CHAPEL HILL – For almost four months, personal information held by UNC on more than 6,500 individuals was publicly accessible because of an accidental data breach.
“Primarily the vast majority of people who were impacted were existing staff or former staff at the University because again, this was older data. Only a small number of students were impacted—less than 200,” said Chris Kielt, UNC’s Vice Chancellor for Information Technology.
The files that were made public contained information such as names, Social Security numbers and dates of birth of some current and former employees, vendors, and students.
Kielt said that University officials have so far not been able to determine whether the personal information was accessed by others or misused as a result of the incident. To date, he has not received a report of misuse of personal information.
After an initial investigation, the University found that on July 30, during maintenance involving one computer, the safeguards that protected the files against public access were accidentally disabled.
“There was a server that existed in one of the departments. It was moved from a physical hardware device to a virtual environment, and in the process, there was a change in how the data was made available, and unfortunately it was published in a public way to the Internet,” Kielt said.
A University official learned in November that some of those files were accessible on the Internet. Kielt said that less than two weeks later, the files were no longer online.
Kielt said that, to his knowledge, the University has not sought punitive action against any individuals for negligence in connection with the breach.
Kielt said “a substantial number” of the people whose information was leaked have been notified, and a second round of notifications will be sent out soon. It is a time-consuming process, he explained, as they are using data collected from 1999 up to the mid-2000s to track down the individuals.
Kielt said that while it doesn’t make the situation better, the information wasn’t obtained through malicious intent, such as hacking; rather, it was inadvertently published.
“No data breach, no exposure of an individual’s sensitive data is an acceptable circumstance. We take this extremely seriously. We feel it is our job to protect all the information that we are entrusted with.”
In response to the breach, Kielt said the University has placed greater emphasis on taking inventory of personal information stored in the databases across campus. The review began in the early fall of this year.
Kielt said that when managing such an enormous amount of data, the University has to be vigilant at all times.
“Like many institutions, we are going to go through the process and clean that data up and make sure that it is kept in the most secure way possible; that we are aware of where it is, so we have inventoried it; and we have secured it appropriately if we really need to keep it.”
As part of the review, University staff are identifying where sensitive information is stored and are assessing the data—either erasing it if it is no longer necessary, de-identifying it, or securing it.
At the time the affected files were created, the University utilized Social Security numbers to track employee, student, and vendor records. This practice has been severely restricted by the University since 2006.