If you have questions that are not answered in these FAQs, or if you would like a University representative to assist you in using one of the credit bureau websites to place a fraud alert on your credit file, send an email message to incident_questions@unc.edu, and a University employee will contact you.

 


What Happened?

On November 11, 2013, an information technology manager in the Division of Finance and Administration at The University of North Carolina at Chapel Hill discovered that some files located at the Division of Facilities Services inadvertently became accessible on the Internet. These files contained the names and Social Security or Employee Tax Identification numbers, and in some cases, addresses and dates of birth, of some current and former University employees, vendors, and students. The University believes that these files were accessible to the public from July 30, 2013 until November 23, 2013.

Upon learning of this incident, the University immediately took steps to block access to the files and began conducting an extensive investigation. Based upon its ongoing investigation, the University believes that on July 30, 2013, during maintenance involving one computer, the safeguards that protected the files against public access were accidentally disabled. The University also learned that as part of Google’s automated processes, these files were copied and made publicly accessible. The University asked Google to take these records down immediately. Google complied with the University’s request and as of November 23, 2013, the records are no longer accessible on the Internet.

The University is continuing to investigate the situation. Other than Google’s activities described above, we have not been able to determine whether individual personal information was accessed by others or was misused as a result of this incident, but we have no evidence that this information was used maliciously.

Why was personal information included in these files?

The files contained information relevant to conducting University business, including granting application access to a University system, scheduling people’s time, paying employees and vendors for work, and handling students’ phone bills. The source files have been deleted and are no longer publicly accessible.

When were the affected records created?

Most of the records were created between 1999 and the mid-2000s.

How many people were affected by this incident?

Although the investigation is ongoing, the University believes that approximately 6,500 people are affected.

What actions did the University take in response to this incident?

The University immediately took a number of parallel steps to investigate and limit the exposure of this information. On November 11, 2013, as soon as the incident was confirmed, the University immediately activated its security incident response:

  • The University immediately (on November 11, 2013) denied Internet access to the files.
  • The University immediately (on November 11, 2013) notified Google (where copies of the files were being hosted) and requested that Google remove the files from the Internet. By November 23, 2013, the files were no longer accessible.
  • The University’s ITS Incident Response Team conducted an in-depth and thorough forensics investigation of the incident to determine what occurred and the nature of the information involved.
  • The University’s ITS team and the Division of Facilities Services analyzed the data that could have been affected to determine whether sensitive information had been exposed.
  • The University engaged a nationally recognized consultant to identify potentially affected individuals as soon as it was confirmed that their sensitive information could have been affected.
  • The source files have been deleted and are no longer accessible to the public.
  • On December 10, 2013, the University began sending a letter to the last known home address of every individual believed to be affected by this incident and for whom the University had address information. Each letter specifies the type of personal information affected for that individual.
  • The University posted a story about the data breach (http://its.unc.edu/2013/12/10/university-investigates-data-breach-notifies-affected-people/) with a link to these frequently asked questions on the UNC homepage, the ITS homepage, the News Services website and the University Gazette website. The Facilities Services website also includes a link to the story.
  • The University engaged a nationally recognized consultant to establish a call center to answer frequently asked questions and forward the contact information for people who request additional information to the University’s incident response team. The University also established an email address (incident_questions@unc.edu) so people could contact the University directly about the incident.
  • The University is providing translation assistance in Spanish, Burmese and Karen.
  • The University is offering free credit monitoring for people who feel that the recommendations from the North Carolina Department of Justice about protecting against identity theft are insufficient. The University is notifying people affected by the incident directly by mail in early January 2014 about how they can pursue this option.

How do I know what parts of my personal information were affected?

There were three versions of the letter, and the letter you received specifies which parts of your personal information were affected.

If your letter said, “personal information including your name and Social Security Number or Tax ID Number, Address and Date of Birth were contained in these files,” that means the files included your name, Social Security Number or Tax ID (depending on whether you are an individual or a vendor), as well as your address and date of birth.

If your letter said, “personal information including your name and Social Security Number or Tax ID Number were contained in these files,” that means the files included your name and Social Security Number or Tax ID (depending on whether you are an individual or a vendor).

And if your letter said, “personal information including your name and Social Security Number or Tax ID Number and Date of Birth were contained in these files,” that means the files included your name and Social Security Number or Tax ID (depending on whether you are an individual or a vendor), as well as your date of birth.

If you have any questions about this, you can contact incident_questions@unc.edu and a University representative will assist you.

Why were Social Security numbers included in these files?

At the time the affected files were created, the University used Social Security numbers to track employee, student and vendor records. This practice has been severely restricted by the University since 2006.

Does the University have any indication that anyone has suffered identity theft as a result of this incident?

The University has no way to know whether information has been or will be misused. However, it is recommended that you review the identity theft materials posted for consumers on the North Carolina Department of Justice’s website at http://www.ncdoj.gov/Protect-Yourself/2-4-3-Protect-Your-Identity.aspx and on the Federal Trade Commission’s (FTC) website at http://www.ftc.gov/idtheft. These websites provide detailed information about protecting yourself from identity theft and about steps to take if it occurs.

If my personal information was accessed by an unauthorized party, does that mean that I will become a victim of identity theft?

Not necessarily. Even if someone did access your information, this does not mean that you have been, or will become, a victim of identity theft or that the unauthorized individual intends to use your personal information to commit fraud. The University notified you about this incident so you can protect yourself. You can do this in several ways: by placing a fraud alert on your credit file; by placing a security freeze on your credit report; and by reviewing your credit reports regularly. Each of these measures is described below.

What is a fraud alert and how does it work?

Most credit card companies and other creditors will not issue credit without first checking an applicant’s credit history. A fraud alert tells potential creditors that they should contact you first before issuing new credit in your name, thereby preventing someone from fraudulently obtaining credit without your knowledge. A fraud alert will not prevent you from using your credit cards or other accounts. A fraud alert, however, may slow the process of receiving new credit since the purpose of the fraud alert is to help protect you against an identity thief opening new credit accounts in your name. When you place a fraud alert on your account, potential creditors receive a message instructing them to re-verify the identity of the person applying for credit before approving the credit application. There is no charge for placing a fraud alert on your credit file. An initial fraud alert lasts for 90 days and is free. You may renew the fraud alert at no cost for an additional 90 days. There is no limit to the number of times you can renew the fraud alert.

You can place a fraud alert on your credit file by contacting any one of the three national credit bureaus (Equifax, Experian, and TransUnion). As soon as one credit bureau confirms your fraud alert, the others are also notified to place fraud alerts on your credit file. You can contact the credit bureaus as follows (the links below will take you directly to the fraud alert section of the website for each credit bureau):

Equifax

1.800.525.6285

PO Box 740241

Atlanta, GA 30374

https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp

Experian

1.888.397.3742

PO Box 9532

Allen, TX 75013

https://www.experian.com/fraud/center.html

TransUnion

1.800.680.7289

PO Box 6790

Fullerton, CA 92834

https://fraud.transunion.com/fa/fraudAlert/landingPage.jsp

If you would like a University representative to assist you in using one of these websites to place a fraud alert on your credit file, send an email message to incident_questions@unc.edu.

What is a security freeze?

A security freeze – which is also sometimes called a credit freeze – prohibits a credit bureau from releasing your credit report without your consent. However, placing a security freeze may delay, interfere with or prohibit the timely approval of any application you then make regarding a new loan, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular telephone, utilities, digital signature, Internet credit card transaction or other services, including an extension of credit at a point of sale. Because of this, you may need to remove or temporarily lift the security freeze. Also, if you have a security freeze in place and decide to apply for credit monitoring, you might need to temporarily lift the security freeze and then re-activate it after you are enrolled in credit monitoring.

Here are some general things you should know about placing a security freeze:

  • If you choose to place a security freeze, you will need to place one with each individual credit bureau, because the instructions and processes differ from one credit bureau to another.
  • Here are the websites for the three credit bureaus:
  • When you place a security freeze, your credit file cannot be shared with potential creditors, insurance companies or other third parties.
  • A security freeze is not completely fail-safe because creditors can issue credit without pulling a credit report.
  • A security freeze will not prevent current creditors and businesses with which you have prior relationships (such as credit card companies, insurance providers and financial institutions) from reporting to or accessing your credit file information. It does, however, prevent new potential creditors and new third parties from gaining access to your credit files.
  • Each credit reporting agency has five business days from receipt of your request to place a security freeze.
  • Each credit reporting agency has three business days from receipt of your request to lift a security freeze.
  • Depending on where you reside, credit bureaus may sometimes charge a fee for placing, removing or temporarily lifting a security freeze. But many states, including North Carolina, require that consumers be allowed to place and remove a security freeze free of charge.

For additional information about security freezes and how to place them, see: http://www.experian.com/consumer/security_freeze.html and/or https://help.equifax.com/app/answers/detail/a_id/159/session/L2F2LzIvdGltZS8xMzg3MzA2MTEwL3NpZC9VSEV3dDNJbA%3D%3D.

For information about the applicable fees, if any, for placing and removing security freezes in each state, see: https://help.equifax.com/app/answers/detail/a_id/75/session/L2F2LzEvdGltZS8xMzg3MjkzNzU0L3NpZC9saUNmSjJJbA%3D%3D.

For information related to security freezes specific to North Carolinians, see: https://www.experian.com/consumer/help/states/nc.html and/or https://www.experian.com/consumer/help/report/fcra_nc.html.

Is a credit freeze different from a security freeze?

No, they are the same thing. The question above describes what a security freeze – also sometimes called a credit freeze – does and how to place one.

Why should I review my credit report?

You should regularly review your credit reports and monitor your accounts for unusual activity. In addition to your right to one free credit report per year, placing an initial fraud alert entitles you to a free credit report from each of the three credit bureaus. You can use these reports to review and monitor your credit report periodically. To get your free report, go to https://www.annualcreditreport.com/index.action or call 1-877-322-8228. To track your credit during the year, you can request a free report from a different credit bureau every four months.

If you have general questions about identity protection, you can contact the Consumer Protection Division of the Attorney General’s Office by calling 919-716-6000, visiting the website at www.ncdoj.gov or mailing the office at Consumer Protection Division, 9001 Mail Service, Raleigh, NC 27699-9001. Additionally, the FTC produces a brochure, “What to Do If Your Personal Information Has Been Compromised,” which contains helpful information and links to additional information the FTC has on this issue. You can access this brochure online at http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt150.pdf. The FTC has additional information regarding identity theft at http://www.ftc.gov/bcp/edu/microsites/idtheft/.

What is credit monitoring?

Credit monitoring services protect primarily against new account fraud. This form of fraud occurs when a criminal uses your personal information to open credit card, mobile phone, or other financial accounts using your name, Social Security number and other personal information. New account fraud can be difficult to detect because the criminal generally has billing statements sent to an address other than your real address. Beginning on the date of enrollment, credit monitoring provides an alert whenever changes occur to your credit files. This notification will be sent to you the same day that the change or update takes place with any of the three credit bureaus. You can learn more about credit monitoring at https://www.privacyrights.org/identity-theft-monitoring-services.

Does the University provide credit monitoring services?

The University is offering people affected by this incident who feel that the North Carolina Department of Justice’s recommendations are not sufficient the option of a one-year subscription to a credit monitoring service that monitors activity at all three credit bureaus, at the University’s expense. The University is notifying these people directly by mail about how they can pursue this option, including the individual code they will need to access the credit monitoring service.

The letters mailed to people on January 10, 2014, from Rust Consulting on behalf of the University unfortunately included an incorrect access code. Rust is mailing people the correct code at its expense. However, people do not have to wait for their new code to sign up for credit monitoring. They can call the toll-free number 1.877.432.7463, and a representative will be able to provide them with the correct code. People simply have to give the representative their name and the last four digits of the incorrect code to get the correct one.

Anyone who uses an incorrect code to sign up for credit monitoring at https://www.myidmanager.com/promo_code.html will be provided with the 1.877.432.7463 toll-free number to obtain the correct code.

This access code allows the individual to sign up for the one year of free credit monitoring at the University’s expense. In addition, the Office of Human Resources is currently exploring options for discounts that can be made available to all employees for credit monitoring services that would be directly paid for by employees. This is in addition to the one year of University-paid credit monitoring services currently offered to individuals who are affected by the data breach.

My access code for credit monitoring doesn’t work. What should I do?

Unfortunately, the letters mailed to people on January 10, 2014, from Rust Consulting on behalf of the University included an incorrect access code. Rust is mailing people the correct code at its expense; people should have that corrected information during the week of January 20, 2014.

However, people do not have to wait for their new code to sign up for credit monitoring. They can call the toll-free number 1.877.432.7463, and a representative will be able to provide them with the correct code. People simply have to give the representative their name and the last four digits of the incorrect code to get the correct one.

Anyone who uses an incorrect code to sign up for credit monitoring at https://www.myidmanager.com/promo_code.html will be provided with the 1.877.432.7463 toll-free number to obtain the correct code.

I did not receive a notification letter. Does this mean that my personal information was not compromised?

During the week of December 10, 2013, the University began sending a letter to the last known home address of every individual believed to be affected by this incident and for whom the University had address information. If you received a letter, it will specify what elements of your personal information are affected. If you have moved recently and you believe the University does not have your current address, please call the toll-free call center assisting the University at 1.866.458.3184. The call center is available to answer your phone call, in English and in Spanish, between 9:00 a.m. and 6:00 p.m. Eastern Standard Time, Monday through Friday, until February 10, 2014. You also can send any questions not answered in these FAQs directly to the University at incident_questions@unc.edu, and a University employee will contact you.

What kind of personal information was involved?

The letters sent to the people affected by this incident detailed which elements of their personal information were in the compromised files.

When was the information publicly accessible?

The University believes that the files containing sensitive information were online between July 30, 2013 and November 23, 2013.

Can Google be forced to confirm whether the files copied as part of their normal processes were accessed?

The University cannot compel Google to provide information.

Why was there a delay in notifying me about this incident?

The University takes this situation very seriously, and officials acted immediately to remove the files from public access. But it was equally important to verify that your personal information was included in the files, and what elements of that information were included, before notifying you about the incident. The University discovered this incident on November 11, 2013. Immediately upon becoming aware of this inadvertent disclosure, the University began conducting a thorough forensic investigation. Because of the diversity and complexity of the potentially affected data and the detailed analysis required, it took time to identify files that might have been exposed and to confirm the validity of the personally identifiable data the files contained. Obtaining current contact information for potentially affected individuals, preparing and mailing notification letters to alert them of this incident, and setting up a toll-free call center required additional time.

Is my personal information still at risk of disclosure?

Upon learning that these files were inadvertently accessible on the Internet, the University immediately took steps to deny public access to them. The University requested that Google, which had independently copied and hosted the files on its own servers, do the same. The University has confirmed that Google has complied with its request and that the files are no longer accessible. The University has no reason to believe that any other party made copies of the files. If copies were made, they do not appear in Internet searches conducted by the University.

Has the University contacted law enforcement about this incident?

No. Criminal conduct is not suspected at this time.

Should I contact the Social Security Administration to change my Social Security number if my Social Security number was part of the information that was contained on the compromised servers?

The Social Security Administration is unlikely to change your Social Security number in the absence of any evidence that your Social Security number is actually being misused. In addition, according to information on the Social Security Administration’s website, http://www.ssa.gov/pubs/10064.html#new, changing your Social Security number may create additional problems because you would lose your existing credit history and because other government agencies (including the Internal Revenue Service and the Department of Motor Vehicles) and private businesses (such as banks and credit reporting companies) are likely to have records under your current Social Security number.

Should I notify the IRS?

The IRS Taxpayer Guide to Identity Theft advises that if your tax records are not currently affected by identity theft, but you believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you can contact the IRS Identity Protection Specialized Unit at 1-800-908-4490. See additional information at http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft.

What should I do if I believe my personal information has been used fraudulently?

You should immediately: (1) report the crime to your local law enforcement agency, (2) contact any creditors involved, and (3) notify all three credit bureaus. You may also choose to put a credit freeze on your file; please note that there may be a cost associated with this. Additional guidance is available on the Federal Trade Commission’s website at http://www.ftc.gov/bcp/edu/microsites/idtheft.

What is the legal recourse for an individual whose data is compromised?

The University does not provide legal advice to individuals outside the scope of their duties as employees or agents of the University.

Did the affected files contain any information about my bank account?

Our investigation of this incident indicates that the affected files did not contain bank account information.

Did the affected files contain any information about my credit cards?

Our investigation of this incident indicates that the affected files did not contain credit card information.

Did the affected files contain any information about University research subjects or UNC Health Care System patients?

Our investigation of this incident indicates that the affected files did not contain research or health care patient information.

Did the affected files contain any information about the University’s alumni or donors?

Our investigation of this incident indicates that the affected files did not contain alumni or donor information.

Did the affected files contain any University student information?

Yes. Approximately 150 former students are thought to be affected. The University sent notices about this event to all of these former students.

Who can I contact if I have additional questions?

The toll-free call center assisting the University can provide answers to the frequently asked questions; you can contact the center at 1.866.458.3184. Representatives are available to answer your phone call, in English and in Spanish, between 9:00 a.m. and 6:00 p.m. Eastern Standard Time, Monday through Friday, until February 10, 2014. If the call center representatives cannot answer your question, they will take your name and phone number and forward that information to the University, and a University employee will contact you for additional assistance. You also can send your questions directly to the University at incident_questions@unc.edu, and a University employee will contact you.

I work at Carolina but don’t have easy access to a computer. Where can I get assistance?

The Facilities Services Human Resources Office is available to assist University employees. You can stop by the office in room 110 of the Giles Horney Building on Airport Drive.

What if I need translation services for languages other than Spanish?

The Facilities Services Human Resources Office is available to assist University employees. You can stop by the office in room 110 of the Giles Horney Building on Airport Drive.

Are there translation services for Burmese and Karen speakers?

(Burmese and Karen translation below):

[Images: Burmese1, Burmese2]
