NC Community Colleges Notify Patrons of Library Server Security Breach

News Release From NC Community College System
Raleigh, N.C. – The NC Community College System Office began notifying nearly 51,000 library users from 25 community colleges that a security breach occurred on a computer server containing their personal information, including Social Security or driver’s license numbers. All reviews and investigations indicate that no personal information was accessed by the intruder. However, library users with such information on the server will soon begin receiving letters explaining the attack, steps being taken to prevent future breaches and actions they may take to protect their credit and to ensure protection from identify theft.
On Sunday, August 23, 2009, a computer hacker accessed the library patron information on the computer server, housed in the community college System Office in Raleigh, via the Internet by decoding a user password. The breach was discovered on Monday, August 24 during a routine security review and was reported to the state’s Information Technology Service (ITS). The System Office’s Information Services division immediately began an investigation to trace the activity of the attacker and the extent of the breach.
Forty-six community colleges that participate in the Community College Libraries in North Carolina consortium (CCLINC) maintain information on more than 270,000 library users on this server. The investigation revealed that 12,400 driver’s license numbers, originally collected by 18 colleges to help identify library users, were stored on the server.
The System Office’s Information Services team began coordinating and consulting with partners such as ITS, CCLINC Steering Committee and the affected colleges to determine the next steps.
The community colleges whose library user information included driver’s license numbers are Alamance, Beaufort, Blue Ridge, Brunswick, Central Carolina, College of The Albemarle, Gaston, Halifax, Johnston, Martin, Pamlico, Piedmont, Richmond, Rowan-Cabarrus, Tri-County, Vance-Granville, Wake Tech and Wilson.
The ongoing review revealed on October 19, 2009, that Social Security numbers of 38,500 library patrons were also stored on the breached server. Community colleges whose library patron information included Social Security numbers were Bladen, Haywood, Lenoir, Nash, Pamlico, Richmond, Roanoke-Chowan, Sandhills, Southwestern, Tri-County, Vance-Granville and Wilson. The addition of the seven new colleges impacted by the computer intrusion brought the total number to 25. The Information Services division expanded their investigation to include this new data, the additional colleges and the extra steps needed to remove Social Security numbers.
“Finding the Social Security numbers added another layer onto an already complex investigation,” said Dr. Saundra Williams, Senior Vice President of Technology and Workforce Development in the System Office. “We went from 12,400 library users to nearly 51,000 so the scope of our review was greatly increased. We felt it was necessary to be extremely cautious each step of the way to prevent future breaches and to ensure that the information was dealt with appropriately.”
Each of the affected colleges has started removing the personal data, and the System Office is taking additional steps at the server level to ensure this personally identifiable information is no longer stored or recorded for library patrons.
“We regret this situation has occurred, and we apologize to those with information on the server,” Williams said. “Our colleges and our System Office are making every effort to ensure that personal information is permanently removed from our records.”
Letters to affected library patrons state whether the personal information stored on the server included their Social Security number, their driver’s license number, or both. The letters also contain information for recipients to use in checking and securing their credit status. Library patrons at the affected colleges who have questions about the letters or about the status of their personal information can call (919) 807-7241 or e-mail LibraryInfo@nccommunitycolleges.edu. Calls and e-mails will be returned Monday-Friday, 8 a.m. to 5 p.m., except on state holidays. Those seeking more information are encouraged to use the above contact information as most community colleges are closed for the holidays until Monday, January 4, 2010.
Those wanting more information related to checking their credit status or protecting personal information may visit the NC Attorney General’s Web site by clicking here.