
June 16, 2006

International Students Privacy Security Incident

This update describes the recent personal information security update sent to selected international students.

Frequently Asked Questions


Q: Who was impacted?

A: Selected students of international origin attending UMBC from Fall 2003 to present. Of that group, 150 students' information was accessible through Google.

Q: How do I know if I was one of the impacted international students?

A: OIT sent an email and letter to each person who was affected, but if you have any questions or concerns, contact the OIT Help Desk at 410.455.3838 or privacy-alert@umbc.edu.

Q: What does "personal information" mean?

A: The personal information included name, address, date of birth, email, and Social Security Number. This information is no longer viewable, and we have no evidence (beyond an initial alert) that anyone ever viewed it.

Q: What should I do?

A: If you received an OIT email alert or notification, you should check your credit report. Instructions for doing this are available on the OIT Identity Protection Web site.


This is the text of the email and letter sent to UMBC faculty, staff and graduate students who were NOT affected:

On Saturday, June 3, 2006, we received an email from a UMBC student who had done a Google search to find more information about an instructor for a summer school class. He found personal information for 150 UMBC people, including the instructor who is a graduate student of international origin.

The personal information was name, address, date of birth, email, and Social Security Number. This information is no longer viewable, and we have no evidence (beyond an initial alert) that anyone ever did so.

In November, 2003, an Office of Information Technology (OIT) Web site generated this information to support visa compliance of UMBC’s international students. However, a programming error resulted in files not being deleted from UMBC’s Web site after they were used. As a result, the files containing the personal information were potentially viewable by the general public. In December 2005, the visa compliance initiative was revised, and the Web site containing the files was taken down in January 2006. After this, the files were only visible in Google’s search engine until June 5, 2006, two days after we started working with Google to have them removed. In addition, OIT staff members have reviewed a list of other web search engines (e.g., MSN, AltaVista, Yahoo) to make certain those search engines did not have this information.

At this point, we have taken three steps. First, we have sent a security alert letter to 145 international students to report their personal information was potentially viewable through a Google search of each person’s name. An alert means their data was confirmed to be “out of our control” in that it was indexed by Google, and stored as part of its regular indexing process.

Second, we have sent a security notification to 1,599 additional international students to say their personal information was stored in one of many other data files found on that original Web server. We have confirmed with Google that it never indexed these other files. We have also reviewed our Web access logs back to January 1, 2006, and found no attempts to view this information, though our logs do not go back to November 2003 when the Web site was created.

To be proactive, we want to notify these 1,599 students but not alarm them. We have no evidence their information was ever accessed, and the risk that it was is exceptionally low (less than using your credit card to pay for a meal at a restaurant).

Finally, OIT is sending this email update to you and posting it as a campus Web update as part of our ongoing privacy protection efforts. If you work with international students in your department, lab, or course please ask if they were impacted and have any questions. OIT is working closely with International Education Services, the Graduate School, the Graduate Student Association, and Academic Services to provide support. We have developed an Identity Protection Web site and established a phone line, and special email address to provide help with this incident. Taking steps to protect our identity is something we all should regularly do and I strongly recommend that all members of our community review the OIT identity protection web site.

Please be aware that scam artists "phish" for victims by pretending to be banks, stores or government agencies, especially after an incident like this. They do this over the phone, in e-mails and in the regular mail. Never give out your personal information, unless you initiated the contact. UMBC will only contact you about this incident if additional helpful information becomes available. We will not ask for your full SSN, account ID, or credit card information.

I want to assure you OIT is committed to protecting the identity of UMBC students, faculty and staff. On June 7, we completed an upgrade of our campus ID card that removed our reliance upon SSN. On the weekend of June 16, 2006, UMBC will be completing a year-long effort to convert the primary ID of our current student information system away from SSN to a new campus-defined ID number. These efforts are critically important because they reduce our reliance upon SSNs and limit the data that may be potentially at risk when mistakes occur. In addition, I have ordered OIT technical staff to review all web-based applications we have developed and establish stronger procedures for programming review and testing to reduce the risk of these kinds of programming errors in the future.

Let me thank you in advance for your support of those international students impacted by this incident. Please don’t hesitate to contact me if you have questions or concerns.

Sincerely,
Jack Suess
Vice President, Information Technology


Resources:
Privacy Protection Web Site
Phone: on-campus 5-3838, local 410-455-3838, toll-free 1-866-455-8622
Email: privacy-alert@umbc.edu
