UW-Madison responds to Wiscard data exposure

Dec. 10, 2010

by John Lucas

UW-Madison takes IT security very seriously and makes consistent and strong efforts to protect tens of thousands of computers and users based on campus. The university has a detailed set of procedures designed to investigate, notify when appropriate and improve security in affected areas.

On Oct. 26, 2010, the Wisconsin Union, which administers the campus ID card system, became aware that a database within the system had been compromised by outside attackers. As is common in these situations, the identities of those who committed these acts remain unknown. The incident has been reported to law enforcement.

One of the files in the database contained old university photo ID numbers, which had Social Security numbers embedded within the ID number, along with corresponding cardholder names. Cards bearing these numbers were invalidated in 2008 and the practice of issuing them ended in 1998. No other personal data, such as addresses, was included.

During an extensive investigation and examination, the university discovered that the database had been compromised and accessed numerous times dating back to 2008. However, system logs do not show file transfers that would suggest the affected database was downloaded.

There is no evidence to suggest that this personal data was accessed or misused by those who compromised the database. As a precaution, we are in the process of notifying approximately 60,000 individuals who might be affected by this situation.

If you are a Wiscard user and you did not receive a postal mail letter about this incident, you were not affected by this incident.

Individuals who might have been affected have received details about this situation, along with contact information: a website at wiscard.wisc.edu/incident, email at wiscard@union.wisc.edu, and a phone line at 608-890-2141.

Since learning of this issue, the university has taken numerous steps to remedy the situation, including ensuring all Wisconsin Union networks reside behind a restrictive firewall, deploying network intrusion detection and implementing a vulnerability identification program. In addition, records containing Social Security numbers in the database have been taken offline.

This incident illustrates the continuing security challenge the university faces on an ongoing basis. The university will continue to upgrade its security to avoid similar situations in the future.

UW-Madison suggests that it is a best practice for everyone, affected by this incident or not, to request a free credit report and carefully inspect their own credit scores. Other best practices include reviewing bank and credit card statements regularly, looking for unusual or suspicious activities, and contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.