Frequently Asked Questions
Below are a number of questions relating to the exposure of personal information and how The Ohio State University is responding to notify and assist you in dealing with this incident.
What is the nature of the data breach?
When was the breach discovered?
What is the university doing in response?
If the breach was discovered on April 2, why did it take two weeks to mail a letter that my information had been stolen?
Why did you notify victims via US Mail rather than email?
I didn’t receive a letter. How can I be sure my data weren’t affected?
What data were exposed?
How long was the information exposed?
How many people were affected?
How was the problem fixed?
Isn’t all information you collect about employees supposed to be secure?
Are there other steps the university is taking?
Can I have my information removed from your computers?
What happened to the person who did this?
I received a notification letter, and need to enroll. What do I do?
I did not receive a notification letter. Is there anything I can do to protect my credit?
How did the data breach occur?
Why did the OSURF have names, dates of birth, and Social Security numbers for faculty and staff who had no affiliation with that office?
Why does OSURF continue to receive my data if all employees are paid by the PeopleSoft HR system?
Does OSURF need everyone’s records and all of this information?
What is the University doing to protect my personal data?
Is the University going to seek an outside opinion in reviewing its data security practices?
Are there plans to extend the credit fraud protection program past one year?
How can I protect my credit once the year’s protection program has expired?
Could the hackers access the ePayroll system (paperless pay), and redirect funds? NEW
What can I do if I do become a victim of identity theft? NEW
Why was I originally told I was not on the list, but then received the notification letter? NEW
Was any information about dependents stolen during the breach? NEW
What is the nature of the data breach?
During the weekend of March 31/April 1 there was a criminal intrusion into a university database of current and former employees and some personal data—name, Social Security number, employee ID, and date of birth—have been compromised and could be misused.
When was the breach discovered?
Staff at the Office of Research, where the attack occurred, discovered the intrusion on April 2 during a routine security review of daily activity logs and immediately took steps to block any further access. A university information technology response team was convened immediately to investigate the breach, identify affected individuals and their contact information, and take necessary steps to provide notification and assistance. The university has informed appropriate state and federal law enforcement authorities and has engaged outside experts to identify additional possible security measures.
What is the university doing in response?
We have arranged for the affected faculty and staff to receive 12 months of credit protection to protect them against harm from misuse of their personal data. Under the Equifax Gold credit watch and protection program, they will receive monitoring of the consumer credit file and email alerts to key changes within 24 hours, unlimited Equifax credit reports, and certain identity fraud expense coverage. We have sent them letters via US Mail outlining the steps they need to take.
If the breach was discovered on April 2, why did it take two weeks to mail a letter that my information had been stolen?
Immediately after discovering the breach, the university began the necessary steps to notify people whose records were affected and offer them credit protection. Every data breach offers a different set of circumstances that must be investigated. Identifying the names of the people affected and the specific data stolen may take time. Then the names must be matched with addresses for notification. In addition, procuring the services of a credit watch and protection program, and providing a bank of hotline operators with pertinent information were among the tasks that had to be completed before the university was prepared to make an announcement. Two weeks is not an unusual length of time to respond to a situation such as this. A similar breach at UCLA was reported to affected individuals by U.S. Mail three weeks after it occurred. Ohio law requires notification within 45 days.
Why did you notify victims via US Mail rather than email?
There are several reasons for this decision. The primary one is that US Mail is still the most secure and reliable mail delivery service. A second reason is that many people have been instructed to disregard email messages regarding personal financial matters, such as information that might come from a bank or credit card company. Because of this, the university was concerned that an email notification might be viewed as spam and disregarded. Finally, we had accurate US Mail addresses within the Human Resources database, and knew they could be easily accessed.
I didn’t receive a letter. How can I be sure my data weren’t affected?
You can call 1-866-515-9332 or 1-614-460-7483.
What data were exposed?
Names, Social Security Numbers, birthdates, and employee ID numbers were exposed.
How long was the information exposed?
We estimate only a day or two, but as soon as we discovered an abnormal entry, we took steps to protect the information and block access to the information on our servers.
How many people were affected?
14,094.
How was the problem fixed?
We immediately removed the information and placed it on a different server that has no connection with the Internet.
Isn’t all information you collect about employees supposed to be secure?
The university has worked hard to put into place measures to protect sensitive data, which makes this latest incident unusual.
Are there other steps the university is taking?
Yes, we are engaging a company called Cyber Trust to help us assess our security status and identify possible further security measures.
Can I have my information removed from your computers?
In order to comply with state and federal statutes, we are required to maintain the information for set periods of time. This information is needed and must be pulled up on demand when audited by government agencies.
What happened to the person who did this?
We are unable to determine who did this. All information we have about this has been turned over to the appropriate law enforcement authorities.
I received a notification letter, and need to enroll. What do I do?
Equifax has a simple Internet-based verification and enrollment process.
Visit: http://www.myservices.equifax.com/gold
Step 1 – Registration: complete the form with your contact information (name, address, telephone #, Social Security Number, date of birth, e-mail address). The information is provided in a secured environment.
Step 2 – Verify Your Identity: Equifax will verify your identity by asking you up to two security questions.
Step 3 – Order Summary: during the "check out" process, enter the following promotional code: <XXXXX> in the “Enter Promotion Code” box. (It is case sensitive, with no spaces; include the dash.) After entering your code, press the “Apply Code” button and then the “Submit” button at the bottom of the page. (This code eliminates the need to provide a credit card number for payment.)
Step 4 – Go to the Member Center: under “Product List” select Credit Watch to access the product features, set preferences, and locate customer care contact info.
I did not receive a notification letter. Is there anything I can do to protect my credit?
Yes, it is a good practice to contact one of the three national credit bureaus to obtain a free credit report. Federal law entitles consumers to one free credit report from each credit bureau once a year. By staggering the times at which free credit reports are ordered, consumers can monitor their own credit without incurring financial costs. The three national credit bureaus are:
Equifax
(888) 766-0008
Consumer Fraud Division
P.O. Box 740256
Atlanta, GA 30374
http://www.equifax.com
Experian
(888) 397-3742
Credit Fraud Center
P.O. Box 1017
Allen, TX 75013
http://www.experian.com/fraud
TransUnion
(800) 680-7289
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834
http://www.tuc.com
How did the data breach occur?
Criminal hackers who had a sophisticated understanding of computing systems exploited a vulnerability that allowed them access to sensitive data housed at the Ohio State Research Foundation, a unit within the Office of Research. This provided a route for the hackers to breach a database file containing sensitive information. The attack on the server was identified by OSURF staff while performing their daily review of activity logs. The staff responded immediately by moving the sensitive data to a site not accessible via any other server. University computer security personnel were immediately notified, as were appropriate off-campus law enforcement authorities.
Why did the OSURF have names, dates of birth, and Social Security numbers for faculty and staff who had no affiliation with that office?
Until installation of the PeopleSoft system in 1997, OSURF directly administered payrolls for all research projects. For five years following the installation, OSURF maintained HR/payroll data for account monitoring and reporting purposes. And, in order to adhere to federal reporting regulations, they continued to receive the HR data even after a PeopleSoft grants management system was installed. (By law, payroll expenditures must be verified against time and effort reports of charges to ongoing research projects – see below.) With the University’s research activities well in excess of a half billion dollars each year, this means that participants from every college as well as many affiliated units such as the hospitals are included.
Why does OSURF continue to receive my data if all employees are paid by the PeopleSoft HR system?
With the installation of the PeopleSoft system, OSURF no longer needed to perform payroll tasks. However, they are still required to complete federally mandated time and effort accounting reports on the numerous faculty, graduate and undergraduate students, post docs, administrative staff and others paid from federal grants. These are among the most heavily audited reports the University prepares. Since there is no way to identify in advance who will be performing research, the entire OSU employee file has to be provided to OSURF. This data feed from the PeopleSoft human resources system allows OSURF to create the required reports in a timely and efficient manner. With over $650 million in research expenditures in 2006, research represents one of the University’s largest budget sectors. Consequently, OSURF continues to have a valid business reason for this employee data.
Does OSURF need everyone’s records and all of this information?
Research funding at Ohio State is very broad-based, reaching into most departments and numerous job classifications. Indeed, grant proposals can come from any department and can even involve retired faculty and staff. As such, the established business process was for OSURF to house and reference all employee files. However, it is now possible to effectively limit the file with the newest version of the PeopleSoft recently installed on the HR system, and this process is being examined to determine if the file can be reduced.
What is the University doing to protect my personal data?
There are many steps underway to protect the data the University maintains on employees. The Enterprise Data Steering Committee and the Social Security Remediation Committee both have been working to reduce the use of sensitive personal information across campus. This has been and remains one of the University’s highest technology priorities. Updates on their efforts and ongoing projects can be found at the Buckeye Secure site: http://cio.osu.edu/buckeyesecure/
This site also includes a memo from the Provost to faculty, staff, and graduate teaching associates emphasizing Ohio State’s collective and individual commitment to protecting sensitive personal information. In her memo, the Provost reminds us that the University and each of us play a critical role in safeguarding personal information and data under our control.
Is the University going to seek an outside opinion in reviewing its data security practices?
Yes, the information technology consultant Cybertrust has already been hired to provide a critical review of our data security. Cybertrust experts are assessing the exact nature of the attack on OSURF’s system and will review the University processes and policies for dealing with a data breach.
Are there plans to extend the credit fraud protection program past one year?
The University wishes to assist affected individuals with signing up for credit monitoring and protection. This approach is consistent with that employed by other organizations when faced with similar breaches, including the Veterans Administration and, most recently, the U.S. Department of Agriculture. Indeed, by providing the credit fraud protection service for one year, the University has done more than is required by law. In responding to similar data breaches at UCLA and Ohio University, those institutions notified their affected faculty, staff, students, and alumni about the breach and directed them to free online resources with no sponsored support. As to extending the program beyond one year, no decision has been made as to any additional action the university may take. This will be re-evaluated as the year progresses.
How can I protect my credit once the year’s protection program has expired?
Federal law entitles consumers to one free credit report from each credit bureau once a year, and it is a good practice to contact one of the three national credit bureaus to obtain this free report. And, by staggering the times at which free credit reports are ordered, consumers can monitor their own credit without incurring financial costs. Additionally, the Federal Trade Commission has created a web site with valuable information for dealing with identity thefts: http://www.ftc.gov/bcp/conline/pubs/credit/idcrisis.shtm
Could the hackers access the ePayroll system (paperless pay), and redirect funds?
Access to ePayroll requires both an Employee ID and a PIN. While Employee ID numbers were among the information stolen, PINs were not. So, your ePayroll account could not be accessed with only the stolen information.
The best way to protect your ePayroll account is to create the longest PIN possible, up to 16 characters. This makes it extremely difficult for hackers to guess the PIN correctly. The ePayroll account automatically provides a default PIN, which you should change immediately to protect yourself. The ePayroll system also has two safeguard mechanisms that provide additional security.
First, you are given only three attempts to enter the correct PIN before the system locks you out. You’re then required to contact Human Resources customer service to regain access. Second, an email is automatically sent to your OSU Internet account (name.n) anytime you make a change within ePayroll. So, you would know right away if someone had tampered with your ePayroll account.
Contact customer service if you have additional questions about your ePayroll account or you have never accessed it: 1-800-996-7566. The hours of operation are Monday through Friday from 8:00 a.m. to 9:00 p.m. Note: Ohio State’s company code is 10380.
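The two ePayroll safeguards described above (three PIN attempts before lockout, and an automatic email on every account change) can be modelled in a few lines. The following is an added illustration, not Ohio State's or the ePayroll vendor's code: the account records, email addresses, the eight-character minimum PIN length and the use of a list in place of a mail server are all constructed assumptions; only the three-attempt limit and the 16-character maximum come from the FAQ.

```python
"""Model of the ePayroll safeguards described in the FAQ.

Constructed example for illustration: the accounts, addresses and the
minimum PIN length are assumptions, not values from the university's system.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

MAX_ATTEMPTS = 3      # FAQ: three attempts to enter the correct PIN before lockout
MAX_PIN_LENGTH = 16   # FAQ: a PIN may be up to 16 characters
MIN_PIN_LENGTH = 8    # assumption: the FAQ gives no minimum, this is a sensible floor


@dataclass
class Account:
    employee_id: str
    pin: str              # stored in the clear here for brevity; hash it in real systems
    email: str            # the account holder's OSU mail address (constructed below)
    failed_attempts: int = 0
    locked: bool = False


def pin_is_acceptable(pin: str) -> bool:
    """Length policy only: the FAQ's advice is 'the longest PIN possible'."""
    return MIN_PIN_LENGTH <= len(pin) <= MAX_PIN_LENGTH


@dataclass
class EPayroll:
    accounts: Dict[str, Account]
    outbox: List[str] = field(default_factory=list)   # stands in for the mail server

    def notify(self, acct: Account, message: str) -> None:
        # Second safeguard from the FAQ: the owner hears about every change.
        self.outbox.append(f"to {acct.email}: {message}")

    def login(self, employee_id: str, pin: str) -> bool:
        """Employee ID alone is not enough; a stolen ID with a wrong PIN fails."""
        acct = self.accounts.get(employee_id)
        if acct is None or acct.locked:
            return False
        # Constant-time comparison so response timing does not leak PIN prefixes.
        if not hmac.compare_digest(pin.encode(), acct.pin.encode()):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                # First safeguard from the FAQ: lock after three wrong attempts.
                acct.locked = True
                self.notify(acct, "account locked after repeated failed PIN entries; "
                                  "contact HR customer service to regain access")
            return False
        acct.failed_attempts = 0
        return True

    def change_pin(self, employee_id: str, old_pin: str, new_pin: str) -> bool:
        """Changing the default PIN, as the FAQ recommends, triggers an alert."""
        if not self.login(employee_id, old_pin):
            return False
        if not pin_is_acceptable(new_pin):
            return False
        acct = self.accounts[employee_id]
        acct.pin = new_pin
        self.notify(acct, "your ePayroll PIN was changed")
        return True


def build_demo() -> EPayroll:
    """Constructed sample data: one employee with a vendor-style default PIN."""
    return EPayroll({"123456": Account("123456", "default1", "name.1@example.edu")})


if __name__ == "__main__":
    system = build_demo()
    # A stolen employee ID without the PIN gets nowhere, and three misses lock the account.
    for guess in ("guess-01", "guess-02", "guess-03"):
        print("login with guessed PIN:", system.login("123456", guess))
    print("locked:", system.accounts["123456"].locked)
    for mail in system.outbox:
        print(mail)
```

The lockout counter is reset only by a successful login, and the lock itself is cleared out of band (the FAQ says by Human Resources customer service), which is why `login` simply refuses a locked account rather than offering a self-service unlock.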
What can I do if I do become a victim of identity theft?
The Ohio Attorney General’s Office has a program for people whose identities have been stolen and used to either establish credit or create a false identity. First, you must contact your local law enforcement to file a criminal complaint. Once you have done this you can register with the Identity Theft Verification PASSPORT Program. A key benefit of this program is the PASSPORT card victims can present to creditors and law enforcement to establish they have been victimized. For more information, visit http://www.ag.state.oh.us/victim/idtheft/index.asp
The Federal Trade Commission also maintains a helpful site, and is the main U.S. government site for identity theft information. You can also file an online report of identity theft. http://www.ftc.gov/bcp/edu/microsites/idtheft/
Why was I originally told I was not on the list, but then received the notification letter?
Unfortunately, the complete file of names was not transmitted to the call center initially. This omission was quickly remedied, but not before some people were given the wrong information. The University regrets this occurred, and apologizes for the confusion.
Was any information about dependents stolen during the breach?
There were some dependents whose information was on the database server and who were affected by the breach. These are people who became insured under COBRA, a federally mandated program that allows the continuation of medical, dental and vision benefits. Becoming a COBRA beneficiary happens due to divorce, a child exceeding age 23, or a parent/spouse separating from Ohio State employment. If a dependent becomes insured under the COBRA program, by law they are insured under their own separate “contract” and their name and personal data are entered into the PeopleSoft Human Resource system. These affected dependents are eligible for the Equifax credit protection, and should have received a notification letter from the University.
