Information About Security Incident

On August 10, 2010, CCLA notified students, faculty, and staff of six Florida public colleges that some of their personal information, as defined by Section 817.5681(5)(a)-(c), Florida Statutes, was temporarily open to online access for a five-day period between May 29 and June 2, 2010. This page contains all pertinent information about this security issue, and will be updated as additional information becomes available.

• Media Release
• Notification e-mail to affected individuals
• Frequently Asked Questions about the security issue:
  
  General information about CCLA and the security issue
• Who is the College Center for Library Automation?
  The College Center for Library Automation (CCLA) provides automated library services and electronic resources to Florida's public colleges. CCLA was established in 1989, and is a cooperative effort between the Florida Department of Education's Division of Florida Colleges and the College Council of Presidents.
• What type of personal information was involved in this security issue?
  Personal information of students, faculty, and staff members at six of Florida's public colleges, as defined by Section 817.5681(5)(a)-(c), Florida Statutes, which states:

  For purposes of this section, the term "personal information" means an individual's first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted: (a) Social security number; (b) Driver's license number or Florida Identification Card number; (c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

  The personal information contained in the temporarily exposed records was incorporated into a longer string of alphanumeric information, and was not specifically identified by type of information in any way. The exposed data did not include any personal financial information such as credit card or bank account numbers, or any library usage records.
• Who has been potentially affected by this incident?
  Students, faculty, and staff members at the following Florida colleges: Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College.
• Why were these colleges affected?
  All libraries maintain records for each user (borrower records), which include personal information. Because CCLA provides library management services to Florida's public colleges, the borrower records for college students, faculty, and staff reside in CCLA's system. These colleges were affected because their borrower records were contained in temporary work files that were being processed by CCLA at the time of exposure.
• How did this issue occur?
  CCLA has determined that the installation of a software upgrade left the personal data unintentionally accessible during the five-day period.
• During what time period was the sensitive information potentially exposed?
  The information was temporarily open to online access for a five-day period between May 29, 2010, and June 2, 2010.
• How and when was this issue discovered?
  CCLA staff was alerted to this issue on June 23, 2010, when a Florida College System institution advised CCLA that a student reported finding their own personal information embedded in a set of Google search results.
• What actions has CCLA taken to resolve this issue?
  Upon discovery of this issue, CCLA notified the leadership at all affected colleges and initiated a security investigation. CCLA also reported the incident to the Leon County Sheriff's Office Financial Crimes Unit in Tallahassee (Case #2010-140568). CCLA staff worked to ensure that all online access to the sensitive information was removed within 18 hours or less of discovery. Since that time, CCLA has continued its security investigation, and has now identified all affected students, faculty, and staff members.
• Why is CCLA notifying affected students, faculty, and staff now?
  CCLA has recently concluded its security investigation of this issue. While there is evidence that the data was available for viewing by unauthorized persons, there is no indication that any personal information has actually been obtained or misused. Nevertheless, CCLA is encouraging all potentially affected students, faculty, and staff to take steps to minimize their risk of identity theft.
• What actions has CCLA taken to ensure that this kind of incident will not reoccur in the future?
  After determining the cause of this issue, CCLA staff immediately took additional steps to ensure the security of all personal data. CCLA staff worked with representatives from Google to ensure that all borrower information was completely removed and that Google no longer had access to any of CCLA's secure servers. All sensitive information was purged from Google by June 24, 2010. CCLA has made every effort to ensure that internally used sites are not accessible by anyone outside of its internal network.
• Does CCLA have any specific information about who may have accessed the information?
  Unfortunately, CCLA is unable to identify the individuals who may have accessed the data or to determine what they may have done with any data that they accessed. There was insufficient evidence to make any determination.

Information for affected students, faculty, and staff
• What actions should I take to protect my personal information?
  CCLA recommends that all students, faculty, and staff members at the affected colleges place free fraud alerts on their credit files. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. CCLA also recommends that all affected parties review their credit reports for suspicious activity.
• How do I place a fraud alert on my credit file?
  You can place a fraud alert by calling any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others will be notified to place fraud alerts. You can make a request to have all three credit reports sent to you, free of charge, for your review. Following is contact information for the three major credit bureaus:

Equifax (800) 525-6285 www.equifax.com

Experian (888) 397-3742 www.experian.com

TransUnion (800) 680-7289 www.transunion.com

• What should I do if I find suspicious activity on my credit reports?
  If you find suspicious activity on your credit reports or have reason to believe your information is being misused, contact your local law enforcement office to file a police report. Inform them that CCLA has already filed a report with the Leon County Sheriff's Office Financial Crimes Unit in Tallahassee (Case #2010-140568). Get a copy of any police report that you file; many creditors will request the information it obtains to absolve you of any fraudulent debts. You should also file a complaint with the Federal Trade Commission (FTC) at www.ftc.gov/idtheft or at (877) 438-4338. Your complaint will be added to FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcement officers for their investigations.

Important contact information
• Who can I contact for additional information about identity theft?
  To learn more about protecting yourself from identity theft, visit the FTC's Identity Theft site at www.ftc.gov/idtheft.
• How can I contact CCLA regarding this issue?
  Contact CCLA by e-mail at ciso@flvc.org or by telephone at (877) 506-2210.

Privacy Statement | Terms of Use | Careers | © 2010 CCLA | Contact Us