Oregon State University is notifying 34,000 current and former employees that a computer containing some of their personal information was recently infected by a virus.
In a press release issued Wednesday, the university said its computer experts believe it is “highly unlikely that the virus put any of that information in the hands of unauthorized users.”
However, the release added, “records for many of those employed between 1999 and 2005 contained Social Security numbers as the ‘unique identifier’ in each employee’s record, and the presence of those numbers raises the potential, however remote, of identity theft.”
Jon Dolan, chief information security officer for OSU, said the university doesn’t want to unnecessarily alarm anyone.
“We really found no evidence of (information) being removed,” he said. The notification was the result of extra caution and to comply with the Oregon Consumer Identity Theft Protection Act.
“Since we can’t prove that (the data) wasn’t lost, we felt it was the best thing to do,” he said.
Letters explaining the situation, and what people can do to protect themselves from identity theft, were mailed out to affected employees Tuesday.
OSU was notified of the possible data breach on June 28 after an employee reported the anti-virus software on her computer was alerting her to a virus.
Dolan, who received a notification letter of his own, said Wednesday afternoon that only a few hotline calls had been received.
It is the first time the university has had this type of situation.
“We have never sent notifications on this scale,” Dolan said.
He only knew of two other similar incidents at the university. In one case, the data at risk had been collected by a student, and OSU assisted the student on how to notify affected people. In the other incident, two Social Security numbers were possibly exposed when a laptop was stolen.
Two years ago, hackers breached the computer system of the OSU Bookstore, which is a separate legal entity from OSU, and accessed credit card numbers, names and addresses. The store contacted about 4,700 customers that their information may have been compromised.