Overview of the Incident

During the regular course of business on August 26, 2010, a report containing the social security numbers of employees authorized to operate State of Arkansas vehicles was inadvertently sent via email to 144 ASU email addresses. In the file that was inadvertently distributed were First Name, Last Name, Social Security Number, Driver’s License Number, and driving record “points” information of full and part-time employees. 

To support affected individuals during this time, we have developed an Information Verification Tool.  Use this site to determine whether or not your information was in the file that was disclosed.

Consumer Protection Information

In addition to proactive efforts to prohibit further disclosure or distribution, we are making a general consumer protection document available for the use of all members of the ASU Community.  Included in the document are  the telephone numbers and contact information for the three major credit bureaus.   It is a generally accepted best practice for consumers to contact one of the credit bureaus to place a fraud alert on your credit  file.

What Steps have been Taken

A report containing social security numbers of authorized drivers was distributed to 144 faculty/staff at 8:55 am, 26-August-2010.

Internal technical response team began analysis and incident control measures at 9:05 am, August 26, 2010.  Recalls and message deletion completed by 10:45 am.

Communications planning began at 2:00 pm, August 26, 2010 with Executive staff and Legal Counsel.

Email communication was sent to the campus as a whole on August 27, 2010 alerting users to the breach.  Direct email was also sent in the form of an official notice at the same time. 

Network controls and filters implemented August 27, 2010 to prohibit attachment forwarding.

The 144 original recipients were contacted on August 27, 2010 with instructions on removing the subject file and information about the liabilities of the information therein.

The database containing this information was removed from the file server and social security numbers were deleted, 30-August-2010. 

The Arkansas Department of Finance and Administration has concurred  that it no longer needs social security numbers to validate driving records.  Any future reports will not include social security numbers.

The incident response website was brought online on Monday, 30-August-2010.

What Happens Next

The university will be providing a second notification via postal letter to all affected individuals.  The letters will be mailed the week of August 30, 2010 to the last known address.

The university is obtaining quotes for a fraud monitoring package for affected employees.  Affected employees will be communicated with as such via email.