SCSU IT Security Incident

Frequently Asked Questions Regarding SCSU IT Security Breach 


This website is in response to a security breach at Southern Connecticut State University that occurred between March 16, 2013, and March 22, 2013, that may potentially have exposed the Social Security numbers of 1,030 individuals to potential identity theft and other misuse of personally identifying information.  The records exposed were from 2007.

1.    What happened?

Due to a malware infection on an administrative office employee’s workstation, stored files containing social security numbers from 2007 may possibly have been susceptible to exposure during the period of March 16, 2013 through March 22, 2013.  In total, 1,030 individual social security numbers may have been vulnerable to exposure, and all of these individuals are being notified by mail.  Further, they are being offered up to two years of identity theft protection insurance at no cost to them.

Upon identification of the vulnerability, Southern Connecticut State University (SCSU) took steps to correct the problem, and is implementing additional safeguards and controls to protect the University’s information assets.

2.    What information was exposed?

The exposed data involved people connected to the University, and included Social Security numbers associated with the University’s Accounts Payable Department.  As noted earlier, the vulnerable information was from 2007 records.

3.    How many people were affected by the incident?

The files in question contain Social Security numbers for 1,030 individuals.

4.    What actions did the University take?

Upon learning of this incident, the University immediately took a number of parallel steps to investigate and remediate the exposure.  Information technology professionals at SCSU, assisted by information security specialists at the Connecticut State Colleges and Universities System Office in Hartford, conducted a forensic analysis to try to determine if an exposure risk existed.  Once it was determined that there was the possibility that some individuals’ social security numbers could have been exposed, SCSU President Mary Papazian instructed senior members of her staff to implement the Connecticut Board of Regents’ approved notification plan, which includes sending letters and additional information to potentially affected individuals, along with the offer of up to two years of identity theft protection insurance at no cost to the affected parties.  In addition, a toll-free call center was established to assist concerned individuals who had received notification.  The President informed the State Attorney General’s office about this incident, a press release was issued to local media, and information regarding this incident has been posted on the University’s website.

5.    Does the University have any indication that any person has suffered identity theft as a result of the incident?

At this time, the University has no evidence or reports that the files in question were inappropriately accessed or that the information was used for identity theft or another crime.  The University will continue to monitor the situation carefully and has enhanced its internal review procedures to identify unusual activities.

6.    What steps is the University taking to prevent future incidents?

Since discovery of the exposure, the University is reviewing the response and forensic procedures it employs when a malware infection is detected.  Further it is reviewing technical safeguards that can help improve SCSU’s security risk posture.  The University will continue to assess and improve all aspects of its information security.

7.     Is the University offering any identity protection services to affected individuals?

Southern Connecticut State University is offering affected individuals two years of free identity protection services through a contract with AllClear ID, a company that provides extensive credit monitoring and related services.  If your personal information was contained in the files in question, you will be receiving notification in a letter sent through the postal mail.  We might also suggest you obtain copies of your credit report from all three national credit reporting agencies to ensure that your reports are accurate.  Information on how to obtain a free copy of your reports can be found at www.annualcreditreport.com.

8.    How do I know if I am affected?

The University has sent out notification letters to each individual whose Social Security number may have been exposed.  If you have not received a notification letter from Southern Connecticut State University, you may properly assume that your Social Security number was not among those affected.

9.    How can I get more information?

The University and AllClear ID have setup a hotline to answer any questions you may have. You may reach the hotline by calling (877-579-2262).