Oregon State University is notifying 34,000 current and former employees that a computer containing some of their personal information was recently infected by a virus, even though the university’s computer experts say it is “highly unlikely” that the virus put any of that information in the hands of unauthorized users, OSU officials say.
The university is making the notification out of an abundance of caution and to comply with both the letter and spirit of the Oregon Consumer Identity Theft Protection Act. While there is no evidence that individual information has been accessed by a third party, officials are going to such lengths, in part, because records for many of those employed between 1999 and 2005 contained Social Security numbers as the “unique identifier” in each employee’s record, and the presence of those numbers raises the potential, however remote, of identity theft.
“We don’t want to unnecessarily alarm individuals, because in this case we have no evidence that any data was extracted, nor any evidence of identity theft linked to this security breach,” said Jon Dolan, chief information security officer for OSU. “Notifying individuals gives them the opportunity to take preventive measures, should they so choose, to place extra protections on their credit information and further minimize any individual risk.”