August 20, 2015
The University of Rhode Island has learned of an incident involving the inappropriate collection, and possible use, of information related to some URI email accounts. If you’ve been notified that your account was affected, please refer to the FAQ below to learn more about the incident and take appropriate action. The University is actively investigating this situation and committed to putting measures in place to protect and maintain private information.
FREQUENTLY ASKED QUESTIONS
Based on the initial information that we have been able to obtain at this point, it appears that an individual who is not a student or employee of URI has inappropriately collected generally non-public information relating to some current and former URI students. Specifically, this person collected the names, URI email addresses, URI email passwords, and dates of birth of approximately 3,000 of URI’s current or former students, and in several cases also collected one or more of the student’s personal (non-URI) email addresses (e.g. Gmail, Yahoo, or Hotmail addresses), and sometimes the passwords associated with those personal email addresses. There is some evidence, in the information we have received, indicating that some URI students (or former students) personal email and/or Facebook accounts were also accessed.
How do I know if I was affected?
Current and former students who were identified as having their URI email and passwords compromised are being sent an email to their @my.uri.edu email address, alternate email addresses that we had on file, and a hard copy of the letter is being mailed to their last known or permanent address. The contents of the letter included information about the data security incident, detailed information on how to change their passwords, steps the University is taking, and information on how to report any concerns they had.
How much information was compromised?
At this point in time, the University is only aware of approximately 3,000 @my.uri.edu email addresses and passwords being compromised. We also discovered that some private email addresses (Gmail, Yahoo) and passwords were listed. If you have been notified about your URI email address being comprised, you should change all of your social media and private email address passwords immediately, especially those accounts which required the use of your URI email address as verification.
When did this occur?
The University is investigating the time-line of the data security incident. We are unable to confirm an exact date at this time. Law enforcement are involved in the investigation and as more information comes to light, we will share that information with affected parties and on the data security incident website.
Does this breach put me or anyone else in any type of danger? What are some of the risks associated with this breach of information?
Anyone, besides yourself, who possesses your personal email addresses and passwords compromises your digital security. Emails are often required for third party accounts, including verification that you were or are a student at URI. We encourage you to make every effort to secure and protect your digital identity at this time. The first step is to change all of your email and social media passwords as soon as possible and report any anomalies to your local law enforcement.
I am not a current student, do I need to change my email and e-Campus password(s)?
Even if you are not a current URI student, the University is recommending that you change your URI email and e-Campus password for your protection. This is standard practice when a data security incident has occurred.
What steps are being taken by the University?
We have reported the matter to the Rhode Island Attorney General’s Office and the URI Campus Police. While we have no reason to believe that the safety of any URI student is at risk, if you receive any type of unusual contact from an unfamiliar person or have any other safety related concerns regarding this incident, call your local police or sheriff’s office and file a police report.
I am concerned about my safety. How do I get a new URI Email Address?
We will be offering instructions on how to request a new URI email address shortly. This information will be posted on the data security incident website and will also be sent to your @my.uri.edu email account.
What steps should I take next?
It is important that you change your passwords, including those for e-Campus and your @my.uri.edu email address. To change your e-Campus password, log in to e-Campus at http://web.uri.edu/ecampus/student-access. Once logged in, click “Change My Password” on the left hand side under Menu. To change your @my.uri.edu password, please visit https://secure.ucs.uri.edu/cgi-bin/mychgpass.pl. If you need assistance changing either of these passwords or for other questions, please call 401.874.HELP.
I am concerned about my financial information being disclosed or that I will experience Identity Theft. What do I do?
In the letter you received, there is information about what to do if you are concerned about identity theft. Here is what the letter says:
If for any reason you come to suspect any attempt at identity theft, the Federal Trade Commission (FTC) recommends that you immediately contact your credit card or financial account issuer and close any affected credit/banking accounts. Share that your account may have been compromised and if you want to open a new account, ask the account issuer to give you a PIN or password to help control access. The FTC also recommends that you place a fraud alert on your credit file. A fraud alert lets creditors know to contact you before they open any new accounts or change your existing accounts. Contact any one of the three major credit bureaus using the information listed below; the company you contact is required to notify the other two, which will place an alert on their versions of your credit report as well.
- Equifax: 800 525-6285; equifax.com; P.O. Box 740231, Atlanta, GA 30374-0241
- Experian: 888 397-3742; experian.com; P.O. Box 9532, Allen, TX 75013
- TransUnion: 800 680-7289; transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Once you place the fraud alert in your file, you are entitled to order free copies of your credit reports. Carefully review any credit reports you receive. Look for accounts you did not open. Look for inquiries from creditors that you did not initiate. And look for personal information, such as home address and Social Security Number that is not accurate. If you see anything you do not understand, call the credit agency at the telephone number on the report. Get a copy of the police report. You may need to give copies of the police report to creditors to clear up your records. You may also wish to file a complaint with the FTC at: www.consumer.gov/ or 1877-ID-THEFT (438-4338).