Oklahoma State University: The STATE's University
Visit the OSU Home Page

Construction Management Technology Security Incident

June 19, 2006, the Construction Management Technology (CMT) department was notified that the personal information of a small number of students had been found on Google. Google had acquired this information during their normal search engine internet scan. The data was accessible by Google because a spreadsheet designed to assist students applying for upper division entry into the CMT program was accidentally placed on the website prior to removing the personal information. The personal information exposed consisted of name, social security number and grades for specific classes.

Upon being notified, CMT immediately took the necessary steps to remove the information from the CMT website, and notified OSU's Chief Information Officer (CIO). The CIO assigned the Office of Information Security (OIS) to review and determine the extent of the incident. The OIS immediately took the necessary steps to remove the information from all search engines including Google and MSN. We have no evidence that your personal information has been accessed or used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters. OSU and the CMT department are taking precautionary steps by informing and advising all affected students about safeguard measures aimed at protecting privacy. Notification was sent to all individuals whose information was found on any of the search engines.

What Happened?

A spreadsheet designed to be downloaded and used by students when applying for upper division entry into the CMT program was accidentally placed on the website prior to removing the personal information of 20 students. The search engines Google and MSN then acquired, or cached, the information. When the cached pages were discovered and reported to the CMT department, OSU Information Technology security experts were called in to investigate and take steps to remove the exposed information.

Who is affected?

Twenty students who applied for entry into the Fall 2005 CMT upper division program.

When was my personal information exposed?

The spreadsheet was put on the CMT website in early April 2006 and removed the morning of June 19, 2006. All cached files were removed from the search engines. This was verified the morning of June 30, 2006.

What specific items of my personal information were involved?

The specific items were your name, social security number, and class grades for courses to consider when applying for entry into the CMT upper division program.

What is being done now?

The file containing the personal information has been removed from the system. Additionally, it has been confirmed that any pages cached by the top ten search engines have all been removed from those systems. The CMT department is altering their procedures for website management to include verification that no personal/sensitive information is included in any file prior to posting on the web. The server hosting the website will be scanned by Information Technology's Office of Information Security to verify no other confidential or sensitive information is exposed. If necessary, additional information will be released at http://www.idalert.okstate.edu

If my information was among the files exposed or stolen, does this mean that I'm a victim of identity theft?

No. The fact that someone may have had access to your information doesn't mean you are a victim of identity theft or that they intend to use the information to commit fraud. We wanted to let you know about the incident so that you can take appropriate steps to protect yourself.

Has my information been used to steal my identity?

At this time, we have no indication that the information contained on the computer has been used for illegal or malicious purposes. However, the potential risks associated with identity theft are very serious matters, and that is why we have contacted affected individuals.

What is OSU doing to prevent this from occurring again?

The CMT department has been informed of available web development training offered by OSU Information Technology. A full list of courses is available at http://www.techsupport.okstate.edu/train/. Information Technology is also reviewing current web service processes, including searches for unsecured personal information.

Will OSU or CMT contact me to ask for private information because of this event?

In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University and who then proceed to ask for personal information, including social security numbers and/or credit card information. Please be aware that OSU or CMT will only contact you about this incident if additional helpful information becomes available. We will not ask for your full Social Security number. We will not ask for credit card or bank information. We recommend that you do not release personal information to any contacts of this nature that you have not initiated.

What should I do?

You should carefully review any bills that you receive in the near future, especially credit card transactions, to ensure that the charges associated with your accounts are accurate.

Individuals whose personal information was involved with this incident can request a free initial fraud alert to be placed on your credit files by calling any of the three major national credit bureaus:

(Mailing addresses for the fraud unit of each credit bureau is available on the Security Resources page of this website.)

When contacting the credit bureau, request the following:

  1. Instruct them to flag your file with a fraud alert including a statement that creditors should get your permission before opening any new accounts in your name.
  2. Ask them for copies of your credit report(s). (Credit bureaus must give you a free copy of your report if it is inaccurate because of suspected fraud.) Review your reports carefully to make sure no additional or fraudulent accounts have been opened in your name or unauthorized changes made to your existing accounts.
    NOTE: In order to ensure that you are issued free credit reports, we strongly encourage you to contact the agencies DIRECT LINE (listed above) for reporting fraud. We do not recommend that you order your credit report online.
  3. Be diligent in following up on your accounts. In the months following an incident, order new copies of your reports to verify your corrections and changes, and to make sure no new fraudulent activity has occurred.
  4. If you find that any accounts have been tampered with or opened fraudulently, close them immediately. To ensure that you do not become responsible for any debts or charges, use the ID Theft Affidavit Form developed by the Federal Trade Commission to help make your case with creditors.

For additional information about identity theft visit Resources and the Frequently Asked Questions on this website.

The State's University
Oklahoma State University - Stillwater | Stillwater, OK 74078 | 405.744.5000
Copyright © 2006 Oklahoma State University | All rights reserved