West Virginia University recently discovered a file that was accessible on a public-facing site which included certain information related to individuals who were employed by WVU in 2013. The data available in the file included names, dates of birth, employee ID numbers, Social Security numbers, and chosen PEIA insurance plans and Mountaineer Flexible Benefits. Following this discovery, the University promptly ensured the file was removed and the information was no longer publicly accessible.
Frequently Asked Questions
Whose data was involved in this incident?
This incident involved approximately 7,000 individuals who were employed by WVU
in August 2013. People hired after August 2013 were not affected.
What information was involved?
The file included the individual’s name, WVUID number, Social Security number,
date of birth, salary, and other information related to the PEIA insurance plans
and Mountaineer Flexible Benefits, including selected coverage plans and associated
premium costs.
Where was the data available?
The personal information was mistakenly embedded within a presentation, which had
been created to provide aggregate information about WVU employees. This file had
been uploaded to a Faculty Resources webpage on West Virginia State University’s
website. It was not directly accessible via the WVSU website but could be found
by searching for it via Google.
Who had access to the data?
Anyone who visited this WVSU Faculty Resources website since 2016 would have had
access to view or download the file.
What actions did WVU take when alerted the data was public?
After discovering the incident on Sept. 29, 2023, WVU immediately reached out to
West Virginia State University to remove the file from its website. This was completed
within 1 hour of notification.
My information was included in this incident. Is there anything I can do to protect
my data?
To better protect your personal information on non-WVU services, you are encouraged
to turn on multi-factor authentication for all your personal accounts when it is
available and never approve a push notification that you did not initiate. While
WVU uses Duo Security, applications to protect your personal accounts such as
Microsoft Authenticator and
Google Authenticator are also easy to download and begin using.
What is the University going to do to help protect me?
WVU is offering a year of free credit monitoring to all individuals affected by
this incident. To sign up, contact the ITS Service Desk at
ITSHelp@mail.wvu.edu by Feb. 2, 2024, and be prepared to provide your WVUID
number.
What has WVU done to make sure this can’t happen again?
The affected data was assembled in 2013, approximately two years before WVU had
a
Social Security Number Protection Policy, which requires the use of a WVUID
number instead of SSN as a primary identifier.
WVU has a proactive approach to security and has since created many other acceptable use, security and privacy Policies and Standards to protect employee and student data. ITS also conducts regular cybersecurity awareness campaigns to help employees understand their responsibility to protect University and personal data. WVU requires annual security training for certain departments that routinely handle sensitive data, and ITS implemented a data loss prevention program to search for, monitor and limit the use of sensitive data throughout the University. Additional safeguards include protecting all WVU Login accounts with DUO two-factor authentication and pre-established recovery methods.
Is there someone I can contact with questions?
If you have general questions or need assistance related to this incident, you
should contact the ITS Service Desk at
ITSHelp@mail.wvu.edu.
Best Practices for Defending Your Data
- WVU employees should never use their WVU email accounts or Login password for personal business, including online shopping and banking. If you have done this, ITS strongly advises you to switch these services to a personal email account as soon as possible.
- For additional protection, ITS also advises setting up multi-factor authentication on all your personal accounts, especially services where you may be using your WVU email address as the username to log in. While WVU uses Duo Security, applications to protect your personal accounts such as Microsoft Authenticator and Google Authenticator are also easy to download and begin using.
- Remember, never approve any multi-factor authentication request unless YOU initiated it.
- Know the signs of Identity Theft.
- Consider these additional security tips:
- Secure your mobile devices, including your laptop and cell phone, with a password or biometric scan. Set your devices to automatically lock after a brief period of inactivity (no longer than 15 minutes).
- Ensure your personal devices are operating on the latest security software, web browser and operating system. Turn on automatic software updates to defend your machine against unknown risks. Current employees can install Sophos anti-virus on your personal devices for free at freeav.wvu.edu.
- Lock access to your credit with the three national agencies, Experian, TransUnion and Equifax, until you are actively looking to open a new line of credit or make a large purchase that requires a credit report. Apps from these companies provide the ability to easily unlock your credit report for a designated timeframe when you need to, then lock it again.