UNC employees concerned about data breach

Those impacted say university notifications need to improve
Jan. 22, 2014 @ 08:29 PM

UNC-Chapel Hill employees are still concerned months after the university announced a data breach affecting 6,500 people.

At a UNC Board of Trustees’ University Affairs Committee meeting, UNC-Chapel Hill Employee Forum Chair Charles Streeter said he has received phone calls, emails and in-person complaints from students, faculty and staff who are worried about their information being publicized online.

University officials believe that on July 30 during computer maintenance, safeguards that protected old files were accidentally disabled, leaking names, Social Security or Employee Tax Identification numbers, and in some instances, addresses and dates of birth. A UNC information technology manager was notified of the breach Nov. 11.

The information belongs to some current and former employees, vendors, and students.  As of Nov. 23, the records were no longer accessible on the Internet. On Dec. 10, the university began notifying individuals by mail.

But, according to Streeter, the first mailing sent to affected individuals looked like junk mail and didn’t seem to come from the university. The second mailing that offered a code for credit monitoring contained wrong information, he said, and information on the university website about the data breach wasn’t prominently displayed.

“It was unintentional, and that has been said more than once,” Streeter said. “However, there are people that still feel very strongly. They still want someone to basically be penalized for what happened. Whether or not that’s firing someone, they want something to happen, they want some accountability.”

He added that the people affected hope for more than a year of credit monitoring, and they stressed the need for UNC’s Information Technology Services to have the authority to mandate security initiatives across campus.

“There’s an outcry,” he said. ”There’s a plea from the staff to please do more.”

Last Thursday, the university held a community meeting to discuss the data breach, and employees wonder what plans will be put in place if a breach happens again.

“Let me start by offering a sincere apology for the execution on communications,” said University Affairs Committee Chair Alston Gardner. “That’s inexcusable, and we will do something about that. Security breaches are tricky, they’re regrettable. The best I can say is it shouldn’t have been handled the way it was handled.”

Chancellor Carol Folt said the investigation into the security breach is ongoing.

“I think it’s important to say, too, that right now we have no evidence that any of the data had been used,” Folt said. “That is a good thing, but that does not mean that we take any less notice of the vigilance required to go forward.”

Chris Kielt, UNC vice chancellor for information technology and chief information officer, said most of the data that was leaked was more than a decade old. He said information technology employees are working to clean up the data stored and distributed on campus servers.

“What we have not done, and what we must do in terms of processing ability, is (go) back and (make) sure we either erase that old data that we may have accumulated over time and have forgotten about, we de-identify it or securely store it if it’s old data that’s really important.

“This was an honest mistake made by an individual who changed some permissions,” he added.

UNC Faculty Council Chair Jan Boxill said she has been the target of a data breach, whether it was through UNC or Target’s recent credit and debit card hacking scandal, and thousands of dollars have been fraudulently used from her debit card in the past two months.

Boxill said she also thought the first UNC notification of the data breach was junk mail.

“I, too, thought at first the letter was junk, and the second one that has the information about the code, I haven’t figured out yet how to deal with it,” she said. “... I need to talk to a person.”