Oklahoma State University: The STATE's University
Visit the OSU Home Page

Security Incident

Information regarding the security breach
May 14, 2006, the Graduate and Professional Student Government Association (GPSGA) was notified that the personal information of some graduate students had been found on Google. Google had acquired this information during their normal search engine internet scan. The data was accessible by Google because the GPSGA travel reimbursement application did not store the data collected in a secure folder. The personal information exposed consisted of information provided by graduate students using the GPSGA application and included name, e-mail address, mailing address, citizenship, social security number and/or OSU ID card number.

Upon being notified, OSU's Information Technology Office of Information Security immediately took the necessary steps to remove the information from the web server hosting the pages as well as all search engines including Google and Yahoo. We have no evidence that your personal information has been accessed or used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters. OSU and the GPSGA are taking precautionary steps by informing and advising all affected students about safeguard measures aimed at protecting privacy. Notification was sent to all individuals whose information was found on any of the search engines.

What happened?

A travel reimbursement application developed by the GPSGA that collected personal information from graduate students stored the information in an unsecured folder. Google and other search engines then acquired, or cached, the information. When the cached pages were discovered and reported to OSU Information Technology, security experts were called in to investigate and take steps to remove the exposed information.

Who is affected?

Graduate students who used the GPSGA travel reimbursement application since December 2005 are the only individuals whose personal information was exposed. Less than 100 students are affected by this incident.

When was my person information exposed?

The personal information you provided to GPSGA when using their online travel reimbursement application appeared to be accessible between December 2005 and May 2006.

What specific items of my personal information were involved?

Only the personal information you provided GPSGA when using their online travel reimbursement application. The specific items were your name, e-mail address, social security number, OSU ID card number, mailing address, and citizenship.

What is being done now?

The files containing the personal information have all been removed from the system. Additionally, it has been confirmed that any pages cached by the top ten search engines have all been removed from those systems. GPSGA is reviewing their travel reimbursement application to minimize the number of personal identification items collected. The application is also being re-written so that any information collected is stored in a secure manner. Information Technology's Office of Information Security will test the security of the application prior to it being made available for use. Additional information will be released at http://www.idalert.okstate.edu

If my information was among the files exposed or stolen, does this mean that I'm a victim of identity theft?

No. The fact that someone may have had access to your information doesn't mean you are a victim of identity theft or that they intend to use the information to commit fraud. We wanted to let you know about the incident so that you can take appropriate steps to protect yourself. The best way to protect yourself is to place a free fraud alert on your credit files and review your credit reports.

Has my information been used to steal my identity?

At this time, we have no indication that the information contained on the computer has been used for illegal or malicious purposes. However, the potential risks associated with identity theft are very serious matters, and that is why we have contacted affected individuals.

What is OSU doing to prevent this from occurring again?

GPSGA has been informed of available web development training offered by OSU Information Technology. A full list of courses is available at http://www.techsupport.okstate.edu/train/. Information Technology is also reviewing current web service processes, including searches for unsecured personal information.

What should I do?

You should carefully review any bills that you receive in the near future, especially credit card transactions, to ensure that the charges associated with your accounts are accurate. For additional information about identity theft, visit www.consumer.gov/idtheft or call toll free 877-ID-THEFT (877 438 4338); TTY: 866 653 4261. We also encourage you to read through the Frequently Asked Questions on this website.

The State's University
Oklahoma State University - Stillwater | Stillwater, OK 74078 | 405.744.5000
Copyright © 2006 Oklahoma State University | All rights reserved