Academic Technologies - Barnard College
Security update - January 2007

                               


This notice was originally posted on our website on June 8, 2006. As of January 24, 2007, please direct any questions you may have regarding this incident to the Help Desk at (212) 854-7172.

On Tuesday, June 6, 2006, Barnard College became aware that a "hacker" accessed one of our computers. That computer contained personal information, including the names and social security numbers of a majority of the current members of the Barnard Community, the classes of 2004 and 2005, and a small number of Columbia University students who used the Barnard swipe card system. There is no clear indication at this time that the intruder in fact accessed the personal information on the computer; however, to be cautious, the College wanted to advise you of this event and keep you informed of our ongoing investigation and efforts. We will continue to investigate the computer logs to attempt to determine if any personal information was, in fact, accessed.

This is a very serious issue for us, and we know it is a very serious concern for you. We have already taken all of the steps necessary to correct the situation and to prevent this from happening again. 

We encourage you to protect yourself against the potential misuse of your personal information by contacting one of the three major credit reporting agencies, each of which has an automated phone fraud alert process. The fraud alert tells creditors to contact you before opening any new accounts or making any changes to your existing accounts. More information on fraud alerts and protecting your identity can be found at www.consumer.gov/idtheft .

If you place a fraud alert, the agency you contact will notify the other two agencies. Fraud alerts will then be placed automatically on your accounts at those two agencies as well, and all three agencies will separately mail credit reports to you at no cost. Please contact one of these agencies to place a fraud alert under your name: 

Review your credit reports for any suspicious activity. If you see any accounts you did not open or incorrect personal information, call the credit bureau(s) or your local law enforcement agency (e.g., city police department) to file a report of identity theft. 

We have investigated this matter thoroughly and taken steps to reduce the chance of any future computer breaches. 

Please also be aware that Barnard College will not initiate any contact with you to confirm any information, such as your address or Social Security number. If you receive a contact with such a request, it will not be from the College, and you are advised not to respond.

If you have other questions or concerns, please call the Help Desk at (212) 854-7172.


FAQs - added June 19, 2006

How can I check my credit report?
By law, you are entitled to request one free credit report every 12 months from each of the 3 nationwide consumer credit reporting companies.
See https://www.annualcreditreport.com/cra/index.jsp .

What is a Credit Freeze?
A credit freeze prohibits any access to your consumer credit report or credit score and, without this information, a business will not issue new credit to anyone. If you yourself want to get new credit, you must use an assigned PIN number to allow access to your credit file. Legislation allowing consumers to place a credit freeze is in effect or pending in 23 states. In several of these states, there is a fee for this service.
See http://www.consumersunion.org/campaigns//learn_more/003484indiv.html  for state-by-state information.

FAQs - added June 12, 2006

What happened to cause this unauthorized computer access?
Based on our investigation, a single computer that runs the software for the College's swipe card access system was "hacked," we believe from an overseas location. At the time it was hacked, it was connected to the internet to receive remote technical assistance from the software vendor. It was not connected to the College's administrative computer system. This computer is now permanently disconnected from the internet.

The computer had the names and social security numbers of most current students (including some Columbia students who lived in Barnard's residence halls), faculty and staff, and alumnae from the classes of 2004 and 2005. No parent social security numbers or other financial information was on the computer.

What has the College done to protect my personal information?
In addition to rectifying the current security breach, the College currently houses all major administrative systems behind a secure firewall in a unique network segment called a "trusted zone". Each system requires at least an account ID and strong password for access. The College began a project to remove SSNs from common use last year, having joined a university-wide effort to remove all use of SSNs as identifiers. The project is progressing.

Should my parents or guardians be concerned about their social security numbers being accessed?
No. Your parents' or guardians' social security numbers were not on the computer, nor was any family financial information.

What if I don't have any credit cards or other credit accounts? Should I still contact one of the credit reporting agencies?
Yes, you should still contact one of the credit reporting agencies. A fraud alert is still important because it will make it more difficult for someone to open a new account under your name.

I called one of the credit reporting agencies to put on a fraud alert and they asked for my Social Security number. What should I do?
All three reporting agencies require your social security number in order to put a fraud alert on your credit report.

I am a student from another country and do not have a social security number. What should I do?
If you do not have a social security number, the number assigned to you on the computer cannot be used to open credit accounts in your name, and the risk to you is minimal.

FAQs - June 9, 2006

What happened to the College's computer system? 
A single, stand-alone PC was "hacked" by someone, most likely from an overseas location. The hacker placed an unauthorized program on the computer, which then sought, unsuccessfully, to locate other computers on the network that might be vulnerable. By monitoring the flow of network traffic, we were informed of the additional activity coming from this single computer. Once notified, it was promptly removed from the College's network.

Do you know if someone has actually gotten personal information about me? 
The College's investigation has revealed evidence of "hacking" but there is no indication at this time that confidential files were copied or that the hacker was seeking this information.

Is this personal information still at risk from another attacker? 
No. The accessed system has been removed from the network, and the problem corrected. The rest of the College's computing systems have been carefully reviewed and are protected. We will continue to monitor all of our systems and maintain proper and effective security. We have also engaged the services of an outside computer security consultant to investigate this incident, and we are making all necessary contacts with law enforcement agencies.

I have reviewed the website and still have questions. How can I contact someone? 
If, after visiting the website, you have other questions or concerns, please call the Help Desk at (212) 854-7172.

Will I be contacted if more information is available about the status of my personal information? 
Yes. The College will post updates and answers to common concerns on our website, and we will contact you directly if important additional information is available.

 

Details for the three major credit reporting agencies: 

 


Tools to safeguard your computer  
Protect your computer from viruses. Find and destroy spyware and trojans. Install these software programs to minimize risk for your personal computer.

Commercial programs provided by the College to Barnard students, faculty and staff:
Norton AntiVirus
Pest Patrol

Use these free programs to eliminate spyware from your computer:
Ad-aware SE Personal 1.06
SpyBot 1.4

Other links

Federal Trade Commission  https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03  

The Department of Justice  http://www.usdoj.gov/criminal/fraud/idtheft.html 


original 06/08/06    last update 01/24/07