into a directory on September 29, 2008, where it could have conceivably been accessed on the web. As you will read below, we have no evidence the file was accessed. This file included 5,045 names of faculty, staff, and student workers who were on the EKU payroll during the 2007-08 academic year. If you were not an active member of the faculty and staff or a student worker during this period, you are not affected by this email.

No evidence of unauthorized use of personal information included in this file has been discovered. No active link to this document existed from any EKU website. The only way access to this file would have been possible was to enter the exact filename, which was lengthy and complex, or through a very precise Google search. Additionally, there is no evidence this file has been replicated.

I am notifying the campus today of this situation and will be sending letters to all individuals whose name appears in that file via campus mail and if available, to the last known address for students. I deeply regret that this situation has occurred and, like you, am concerned that so many names were on this file, including mine.

The file was discovered by our IT staff as a result of a Google search. Upon discovery, ECERT immediately removed the file from the University web space, and contacted Google to request the link be removed from their search engine. The file was not found using other web search engines.

Although there is no documented evidence that an unauthorized person has accessed personal information in this file and is using it, there are some steps that can be taken to protect against identity theft. First, a free initial fraud alert (and extended fraud alert after 90 days) can be placed with credit bureaus, a free temporary or permanent security freeze can be requested, and a credit report may be run to ensure accounts have not been fraudulently activated. Call one of the major credit bureaus at the phone numbers listed below:

Secondly, the following resources can be contacted for additional information about identity theft:

Even though we believe that this incident puts our employees at low risk of identity theft and there is no evidence, at this point, to indicate the subject file has been accessed, we nonetheless believed it was our obligation to notify faculty, staff and students of this incident.

To best assist those among you who are affected, the University has established a hotline and email address. You can call 622-7777 or email ecert@eku.edu and either Wally Skiba, Associate Director of Human Resources (Benefits & Compensation) or Esther Renfro, Human Resources Customer Service, will be glad to assist you with any questions or concerns you might have. We have also developed a University webpage at ecert.eku.edu which will provide additional information and assistance to you.

If there is evidence of identity theft, the University will provide additional support to any affected persons.

The University is committed to maintaining the privacy of its employees, taking many precautions for the security of personal information and continually modifying its systems and practices to enhance the security of sensitive information.

You will be apprised of any further information that comes into our possession.

Doug Whitlock
President

Open