Get the latest Syracuse news delivered right to your inbox.
Subscribe to our newsletter here.

On Feb. 23, a senior in the College of Visual and Performing Arts received a photo from her mom of a letter. Her private data, the letter from Syracuse University read, may have been leaked.

The data leak affected about 9,800 SU students as well as alumni and applicants after someone gained unauthorized access to an employee’s email account. Data such as Social Security numbers and names were exposed in the leak.

The Daily Orange granted the VPA student anonymity for this story, as identifying information such as her name could be used maliciously due to the data leak.

Aside from the initial letter, the VPA student said that she has not gotten any communication from the university about the data breach.

“The only contact from the university was that one little letter,” she said. “I have not gotten any follow up about it which, unfortunately, was not surprising because I feel that the university isn’t great at handling situations.”

The D.O. also spoke with another student, a senior in the Newhouse School of Public Communications, who was affected by the breach and wished to remain anonymous. Her name, Social Security number and home address were leaked, she said.

The university offered all those affected a year of Experian IdentityWorks for free. The product, “helps detect possible misuse of your information and provides you with identity protection support focused on immediate identification and resolution of identity theft,” according to the letter sent to those affected.

Both students said it wasn’t enough.

While the school gave one year of the protection software, the possible ramifications of the data leak can last their entire lives, the Newhouse senior said.

“I’m not asking for a lot, but could I get protection after the year at least?” she asked.

After talking with the university, the student was told SU would evaluate a possible extension of the service after a year, she said. She is planning to contact the school about the possibility.

Eric Ferguson, communications manager for SU’s Information Technology Services, did not comment on whether the university would extend subscriptions of Experian IdentityWorks.

Since concluding an investigation, the university did not find any misuse of exposed information, Ferguson said in an email statement to The D.O. The university also did not find “any evidence that private personal information was actually viewed,” he said.

“We have provided information security training for employees, migrated employee email to Microsoft Office 365 (which provides additional security through multi-factor authentication), formed a campus-wide Personal Identifiable Information Task Force and added multi-factor authentication to MySlice,” Ferguson said in the email.

---

MORE COVERAGE:

• Student files class action lawsuit against SU over data breach that affected 10,000
• Here’s what to do if Syracuse University exposed your data
• SU defends response to data breach amid criticism, anger
• SU data breach exposes nearly 10,000 names, Social Security numbers

---

ITS announced in a campus-wide email on Thursday that MySlice would be undergoing maintenance for an update, including adding two-factor authorization, the upcoming weekend. The email was sent two days after The D.O. initially contacted the department about possible safeguards for SU’s data.

Ferguson did not comment further on the employee training, the newly created task force and the full investigation into the data leak.

The VPA student said that she has not had any major incidents pertaining to her data since the breach. But she is worried.

“It’s a huge fear of mine, and it’s a fear that I shouldn’t have to worry about because I trusted the university with that information,” she said.

Worried about what may happen after the year of protection is over and she graduates, the Newhouse senior wants some form of compensation.

“This could potentially be something I have to pay for for the rest of my life, through either protection or something like that, so they should be giving us some sort of compensation or like tuition reduction,” she said.

The VPA student said that since the leak was the fault of the university, only getting one year of the monitoring service felt “cheap.”

“They are making it seem like such a minor issue when it’s a really major issue,” she said. “We trusted the university with this information.”

Published on September 28, 2021 at 11:38 pm

Contact Kyle: [email protected] | @Kyle_Chouinard