Notice to Employees
Employees of Eastern Illinois University from 2000-2005 may be affected by a recent incident involving improper disposal of coarsely shredded documents containing their names and Social Security numbers. As a prank, these shredded documents were taken out of Records Management by a student worker and dumped in various locations — the Coles County Sheriff's Department first made us aware of the situation at 10 a.m. on Friday, April 15. The student worker in question has admitted to his actions, which took place on Thursday, April 14. We believe we have recovered most, if not all, of the material taken, and to date we have received no reports of any inappropriate use of the compromised data. After combing through the documents, it appears the bulk of the information comes from 2002, with small amounts also related to 2001, 2003 and 2004. Material from 2000 and 2005 was also being shredded at the time this incident occurred, but we have no evidence that material from these years has been compromised.
Although the university's paper records disposal procedures follow state guidelines, it will institute additional safeguards to avoid future incidents of this nature. In the meantime, EIU is in the process of securing the services of Experian, a credit monitoring service, and will provide a year's membership, free of charge, to any potentially affected employees who wish to enroll. Affected employees will receive a letter containing information on how to enroll. If you still have questions after reading the following FAQs, we have set up a toll-free hotline at 877-678-6082; it will be available beginning Friday, April 22, at 12:30 p.m. until 4:30 p.m. After that, it will be available daily from 8:30 a.m. until 4:30 p.m.
Frequently Asked Questions
On April 14, 2011, a student worker removed material from our facility that handles shredding of confidential information. The material included information for the periods 2000 through 2005.
What types of people were affected by this incident?
At this time, we believe only employees or past employees could be affected. There is no indication that any student information was a part of the shredded material. However, some information regarding dependents of employees or employees who were students at that time may also be a part of the compromised material.
I received a notification that my personal information, specifically my name and Social Security number, has the potential to fall into the hands of unauthorized people. What does that mean?
Coarsely shredded material was removed from EIU’s shredding facility. A student worker, who was shredding confidential information, removed two bags of shredded material to “prank” another student. After a local farmer contacted the Coles County Sheriff’s Department, it was discovered that shredded material was disposed of alongside a country road. This material was later identified as documents originating from Eastern Illinois University. Staff was dispatched to the location and the material was collected. Shortly after the material was recovered, it was determined that the shredded material was not shredded in a proper manner, revealing names and associated Social Security numbers of employees. Further research indicates the material spans across years 2000 through 2005. Those employed by the university during those years could be affected. We believe we have secured all the missing material; however, we are notifying you now because some of the material was outside our control for approximately 96 hours.
Why would my name and Social Security number be listed on the shredded documents?
Reports generated to assist offices in performing normal work functions are routinely created and stored for a period of time as backup for office reporting, research and internal/external audits. During the periods identified, most offices were still using Social Security numbers as the identifying information for employees. While this practice has primarily changed, documents with Social Security numbers do exist from the past and must be maintained in accordance with state retention and disposal schedules.
When did you become aware of the potential compromise?
The Coles County Sheriff’s Office was notified the morning of Friday, April 15, by a local farmer who indicated there was shredded paper on his property and was looking for assistance in removing the material. Subsequently, EIU personnel were contacted, and an investigation into the incident began. On Monday, April 18, additional material was located at other locations, and that too was recovered.
Why didn't you react quicker in advising employees of the potential compromise?
Any delay in notifying employees was attributed to finding out as much as we could about the incident, including a thorough investigation of what made up the material as well as researching what outside assistance we could acquire to aid any affected employees.
How do we know additional information, besides what has been identified, hasn’t been compromised as well?
As part of the shredding and disposal process, departments must submit thorough paperwork and documentation to the Records Management office and obtain approval from the Records Management administrator. Included in this paperwork is descriptive information of the material to be shredded and disposed of. Therefore, we are confident we know and understand the data these documents contained.
What specific information has the potential to be accessed and misused?
The documents that have been identified could contain names and Social Security numbers. There is no indication that any other personal data was a part of the shredded information.
Is the facility responsible for shredding or the student identified in the incident being disciplined or admonished in any way?
A thorough investigation continues by both the University Police and the administration. It is not known at this time if any criminal charges will be levied towards the student, but the student has been dismissed from his student employment position. While the act of shredding was done in accordance with State of Illinois disposal rules, the university is working on creating additional procedures to address any weakness in the current process and enhance future security and protection of personal information.
How many people were affected?
At this time, we believe approximately 3000 people could be affected.
What are you doing to help the people who may be affected by this incident?
We are in the process of securing a credit monitoring company, Experian, which will assist affected employees in protecting their personal information. More information on this will be provided in a letter to affected employees.
When will the credit monitoring service become available to me?
Once the letter goes out to affected employees, the credit monitoring service, Experian, will be made available to those identified employees/past employees. Information on how to take advantage of this service will be provided in the notification letter.
I am worried that someone will steal my identity . . . if not immediately, then later. How will I know if this happens and how are you going to continue to protect my identity?
To help you detect the possible misuse of your personal information, we have arranged for you to enroll in credit monitoring for one full year at no cost to you.
Because of this incident, I do not want to provide my Social Security number to any department or area at Eastern Illinois University. What should I do if I am asked for this information?
Most offices no longer ask for a Social Security number to identify you as an employee. Your E-number is your official employee number and should be used throughout the campus when making inquiries or providing information. However, there are certain areas where your Social Security number will be required, and withholding that information would not be advised in some cases. For example, Social Security numbers are required for the issuance of your year-end W2 wage statement. In addition, when enrolling in benefits with the State of Illinois, your Social Security number must be provided. In any case, when a Social Security number is requested, you should ask what it is being used for and base your decision on whether or not to provide your number on the answers you receive to your questions. You should know a committee has been established that is looking at all the university’s past and current practices regarding the collection and use of Social Security numbers. An identity protection group is working on preparing a policy for Social Security number usage and protection procedures in accordance with the Identity Protection Act 5 ILCS 179. This policy must be in place by July 1, 2011.
How will you be communicating additional information on this incident?
After affected employees have been identified, a letter will be issued to each of those employees or former employees. In addition, as new information becomes available, we will continue to provide announcements, emails and other correspondence to ensure that employees are being kept up to date on this incident.
What should I do to help protect myself? Where should I report suspicious or unusual activity or what steps should I take if I believe that I have become a victim of identity theft?
- Place a security freeze on your credit file (if permitted by state of residence); a 90-day security alert gives you time to verify if you are a victim of fraud. If you determine you are a fraud victim, you may add a seven-year victim statement to your credit report.
- Place fraud alerts on your credit files. Contact the fraud department of one of the three major credit bureaus:
- Close the accounts that you have confirmed or believe have been tampered with or opened fraudulently. Use the FTC’s ID Theft Affidavit (available at www.consumer.gov/idtheft) when you dispute new unauthorized accounts.
- File a local police report. Obtain a copy of the police report and submit it to your creditors and any others that may require proof of the identity theft crime.
- File your concern with the FTC. The FTC maintains a database of identity theft cases used by law enforcement agencies for their investigations. Filing a concern helps the FTC learn more about identity theft and the problems victims are having so FTC representatives can better assist you. The FTC’s Identity Theft Hotline toll-free number is 877-IDTHEFT (877-438-4338) or you can visit their website at www.ftc.gov.
- Inform creditors: If you determine that a fraudulent account exists, you should contact each creditor and inform them the account was opened without your consent and provide the necessary documentation to support your claim. Document all contacts: Make notes of everyone you speak with; ask for names, department names, phone extensions and record the date you speak with them.
- Understand the process: Each creditor may have a different process for handling a fraud claim. Make sure you understand exactly what is expected from you, and then ask what you can expect from the creditor. At the conclusion of an investigation, ask the creditor for documentation that states you are not responsible for the debt.
- Follow-up: Make sure everything a creditor/credit reporting agency has requested is received. It is always a good idea to make a follow-up call or send a letter for confirmation.
- Review reports regularly: Obtain another report several months after you believe everything is cleared up. If a new fraudulent account is discovered, you know how to handle it. If your credit report is back to normal, you can feel confident that all issues were resolved as you expected. It would be a good idea to check your credit report again in six months and a year later.
- Don’t throw away files: Keep all notes and correspondence in an accessible file in case they are needed in the future.
How can I find out more about identity theft?
The FTC has an excellent website on identity theft available at www.ftc.gov/bcp/edu/microsites/idtheft.
Will I be able to obtain a copy of the police report for this incident to assist in any credit reporting follow-up I may need to accomplish to ensure my credit remains intact?
To receive a copy of the police report, please call the toll-free number at 877-678-6082. Customer service representatives can help with this request.
Is the university facing any litigation as a result of this incident?
Unknown at this time.
How often does Eastern update data security safeguards?
Many of our security safeguards are updated daily or as technology or options become available. We monitor our processes routinely and also employ a data security expert who advises us of security standards and who works with us in securing all of our data.
How will I be able to distinguish what is legitimate information coming from EIU and what has the potential to be fraudulent in nature?
Letters or correspondence from EIU will have identifying logos and information, along with contact information if you are unsure. Criminals take advantage of situations like this to try to obtain personal information like credit and debit card numbers, Social Security and driver’s license numbers. If you receive an e-mail or correspondence that appears to be from us, or a telephone call from someone claiming to be a representative of the credit monitoring company assisting us, do not provide any personal information of any kind. Further, if you suspect you have received such a “hoax” email or call, please report it to EIU, using our toll-free number: 877-678-6082.
Do you suspect that my information has been used fraudulently?
The university does not suspect the information has been or will be used for fraudulent purposes. However, by securing the credit monitoring service, we believe we are responding appropriately to employees’ concerns and being good stewards of your information.
Regarding the credit monitoring service, will my spouse and/or my child be covered?
No, your spouse and/or child will not be covered under the membership unless he/she was notified that his/her information was also affected by the potential compromise.
Should I close my current credit cards or other accounts to protect myself now?
There is no need to close any credit cards or other accounts if no fraudulent activity has been detected. You should, however, continue to monitor your credit cards and other accounts for potential fraudulent activity.
If, as an affected employee, I choose to enroll in the credit monitoring service, will it be safe for me to provide all the personal material requested in order to enroll in the membership service?
Yes, the process of sending and receiving your information is encrypted using Secure Socket Layer (SSL) encryption. This technology helps ensure that your sensitive information is protected. Preferred web browsers are: Internet Explorer 8 and Internet Explorer 9, Firefox 3 and Firefox 4, Google Chrome 10, or Apple Safari 5.
What will be covered by the identity theft insurance* that is included in my product membership?
Identity theft insurance* is underwritten by Chartis Inc. Please refer to https://www.experian.com/data-breach/credit-monitoring-service.html for specific information regarding the identity theft insurance.
Does the one year credit monitoring membership start from the date I enroll or from the time I am or was notified about the offer?
The free one-year credit monitoring membership starts on the date you enroll.
I understand with this membership I will be provided an activation code. What is the process for consumers who are having problems with their activation codes?
The personalized, single-use activation code should be entered exactly as provided in the notification letter that you will receive. Please take caution in ensuring that you enter the code correctly. If you enter the activation code correctly and continue to experience problems with your enrollment, please contact Experian at 1-866-252-8809.
What happens to the credit monitoring membership if my employment status changes?
The one-year credit monitoring membership is not contingent on continued employment. Once you enroll, your membership is good for one year. However, please be sure to use your personal email address, not your work email address, when enrolling in the credit monitoring membership.
If I want to keep the credit monitoring membership longer than one year, may I do that?
You may continue membership at your expense after the one complimentary year. You will automatically be sent a renewal notice prior to the expiration of your credit monitoring membership. That email will contain instructions on how to continue/extend your membership. If you do not respond to the renewal requests, your product membership will be cancelled.
NOTE: If you still have questions after reading these FAQs, please contact the hotline set up for this incident at: 1-877-678-6082.