Published: July 31, 2005

The University of Colorado at Boulder is investigating a new incident of unauthorized access to computer servers containing information on the CU-Boulder identification card used by students, faculty and staff.

The incident creates a potential identity theft problem for all of CU-Boulder's 29,000 students, some former students and any of the approximately 7,000 teaching and research faculty and staff members who are holders of the Buff OneCard. It will not affect incoming students who are not scheduled to receive their Buff OneCards until the start of the semester.

Most, but not all, faculty and staff members have a Buff OneCard. Students must use the card for campus identification purposes.

The Buff OneCard has many uses for students including outside door access for campus buildings, Student Recreation Center access, library material checkout and other miscellaneous uses. The 6,000 students who will live in residence halls will receive new access cards for the fall 2005 semester. Some faculty and staff members also use the card for building and laboratory access.

The campus card office is developing a schedule to reissue new cards to all affected cardholders. In the meantime, starting Wednesday, Aug. 3, immediate card replacement will be available at no cost at the Buff OneCard office at Willard Hall room 182.

Sensitive information that may have been compromised includes Social Security numbers, names and photographs. There is no evidence that personal information was stolen or used and no financial information was affected. However, the university is notifying individuals of potential identity theft so they may take precautions. In addition, law enforcement agencies are assisting with the university's investigation.

"As a consequence of this incident, we will take steps to further increase security of the Buff OneCard," said Larry Drees, director of the Buff OneCard program.

The university will issue letters and e-mail messages to affected individuals about the unauthorized access, said Drees. The university also is providing instructions on how to protect against potential fraud and identity theft.

The server breach was reported to the campus Information Technology Services department on July 27. The servers have been isolated and taken offline. Analysis is being conducted to determine what information might have been accessed.

Affected individuals are being contacted through mailed letters and e-mail communication. Information about the Buff OneCard incident has been posted on a campus Web site -- -- with links to the Buff OneCard site and the News Center site. The online resource page will help affected persons determine the steps they should take to protect their identity.

In addition, a hotline has been established to respond to individual inquiries. The hotline number is (303) 492-0600.

"The recent increase in the number of security incidents at CU-Boulder and throughout the country points to the need for continuous improvement in the maintenance of sensitive computerized data," said Dan Jones, information technology security coordinator for CU-Boulder. "We are using these security incidents to redouble our efforts to ensure that campus policies and security measures promote a high level of integrity and confidentiality."

The university has moved to limit the use of Social Security numbers and other personally identifiable information where use of such information is not necessary. As part of those changes, on April 10 the university finished converting all 30,000 students' identification numbers from Social Security numbers to a new unique student ID number that cannot be used for obtaining or extending credit.

Facts °µÍø½ûÇø Identity Theft

Identity Theft

Identity theft (also known as identity fraud) is one of today's fastest growing crimes. While it might appear that the true victims of this crime are merchants and lenders who extend credit to the thief in another person's name, they are not alone. All consumers pay higher prices to offset fraud losses, while the victims whose identities are stolen suffer greatly because of the loss of their good name.

What is the Difference Between Data Theft and Identity Theft?

Data theft occurs when someone obtains your personal information, such as your Social Security number in combination with other identifying information, without your permission. Identity theft occurs when that information is used for any fraudulent or other unlawful purpose. The goal of the identity thief is to steal personal information sufficient to impersonate a victim in order to obtain credit cards, loans, and other items of value in the victim's name. The unlawful acquisition of personal identifying information does not necessarily mean that identity theft has occurred.

Responding to Data and Identity Theft

If you know that information about you has or may have been stolen or inappropriately disclosed, you should consider placing a "fraud alert" on your file with the three major credit bureaus (see table below). This free service requests that a creditor contact you by phone at a designated number before opening a new account. The time an alert stays on your record varies for each credit bureau; however, you may request that the fraud alert be reinstated after the initial period has ended. In addition, you may qualify for a free copy of your credit report.

Review your credit reports and charge account billing statements carefully to ensure no fraudulent accounts have been opened in your name or unauthorized changes made to your existing accounts. Another indicator of possible fraudulent activity includes addresses listed for places you have not lived.

Editors: Some facts about identity theft compiled by CU-Boulder Information Technology Services follow.

Major Credit Bureaus

Place a Fraud Alert Order a Credit Report Address

Equifax

1-800-525-6285 1-800-685-1111 P.O. Box 740241

Atlanta, GA

Experian

1-888-397-3742 1-888-397-3742 P.O. Box 2002

Allen, TX

Trans Union

1-800-680-7289 1-800-916-8800 P.O. Box 6790

Fullerton, CA 92834

If You Are a Victim of Identity Theft

If your personal identifying information is being used by someone else for fraudulent or criminal purposes, such as applying for a credit card, obtaining loans in your name, making unauthorized purchases, or gaining access to your bank accounts or other private information, you can follow these steps:

- If you find any fraudulent accounts or unauthorized access on your record, contact the security departments of the creditors or financial institutions that granted the credit and close these accounts.

- If you discover misuse of your Social Security number, contact the Social Security Fraud Hotline at 1-800-269-0271.

- If your personal information is being used for fraudulent or criminal purposes, file a report with the police. Keep a copy of the police report in case you need proof of the crime to show the bank, credit card company, or others.

- If you are a victim of identity theft, you can also file a complaint with the Federal Trade Commission (FTC) by Internet: (click File a Complaint from the menu at the left). Telephone: 1-877-438-4338; or TDD: 202-326-2502.

- Keep a dated record of all communications with credit bureaus, creditors, financial institutions, and police, including dates.

Other Resources

These Internet sites provide information on steps you can take to protect your credit and identity.

Colorado Attorney General

(Web site has moved, with no valid forwarding address.)

The official Colorado Attorney General site is a good starting point for learning about personal data and identity theft. It also provides tips on how to protect yourself against different types of credit fraud.

Social Security Administration

The Social Security Administration is the government agency responsible for issuing and managing Social Security numbers. The agency's official site describes whom you should contact, when, and why. It also links to two useful fact sheets:

Fact Sheet: When Someone Misuses Your Number (05-10064)

Fact Sheet: Social Security-Your Number and Card (05-10002)

Department of Justice

The Department of Justice site describes what can happen if you are a victim of data theft or identity fraud. It provides steps for action, tips for reducing your risk of fraud, and phone numbers, addresses, and links to credit bureaus and other governmental agencies you may need to contact.

Federal Trade Commission

This site provides a document titled ID Theft: When Bad Things Happen To Your Good Name that includes information on steps to follow if you are a victim of identity theft.

Steps to Follow If You Are A Victim

ID Theft Information

This is the U.S. government's central Web site for information about identity theft, maintained by the Federal Trade Commission, offering government reports, consumer updates, and links to other sites.

Department of Education

Here you can find information about identity theft specific to students. Search the site under "identity theft" for more information