The NC Community College System Office began notifying nearly 51,000 library users from 25 community colleges that a security breach occurred on a computer server containing their personal information, including Social Security or drivers license numbers.
All reviews and investigations indicate that no personal information was accessed by the intruder. However, library users with such information on the server will soon begin receiving letters explaining the attack, steps being taken to prevent future breaches and actions they may take to protect their credit and to ensure protection from identify theft.
Isothermal Community College says that it was not affected by the breach because it is not part of the group included on the server.
On Sunday, August 23, 2009, a computer hacker accessed the library patron information on the computer server, housed in the community college system office in Raleigh, via the Internet by decoding a user password. The breach was discovered on Monday, August 24 during a routine security review and was reported to the states Information Technology Service (ITS). The system offices information services division immediately began an investigation to trace the activity of the attacker and the extent of the breach.
Forty-six community colleges that participate in the Community College Libraries in North Carolina consortium (CCLINC) maintain information on more than 270,000 library users on this server. The investigation revealed that 8,300 drivers license numbers, originally collected by 18 colleges to help identify library users, were stored on the server. Several colleges had ceased to collect personally identifiable information such as drivers license and Social Security numbers.
The System Offices Information Services team began coordinating and consulting with partners such as ITS, CCLINC steering committee and the affected colleges to determine the next steps.
The community colleges whose library user information included drivers license numbers are Alamance, Beaufort, Blue Ridge, Brunswick, Central Carolina, College of the Albemarle, Gaston, Halifax, Johnston, Martin, Pamlico, Piedmont, Richmond, Rowan-Cabarrus, Tri-County, Vance-Granville, Wake Tech and Wilson.
The ongoing review revealed on October 19, 2009, that Social Security numbers of 42,500 library patrons were also stored on the breached server. Community colleges whose library patron information included Social Security numbers were Bladen, Haywood, Lenoir, Nash, Pamlico, Richmond, Roanoke-Chowan, Sandhills, Southwestern, Tri-County, Vance-Granville and Wilson. The addition of the seven new colleges impacted by the computer intrusion brought the total number to 25. The information services division expanded their investigation to include this new data, the additional colleges and the extra steps needed to remove Social Security numbers.
“Finding the Social Security numbers added another layer onto an already complex investigation,” said Dr. Saundra Williams, senior vice president of technology and workforce development in the system office. “We went from 8,300 library users to nearly 51,000 so the scope of our review was greatly increased. We felt it was necessary to be extremely cautious each step of the way to prevent future breaches and to ensure that the information was dealt with appropriately.”
Each of the affected colleges has started removing the personal data, and the system office is taking additional steps at the server level to ensure this personally identifiable information is no longer stored or recorded for
“We regret this situation has occurred, and we apologize to those with information on the server,” Williams said. “Our colleges and our system office are making every effort to ensure that personal information is permanently removed from our records.”
Letters to affected library patrons state whether the personal information stored on the server included their Social Security number, their drivers license number, or both. The letters also contain information for recipients to use in checking and securing their credit status. Library patrons at the affected colleges who have questions about the letters or about the status of their personal information can call (919) 807-7241 or e-mail LibraryInfo@nccommunitycolleges.edu. Calls and e-mails will be returned Monday-Friday, 8 a.m. to 5 p.m., except on state holidays. Those seeking more information are encouraged to use the above contact information as most community colleges are closed for the holidays until Monday, January 4, 2010.
Those wanting more information related to checking their credit status or protecting personal information may visit the N.C. Attorney Generals website at http://www.ncdoj.com/Help-for-Victims/ID-Theft-Victims/Received-a-Security-Breach-Letter.aspx.library patrons.