Thursday, November 03, 2005

Incident: Privacy breach at University of Tennessee

Yet another privacy incident, this time from University of Tennessee:

University notifies staff, students of security breach:

"Approximately 1,900 students have been contacted by the University of Tennessee regarding a Web site that accidentally posted their social security numbers online from April 2004 to early October of this year, and all others affected will be notified by early next week.

“There is absolutely no evidence that anything malicious happened to the social security numbers,” said Brice Bible, assistant vice president and acting chief information officer for OIT. “However, we felt it was the right thing to do to inform students that something could happen, and they should feel completely confident that the university is protecting them.”

A mistaken configuration of archives of the main system allowed the records to be seen publicly rather than kept private, but Bible said that the university as well as OIT has done everything possible to ensure the privacy and safety of the students.

“Students need to be assured that the university — from the chancellor to every member of the staff — takes the protection of students very, very seriously,” he said.

The majority of the identification numbers belonged to students, however, a small amount included university employees, and according to a statement, UT is currently taking steps to perfect Web security and access to student information.

Karen Collins, director of media relations, also emphasized the security measures taken by the university to protect students and their personal information.

“UT has gone above and beyond to make sure all records are kept private, and managed in that matter. Very aggressive steps have been taken to monitor any hacking, as well as to ensure that the Web site was taken down immediately,” Collins said. “We have worked very hard to quickly notify anyone who’s data was misused.”

Collins added that the social security numbers were not posted on a main or department Web page, but on an archive page of one of 800 list-servers.

Bible also would like students to know that many actions have been taken to ensure that a similar incident does not reoccur, and no other identifying information of each student was released.

Any other information concerning issues such as credit fraud, identify theft and credit is available at"

No comments: