UNC Employees Criticize University’s Response To Major Data Breach
CHAPEL HILL – Many UNC employees are still upset over last fall’s data breach, when personal information of more than 6,000 individuals, housed by the University, was made publicly accessible due to an oversight. Some have criticized UNC’s response to the situation, saying it took too long to notify those who were affected.
Charles Streeter, Chair of the UNC Employee Forum, shared the frustrations of his colleagues at a Board of Trustees committee meeting Wednesday. He urged officials to consider tighter University-wide, ITS-mandated security measures.
“They do not feel secure anymore. Their sense of security in regards to their data has been lost,” Streeter said.
After an initial investigation, the University found that on July 30, during maintenance involving one computer, the safeguards that protected the files against public access were accidentally disabled and the files were published on the Internet.
The files that were exposed for almost four months contained information such as names, Social Security numbers, and dates of birth of some current and former employees, vendors, and students.
A University official learned in November that some of those files were accessible on the Internet. Within two weeks, Vice Chancellor for Information Technology Chris Kielt said the files weren’t online anymore.
Kielt said that it was an “honest mistake” and that the data was “old and forgotten.”
The University began notifying the people whose information was leaked in December.
Streeter criticized the speed with which UNC communicated the leak and questioned why the issue was not immediately brought to the attention of the entire University community.
He said some people are still receiving their first notification.
“And they all responded that they were not happy right now because they feel like this is a violation of something that the University should have—it really should not have happened,” Streeter said.
UNC Chancellor Carol Folt offered some consolation about the status of the people whose information was leaked.
“I think it is important to say right now that none of the data has been used,” Folt said. “That is a good thing. That does not mean that we take any less notice of the vigilance required to go forward.”
UNC is currently sending out letters offering a one-year subscription to a credit monitoring service at the University’s expense. Each person is assigned a unique code that provides access to the credit monitoring service.
However, the letters that Rust Consulting mailed to people on Jan. 10 on behalf of the University included an incorrect code—another source of frustration for employees.
Streeter said many are worried about what happens after the year of free credit monitoring expires and about the possibility of another breach in the future.
“If you get that information and you hold onto it, it could be years down the line, and that is what they are really concerned with—what happens after the one year [of credit monitoring]? What recourse do they have to get any type of assistance for something they did not cause?” Streeter said.
In response to the breach, Kielt said that the University has placed greater emphasis on taking inventory of personal information stored in the databases across campus.
A University-wide review began in the early fall. Staff are identifying where sensitive information is stored and are assessing the data—either erasing it if it is no longer necessary, de-identifying it, or securing it.