UW Law School security breach may have exposed sensitive data

December 6, 2016

On Nov. 3, 2016, the University of Wisconsin–Madison became aware that a database within its Law School was the target of computer hacking. The database contained Social Security Numbers and name pairs corresponding with Law School applicants from 2005-2006. No other personal identification information was contained in the files.

Since learning of the incident, the university has removed from the server the records that were likely accessed by the attacker. Security measures have been increased, including implementing additional vulnerability identification programs, evaluating current computer applications and decommissioning those no longer needed, tightening credentials for access to databases, and deploying additional network intrusion detection. Notices were mailed and emailed to the 1,213 individuals affected by this unauthorized access on Dec. 6, 2016.

The incident has been reported to law enforcement for further investigation, and to three national credit reporting agencies. The individuals affected by this breach will receive free credit monitoring for one year to help protect them against identity theft.

FAQ for those affected by the Law School data breach

Is this letter for real?

Yes, the letter was sent by the University of Wisconsin Law School.

Exactly what happened?

On Nov. 3, a computer security incident on the University of Wisconsin–Madison campus may have exposed records containing the names and Social Security Numbers of former University of Wisconsin Law School applicants.

The Law School became aware of an outside computer hacker on its server containing admissions applicant information from 2005-2006.

An internal investigation revealed that the attacker likely obtained 1,213 unique Social Security Number and name pairs corresponding to Law School student applicant data.

Why am I only being contacted now?

Our Cybersecurity Office first needed to investigate exactly what happened, who was affected, and how the data was accessed (and by whom) in order to determine next steps. Once it was determined which records were accessed, we used several sources to locate current contact information for as many of the 1,213 applicants as possible. We also contacted authorities to investigate the hacker. And we made arrangements with a theft prevention services provider for affected individuals. Wisconsin state law requires that notice be provided within 45 days of the discovery of the unauthorized access. A team expedited this work as quickly as possible.

Is my personal data at risk?

Based on our assessment of the circumstances, we cannot be certain. We are contacting you so you know and have options for protection. As soon as the Law School became aware that a server containing your name and Social Security Number was attacked, the information was immediately removed. Due to this incident, we are offering theft protection services through ID Experts, a data breach and recovery services expert, to provide you with MyIDCare for one year. MyIDCare will help you monitor your situation and resolve issues if your identity is compromised.

Has my personal data been misused?

We cannot say for sure whether or how the hacker used the data. We strongly encourage you to register for this free identity theft protection service. You can enroll online at www.idexpertscorp.com/protect and provide the membership code listed in your letter.

Were addresses, telephone numbers or other personal data accessed?

The server that was compromised contained your name paired with your Social Security Number. No other personal data was accessed.

Who did this?

We are in the process of an investigation, which indicates the attack originated from inside the United States. We are working with local authorities in the jurisdiction where we believe the hacker lives.

What steps is the university taking to prevent this from recurring?

The Law School and the university have taken additional security measures, including implementing an additional vulnerability identification program, evaluating current computer applications and decommissioning those no longer needed, tightening application credentials for access to databases and deploying additional network intrusion detection.

We are very sorry the personal data was accessed by this hacker.

Why was my personal data included in this server?

We have to collect Social Security identification for our admission process. This information is used to match the admissions application to the individual’s Free Application for Federal Student Aid (FAFSA).

Was this incident reported to the authorities?

Yes, and the University of Wisconsin Police Department is leading the law enforcement investigation into this matter.

What can I do to help protect my personal information?

We strongly encourage those affected to register for this free identity theft protection service. You can enroll online at www.idexpertscorp.com/protect with the membership code listed in your letter.

Your 12-month MyIDCare membership will include the following:

  • Tri-Bureau Credit Monitoring, which monitors and reports changes by Experian, Equifax and TransUnion to your credit report.
  • CyberScan Monitoring, which monitors criminal websites, chat rooms and bulletin boards for illegal selling or trading of personal information.
  • Access to the ID Experts Team, which will provide up-to-date information on new identity theft scams, tips for protection, legislative updates and other topics associated with identity protection.
  • Complete Recovery Services, which will work with you to assess, stop and reverse identity theft issues.
  • Identity Theft Insurance, which is a useful tool in the event of a confirmed identity theft.

How did UW select its identity protection vendor? 

We were provided potential vendors from our insurer. ID Experts was selected by the Administrative Leadership Team (ALT) based on a number of positive factors. They had several services that met our criteria, including the ability to perform Lexis/Nexis address search, triple bureau credit monitoring, cyber scan service, ID theft insurance, fully-managed ID theft recovery and responsive customer service.

ID Experts was also used by the U.S. Office of Personnel Management and U.S. Department of Defense for a 2015 event involving 21.5 million individuals whose personal information was breached. ID Experts representatives have also reassured us that any questions or concerns will be addressed to our satisfaction.

What should I do if I have further questions?

You can contact Jennifer Hanrahan at the UW Law School at 608-890-0202.