• About Us/Policies
• Accounts
• Cable TV/Video
• Computing Services
• Computing Sites
• E-Mail
• Enterprise Apps
• Hardware
• Help
• Hosting/File Storage
• ID Cards
• IT Security
• IT Training
• Media Services
• Network Services
• New to MU?
• Printing
• Research Computing
• Software
• Student Phones
• Telecom Services

Computer Security Questions and Answers

May 2007 Security Incident

What happened?

At 8 AM on May 4, 2007, University staff determined that a database had been attacked by an unknown hacker. IT staff disabled the account that was being used to access the database the same day and began performing computer forensics on the system. Additional details are noted in the UM System news release.

How was the system accessed?

Unauthorized access to sensitive information was obtained via the Internet.

Who was affected?

The affected individuals were employees of any campus within the University system in 2004 who were also current or former students of the Columbia campus.

Should I contact the police?

You should call your local law enforcement only if you have proof of fraudulent activity.

I received the notification letter from the University of Missouri about a computer security incident. Does that mean someone stole my personal information?

Yes. The University's investigation into this incident revealed that an unauthorized person accessed a database that contained names and Social Security Numbers. No bank accounts or other financial information, home addresses, birthdates or other personal information was revealed. Unless there is fraudulent activity, this will not affect your bank accounts, direct deposits, financial aid or credit applications.

What actions has the University taken?

Individuals whose name and Social Security Number have been unlawfully obtained by a third party have been notified of the unauthorized access with instructions on how to monitor their credit reports for suspicious activity. The University also has notified law enforcement authorities. If you received a letter, your personal information has been accessed. It does not mean your identity has been stolen but it does mean you are at risk.

Is this information still at risk of disclosure to an unauthorized person?

The database involved in this incident has been secured. The University of Missouri is taking precautions to minimize future security risks.

What can a hacker do with my name and Social Security Number?

They could gain credit in your name. That's why it is extremely important to put the fraud alert on your accounts so any new accounts must be approved by you.

What if I didn't get a letter?

The University has attempted to contact all users whose personal information was disclosed. If you did not receive a notification but are concerned about your personal information, you may call (573) 884-7222 or toll-free (866) 241-5619. This line has been activated and will be monitored by the University of Missouri from 8 AM to 5 PM CST, Monday through Friday. You may also contact the University by using our contact form. If you call, you must provide the last four digits of your Social Security Number. If you can't provide this information, we cannot discuss possible disclosure.

When I contacted the credit agency, a third-party vendor attempted to sell me additional services. What should I do?

University representatives have received varying reports regarding personal experiences calling credit agencies. While those agencies may ask you to purchase additional items such as credit scores, which are almost always generated for a fee, you are under no obligation to do so. If you're calling the agency, it's important to verify if there are any charges to you and what those charges are for. If you are generating a credit report on the Web, be mindful of clicking on popup ads and links to additional third-party services.

Remember, the companies you are contacting are in business to sell their products. You are not obligated to purchase anything in order to obtain a copy of your credit report. You also are entitled to an initial fraud alert for 90 days.

Purchasing a protection plan for your account may be a good safeguard if you are at risk. If you choose to buy a protection plan, you don't need the "extras" such as services to monitor your credit score or find your credit ranking. Any account associated with your Social Security Number is covered by your protection plan. You do not need to cover your spouse with a separate plan, even if you have joint accounts, unless your spouse is also affected by this incident. A protection plan should:

• Provide unlimited access to your credit report for the time you are covered.
• Monitor your credit accounts.
• Maintain a fraud alert on your account for one year or the length of your contract.
• E-mail alerts within 24 hours of key changes to your credit file.
• E-mail alerts within seven days of possible identity theft activity.
• Include Identity Theft/Fraud Expense Coverage.

Where can I get more information about what to do if my Social Security Number was released?

You can go to the Missouri Attorney General's Web site on identity theft or the Federal Trade Commission's Web site on identity theft.

What should I do to protect my personal information?

Individuals whose personal information was involved in this incident should request a free initial fraud alert to be placed on their credit files. There is a difference between a fraud alert and a credit report! Choosing the fraud alert is the most important thing you can do because it will prevent unauthorized attempts to gain your credit. You will be able to obtain a free fraud alert for 90 days. Request your free fraud alert by calling any one of the three major national credit bureaus:

• Equifax
  Direct Line for reporting suspected fraud:
  (800) 525-6285
  Fraud Division
  P.O. Box 740250
  Atlanta, GA 30374
  (800) 685-1111 / (888) 766-0008

• Experian
  Direct Line for reporting suspected fraud:
  (888) 397-3742
  Credit Fraud Center
  P.O. Box 1017
  Allen, TX 75013
  (888) EXPERIAN (888-397-3742)

• TransUnion
  Direct Line for reporting suspected fraud:
  (800) 680-7289
  Fraud Victim Assistance Department
  P.O. Box 6790
  Fullerton, CA 92634
  (800) 916-8800 / (800) 680-7289

A credit report will provide your credit history to date. It will allow you to determine if any of your previously-existing accounts have been accessed by unauthorized means. After you obtain your free credit report, inspect it carefully for any fraudulent activity related to your accounts. Check all of your account balances as well as the most recent credit activity. You are entitled to receive one free credit report every 12 months from each of the major credits agencies. That means you can stagger your requests and actually receive three credit reports in one calendar year. For instance, you can request one report now, one in one month and one every four months. You can continue this practice every year and have it coincide with tax time.

When contacting the Credit Reporting Agency, you should:

• Instruct them to flag your file with a fraud alert including a statement that creditors should get your permission before opening any new accounts in your name.
• Ask them for copies of your credit report(s). (Credit bureaus must give you a free copy of your report if it is inaccurate because of suspected fraud.) Review your reports carefully to make sure no additional fraudulent accounts have been opened in your name or unauthorized changes made to your existing accounts. Visit http://www.annualcreditreport.com/ to request a free credit report. You are entitled to receive one free credit report every 12 months from each of the nationwide consumer credit reporting companies: Equifax, Experian and TransUnion.
• Be diligent in following up on your accounts. In the months following an incident, order new copies of your reports to verify your corrections and changes, and to make sure no new fraudulent activity has occurred.
• If you find that any accounts have been tampered with or opened fraudulently, close them immediately. To ensure that you do not become responsible for any debts or charges, use the ID Theft Affidavit Form developed by the Federal Trade Commission to help make your case with creditors.

Can I request a new Social Security Number to try and prevent fraud from occurring?

To be considered for a request for a new SSN, you must have proof of fraudulent use of your SSN, such as a police report. The Social Security Administration will not allow you to request a new Social Security Number as a preventative measure.

If you have proof of fraud committed using your SSN, then there is a Social Security Administration form you can fill out to request a new number. The Social Security Administration evaluates these requests on a case-by-case basis. In addition, the new number remains tied to the old number, so you may still have to deal with any fraud committed under your old number.

According to the Social Security Administration site:

Only as a last resort should you consider changing your Social Security number. Changing your number may adversely impact your ability to interact with federal and state agencies, employers and others. This is because your financial, medical, employment and other records will be under your former Social Security Number. If you have done all you can and someone still is using your number, we may assign you a new number. We cannot guarantee that a new number will solve your problem.

If you do find suspicious activity on your credit report, call your local police or sheriff's office and file a police report of identity theft. You should get a copy of the police report in case it is needed to give to creditors to clear up your records. You should also contact the Missouri Attorney General's Identity Theft Hotline at (800) 392-8222 and file an Identity Theft Complaint Form with the Attorney General's Office.

Will the University of Missouri contact me to ask for private information because of this event?

In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University and who then proceed to ask for personal information, including Social Security Numbers and/or credit card information. Please be aware that the University of Missouri will only contact you about this incident if additional helpful information becomes available. We will not ask for your full Social Security Number. We will not ask for credit card or bank information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

Who should I contact if I have any additional questions concerning this security incident?

In order to answer any questions that you may have regarding this incident a special phone line, (573) 884-7222 or toll-free (866) 241-5619 has been activated and will be monitored by the University of Missouri from 8 AM to 5 PM CST, Monday through Friday. You may also contact the University by using our contact form.

What is the University doing to prevent future cases of unauthorized access?

We are reviewing systems, applications and procedures to mitigate the possibility of an event of this nature recurring. All companies or organizations using the Internet to serve their customers face this challenge. The University has and will continue to work diligently to secure its computer systems and information resources.