Data breach
After more than two weeks of this university scrambling to control the fallout from the Feb. 18 data breach and ensure some measure of financial security for those affected, complaints continue to roll in from students, faculty and alumni, who — searching for answers and assistance — have reportedly found little in the way of both.
Now, in the latest worrisome detail to come to light in what has been a confusing and frankly mismanaged affair, an investigation in October found that an online identity theft market acquired much of its information from Experian, the corporation responsible for the free five-year credit monitoring plan the university is offering.
Former Washington Post reporter Brian Krebs revealed that Experian subsidiary data collection service, Court Ventures, Inc., had been furnishing identity theft websites with Social Security and drivers license numbers, among other data.
The perpetrator, a 24-year-old Vietnamese man who posed as a private investigator to gain access to Experian’s information, was arrested in February 2013, and Experian stopped reselling data to U.S. businesses for fraud prevention and identification verification purposes.
Yet for the more than 300,000 university community members hoping to take advantage of the five years of free credit monitoring promised by the university after the cyberattack, Experian’s preventative measures offer only slight reassurance. Even though the company has taken swift action to prevent information from being compromised again, that’s not the most pressing issue at hand for the university community.
In the past two weeks, the company’s chief black mark has lain with its call-in lines, which students, faculty and alumni said were unable to provide them with information at times and, in some cases, offered conflicting answers regarding whether their information was compromised. Many who tried to call simply weren’t able to get through at all.
Brian Ullmann, this university’s marketing and communications assistant vice president, told The Diamondback last week that Experian was unprepared for the sheer number of calls it received. In addition, some operators hadn’t been briefed properly regarding the university’s data breach, a situation Ullmann said “has been largely resolved.”
“Largely resolved” isn’t good enough. The financial security of 309,079 students, faculty and alumni is on the line. The university expects to shell out $6 million to Experian if all those affected by the data breach sign up for credit monitoring, according to Ullmann. Though university officials have learned how the attack transpired, many questions remain regarding the breach and the future, and we shouldn’t settle for mediocrity in any of the attempts to address this cyberattack. There’s simply too much at stake.
Though much of the blame for problems rests on Experian’s shoulders, we must take the university to task as well. Some alumni affected by the cyberattack reportedly did not receive university emails notifying them of the breach, and the university’s hotline established shortly after the breach experienced the same overload of calls as Experian’s service.
Moreover, university President Wallace Loh’s initial assurance in a Feb. 19 email that “no financial, academic, health, or contact” data had been compromised rang hollow, especially with hundreds of thousands of Social Security numbers in the hands of an unknown attacker.
Sure, no one saw the cyberattack coming, and it’s possible that no level of preparation would have proven adequate in the face of such catastrophe. But the fact remains that the university community hasn’t had access to the information and assistance it needs — and that needs to change.
At face value, the $6 million figure for credit monitoring appears staggering, but the university’s allotted spending toward data protection amounts to less than $19.50 per affected person. If Experian’s services don’t cut it, and students, faculty and alumni continue to be left in the dark, this university needs to seek alternate means of protecting its community, regardless of cost. The university might pay the ACC $52 million in exit fees to enter the Big Ten Conference — a move this editorial board supported — but when push comes to shove, is it willing to spend what is needed to ensure its community’s financial security?
This editorial board urged students, faculty and alumni Feb. 25 to call the Experian hotline and sign up for credit monitoring services. One week later, even after all the complaints and qualms voiced, we have no choice but to echo our plea. For all its alleged inefficacy, this service remains the only free option afforded to individuals affected by the data breach, and the university community must make use of it.
So call, even when you can’t get through. Call, even if the answers you receive aren’t the ones you wanted or needed. Call, and hope the university does right by its community.
