Oklahoma State University: The STATE's University
Visit the OSU Home Page

OSU Parking Services and Transit Incident

Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008.

Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed. The confidential information has been removed from the database.The illegal access was limited to the parking and transit server.

As a result of its investigation, OSU believes the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content. OSU contacted and worked with federal law enforcement authorities.

After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker; however, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.

We are not aware of any instances of misuse of this information or of any identify theft as a result of the temporary availability of this information. OSU recommends you carefully review any bills or financial transactions you receive in the near future to ensure that the charges associated with your accounts are accurate.

OSU President Burns Hargis said, "This breakdown in security is totally unacceptable. We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. We regret the circumstances and concern this situation has caused."

What happened?

A server under the control of OSU Parking and Transit Services was compromised from a source operating outside of the United States. The server contained records of personal information, including Social Security numbers that were collected from individuals who had purchased OSU Parking Permits between July 2002 and March 2008. Once the intrusion was detected the IT Information Security Office took immediate action and removed the attacker's access to the server.

Who is affected?

All OSU faculty, staff and students who had purchased an OSU Parking Permit between July 2002 and March 2008 are affected.

When was my personal information exposed?

The server is believed to have been compromised on November 23, 2007. OSU learned of the breech on March 20, 2008 and blocked access to the server immediately.

What specific items of my personal information were involved?

The specific items were your name, social security number, address, email address, and phone number.

What is being done now?

All Social Security Numbers have been removed from the database. The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service's office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.

If my information was among the files exposed or stolen, does this mean that I'm a victim of identity theft?

No. The fact that someone may have had access to your information doesn't mean you are a victim of identity theft or that they intend to use the information to commit fraud. We wanted to let you know about the incident so that you can take appropriate steps to protect yourself.

Has my information been used to steal my identity?

At this time, we have no indication that the information contained on the computer has been used for illegal or malicious purposes. However, the potential risks associated with identity theft are very serious matters, and that is why we have contacted affected individuals.

What is OSU doing to prevent this from occurring again?

The IT Information Security Office has made security recommendations to the OSU Parking Office which include physical relocation of their server and database to a more secure location, additional training for server administrators, and added vulnerability assessments.

Will OSU or OSU Parking contact me to ask for private information because of this event?

In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University and who then proceed to ask for personal information, including social security numbers and/or credit card information. Please be aware that OSU or the OSU Parking Office will only contact you about this incident if additional helpful information becomes available. We will not ask for your full Social Security Number. We will not ask for credit card or bank information. We recommend that you do not release personal information to any contacts of this nature that you have not initiated.

What should I do?

You should carefully review any bills that you receive in the near future, especially credit card transactions, to ensure that the charges associated with your accounts are accurate.

Individuals whose personal information was involved with this incident can request a free initial fraud alert to be placed on your credit files by calling any of the three major national credit bureaus:

  • Equifax (credit reporting agency, http://www.equifax.com/)
    Direct line for reporting suspected fraud: 800-525-6285

  • Experian (credit reporting agency, https://www.experian.com/)
    Direct line for reporting suspected fraud: 888-397-3742

  • Trans Union (credit reporting agency, http://www.transunion.com/)
    Direct line for reporting suspected fraud: 800-680-7289

(Mailing addresses for the fraud unit of each credit bureau is available on the Resources page of this website.)

When contacting the credit bureau, request the following:

  1. Instruct them to flag your file with a fraud alert including a statement that creditors should get your permission before opening any new accounts in your name.
  2. Ask them for copies of your credit report(s). (Credit bureaus must give you a free copy of your report if it is inaccurate because of suspected fraud.) Review your reports carefully to make sure no additional or fraudulent accounts have been opened in your name or unauthorized changes made to your existing accounts.
    NOTE: In order to ensure that you are issued free credit reports, we strongly encourage you to contact the agencies DIRECT LINE (listed above) for reporting fraud. We do not recommend that you order your credit report online.
  3. Be diligent in following up on your accounts. In the months following an incident, order new copies of your reports to verify your corrections and changes, and to make sure no new fraudulent activity has occurred.
  4. If you find that any accounts have been tampered with or opened fraudulently, close them immediately. To ensure that you do not become responsible for any debts or charges, use the ID Theft Affidavit Form (http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf) developed by the Federal Trade Commission to help make your case with creditors.

For additional information about identity theft visit Resources and the Frequently Asked Questions on this website.

The State's University
Oklahoma State University - Stillwater | Stillwater, OK 74078 | 405.744.5000
Copyright © 2006 Oklahoma State University | All rights reserved