S Drive Incident

What Happened?

  • On August 26, 2008, IT staff at Clarkson became aware of a security issue where an unauthorized individual was able to access files holding the personal information of certain faculty and staff. The individual was not malicious and had quickly alerted campus officials when the vulnerability was found.
  • The server holding those files was immediately secured by limiting access to only the Security Officer and his backup.
  • Staff then began a wider inspection.
  • It was determined that a security layer was open for one day that allowed this individual to access the file.
    • The file contained personal information for approximately 245 individuals, including names, Social Security numbers and birth date information.
    • The file did NOT contain any credit card data.
  • We have completed an initial examination and are in the process of completing a thorough investigation.
  • We have established that the file was vulnerable for one day.
  • We have been able to determine conclusively that the information was not accessed by anyone other than the person who reported the vulnerability.
  • We therefore feel very confident that the data was not otherwise acquired.
  • We met with the individual who accessed the file and have determined that the information has not been misused. The individual notified the Clarkson administration immediately after gaining access.
  • There is no evidence that the information has been misused, but we take this event very seriously and are notifying individuals listed in the file as well as the entire campus community.
  • Further IT security measures are being taken and the situation will continue to be monitored.

Who is Affected?

  • Approximately 245 individuals – The group includes these types of people:
    • The 245 individuals are miscellaneous P-Card holders.
  • The information includes full name, Social Security number, and birth date.
  • The entire campus community is being made aware of the situation and the steps we are taking.
  • Affected individuals will be notified separately with further information.
  • We are communicating this information prior to completing our detailed review because we do not want misinformation to begin to cause undue concern.

What is Being Done?

  • Clarkson takes this matter very seriously and is working to inform everyone affected as soon as possible.
  • Notification letters will be sent to each individual listed in the file.
  • A thorough information technology audit is underway.
  • Security procedures and IT processes are being reviewed and revised, and will continue to be strengthened.
  • We are running a process called Spider against our network storage to identify files with potential PII information.
  • We are contacting the owners of this data and are looking at ways to reduce the risk these files create.
  • We are currently reviewing our storage structure on our network drives and are looking at ways of segregating PII data.
  • We will be offering training on how to handle PII information (i.e., encrypting and password protecting files with PII information).
  • We will be doing a full review of who has access to Administrative Systems that hold PII information.
  • We will be reviewing and flagging Administrative Systems that store PII information and will work with the owners of the systems to determine if the PII information is actually needed.
  • We will be proposing possible solutions to identify PII information on University-owned workstations.

Who can I contact?
If you have any questions or concerns, you may contact Gard Meserve via phone (315-268-6752) or via email (gmeserve@clarkson.edu).

What can I do?