Purdue News

May 20, 2005

Purdue issues alert about illegal access of computers

WEST LAFAYETTE, Ind. – Purdue University is alerting current and former employees that their Social Security numbers and other information may have been illegally accessed from at least one of four campus computer workstations.

"Our investigation of a recent information technology security breach shows that the records of 11,360 current and former employees may have been accessed electronically," said James R. Bottum, vice president for information technology. "We do not know how or whether the intruders intend to use this information, but we are alerting everyone who may have been affected because this information could be used to commit identity theft.

"It is critical that we all – whether involved in this incident or not – monitor our credit reports and financial statements. The problem we've experienced here is just one example of how vulnerable all organizations can be."

Employees can determine if their information was involved by visiting http://www.purdue.edu/dataincident/. If the answer is "yes," they will automatically be sent to a page listing steps on what to do, with links to helpful sites. If the answer is "no," they will be sent to a page that lists general information on identity theft.

This is the third time in the past year that Purdue has announced computer security breaches. Bottum said the basic problem in the current incident is that, in the years before identity theft became a concern, Social Security numbers were used routinely for identification. Purdue began its process of moving away from using Social Security numbers beginning in 2003 when it removed Social Security numbers from the face of university identification cards.

Removing Social Security numbers from all of the university's business practices, however, is an enormous task, said Morgan R. Olsen, executive vice president and treasurer.

"With any large, complex organization, moving to a new identification system is a slow and expensive process," Olsen said. "However, we are directing all units on all campuses to discontinue the use of Social Security numbers in all records except those that are absolutely necessary or required by law by the end of calendar year 2006. In addition, all new or modified administrative systems and processes currently are required to rely on the Purdue University identification number rather than the Social Security numbers."

Olsen noted that Purdue is investing more than $75 million in the OnePurdue project, which will combine and modernize business, student information and human resources databases and business processes.

"OnePurdue will integrate systems and applications to reduce the number of places where sensitive information is stored," he said. "That, in turn, will make it easier to safeguard or encrypt data and implement best practices."

The most recent security breach spanned a 17-day period before it was discovered May 5. In this case, software developers were testing programs for the university's purchasing system, using records that contained personal data of many Purdue employees systemwide, as well as some retirees, graduate student employees and some former employees.

Forensic analysis shows that intruders infiltrated the developers' computers through the Internet, installing software that then allowed access to files with the confidential information.

"We don't know for what purpose these files were accessed, but prudence suggests that we all take precautions," Bottum said. "One of the possible uses for this kind of data is to attempt identity theft. One of the recommended ways to watch for fraudulent activity in your name is to routinely monitor your credit report.

"There are three credit agencies that by law must provide everyone in Indiana with a free review of their credit report every year. The best way to track this is to alternate among them every four months."

All three credit agencies can be accessed online. To request your credit report by phone call (877) 322-8228; your reports will be mailed to you.

Olsen also urged people to call Purdue police at (765) 494-8221 to report any individuals saying they are affiliated with Purdue and who offer to help or are requesting private information.

"No Purdue representatives will be calling or e-mailing to ask for anyone's personal information," Olsen said.

In January, Purdue announced that unauthorized users gained access to computers in the College of Liberal Arts, potentially affecting 1,266 people. In October, unauthorized users gained access to computer passwords, and all university computer system users were required to change their passwords.


Writer: Jeanne V. Norberg, (765) 494-2084, jnorberg@purdue.edu


Sources: James R. Bottum, (765)496-2270, jb@purdue.edu

Morgan R. Olsen, (765)494-9705, mrolsen@purdue.edu


Purdue News Service: (765) 494-2096; purduenews@purdue.edu

 

To the News Service home page

Newsroom Search Newsroom home Newsroom Archive