Clearly Oregon State University does not pay enough attention to security bloggers who have derided such trite phrases as “in an abundance of caution.” Their press release from today:
Oregon State University is notifying 34,000 current and former employees that a computer containing some of their personal information was recently infected by a virus, even though the university’s computer experts say it is “highly unlikely” that the virus put any of that information in the hands of unauthorized users, OSU officials say.
The university is making the notification out of an abundance of caution and to comply with both the letter and spirit of the Oregon Consumer Identity Theft Protection Act. While there is no evidence that individual information has been accessed by a third party, officials are going to such lengths, in part, because records for many of those employed between 1999 and 2005 contained Social Security numbers as the “unique identifier” in each employee’s record, and the presence of those numbers raises the potential, however remote, of identity theft.
“We don’t want to unnecessarily alarm individuals, because in this case we have no evidence that any data was extracted, nor any evidence of identity theft linked to this security breach,” said Jon Dolan, chief information security officer for OSU. “Notifying individuals gives them the opportunity to take preventive measures, should they so choose, to place extra protections on their credit information and further minimize any individual risk.”
Each of the individuals whose records are involved is receiving a letter this week outlining the data breach and providing options for protecting their data against exploitation. Those options range from simply monitoring their financial accounts and credit reports to placing a freeze on their credit files.
OSU has also opened a hotline for individuals who may have additional questions or concerns (541-737-1007) and an e-mail address for those who would like to express their concerns in writing: [email protected].
Officials have also created a web-based question-and-answer page to help address additional concerns individuals may have: http://oregonstate.edu/incidentresponse.
“We take seriously the fact that identity theft has become an important problem in recent years and that as an institution required to collect a significant amount of personal data from our employees, we have responsibilities to safeguard that data,” said Dolan. “So in the rare event that a breach like this happens, we feel it’s our duty to go above and beyond to raise awareness and encourage preventive measures. By doing so, we hope there will be no further problems associated with this incident.”