There were two separate security incidents resulting in exposures of sensitive data including Personally Identifiable Information (PII) at the University of North Carolina at Charlotte (the “University”). (see press release)
When and how did the incident(s) occur?
A. Incident #1 – During an information system upgrade, because of misconfiguration and incorrect access settings, data stored on the University H: drive were exposed on the Internet and available to unauthorized users during the period of November 9, 2011, to January 31, 2012. Upon identification of the misconfiguration, the University took steps to correct it and implemented additional safeguards and controls to protect the University’s information assets.
B. Incident #2 – Files containing sensitive data including PII were stored in a manner that left them open to the Internet. Unauthorized users could have accessed the files in question during the period of 1997 to February 2012. Upon identification of the exposure, the University took steps to correct the issue and implemented additional safeguards and controls to protect the University’s information assets.
What actions did the university take?
A. The University immediately took a number of parallel steps to investigate and remediate the exposure.
B. On January 31, 2012, upon learning about Incident #1, the University immediately activated the security incident response plan to address the security incident.
C. The University leveraged the services of a leading forensics and investigations firm to conduct in-depth and thorough forensic investigations of Incident #1 and Incident #2 to determine what happened.
D. The University partnered with a leading information security firm to help identify and remediate security vulnerabilities campus-wide.
E. The University partnered with a leading electronic discovery firm and leveraged industry-proven software to discover sensitive data and remediate exposure.
F. The University sent preliminary notice of the first incident following an investigation, provided additional updates through video interviews and meetings with faculty, and is providing notice of the exposure as soon as possible following the investigation and remediation.
Does the university have any indication that any person has suffered identity theft as a result of either of these incidents?
At this time, the university has no evidence or reports of possible identity theft connected to either of these incidents. However, it is recommended that you review the identity theft materials posted for consumers on the Federal Trade Commission (FTC) website at http://www.ftc.gov/idtheft. This website provides detailed information to help you protect yourself from identity theft, and the steps to take if it occurs.
If you notice suspicious activity, you should report it immediately to the University at the following number 1-855‑205‑6937 and to any financial institution involved. You should also contact the Federal Trade Commission at www.ftc.gov/idtheft, at 1-877-ID-THEFT (438-4338), or at 600 Pennsylvania Avenue, NW, Washington, DC 20580, and you may call your local sheriff’s office and file a police report of identity theft, keeping a copy of the police report. In addition, you may contact the Consumer Protection Division of the North Carolina Attorney General’s Office at 9001 Mail Service Center, Raleigh, NC 27699, by phone at 1-919‑716‑6000 or toll free in North Carolina at 1-877‑566‑7226. If you reside outside of North Carolina, the contact information for the Attorney General of your state can be found on the website for the National Association of Attorneys General available at www.naag.org/current-attorneys-general.php.
- TransUnion: 1-800‑680‑7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
- Equifax: 1-888‑766‑0008; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
- Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9554, Allen, TX 75013
If you have any questions, comments or concerns, please contact Sanjeev Sah at 704‑687‑5444 or firstname.lastname@example.org.