The University's breach announcement did not list the specific types of sensitive personal information exposed/stolen:
"Files on the server contained confidential, personally identifiable information of approximately 34,000 individuals."
McClatchy news service reported that the sensitive personal information exposed/stolen included the names, addresses and Social Security numbers of staff, researchers, and student at the College of Education since 2005.
The university advised breach victims to check their credit reports at the three major credit reporting agencies (e.g., Experian, Equifax, and TransUnion), and to place a fraud alert on their credit reports. The university did not name the credit monitoring/resolution service it has retained to assist breach victims, nor if it will provide that service freely to breach victims.
Organizations usualyy provide a couple years of free credit monitoring services after data breaches like this. This is the sixth breach at the University of South Carolina. Prior breaches:
- March 2011: 31,000 records exposed/stolen on 8 campuses affecting faculty, staff, retirees, and students
- June 2008: 7,000 records exposed/stolen during an office theft at the Moore School of Business
- September 2007: 1,482 students' files, including Social Security numbers, test scores, and grades, were exposed on an Internet-connect computer
- August 2006: 6,000 current and former students' sensitive information was exposed/stolen
- April 2006: 1,400 students' sensitive information, including Social Security numbers, was attached to and distributed in an email message by a faculty member
Given this poor history, the university's chief security officer and IT staff need to step up faculty/staff training and data security procedures at the school.