Cal Poly Pomona

Privacy Alert and FAQ

Cal Poly Pomona is notifying 675 former student applicants that their personal information was inadvertently accessed. The information includes names, addresses, phone numbers and Social Security numbers; no financial data was involved.  After a comprehensive review, there was no indication that anyone other than the individual who alerted the university had accessed the data.

On November 17, a former student notified the university that he accessed an Excel file containing his personal information.  He came across the file while searching Google for information about himself.  This file contained the personal information of applicants from 2001 and was stored on an old server scheduled for replacement in 2009.  The university took immediate action to secure the file and remove the data.  The Information Security Office began an investigation and determined that this data breach was unintentional as the file had been mistakenly placed in a publicly accessible folder. 

As a matter of caution, the university is alerting those individuals whose personal information was in the accessed file. 

“We sincerely regret that this data was not secure,” said Dr. Debra Brum, vice president for Instructional and Information Technology. “Everyone at the university plays a role in protecting personal information, and we take this responsibility very seriously.”

Cal Poly Pomona is constantly reviewing its information security program and controls.  The university is in the process of implementing a multiyear and multi-layer program to bring all computers and servers to an optimal level of security.

Frequently Asked Questions

Did a breach of data occur?

On November 17, a former student alerted the university to an online file that contained personal information.  Immediate action was taken to secure the file and remove the data.  Cal Poly Pomona has no reason to believe that there was any malicious intent or that the acquisition of the data was intentional.

How did this happen?

The information had been mistakenly placed in a publicly accessible folder on an old server scheduled for replacement in 2009. Cal Poly Pomona is constantly reviewing its information security program and controls.  The university is in the process of implementing a multiyear and multi-layer program to secure all of the university’s information assets.

Who is being notified of the unauthorized access?

Cal Poly Pomona is notifying 675 student applicants from October 2001 by US mail.  Letters will be sent the week of December 8.

Why are these people being notified?

Although we have no knowledge or evidence that any information was misused, people whose confidential information (name and Social Security number) resided in this file should know of this incident. This is in compliance with California laws regulating privacy of personal information.

What data was in the file?

This file contained the personal information of 675 applicants from 2001. The information includes names, addresses, phone numbers and Social Security numbers. No financial or academic data were involved. 

Has this ever happened to Cal Poly Pomona before?

The university experienced a breach in 2005, when a hacker used a newly identified weakness in a computer backup program to take control of two machines. The exploit allowed the hacker to install a software agent (program) that bypasses system security protection. That case resulted in the notification of 31,077 current and former student applicants, students, faculty, and staff members by email and letter. There were also three cases when the university notified a total of 440 students that their SSNs had been improperly posted on campus web pages.

Why does Cal Poly Pomona use Social Security numbers at all?

For all on-campus identification, we now exclusively use the Bronco Number. Employees are prohibited from using SSNs except where required, for instance for financial aid, employment eligibility, tax withholding, and to verify the authenticity of records received from other institutions.  Cal Poly Pomona has an active program to educate employees about the sensitivity of SSNs and other personal information, and to remove this data from all unnecessary locations.

Why did this take so long to announce?

After the student communicated the issue, a team of experts undertook a comprehensive audit of the file and access logs. Given the age of the data, the university also worked to ensure that the contact information was up to date.

What are you doing to prevent this from happening again?

The server in question was implemented in the late 1990s and is scheduled for retirement in 2009. The university’s information security practices have been vastly strengthened since the server’s initial deployment. The university is in the process of implementing a multiyear and multi-layer program to bring all computers and servers to an optimal level of security. We have procedures in place for access to data, and we are in the process of revising our continuing education program for employees with access to confidential data.

How at risk is Cal Poly Pomona data?

There is always some risk; however, we are proactively monitoring our systems and continuously improving our processes, procedures and systems to ensure the safety of our data.

Can you guarantee that information will not be breached again? If not, why?

We wish we could, but computer security is an ongoing battle requiring considerable money and staff support. The university has to defend itself against criminals looking for private information they can use, malicious hackers who vandalize Web sites, and major virus and worm attacks.

What advice can you give people who have been impacted by this event?

Read about identity theft, and follow the suggestions that seem most appropriate to your own situation. Everyone should learn about identity theft because it is a fact of life in the 21st century.

For those specifically impacted by this event, we recommend you request a credit report to look for unusual activity.  California residents are entitled to a free credit report annually.  You can request a report or fraud alert from one or more of the credit agencies at www.annualcreditreport.com. Monitoring and periodically reviewing your credit report is an effective tool in fighting identity theft.  Additional information may be obtained from:

  • Equifax, (800) 525-6285, www.equifax.com
  • Experian, (888) 397-3742, www.experian.com
  • TransUnion, (800) 680-7289, www.transunion.com

Will putting a fraud alert on my credit bureau records interfere with my day-to-day use of my credit card?

The fraud alert means you will be notified if someone attempts to change the credit limit on your card or attempts other unusual actions. The fraud alert can be renewed at no cost every 90 days.

How can I get more information?

You can email us at infosecurity@csupomona.edu or call (909) 869-5130. If you contact us, please provide your name and email address or phone number, but NOT personal information such as your Social Security number. Please note Cal Poly Pomona will only contact you regarding this matter if you ask us for information by email or telephone. We will not ask for your full Social Security number. We will not ask for credit card or bank information.

Will anyone from campus contact me about this event?

Please note Cal Poly Pomona will only contact you regarding this matter if you ask us for information by email or telephone. We will not ask for your full Social Security number. We will not ask for credit card or bank information. In similar cases at other institutions, people have been contacted by individuals claiming to represent the university and asking for personal information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

January 8, 2009
