University of Iowa News Release
June 1, 2005
UI: No Evidence Personal Information Taken In UBS Computer Breach
Although there is no evidence that any personal customer information was taken, the University of Iowa is alerting current and past University Book Store customers that a computer containing credit card numbers and student/employee ID numbers was improperly accessed from outside the UI network last month. As a precaution, the university wants potentially affected customers to know about the breach so they can make an informed decision on whether to take steps to protect themselves against the risk of identity theft and/or unauthorized credit card use.
The breach occurred on May 18 and was discovered later the same day. Upon discovering the breach, the University Book Store shut down and isolated the computer system, which may have contained up to 30,000 active credit card numbers. It should be noted that no other UI departments that accept credit card and/or ID charges are impacted.
An internal investigation by UI information technology authorities and by UI Police is under way, and the FBI has been notified.
According to Steve Fleagle, UI chief information officer, two independent firms have been retained by the UI to analyze the incident and determine the possible degree of exposure of personally identifiable customer information and also to determine what can be done to prevent similar occurrences in the future. The companies are VeriSign, a nationally recognized computer security firm, and The Starken Group of Cedar Rapids. Also, Visa and MasterCard have prescribed incident response checklists for such breaches, which are being closely followed in this case.
"The confidentiality of the bookstore customers' private financial information is one of our highest priorities," said David Grady, UI assistant vice president for student services, who supervises the book store. "Since this incident, we have been working closely with UI Information Technology Security Office and our consultants to understand how this breach occurred and to determine what steps we can take to avert a recurrence."
Since the records in the tampered system did not contain complete addresses of the credit card holders, the university cannot notify customers individually. Grady has announced that the UI has established an information website for anyone with questions about the incident http://news.uiowa.edu/bookstore/index.html
Information on placing a precautionary fraud alert on credit files is included on the website.
STORY SOURCE: University Relations, 101 Jessup Hall, Iowa City, Iowa 52242-1000.
MEDIA CONTACT: Steve Parrott, firstname.lastname@example.org, 319-335-0552, cell 319-530-6972