Donna Alexander, the vice president for information technology at the University of Tampa, attended the scheduled faculty senate meeting last Friday to talk about the recent data breach at UT.
As The Minaret previously reported, students in an online production class recently came across an unsecured file on the UT server that contained the social security numbers and other personal information of close to 30,000 current and former students, faculty and staff. The file had apparently been online for months.
Alexander’s presence was a surprise to the faculty senate, an audio recording of the meeting indicates. “OK, so now the agenda is going to become a bit of a random walk for several reasons,” said faculty senate president Evan Chipouras after her arrival, according to the MP3 recording. “But the first step in the random walk. . . . Donna Alexander has turned up from IT to speak to the group about the data breach issue.”
Though the faculty senators were unaware Alexander was coming, it did not stop them from voicing their concerns about the data breach. They discussed and asked questions about a range of related issues, including auto-enrollment in the identity protection service the university is offering, possible IT department harassment of the students who reported the problem and the general exposure of sensitive information.
“We know that the text file was exposed and [faculty] were not in the text file,” said Alexander. “There were a couple of databases that were also in an area that could have gotten accessed, but we know by the logs that they were not [accessed], except by the student that reported them. And so we feel like that [faculty information] is safe, and it’s not just us feeling that. This is a bigger group making that decision, but it’s safe.”
Alexander told the senators that an error led to the text file being in the wrong place. “We [IT] did it,” she said. “It was our fault. It was to troubleshoot an issue and it’s not uncommon practice in IT when you’re troubleshooting something to make copies of things and do all kinds of things like that. The fatal error in this case was that it was in a directory that . . . ended up being searchable. . . . [T]hat was our problem. That was our fatal error.”
While the file was created in July 2011, Alexander said the file wasn’t accessible for some time. “[The file] wasn’t really available, it wasn’t accessed [for quite some time]. We have the logs. We know exactly when Google . . . made it searchable. . . . It was much later. It was in February. That’s not something that we’ve been putting up yet, because we don’t want it to look like we’re trying to minimize this. The date of the file was July 12th. That’s what we’re taking responsibility for.”
Despite being asked several times how many times the file had been accessed, Alexander declined to definitively answer. “Well, you know that’s not as simple [to] answer, and I’m not trying to be evasive, it’s really the truth,” she said at one point. “As you can imagine, once IT found out that this information was there, there was a flurry of hits. I mean, it just went wild, because we were hitting it and we were checking it and we were doing all of that so the number went ‘vooom!’, huge, and huge is a relative term, I mean I’m not talking hundreds. I’m not talking thousands. It’s way less.”
Alexander offered to look into putting the actual number up on UT’s online FAQ page covering the data breach.
“Prior to that, even then it was a handful,” she explained. “It was way, way less than that. So it was very minimal exposure, and I hesitate to use the word minimal with this situation at all because none of it is minimal, but that is what we’re seeing and that’s why, you know, to give you an answer, it’s going to be misleading.”
According to the audio recording, she continued by saying, “I mean, I looked at some of it. . . . I looked at a lot of it, believe me, but I counted things up and did all of those things, but I haven’t done that till today.” The text file was found on March 13th, according to UT’s website on the incident.
Alexander was more definitive on whether anyone would be auto-enrolled in identity protection. “No, and we’ve asked that question repeatedly, because if we could auto-enroll, we would do it,” she said. “We would love to do that, but what we’re being told by the bureau we’re working with is we cannot auto-enroll someone in a service like this that has to do with sensitive information, that they won’t allow us to do it. I don’t understand [why we cannot auto-enroll].”
The protection service is listed on the data breach webpage, where UT identifies the provider as “Experian, a national identity protection service.”
The meeting continued with professors expressing concern for the students who notified UT of the breach. The Minaret previously reported that students Rupert Azarcon and Cody Thayer felt harassed by the IT department after they alerted the school to the issue. “I can understand the perception, because we did repeatedly contact them to follow up,” Alexander responded. “And I can understand certainly how they would feel threatened by that, but every contact with the student was prefaced with, ‘This is not in any way to accuse you or make you in any way accountable, blameable, for anything that happened, that is not why we are contacting you.’ The reason we went about contacting them repeatedly, which was unfortunate and I wish we hadn’t done it that way, it was just because we would think of another thing we could do to try to make it better.”
In the MP3 recording, Alexander states, “It was to protect them. And I know that sounds hollow, but it’s really, really true. Because if anything were to come of this, if we take the right process and procedure, that we can prove this student– and we have the documentation– did not have anything else [to do] with this information. It clears them and protects them. And that was the whole gist of the contact with the students, and I’m sorry that it didn’t come across that way, and I can understand why they might have felt that way, but that was never the intent.”
When questioned about Azarcon and Thayer being asked to sign documents without legal representation, Alexander again asserted it was to protect them. “The students were asked for an accounting of what happened in writing, and the reason again . . . I keep repeating it, was to protect them. And so it’s all there. It all can be referred back to if it needs to be in the future, whereas if you don’t have something in writing, its just in your memory and you just forget.”
The TBO articles covering the data breach case feature a current UT student, Phillip Deret, who believes his identity was stolen due to the data breach, as well as several alumni and a former faculty member who express concerns about not being eligible for paid identity protection by UT. According to the school’s related online FAQ, “UT has decided to pay for each potentially impacted individual to sign up, if they desire, with Experian, a national identity protection service.”
The webpage also notes, “The individuals whose records were included in the database files containing the additional 22,722 records are not at risk.”
In an email interview with The Minaret, Donna Alexander stated, “No one eligible for the service will be turned away. For the potentially impacted individuals, the 6,818 Fall 2011 enrolled students, UT will send each person a letter that will contain information on how to enroll for the prepaid identity protection service.”
On the same Friday that Alexander was speaking with the faculty senate, a global email was sent with details about the retirement party of Steve Magriby, director of IT. The email, which students did not receive, encouraged recipients to RSVP and attend the event.
Magriby’s retirement announcement comes only weeks after the data breach was discovered. The subject of the email was “Steve Magriby’s Retirement Celebration.” The message read, “This is a broadcast message from the Office of Information Technology. The place just won’t be the same without him! Steve Magriby is announcing his retirement after 42 years with the University of Tampa. Please join us for a celebration in his honor.”
Additional reporting by Chelsea Daubar.
Rich Solomon can be reached at r.solomon14@gmail.com.
Kudos to the Minaret for notifying the UT community about this very serious error by the administration. I agree with Prof. LaRose (above), my opinion is that UT would not have disclosed at all–but for the knowledge that media articles were on the horizon. Magriby retirement…ballast off a sinking ship….apparently UT does not realize that the people they have alienated through their smoke and mirror approach to this problem will likely remain alienated for years. They either don’t realize, or don’t care. Good job.
Rich,
You and your colleagues at The Minaret have done a great job exposing and covering this very serious issue which I believe would not have been made pulic.