The records of almost a quarter-million people whose information is on file at Western Connecticut State University might have been vulnerable to theft since 2009, the university announced Thursday.
People affected by the vulnerability are being offered two years of identity theft protection.
The security hole, which has since been fixed, was found in the process of a routine security audit, not after the detection of a breach, Interim Associate Vice President Paul Steinmetz told The Press Thursday morning.
“It was a regular maintenance, kind of looking at the system,” he said. “It was discovered by the University Computing — our IT department.”
The security vulnerability was caused by a misconfiguration, rather than a flaw in software licensed from a vendor, Mr. Steinmetz said.
The vulnerability existed from April 2009 to September 2012 and potentially exposed information, including Social Security numbers, of about 235,000 people whose records were collected by the university over a 13-year period, the school said in a statement this morning.
The affected group includes students, their families and those who had other associations with the university, as well as high school students whose SAT scores were purchased in lists, a common practice in higher education.
Although WCSU has found no evidence that records were inappropriately accessed, to protect those potentially affected, Western is offering up to two years of ID theft protection at no cost through a company named AllClear ID.
Everyone in the affected groups will receive a letter explaining the protection being offered and the steps they may take to access AllClear ID services.
A WestConn spokesman said that when he became aware of the issue on Sept. 26, 2012, WCSU President James W. Schmotter immediately activated the Board of Regents security incident response plan. The regents Information Security & Policy Office conducted an investigation to determine what happened and identify and remediate security vulnerabilities campus-wide. The university also informed the Connecticut Attorney General’s office of the issue.
“We are disappointed that the potential existed to have these records exposed but we will do everything we can to protect our students, their families and others with whom we have worked,” Mr. Schmotter said. “The steps we are taking and the solutions we are offering to every one of those affected are designed to address any problems this situation may have caused.”
Since discovery of the exposure, the university has dramatically increased its information protection capacity with new layers of protection. The university will continue to assess and improve all aspects of its information security.
All those affected will receive notification through the postal mail. In addition, Western has set up a searchable database that contains the names of all affected individuals. Instructions can be found at www.wcsu.edu/securityincident.
A list of frequently asked questions, provided in English, Spanish and Portuguese, is also available at that site, along with other information.
WCSU and AllClear ID have set up a hotline at (855) 731-6012 to answer questions from those affected. The hotline will be staffed from 9 a.m. to 9 p.m., Monday through Saturday.
For more information, call Paul Steinmetz at (203) 837-9805.