University of Iowa logo

Last update Wednesday, July 2, 2008 4:18 PM

Still have questions? Email ubs-online@uiowa.edu

UI Home

News Services Home

 

 

University Book Store Security Incident

On May 18, 2005 a computer containing credit card numbers and student/employee ID numbers of University Book Store customers was accessed without authorization from someone outside the UI network. Upon discovering the breach, the University of Iowa Bookstore shut down and isolated the computer system. There is no evidence the intruder obtained any data. Still, as a precaution, the UI wants University Book Store customers whose information may have been in the computers to know about the incident. (See the full news release about the incident at http://www.uiowa.edu/~ournews/2005/june/060105bookstore.html)

Below are answers to some questions Book Store customers may have in light of the incident. If you have further questions, please send an email to ubs-online@uiowa.edu

Q: Whose information specifically was on the server?

A: This server contained transaction information on credit card purchases at the University Book Store in the Iowa Memorial Union including through http://www.book.uiowa.edu/, at the Health Sciences Store in Hospital Ramp No. 3, and at the store in the UI Athletics Hall of Fame from January 3, 1994 to May 18, 2005. Credit card transactions from August 26, 1999 to May 18, 2005 contain cardholder names, credit card number, and expiration date. Transaction files from January 3, 1994 to August 25, 1999, contain credit card number and expiration date, but do not list cardholder names. It is estimated that the computer system may have contained up to 30,000 active credit card numbers. 

The server also contained student/employee ID numbers. There are no names associated with those numbers. The UI changed student/employee ID numbers from social security numbers to UI assigned numbers in fall 2003.

Back to top

Q. If my information was on the University Book Store server, does this mean that I'm a victim of identity theft?
 
A. No. Even if someone had retrieved your information, which does not appear to be the case here, it doesn't mean you are a victim of identity theft or that the person intended to use the information to commit fraud. As was stated above, there is no evidence that credit card or ID numbers were compromised by the intruder. However, if you think you may have used your credit card at the University Book Store during the timeframe cited above, the University wanted to let you know about the situation so that you can take appropriate steps to protect yourself if you are concerned.

Back to top

Q. I’d like to know with certainty that my personal information isn’t being used by someone else. What can I do?

A. The best way to protect yourself is to place a fraud alert on your credit files and review your credit reports, which you can obtain from one of three major credit bureaus: Equifax, Experian and Trans Union. If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.

Back to top

Q. My parents' credit card was used to pay for my books and supplies, do I need to inform them of this situation?

A. Anyone who used a credit card, including your parents, should review this material and determine the course of action most appropriate for them.

Back to top

Q. Do I have to pay for the credit report?
 
A. No. You can place a fraud alert on your credit report free of charge. Contact the fraud department at any one of the three major credit bureaus:
 
Trans Union: 1-800-680-7289 (http://www.transunion.com)
 
Experian: 1-888-397-3742 (http://www.experian.com)
 
Equifax: 1-800-525-6285 (http://www.equifax.com)
 
The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified to place fraud alerts, and all three credit reports will be sent to you free of charge.

Back to top

Q. What is a fraud alert?
 
A. A fraud alert is a message that credit issuers receive when someone applies for new credit in your name. The message tells creditors that there is possible fraud associated with the account and gives them a phone number to call (yours) before issuing new credit. When you call the credit bureau fraud line, you will be asked for identifying information and will be given the opportunity to enter a phone number for creditors to call.

Back to top
 
Q. What should I look for on my credit report?
 
A. Look for any accounts that you don't recognize, especially accounts opened recently. Look at the inquiries or requests section for names of creditors from whom you haven't requested credit.
 
Note that some kinds of inquiries, labeled something like "promotional inquiries," are for unsolicited offers of credit, mostly from companies with whom you do business. Don't be concerned about those inquiries as a sign of fraud. (You are automatically removed from lists to receive unsolicited pre-approved credit offers when you put a fraud alert on your account. You can also stop those offers by calling 888-5OPTOUT.)
 
Look in the personal information section for addresses where you've never lived. Any of these things might be indications of fraud. Also be on the alert for other possible signs of identity theft, such as calls from creditors or debt collectors about bills that you don't recognize, or unusual charges on your credit card bills.
 
If you find items you don't understand on your report, call the credit bureau at the number given on the report. Credit bureau staff will review your report with you. If the information can't be explained, then you will need to call the creditors involved and report the crime to your local police or sheriff's office. For more information on what to do, see the Iowa Department of Transportation’s page, “When bad things happen to your good name,” at http://www.dot.state.ia.us/mvd/omve/theft.htm

Back to top

Q. I called the credit bureau fraud line and they asked for my Social Security number. Is it okay to give it?
 
A. The credit bureaus ask for your Social Security number and for other information in order to identify you and avoid sending your credit report to the wrong person.  No one from the University of Iowa will initiate contact with you directly about this incident.  If someone contacts you claiming to be from the University of Iowa and asks for personal information regarding this incident, we recommend that you not share the information until you can verify the request. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

Back to top
 
Q. Do I have to call all three credit bureaus?
 
A. No. If you call just one of the bureaus, they will notify the other two. A fraud alert will be placed on your file with all three and you will receive a confirming letter from all three.

Back to top
 
Q. Why can't I talk to someone at the credit bureaus?
 
A. You must first order your credit reports. When you receive your reports, each one will have a phone number you can call to speak with someone in the bureau's fraud unit. If you see anything on any of your reports that looks unusual or that you don't understand, call the number on the report.

Back to top
 
Q. How long does it take to receive my credit report?
 
A. It could take about 20 days from the day you call the credit bureaus. It takes about 5 to 10 days from the time you call the credit bureaus to get your fraud alert confirmation letter with instructions on ordering your credit report. You should receive your reports in another 5 to 10 days from the time you order them.

Back to top
 
Q. How long does a fraud alert last?
 
A. An initial fraud alert lasts 90 days. You can remove an alert by calling the credit bureaus at the phone number given on your credit report. If you want to reinstate the alert, you can do so. If you are the victim of identity theft, you can place an Extended Fraud Victim Alert on your report by submitting a copy of a valid identity theft report that you have filed with a federal, state or local law enforcement agency. An Extended Alert will remain on your report for seven years.

Back to top
 
Q. Will a fraud alert stop me from using my credit cards?
 
A. No. A fraud alert will not stop you from using your existing credit cards or other accounts. It may slow down your ability to get new credit. Its purpose is to help protect you against an identity thief trying to open credit accounts in your name. Credit issuers get a special message alerting them to the possibility of fraud. Creditors know that they should re-verify the identity of the person applying for credit.

Back to top
 
Q. Can I still apply for credit after I place a fraud alert on my credit report?
 
A. You should still be able to get credit. While a fraud alert may slow down the application process, you can prove your identity to a prospective creditor by providing identifying information.

Back to top
   
Q. Should I close my credit card or other accounts?
 
A. This is certainly an option. Contact the bank issuing your credit card to proceed with this measure. (As a general privacy protection measure, you should always look over your credit card bills carefully to see if there are any purchases you didn't make. If so, contact the card company immediately.)

Back to top

Q. Will the University of Iowa contact me to ask for private information because of this event?
 
A. In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University and who then proceed to ask for personal information, including social security numbers and/or credit card information. Please be aware that the University of Iowa will not contact you directly with information regarding steps you should take to prevent possible fraud or identity theft; nor will the University ask for your full Social Security Number, University ID number, or Credit Card or Bank Account Number if you contact us, by email or telephone, for information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.

Back to top
 
Q. What steps is The University of Iowa taking to improve the security of personal information on campus computers?
 
A. An in-depth security analysis is being performed on the replacement system, to ensure that protections for the system are maximized. In addition, we are evaluating the payment card industry standards for security to ensure we meet or exceed their recommendations. Other campus systems with similar data will also be evaluated.

Back to top
 
Q. Can I continue to purchase items from the bookstore while this case is being investigated?

A. Yes. We have taken steps to prevent a reoccurrence of this type.
 
In addition, like all VISA and MasterCard merchants that meet specified transaction thresholds effective June 30, 2005, the University Book Store is required (1) to conduct an annual self-assessment of systems that process, store, or transmit cardholder data and (2) to engage an independent security firm to conduct a quarterly network scan (a non-intrusive scan to remotely review networks and Web applications based in the externally facing Internet Protocol (IP) address provided by the merchant).

Back to top