Danbury’s Western Connecticut State University is in the process of notifying students, their families, and other constituents that their personal information may have been exposed to unauthorized access by a computer system vulnerability that has since been corrected. WestConn has found no evidence that records were inappropriately accessed.
The vulnerability existed from April 2009 to September 2012 and potentially exposed information, including Social Security numbers, of about 235,000 people whose records were collected by the university over a 13-year period.
The affected group includes students, their families and those who had other associations with the university, as well as high school students whose SAT scores were purchased in lists, a common practice in higher education.
Although WestConn has found no evidence that records were inappropriately accessed, to protect those potentially affected, Western is offering up to two years of ID theft protection at no cost through a company named AllClear ID.
Everyone in the affected groups will receive a letter explaining the protection being offered and the steps they may take to access AllClear ID services.
When he became aware of the issue on September 26, WestConn President James W. Schmotter immediately activated the Board of Regents (BOR) security incident response plan. The BOR Information Security & Policy Office conducted an investigation to determine what happened and identify and remediate security vulnerabilities campus-wide. The university also informed the Connecticut Attorney General’s office of the issue.
“We are disappointed that the potential existed to have these records exposed but we will do everything we can to protect our students, their families and others with whom we have worked,” Schmotter said. “The steps we are taking and the solutions we are offering to every one of those affected are designed to address any problems this situation may have caused.”
Since discovery of the exposure, the university has dramatically increased its information security capacity with new layers of protection. The university will continue to assess and improve all aspects of its information security.
All those affected will receive notification through the postal mail. In addition, Western has set up a searchable database that contains the names of all affected individuals. Instructions for navigating the database can be found at wcsu.edu/securityincident.
A list of frequently asked questions, provided in English, Spanish, and Portuguese, is also available at that site, along with other information.
WestConn and AllClear ID have set up a hotline at (855)731-6012 to answer questions from those affected. The hotline will be staffed from 9am to 9pm Monday through Saturday.
For more information, call Paul Steinmetz at (203)837-9805.