Intrusion into UCF Network Involves Personal Data
Updated: May 19, 2016
UCF notified our campus community on Feb. 4 about an intrusion into the university’s computer network. We have updated the contents of the website to provide the latest information and recommendations to those potentially impacted.
For background, upon discovering the intrusion in January, university officials reported the incident to law enforcement and launched an internal investigation with the assistance of a national forensics firm. The incident involved the potential access to Social Security numbers, but not credit card information, financial records, medical or health records, or grades.
Letters were mailed Feb. 5 to current and former students, faculty and staff potentially impacted by the incident. Additional efforts were made to contact those whose initial letters were returned undeliverable.
The university offered one year of free credit monitoring and identity protection services from Experian’s ProtectMyID Alert. The deadline to sign up for the free services passed in early May. UCF also organized events on campus to provide students, faculty and staff with opportunities to learn about identity theft recovery and prevention.
If you haven’t received a letter and believe you may be included in the groups of potentially impacted current and former UCF students and staff and faculty members (see the first FAQ below), please contact the UCF service desk at 407-823-5117 between 7 a.m. and 7 p.m. EST Monday through Friday.
Frequently Asked Questions (FAQs)
- Who is potentially impacted?
- What specific information was involved?
- Did you report this incident to law enforcement?
- Can I get a copy of the police report?
- What should I do to help protect myself from identity theft?
- How are you going to prevent this from happening again?
- I want to change my UCF password. What is the best way to do that?
- Can you direct me to any campus resources focused on information security?
Who is potentially impacted?
The intrusion into the university’s computer network potentially impacted two groups.
- One group includes some current student-athletes, as well as some former student-athletes who last played for UCF in 2014-15. This group also includes some student staff members, such as managers, supporting UCF teams.
- The second group includes current and former university employees in a category known as OPS, or Other Personal Services. Examples of positions in this category include undergraduate student employees (including those in work-study positions), graduate assistants, housing resident assistants, adjunct faculty instructors, student government leaders and faculty members who have been paid for dual compensation/overload (for example, teaching additional classes). Employees who previously held but do not currently hold OPS positions may be included.
Letters were mailed Feb. 5 to individuals potentially impacted by the incident.
What specific information was involved?
For the group of student-athletes and student staff members supporting those teams, the information involved first and last names, Social Security numbers, student ID numbers, sport, whether they were walk-ons or recruited, and number of credit hours taken and in progress.
For the group of employees, the information involved first and last names, Social Security numbers and UCF-issued Employee Identification Numbers.
Medical records, financial information or grades were not involved for either group.
Did you report this incident to law enforcement?
Yes. Immediately upon learning of the incident, we reported it to law enforcement. The law enforcement investigation is continuing.
Can I get a copy of the police report?
Those who choose to freeze their credit may need to submit a police report as part of their requests. You can view a police report here: https://www.ucf.edu/wp-content/uploads/2016/02/Incident-Report.pdf
What should I do to help protect myself from identity theft?
If you find any suspicious activity on credit reports, call your local police or sheriff’s office, and file a police report for identity theft and get a copy of it. You may need to give copies of the police report to creditors to clear up credit records.
You should remain vigilant and continue to monitor statements for unusual activity going forward. If you see anything you do not understand or that looks out of the ordinary, or if you suspect that any fraudulent transactions have taken place, you should call the bank that issued the credit or debit card immediately to let them know what happened.
Those who accepted UCF’s offer of one year of free credit monitoring and identity protection services are receiving the following services:
- Year One: Free credit report; daily monitoring and alerts of suspicious activity on your credit report; identity theft insurance of up to $1 million; and fraud representative customer care.
- Ongoing: Experian fraud resolution support, through which a fraud agent can assist you with resolving issues that arise.
For those considering credit freezes or fraud alerts, this Experian website helps to explain the differences between the two options and whether they might be suitable for you:
- Go to Federal Trade Commission’s www.identitytheft.gov to report suspicious activity and get a recovery plan.
How are you going to prevent this from happening again?
Safeguarding personal information is of the utmost importance at UCF. To ensure our vigilance, President Hitt has called for a thorough review of our online systems, policies and training to determine what improvements UCF can make in light of this recent incident. An independent, outside firm will be involved with this review.
We have already begun taking several actions to help prevent this type of incident from occurring in the future. These actions include enhancing user account and password security and expanding campus-wide information security education and training.
Information about data security will be added to student orientations and some first-year courses. Information security became part of employee orientations in late 2015.
I want to change my UCF password. What is the best way to do that?
Use the NID password reset tool and follow the prompts. Remember UCF will never send you an email asking you to respond and provide personal information, login credentials, or passwords via email. Never share your password with anyone. Regard all unsolicited messages with extreme caution and alert the Security Incident Response Team at firstname.lastname@example.org if a message appears suspicious or asks you to reveal personal information or login credentials.
Can you direct me to any campus resources focused on information security?
Yes. The UCF Information Security Office has the following brochures dedicated to students and staff and faculty members.