October 16, 2013
UA informs former law students of computer security incident
TUCSON, Ariz. - The University of Arizona is informing certain former law students and applicants to the James E. Rogers College of Law that an unauthorized intruder may have had access to their personally identifiable information.
An intruder accessed a server hosting the College of Law public website on July 29. Analysis of the server showed that the intruder may have accessed old class rosters and applicant lists that were stored on the server in error. The investigation identified 9,080 individuals whose names and social security numbers were potentially accessible. The University has attempted to notify all those affected by personal letter.
Following discovery of the breach, the server was immediately taken offline and the University of Arizona Police Department and FBI were notified of the intrusion. The case is currently under investigation by the FBI.
“We’re working to help make sure people are not harmed by this incident,” said Marc L. Miller, dean of the James E. Rogers College of Law. “We deeply regret the breach occurred and we’ve taken extensive measures to prevent this from happening again.”
The University has purchased 12 months of credit monitoring from Experian, which will allow affected individuals to monitor their credit activity at no charge. The College of Law also set up a toll-free number at 877-522-7970 for people to call with additional questions.
The compromised server also stored usernames and passwords used to access a College of Law intranet. Because people often use the same passwords for multiple purposes, the University is recommending that impacted individuals change their passwords if they have used the same credentials elsewhere.
The University no longer uses Social Security Numbers as personal identifiers except where required by law. Instead, all students, alumni, faculty and staff, and others whose records are kept for business reasons are assigned a personal University identification number. The files stored on the compromised web server predated this policy by several years.