FREQUENTLY ASKED QUESTIONS ON INADVERTENT EXPOSURE OF SENSITIVE STUDENT INFORMATION

What happened?
On Monday, October 18, 2010 UH officials were notified of an inadvertent exposure of student information.

How did this happen?
A faculty member, who was conducting a study of UH students, uploaded files containing personal information onto an unencrypted faculty web server, which was thought to be secure.

Am I affected?
Approximately 40,000 unique SSNs were stored on the server. Student who attended UH Mānoa from 1990 – 1998 and during 2001 may be affected. In addition, students who attended UHWO during Fall of 1994 or graduated from 1988 - 1993 may also be affected.

What information was in the compromised database?
The uploaded files contained data including names, social security numbers, and may have also contained addresses, birth dates and educational information.

Has the data been misused?
At this time, University officials have no evidence that anyone’s personal information was accessed for malicious intent or that any information was misused.

Was any credit card information exposed?
No. We have no evidence of any credit card or other personal financial information being exposed.

Have law enforcement authorities been notified?
The Honolulu Police Department and FBI have been notified, and have been asked to investigate any potential criminal activity related to this incident.

What is the campus doing to prevent future security breaches?
UH West Oahu is also working with UH System to adopt more proactive security measures to ensure better privacy protection. Additional security measures being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.

How will affected individuals be notified?
Letters to affected individuals were mailed on October 29, 2010, and should be received as soon as October 30, 2010. In addition, an email notice will be sent to affected individuals at their most recent email address on record.

What should affected individuals know and do?
Carefully monitor your financial information and take protective measures against identity theft, which include:

Obtaining and carefully reviewing credit reports. Free credit reports from all three credit agencies may be obtained at http://www.annualcreditreports.com or by calling 877-322-8228.
Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.

If your identity or account has been compromised, you may take actions such as requesting refunds, closing accounts, and placing your credit records in a state of “fraud alert” or “freeze.” Please know that we are making every effort to ensure that this incident does not recur.

If I did not receive a notification letter, does that mean my information was not in the compromised database?
Not necessarily. While every attempt has been made to identify and contact all individuals, we did not have addresses for all individuals.

Why was SSN included in data released to a faculty member for research?
The data was provided to the faculty member about a decade ago, when SSN was still used as the Student ID#. Use of the SSN for this purpose was phased out during 2002-2004 with the implementation of a new student information system. In addition, since this release of data, UH has since adopted a new policy that requires de-identification of data released for research purposes.

How can I get more information?
Go to the webpage at www.uhwo.hawaii.edu/idalert. Updates will be posted as new information becomes available.