September 2009 Data Exposure Incident FAQ

What happened?

A file containing the names and Social Security numbers, along with other directory-type information, was inadvertently placed in a directory that could conceivably have been accessed on the web.

How was it discovered?

The file was discovered by our EKU IT staff as a result of a Google search.

When did it happen?

The file was posted on September 29, 2008. The data exposure was discovered on Friday, September 18, 2009.

Who did it?

If "it" refers to the department that posted the file: because this issue is a personnel matter, the University does not normally release this type of information.

If I didn't receive a letter, does this mean that my personal data was not in this file?

Yes. If you do not receive a notification letter, your name was not in this file.

Whose names were in this file?

Only names of faculty, staff, and student workers who were on the EKU payroll during the 2007-08 academic year (with the last date of hire being October 15, 2008) were included in the file. This file included 5,045 names.

Has the data been misused?

To date, we have no knowledge that the personal identity information contained in the file has been misused or exploited. We will update this website promptly if we learn otherwise.

Why was this information on a university webpage?

A member of the EKU staff who is responsible for collecting data inadvertently posted a file containing this information into a directory. EKU's information security policies and guidelines do not allow unencrypted confidential personal data to be stored on any computer device that is not in a physically secured location. This employee's actions, although unintentional, violated our policy and practices.

How can you be sure a similar incident won't happen again?

Clearly, this incident violated our information security policies and guidelines, and it demonstrates that we must have heightened vigilance in this area. EKU is undertaking an institution-wide data inventory initiative and conducting a full review to further improve our policies and practices regarding the security of our confidential data.

Is there an investigation into this incident?

At this point, the investigation into this incident is complete.

What else is the University doing?

  • We have designed and launched an EKU webpage, ecert.eku.edu, with general information about identity theft as well as specific information regarding this incident.
  • We have a designated phone line to handle inquiries - 859-622-7777
  • We have a designated email address to handle inquiries - ecert@eku.edu
  • We have designated Wally Skiba, Associate Director of HR, and Esther Renfro, Human Resources Customer Service, as points of contact.
  • We can also provide additional support if you have difficulty in filing your request for fraud alert, security freeze, or seeking a credit report.

Most importantly, EKU is committed to collaborating with our affected community members to safeguard against identity fraud that may result from this crime. We will work closely with you in the coming months to determine if any misuse of the data occurs. If we discover a pattern of fraud, we will provide further notification to everyone affected.

Why did it take so long to notify people?

The file in question was taken off our web server immediately, as soon as it was found on Friday, September 18. This made the file inaccessible. However, pointers to this file still existed in the Google search engine and specific searches could return small snippets of the file. Notification was made immediately after verifying Google had removed all pointers to this file. A campus-wide announcement prior to then would have increased the possibility for exposure.

What if the media contacts me for a comment?

We would request that you direct all media inquiries to Marc Whitt, Associate Vice President for Public Relations & Chief Communications Officer at 859-622-2301.
