40,000 Social Security numbers exposed in UH Manoa security breach

Hawaii Independent Staff

MANOA—The University of Hawaii at Manoa today began notifying about 53,000 people listed in a system database that a recent security breach may have exposed personal information, including over 40,000 Social Security numbers and 200 credit card numbers.

The information was housed on a computer server used by the campus’ parking office. The breach occurred on May 30 and was discovered on June 15. The system was immediately isolated, and an investigation was launched to determine scope of the breach and identify individuals who may have been affected.

Letters were mailed to affected individuals on Saturday, July 3; recipients should begin receiving those letters on the next business day, Tuesday, July 6. In addition, an email notice will be sent to affected individuals at their most recent email address on record.

The FBI and Honolulu Police Department have been notified, and a forensic investigation has been initiated.   

To protect personal information from further unauthorized access, Social Security numbers are no longer used for parking transactions, and are being purged from all current and historic parking office databases. Additional security measures that are being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.

The database contained personal information, including names, Social Security numbers, addresses, driver’s license numbers, vehicle information, and credit card information of two main groups of individuals: UH Manoa faculty and staff members employed in 1998 or anyone who had business with the UH Manoa Parking Office between January 1, 1998, and June 30, 2009.

The possibility exists that addresses will not be located for all affected individuals—predominantly visitors to the campus who either appealed parking citations or who had vehicles towed at UH Manoa between January 1, 1998, and June 30, 2009.

Affected individuals should:

*      Obtain and carefully review credit reports. Order free credits reports from all three credit agencies by going to the website at http://www.annualcreditreport.com or by calling 877-322-8228.
*      Review bank and credit card statements regularly, and look for unusual or suspicious activities.
*      Contact appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.

Inquiries may be made by calling UH Manoa at (808) 956-6000 on weekdays between the hours of 8:00 a.m. and 4:30 p.m., or by going to http://www.hawaii.edu/idalert/ for answers to frequently asked questions, and other related information.


10 Frequently Asked Questions on unauthorized access to computer server at UH Manoa campus

1. What happened?
A routine audit conducted on June 15, 2010, discovered unauthorized access to a computer server used by the UH Manoa Parking Office had occurred on May 30, 2010.

2. Am I affected?
Approximately 53,000 records were stored in the database. Of this total, approximately 41,000 Social Security numbers and 200 credit card numbers were exposed.  The database contained data on two main groups of individuals:

a.    UH Manoa faculty and staff member employed in 1998.
b.    Anyone who had business with the UH M?noa Parking Office between January 1, 1998, and June 30, 2009.  This includes:
c.    Anyone who purchased parking permits, including staff of the East-West Center, UH Foundation and Research Corporation of the University of Hawai‘i (RCUH).
d.    Any campus visitor who had a vehicle towed or appealed a parking citation.

3. What information was in the compromised database?
The database contained personal information, including names, Social Security numbers, addresses, driver’s license numbers, vehicle information, and credit card information. Information on other individuals included their UH identification numbers, which are not sensitive.

4. Has the data been misused?
At this time, UH Manoa has no evidence that personal information was actually accessed, but we also cannot determine with certainty that it was not accessed.

5. Is there an investigation into this incident?
A forensic computer expert has been retained to further investigate this matter. The Honolulu Police Department and FBI have been notified, and have been asked to investigate any potential criminal activity related to this incident.

6. What is the campus doing to prevent future security breaches?
Social Security numbers are no longer used for parking transactions, and are being purged from all current and historical Parking Office databases. Additional security measures being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.

7. How will affected individuals be notified?
Letters to affected individuals were mailed on Saturday, July 3, 2010, and should be received starting on the next business day, Tuesday, July 6.  In addition, an email notice will be sent to affected individuals at their most recent email address on record.

8. What should affected individuals know and do?
Carefully monitor your financial information and take protective measures against identity theft, which include:
·      Obtaining and carefully reviewing credit reports.  Free credit reports from all three credit agencies may be obtained at http://www.annualcreditreports.com or by calling 877-322-8228.
·      Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
·      Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.
If your identity or account has been compromised, you may take actions such as requesting refunds, closing accounts, and placing your credit records in a state of “fraud alert” or “freeze.” Please know that we are making every effort to ensure that this incident does not recur.

9. If I did not receive a notification letter, does that mean my information was not in the compromised database?
Not necessarily. The campus has been collecting addresses of affected individuals, but not all addresses could be located—predominantly visitors to the campus who either appealed parking citations or who had vehicles towed at UH Manoa between January 1, 1998, and June 30, 2009.

10. How can I get more information?
On weekdays between the hours of 8:00 a.m. to 4:30 p.m., call (808) 956-6000, or go to the webpage at http://www.hawaii.edu/idalert/. Updates will be posted as new information becomes available.