A data breach is never a good thing, but when the data breach isn’t discovered for three years, and then those responsible wait two months before notifying those affected and at risk of ID theft … Well, 24,000 University of Notre Dame employees are confronting that situation.
Files containing the employees’ names, Social Security numbers, birth dates and zip codes were posted on the Internet on a publicly accessible university website from August 2006 until October of this year when they were discovered. Social Security numbers are the most valuable piece of personal information for ID theft, and when combined with names and birthdates, ID theft is easily perpetrated.
The files were removed after their discovery in October, but university officials waited until November 20 to notify employees affected by the data breach, including student workers and a “large number” of temporary and on-call employees.
Consumers whose information is compromised in a data breach have a one in five chance of becoming ID theft victims within the next 12 months, according to analysis by Javelin Strategy and Research, an independent financial services research firm. The study results were released on November 20, the same day Notre Dame mailed the data breach notification letters.
There isn’t any information pertaining to the data breach on the university website’s home page or the news and information department’s page. Nor are there any links for employees who would like additional information.
None of the information appears to have been used to commit ID theft, according to Dennis Brown, Notre Dame’s assistant vice president for news and information. After mailing the notification letter, the university decided to offer credit-monitoring services to the affected employees, according to Gordon Wishon, the university’s chief information officer and associate vice president of information technology.
He advised employees to order and review their credit reports for evidence of ID theft. “That’s something the university cannot do.”
