UW responds to security reports

by Ken Harris

Wednesday, January 30, 2008 00:58

University of Wisconsin responded to media reports Tuesday that twice as many people may have been affected by a UW security breach than previously suspected, stating there was no evidence of a further breach.

Brian Rust, director of communications for DoIT, said there was nothing to indicate anyone else has had his or her information exposed on the Internet.

UW originally reported 205 people had their Social Security numbers posted on an Internet database after making purchases from the university computer store. The database was available to the general public for about a year. The Associated Press reported as many as 529 people may have had their information exposed.

Rust said he told the AP “there may have been more; there may not have been more” when asked if anyone else had been exposed.

“We don’t have any proof from any network logs their information was out on the Web,” Rust said.

Rust said UW was not going to inform the other 304 people because they were not required to by law. The conditions that warrant being contacted were not met, he added.

According to Rust, UW was required to inform the original 205 people of the possible exposure because there was proof of outsiders visiting the site on which information had been posted.

The information was compiled originally to track purchases made at the store by UW faculty and staff. Members were required to swipe their UW ID card to verify their identity.

Some people were still using old IDs that had their Social Security numbers attached to them, and some numbers were placed in the database and open to be viewed by anyone.

Rust said up until this point, UW has suggested people exchange their old IDs for the new ones that are not attached to their Social Security numbers. However, the university will now be informing the old staff they must change IDs because the old cards will be voided starting March 15.