University of Florida

About the Office

Privacy Facts

Policies and Procedures

Information Privacy Statement

Online/Internet Privacy Statement

Social Security Number Privacy

Report a Privacy Incident

Incident Report (pdf - 32k)

Complaint Form (pdf - 28k)

Identifying Privacy Violations

How to Report a Violation

Privacy Training

FERPA Training

HIPAA Training

Confidentiality Statement (Health)

SSN Training

Red Flag Rules

Answers to Commonly-Asked Questions Regarding the LDAP Directory Server Configuration Error

Q: What happened?

A: On Tuesday, January 20, 2009, the University of Florida discovered a configuration error in its LDAP directory service that would allow anyone to query the directory for fields that are normally protected from unauthorized access. A human error was made while making changes to the directory service that created the exposure. The error was fixed immediately after it was detected and the 9 digit number field was permanently removed from the directory. Reviewing the directory logs, we discovered queries that might have returned the name and a 9 digit directory field that is the Social Security Number (SSN) for 101 users. The query response screen did not identify the 9 digit number as an SSN.

Q: How did this happen?

A: The University of Florida’s Privacy Office was notified on January 22, 2009 about the configured error in the directory service. With the incident's discovery, we initiated a security investigation. It was determined that the configuration error was made four months earlier. Law enforcement was also notified about the exposure.

UF immediately corrected the directory configuration and permanently removed the field that contained the 9 digit number from the directory.

Q: I received a notification letter from the University of Florida about a directory configuration error. Does that mean someone stole my personal information?

A: Not necessarily. In this particular incident, any queries that returned the 9 digit number field would not have labeled the number as an SSN, so anyone looking at the query response would not immediately recognize the number as an SSN. Also, we do not know who ran queries and we do not know their intentions. Although they might not have been authorized to see the information, their reasons for running the query might not have been malicious. At this time, we do not have evidence that your information or anyone else's was stolen. However because we are not able to guarantee that it wasn't, we are erring on the side of caution by notifying everyone whose SSN might have been returned from the directory since the configuration error was introduced.

Q: Will UF contact me to ask for private information because of this event?

A: UF will not contact you to ask for personal information such as your SSN, credit card or banking information. If someone does contact you claiming to represent UF, you should not give out personal information. Unfortunately, in similar circumstances at other institutions, people have reportedly been contacted by individuals fraudulently claiming to represent the university and asking for personal information. UF recommends caution if you receive similar phone calls, e-mails, or text messages.

Q: Why did you have my personal information?

A: The directory contained information that was, prior to 2003, necessary to identify you (SSN). Since then, the SSN is no longer used as an identifier, so the digit field was removed from the directory.

Q: What personal information was involved? When was it available to the unauthorized intruder?

A: The personal information included a combination of UFID and SSN. If you need information, please contact the UF Privacy Office Hotline at 1-866-876-HIPA

Q: Is this information still at risk of disclosure to an unauthorized person?

A: The field that contained the 9 digit number was removed from the directory and the configuration error that allowed queries of that field was fixed.

Q: If my information was among the files exposed or stolen, does this mean that I will become a victim of identity theft?

A: No. The fact that someone had access to your information does not mean that you are a victim of identity theft or that they intend to use the information to commit fraud. The university notified you about the incident so you can protect yourself. The best way to protect yourself is to place a fraud alert on your credit file and review your credit report. In this incident, we are not certain that anyone's information was viewed or downloaded.

Q: How will I know if any of my personal information was used by someone else?

A: You should place a fraud alert on your credit report or freeze your existing accounts which will alert you if someone is trying to use your personal information illegally. Contact one of the three credit report agencies below:

Equifax - 1 (800) 525-6285
P.O. Box 740241
Atlanta, GA 30374
http://www.equifax.com

Experian - 1 (888) 397-3742
P. O. Box 9532
Allen, TX 75013
http://www.experian.com

Trans Union - 1 (800) 680-7289
P. O. Box 6790
Fullerton, CA 92834
http://www.transunion.com

After you place a fraud alert or freeze, ask that credit agency to send you a credit report. When it arrives, review it carefully. If you find anything that looks wrong or suspicious or that you don’t understand, call the credit agency at the telephone number listed on your credit report and review the report with a member of the staff. If information in the credit report cannot be explained, you may wish to file a report of suspected identity theft with your local police or sheriff's department.

Q: Do I have to pay for the credit report?

A: No. When you place an initial fraud alert on your credit report, you are entitled to one free credit report from each of the three nationwide consumer-reporting companies. Or you may order a free credit report at http://www.AnnualCreditReport.com.

Q: What is a fraud alert?

A: Most credit card companies and other creditors won’t issue credit without first checking the applicant's credit history. A fraud alert tells credit issuers that there is possible fraud associated with the account and gives them a number to call before issuing new credit in your name. This prevents others from fraudulently receiving credit in your name. When you call the credit bureau fraud line, you will be asked for identifying information and will have an opportunity to enter a number for creditors to call. Credit bureaus will send you a confirmation letter which should include instructions on how to order a free credit report. You should then request a credit report.

Q: How long does a fraud alert last?

A: An initial fraud alert lasts 90 days and it is free; you may renew it for an additional 90 days.

Q: Will a fraud alert stop me from using my credit cards?

A: No; a fraud alert will not stop you from using your existing credit cards or other accounts.

Q: Can I still apply for credit after I place a fraud alert on my credit report?

A: Yes, but a fraud alert may slow the process of receiving new credit since the purpose of a fraud alert is to help protect you against an identity thief opening credit accounts in your name. Potential creditors receive a special message alerting them to the possibility of fraud, and they know they should re-verify the identity of a person applying for credit.

Q: What is a Credit or Security Freeze?

A: A notice placed by you that prohibits the credit reporting agency from releasing any credit information to a third party without your written authorization. A freeze is a permanent action, but can be lifted temporarily as needed, using a password. Lenders would not have access to your credit report to approve new credit. Your information can still be released to your existing creditors. To place, you must request in writing to each of the three credit agencies. There is a $10 fee to place, remove, or temporarily lift. No fee is charged if you provide proof that you are a victim of identity theft or are more than 65 years old.

Q: How else can I request my free annual credit file disclosure?

A: Go to the Identity Theft Resource Center at http://www.idtheftcenter.org/ and the Annual Credit Report site at http://www.AnnualCreditReport.com. While credit bureaus offer fee-based monitoring services, it is up to individual parties to determine whether they wish to pay for such services.

Q: Should I order all my credit file disclosures at one time or space them out over 12 months?

A: It is entirely your choice whether you order all three credit reports at the same time or order one now and others later. The advantage of ordering all three at the same time is that you can compare them. On the other hand, the advantage of ordering one now and others later is that you can keep track of any changes or new information that may appear on your credit report (for example, one credit report every four months). Remember, you are entitled to receive one free credit report through http://www.AnnualCreditReport.com every 12 months from each of the nationwide consumer credit reporting companies such as Equifax, Experian and TransUnion. If you order from only one company today you can still order from the other two companies at a later date.

Q: I called the credit bureau fraud line and they asked for my Social Security number. Is it okay to give it?

A: The credit bureaus ask for your Social Security number and other information to identify you and avoid sending your credit report to the wrong person. However, UF advises caution if you are contacted by someone who claims to represent UF and asks for personal information. UF will not contact you but instead will wait for you to contact us if you have any additional questions. In the case of a fraud alert, potential creditors will contact you to confirm your identity before issuing new credit in your name.

Q: Do I have to call all three credit bureaus?

A: No, you only need to contact one and request that credit bureau pass your request for fraud alert to the other bureaus.

Q: Why can't I talk to someone at the credit bureaus?

A: Each of the three bureaus uses an automated telephone system. If you are having difficulty reaching one, try another.

Q: How long does it take to receive my credit report?

A: Your report will be mailed to you within 15 days. Please allow 2-3 weeks for delivery.

Q: What is Credit Monitoring and do I have to pay for the Service?

A: Credit monitoring services protect you primarily against new account fraud. This form of fraud occurs when a criminal uses your personal information to open credit card, mobile phone, or other financial accounts using your name, Social Security number, and other personal information. Credit monitoring does not actually stop the opening of new accounts, but it usually enables you to learn about the fraudulent accounts sooner than it takes for debt collection companies to track you down. You must pay for the use of a credit monitoring service.

Q: Why doesn't UF buy a years' credit monitoring subscription for me?

A: UF does not pay for credit monitoring services. By utilizing the free fraud alerts and reviewing free credit reports for suspicious activity, you can engage in periodic monitoring of your own credit. Additionally, independent research by a consumer watchdog group indicates most credit monitoring services are ineffective. For further information about the effectiveness of credit monitoring services, go to http://www.privacyrights.org/fs/fs33-CreditMonitoring.htm#1.

Q: Should I contact the Social Security Administration and change my Social Security number?

A: The Social Security Administration very rarely changes a person's Social Security number. The possibility of fraudulent use of your number probably would not be viewed as justification. Also, there are drawbacks to changing your Social Security number. For example, you would lose your credit history, which could make it difficult to get new credit, go to college, rent an apartment, open a bank account or get health insurance.

Q: Should I close my bank account?

A: No; the illegally accessed database does not include any information about bank accounts.

Q: Should I close my credit card or other accounts?

A: No; the illegally accessed database does not include any information about credit card accounts or driver’s licenses.

Q: I receive e-mails from E-Bay, PayPal, and other online resources including banks. Does this mean my identity has been stolen?

A: No this does not mean your identity has been stolen. However, a common method of obtaining personal information to use in identity theft is to send emails claiming to be from one of these types of companies. It is called "phishing" and you should not respond to any of these emails.

Q. What should I do if I discover fraudulent use of my personal information?

A: You should immediately report the crime to your local law enforcement agency, contact any creditors involved and notify the credit bureaus. Detailed information is available on the Federal Trade Commission’s Identity Theft web site at http://www.ftc.gov/bcp/edu/microsites/idtheft/.

Q: Was there any Human Resources (personnel), UF student/academic or UF foundation information stored on the server?

A: Not really. The directory contains only public information about faculty, staff and students. UF is a large organization and the directory is intended as a service to help find individuals within the organization. Typical directory fields are listed below. To see your directory listing, visit the UF Phonebook.

• Name
• Affiliation
• Organization
• UFID
• Email address
• Postal Address
• Telephone Number
• Title

Frequently Used Sites

• News
• Calendar
• Directory
• MyUFL
• ISIS
• Web Site Listing
• Campus Map
• WebMail
• Ask UF

© University of Florida, Gainesville, FL 32611; (352) 392-3261.

General Site Information

• Contact
• Disability Services
• Privacy Policy
• Search

This page was last updated February 19, 2009.

This page uses Google Analytics (Google Privacy Policy)