Campus ID Card Incident, October 26, 2010
On October 26, 2010, the University of Wisconsin-Madison became aware that a database within the campus ID system was hacked. One of the files in the database contained old university photo IDs that had social security numbers embedded in the ID number along with corresponding cardholder names.
This website contains information for individuals who received a letter from the Wisconsin Union concerning this incident. A copy of the letter is posted on this site [PDF File].
Frequently Asked Questions
Is my personal data at risk?
There is no evidence that the unauthorized individuals were aware of your personal data in the compromised database or that it has been retrieved. However, we wanted to make you aware of the incident and let you know what we have done to prevent this from happening in the future.
Has my personal data been misused?
Currently there is no evidence that anyone’s personal information was retrieved or that any information was misused.
Were addresses, phone numbers or other personal data accessed?
No.
Who did this?
As is common in these situations, the perpetrators’ identities remain unknown.
If the university learned of this on October 26, why wasn’t I notified sooner?
The university has a detailed set of procedures designed to investigate, notify (when appropriate), and improve security in affected areas. In this incident, the university has taken a number of steps since October 26 to conduct an extensive IT investigation, draft information, print letters and mail them to those potentially affected. Since learning of this issue, the university has taken numerous steps to remedy the situation, including ensuring all Wisconsin Union networks reside behind a restrictive firewall, deploying network intrusion detection and implementing a vulnerability identification program. In addition, records containing social security numbers in the database have been taken offline. This incident illustrates the continuing security challenge the university faces. The university will continue to upgrade its security to avoid similar situations in the future.
What steps is the university taking to prevent this from recurring?
Since learning of this issue, we have added security measures: we have ensured that all Wisconsin Union networks reside behind a restrictive firewall, deployed software to detect attempts to access the network without authorization, and implemented a vulnerability identification program. Also, all card numbers containing social security numbers are now offline.
Why was this personal data included in this database?
Campus ID cards were previously based on social security numbers. These records were still in our system for archival and record retention purposes. The law requires us to maintain this data for at least seven years. Since learning of this breach, we have taken this information offline.
If I have an active WISCARD account, is it vulnerable to this unauthorized access?
No.
Was this incident reported to the authorities?
Yes.
What can I do to help protect my personal information?
It’s recommended that everyone monitor their financial information:
- Review all financial statements regularly and report fraud immediately.
- Request a credit report regularly and review it for any inaccuracies or fraud. Report anything that isn't right immediately to the credit reporting agency and to law enforcement. Each of us is allowed one free credit report from each of the three major credit reporting agencies annually. That's three free credit reports a year or one every four months. For instance, if you request one free report from TransUnion in December, one from Equifax in April and one from Experian in August, you can watch your credit report throughout the year. You can request your credit report by phone or online. You will be required to provide your social security number, so use the trusted resource provided. To request your free credit report, call 1-877-322-8228 or go online to www.annualcreditreport.com
- Place a Fraud Alert on your credit report. Doing so can add a layer of protection for you and can inform a creditor that may be asked to open an account in your name that something has affected you, like a compromise. The creditor may decline to open the new account until you can verify that it is indeed you requesting the new account. It's free to place a Fraud Alert and can be done on the phone or online. The Fraud Alert is for 90 days and can be renewed. You will need to provide your social security number, but if you use the resources listed below you can trust them to be safe.
TransUnion 800-680-7289 or www.transunion.com
Experian 888-397-3742 or www.experian.com/fraud
Equifax 888-766-0008 or www.equifax.com
(CSC - Credit Services)
- If you believe fraud has happened to you, contact the Wisconsin Office of Privacy Protection at 1-800-422-7128 or email at DATCPWisconsinPrivacy@Wi.gov
Why isn’t the university offering free credit monitoring?
There is no evidence to suggest that this information was accessed or improperly used by hackers. The university suggests that it is a best practice for everyone, affected by this incident or not, to request a free credit report and carefully inspect their own credit scores. You can do so at: https://www.annualcreditreport.com/cra/index.jsp. The decision not to offer free credit monitoring is consistent with university practices in these situations.
Additional information is available below:
- TransUnion: http://www.transunion.com; Fraud Victim Assistance Department, 800 680-7289
- Equifax: http://www.equifax.com; Fraud Division, 800 525-6285
- Experian: http://www.experian.com; Credit Fraud Center, 888 397-3742
- Wisconsin State Office of Privacy Protection: http://privacy.wi.gov/resources/resources.jsp
- To request an annual free credit report: https://www.annualcreditreport.com/cra/index.jsp
What should I do if I have further questions?
Contact us at: wiscard@union.wisc.edu or 608 890-2141


