We know many people have questions concerning this incident. We try to answer some of the most common questions below. First, Mark Willis, Chief Information Officer, and Dan Han, Information Security Officer, talk about the server intrusion incident in the video below:
Q. I received the notification via e-mail/letter from VCU about the incident. Does that mean someone stole my personal information and is using it in some way?
A. Based on the forensic evidence, we believe the likelihood of this identity data being accessed or copied by the intruders is very low. Unfortunately, our extensive investigation was unable to determine with 100 percent certainty whether any sensitive information was accessed. As a result, we are informing these individuals of this event. See the links on the home page for more information on protecting yourself from identity theft.
Q. Exactly what personal information may have been exposed?
A. Personal information stored on the server varied based on the individual’s role:
1. If a student in Summer 2011 or Fall 2011, or a current University employee or affiliate (42,438 Individuals) – data included SSN, name, date of birth, eID, email (@vcu.edu), VCUCard number, home address, student academic program, job department & title
2. If a current VCU Health System or MCVAP employee, or Health System affiliate (16,857 Individuals) – data included SSN, name, date of birth, eID, Health System eeid, email (@vcu.edu), VCUCard number, job department & title
3. If a former University employee employed during or after November 2005 (19,172 Individuals) – data included SSN, name, date of birth, email (@vcu.edu), home address, job title
4. If a University student accepted for Fall 2011 who did not enroll at VCU (2,328 Individuals) – data included SSN, name, date of birth, eID, email (@vcu.edu), personal email, VCUCard number
5. If a former University student who did not attend after Spring 2011, or a former University affiliate, or a former VCU Health System or MCVAP employee, or a former Health System affiliate, any of whom was issued a VCUCard (95,772 Individuals) – data included SSN, eID, VCUCard number
Q. Why would data for VCUHS employees be in the University server?
A. VCUHS provides this type of data to the University for many administrative purposes such as issuing ID badges and parking passes, establishing RamBucks accounts, and verifying Service Awards.
Q. What is being done to protect these servers and systems in the future?
A. The first server has been moved behind the University firewall, and the vulnerabilities that were present on both servers have been patched. Additional monitoring has also been put in place for these servers. Both the University and VCUHS had already planned to engage external consulting firms to perform extensive security assessments to determine if any systems are at risk for unauthorized access. This testing will be expedited, and the results used to determine additional appropriate actions.
Q. Will VCU contact me to ask for private information because of this event?
A. VCU WILL NOT contact you and ask for your private information. In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University who then proceed to ask for personal information, including Social Security Numbers. Please be aware that VCU will only contact you with information regarding steps you should take to prevent possible fraud or identity theft; or if you ask us, by e-mail or telephone, for information. We will not ask for your Social Security Number, password, or any other personal information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.
Q. Why isn’t VCU automatically offering identity theft protection services to all individuals as with previous incidents?
A. VCU was able to track the activities of the intruders on the two servers and found no evidence that personal data was accessed or copied. We believe that there is a very low likelihood that personal data was exposed or that there is a risk of identity theft. Therefore, we are not automatically offering identity protection services to all 176,000 individuals in this incident. However, for the peace of mind of concerned students, employees and affiliates, the University will honor individual requests for these services. Individuals who wish to make a request should call the Security Incident Information Center at (Toll Free) 1 (855) 886-2931 for more information.
Q. My identity theft protection letter I received mentions monitor and fraud alert services, whats the difference?
A. The monitoring service provides daily review of your credit histories with all three major credit reporting agencies (Equifax, Experian and TransUnion), monthly email notifications of no activity, immediate notification of key changes to any of the three agency reports, and one 3-in-1 credit report (all three agency reports in one file) and unlimited access/copies of your credit report. In the event you are the victim of identity theft, you have up to $1 million in identity theft insurance with no deductible and 24/7 access to service provider staff to assist and investigate.
A fraud alert is a flag to potential and existing creditors that there may be fraudulent activity within your credit history report. It also requests creditors contact you prior to opening new accounts in your name. Activating an alert on your account, however, does restrict your own access to your report.
The monitoring service is best used when there is a possibility your information may have been compromised (example: data breaches). The fraud alert is best used when you are 100% certain your information has been compromised (example: stolen wallet/purse that contains ID, credit cards, etc.).
Q. Can I continue the identity theft protection service after the VCU provided one year of free service expires?
A. VCU is covering the cost for one year of the identity theft protection service if you choose to enroll using the promotional code offered. If you choose to continue with the service at the end of the VCU paid period, you will be eligible to continue enrollment at the discounted price of $60 per year for as long as you remain in the program. If you discontinue the service and then elect to enroll at a later date, the regular service price would apply. The service provider will notify you approximately one month prior to the end of the service period and give you the opportunity to re-enroll. If you choose not to enroll, the service will simply end. Continuing enrollment is strictly your option; you are under no obligation to do so.
Q. Who should I contact if I have any additional questions concerning this incident?
A. Please contact the special Technology Services Security Incident Information Center at (Toll Free) 1 (855) 886-2931 or at firstname.lastname@example.org should you have any questions not covered here concerning this incident.