The University of Texas at Austin Responds to Data Theft
As one of the world’s largest academic institutions, The University of Texas at Austin maintains and uses vast information resources, including personal information collected from students, alumni, faculty and staff, vendors and others with whom we do business. It has long been the university’s policy and practice to treat personal information with the utmost care and diligence. In April 2006, a deliberate theft of data from the McCombs School of Business served to highlight the necessity of this commitment. It also underscored the ubiquity, severity and sophistication of today’s threats to information security.
Fraud Alert Update: If you believe your personal information has been compromised, you may place a fraud alert with the national credit bureaus, good for 90 days. The alert may be renewed indefinitely. Step-by-step instructions can be found at the Fraud Alert, Data Theft and Identity Theft Resources page. The McCombs Help Center page addresses many subjects regarding the data theft, as well as questions involving credit and credit protection.
Jay Foley Interview: Jay Foley, cofounder of the nonprofit Identity Theft Resource Center, discusses the growing problem of data theft and identity theft in America.
Since the data theft in April 2006, the University has focused its work on three areas relating to the data theft and the issue of data security in general:
Security: Ways we are improving security measures to ensure this never happens again.
Remediation: Steps being taken to lessen the exposure of Social Security numbers in our systems.
Protection: Resources and tips for responding to identity theft concerns.
We carefully examined all of our existing security systems. A full security audit was conducted by the UT Information Security Office. In addition, we called in independent consultants and major IT firms to do a comprehensive evaluation of our systems and applications.
Specific security steps were implemented to eliminate vulnerabilities. We cannot comment in detail on the steps taken, as it would not be in the interest of ongoing security, but we can tell you that we took definitive steps to secure the safety of information on our server. This includes removing all Social Security numbers from the McCombs server, and disabling several administrative programs containing personal information.
We cooperated with law enforcement authorities. Cyber Crimes Unit investigators from Texas Attorney General Greg Abbott’s office investigated the data theft at McCombs, in coordination with the Federal Bureau of Investigation and the UT Police Department. Internet security and data theft are obviously enormous global problems, and any institution with a substantial database is at risk. Data theft is a serious crime. While we still do not know who committed this crime, it is apparent from the evidence that this was a dedicated, highly skilled attack carried out by someone who knew exactly what they were doing. We do not know the motivations for the theft.
We added security resources. McCombs has significant resources dedicated to computer system functionality and security, and we added security expertise and technical capability to ensure that we can fully implement the recommendations highlighted by our security audits.
McCombs has made changes in compliance with the University’s remediation plan. We have disabled several administrative programs, and removed all Social Security numbers from the McCombs server.
The University has an active remediation effort campus-wide. The University has spent tens of thousands of work hours and millions of dollars upgrading our databases to eliminate sensitive data where possible. At an institution the size of UT Austin, with more than 150 separate business units, it’s an enormous task. But this is being taken very seriously, under the direction of the Information Security Office.
UT Austin communicated with nearly 200,000 individuals regarding the theft. This includes 45,000 e-mails, followed by 80,000 letters to those with SSNs compromised. Tens of thousands of all-clear e-mails and letters were sent, followed by an additional 60,000-plus letters to those with non-sensitive information compromised. The University far exceeded the legal notification requirements, and made an attempt to contact everyone for whom we have a valid address or e-mail.
Our call center and response teams handled thousands of inquiries. Our data theft call center handled over 9,000 calls from concerned individuals, and our on-site response team followed up with approximately 6,000 personal calls or e-mails, answering specific questions and gathering updated contact information.
Identity protection resources have been shared. This site provides valuable information to help protect against identity theft, including step-by-step instructions on filing a free 90-day fraud alert. In addition, we provide links to both government resources and commercial programs for credit protection and monitoring.
We will report any evidence of identity theft. To date, the University has not seen any patterns of identity theft resulting from the data theft at McCombs. It has been estimated there are over 50 million data thefts every year, so naturally it would be difficult to link a specific incident of identity theft to this particular crime. However, we are taking any report of suspicious activity seriously, and are turning that information over to authorities investigating this crime.