Security Alert - Last Updated 1/10/2009

We have experienced a security incident and are in the process of investigating. As more details are made available, they will be posted here.

Please contact Sharon Dickman at 585-275-4118 for the most up-to-date information.

What information was stolen? And when did it occur?

The names and Social Security numbers of approximately 450 University of Rochester students and former students were accessed and copied from a non-academic student database to an off-campus IP address. The problem was discovered on the evening of Jan. 7, 2009. Information Technology security staff analyzed the “traffic” to this computer database from June 2006 to Jan. 7, 2009, and this was the only instance found.

How do I know if I was impacted by this security breach?

Notifications to the 450 current and former students impacted by this security breach were sent on Saturday, January 10, 2009. These notifications, which included information on credit monitoring services, were sent via email and U.S. mail. If you did not receive a notification, you are not affected by this breach.

Why was my name and SSN information in this database?

Social Security Number is a data element in our integrated student systems environment.  The system has information about people who are or were students at the University.

Don’t universities avoid using Social Security numbers to identify students?

At the University of Rochester, students are identified by randomly generated numbers and keep those IDs throughout their college years. We have not used Social Security numbers as the prime way to identify students since 2001. Still, certain offices are required by law to continue to keep a student’s Social Security number for tax purposes and for other reasons.

How did the thieves gain access to this information?

The investigation is continuing.

Were security protections in place to prevent unwarranted access?

Our Information Technology staff works hard to provide a secure environment for the tens of thousands of computers that are part of our network. We continue to further strengthen our current security processes and systems to minimize the chance of this kind of intrusion happening again.

How are we assisting the individuals whose names and Social Security numbers were copied?

We will provide without charge a year of credit monitoring and related identity theft insurance. Details will be sent directly to those whom we believe had their personal information copied. We have contracted with Equifax, one of the three major credit monitoring bureaus, to supply this service. Every individual who we believe was affected by this intrusion will receive a personalized code to register within 120 days and take advantage of the offer. Please register at www.myservices.equifax.com/tri

Also, federal law allows all consumers one free credit report per year from each of the national credit bureaus — Equifax, Experian, and TransUnion — through the Annual Credit Report Request Service. Access this service on the Web at www.annualcreditreport.com or call toll-free 877-322-8228. You can either request all three reports at once or request them individually at different times throughout the year.  You can request the reports whether or not you believe that your data was compromised by a hacking incident.

The following agencies also can provide additional information about identity theft:

Federal Trade Commission
http://www.consumer.gov/idtheft

Social Security Administration
http://www.ssa.gov/pubs/10064.html

Social Security Fraud Line
1-800-269-0271

Identity Theft Resource Center
http://www.idtheftcenter.org

What is identity theft?

Identity theft occurs when someone uses your name, Social Security number, credit card number, or some other piece of your personal information for financial gain. Usually, victims learn that their identity has been stolen when they are contacted by a collection agency over past-due accounts they never knew they had, or when they receive significant charges on a credit card bill for purchases they never made. Sometimes, they are contacted by the police after a crime is committed in their name.

How can I tell if I am a victim of identity theft?

  • Monitor the balances of your financial accounts. Look for unexplained charges or withdrawals.
  • Other indications of identity theft include:
    • failing to receive bills or other mail, which may signal an address change by the identity thief.
    • receiving credit cards, and/or statements of accounts, for which you did not apply.
    • a lender trying to repossess a car you didn't know you owned.
    • being contacted by the police after a crime is committed in your name.
    • being denied credit for no apparent reason.

      If you're ever denied credit, FIND OUT WHY, especially if you haven't reviewed your credit report lately. This may be the first indication you get that someone has stolen your identity and is racking up charges in your name.
    • receiving calls or letters from debt collectors or businesses about merchandise or services you did not buy.

      REACT QUICKLY if a creditor or merchant calls you about charges you didn't make. This, too, may be the first notice you get that someone has stolen your identity. Get as much information from them as you can and investigate immediately.

What should I do if I think someone has stolen my identity?

  1. Immediately place a fraud alert on your credit reports.  Contact:
    • Equifax
      Direct Line for reporting suspected fraud: 800-525-6285
      Fraud Division
      P.O. Box 740250
      Atlanta, GA 30374
      800-685-1111 / 888-766-0008
      http://www.equifax.com
  2. If your Social Security Number has been stolen, contact the Social Security Administration (SSA). The SSA can provide information on how to report the fraudulent use of your number and how to correct your earnings record. Contact the Fraud Hotline immediately after you suspect you're a victim of identity theft.
  3. Close accounts which were accessed or opened fraudulently.
  4. Change the passwords on all of your accounts. Create a new, strong password--don't reuse an old one or one that's similar.
  5. File a report with the local police.