facebook twitter  youtube
corner graphic
Unauthorized Server Access

Updated: February 20, 2014

In an email from the Chancellor on Jan. 31, 2014, we learned that one of our college servers was accessed by an outside source without authorization. The vulnerability has since been corrected, and we are actively working with the authorities and computer forensic specialists to investigate the full extent of the incident. In an effort to answer your looming questions in a timely manner, this web page has been created. Early in the investigative process, TSTC IT security analysts identified that employee-identifying information did reside on the server. 

The college continued to investigate the server and found a small amount of student information resided on the server containing student-personally identifiable information. Notifications were sent to approximately 2,800 former students from TSTC Waco that were affected.

Although we have no evidence at this time that any data was actually stolen, we wanted you to be alerted to the incident and to the possibility that a theft of TSTC data may have occurred.

If you have questions not answered on this web page, please email us at datarisk@tstc.edu or call 800-592-8784..

Below are the FAQs answered on this page.

How often do data breaches happen?

According to Privacy Rights Clearinghouse, 30 colleges and universities across the United States had data breaches in 2013. Since the organization began compiling information on data breaches in 2005, there have been more than 600 data breaches at U.S academic institutions, resulting in the compromise of 12.5 million records. See more at: https://www.privacyrights.org/data-breach/new

Articles online illustrate how colleges across the nation, indeed the world, are subject to such vulnerabilities given the nature of the times in which we live. See:

What Happened?

On January 30, 2014, a network security analyst in the Office of Information Technology at Texas State Technical College System discovered employee personally identifying information was located on a server that was remotely accessed by unauthorized parties. The server was contained and taken down. The files contained the information about TSTC employees as of November 2013. Initial investigation indicates the files were on the server from November 4, 2013 to January 30, 2014.

The college continued to investigate the server and found a small amount of student information resided on the server containing student-personally identifiable information that was on the server from May 16, 2006 and Oct. 30, 2008 to January 30, 2014. Notifications were sent to 2,867 former students from TSTC Waco that were affected. These are students who attended TSTC Waco primarily in Summer 2006 with some who also attended in Fall ’06, Spring and Summer ’07.

Although we have no evidence at this time that any data was actually stolen, we wanted those affected to be alerted to the incident and to the possibility that a theft of TSTC data may have occurred.

If you have questions not answered on this web page, please email us at datarisk@tstc.edu or call 800-592-8784..

We deeply regret this situation and are taking steps to protect TSTC employees and students who may be at risk. The College has immediately blocked access to the files and is conducting an extensive investigation. Forensic analysis does not indicate that any of the data on the compromised machine was actually stolen.

Why was personal information included in these files?

The employee files contained information relevant to conducting College business. The source files have been deleted and are no longer accessible and the matter is being investigated fully.

Likewise, the student files contained names and social security numbers of students for reports relevant to conducting College business. The source files have now been deleted and are no longer accessible.

When were the affected records created?

The employee records were created on Nov. 3, 2013.
The student records were created on May 16, 2006 and Oct. 30, 2008.

How many people were potentially affected by this incident?

At this time, the investigation has revealed that all TSTC employees (less than 2,000) on the November payroll were included in a file on the server for use in fulfilling our quarterly employment reporting requirements.

Further computer forensic investigation revealed that two additional files containing former TSTC Waco student information from Summer 2006-Summer 2007 affected 2,867 students.

What actions did the College take in response to this incident?

The College immediately took a number of parallel steps to investigate and limit the exposure of this information. As soon as the incident was confirmed, the College immediately activated its business continuity plan and followed security incident procedures including:

  • The College immediately took the server down.
  • The source files were deleted and are no longer on the server.
  • The College’s OIT security response team began conducting an in-depth and thorough forensics investigation of the incident to determine what occurred and the nature of the information involved.
  • The College’s OIT team contracted with an external forensic analysis team to assist with the analysis of the data that could have been accessed to determine the full extent of the information that may have been exposed.
  • The College engaged a nationally recognized identify theft firm to protect employees affected as soon as it was confirmed that their sensitive information may have been accessible.
  • On January 31, 2014, the College sent a system-wide email to the account of each employee notifying them of the risk and offering recommended actions for identity protection.
  • The College created a web page with further identity protection recommendations and frequently asked questions on the TSTC System Office website.
  • The College released a news release to statewide media announcing their actions as a result of the potential threat.
  • The College brought down certain websites to allow the OIT team to evaluate their security protocols as a precautionary measure to assess security protcols on critical applications.
  • The College created an email address where questions can be directed that are not answered on this webpage: datarisk@tstc.edu.
  • The College created a toll-free number for the OIT help desk to handle calls from those students verifying whether their name was on the list (800-592-8784)
  • The College engaged the identify theft firm to protect former students affected as soon as it was confirmed that their personal information may have also been accessible.
  • The College researched current addresses for former students affected.
  • The College mailed letters to former students affected, notifying them of the risk and offering recommended actions for identity protection.
  • The College updated the FAQ page to include answers to questions former students may have about the incident.
  • The College released a news release announcing that notifications are being made to former TSTC Waco students that were affected.

Why were Social Security numbers included in these files?

Social Security numbers are used to track employment and used in mandatory quarterly State reporting.  Likewise, student SSNs were used as unique student identifiers for students to complete a graduate report.

Which students were possibly affected by the vulnerability?

Computer forensics has identified a small amount of student information resided on the server that was vulnerable to unauthorized access. Only students who attended TSTC Waco in the summer of 2006 and a small number of students from academic year 2007 (Fall 2006, Spring and Summer 2007) were included in the files containing the student names and social security numbers.

Students who graduated prior to Summer 2006, or who enrolled after Summer 2007 were not affected. The college has sent each potentially affected former student a letter at their last known address. The letter to affected students will contain information on how to enroll for the prepaid identity protection service either through a toll-free number or website.

How do I verify that I am not affected?

Students from TSTC Harlingen, Marshall, West Texas and North Texas were not included in this vulnerability issue. Most TSTC Waco students from Summer 2006 were affected, and less than 100 Waco students from the academic year 2007 (Fall 2006, Spring and Summer 2007).

If you have not received a letter, but were a student at TSTC Waco during this time period, you can call the College Office of Information Technology toll-free number, at 800-592-8784.. They can confirm whether your name and social security number was at risk due to the illegal access to the server. The OIT Help Desk is available 7 a.m. to 9:30 p.m. Monday – Friday; and 8 a.m. to 5 p.m. Saturday and Sunday.

When was the information on the server?

The College believes that the employee files containing personal employee information were on the server between November 4, 2013 and January 30, 2014.

The College believes the student files containing the names and social security numbers of TSTC Waco students from 2006-2007 were placed on the server in May 2006 and October 2008 where they remained until January 30, 2014.

Is my personal information still at risk of disclosure?

No. Upon learning that these files were inadvertently accessible on the server, the College immediately took steps to disable the server. A further investigation is ongoing to discover the cause of this information being stored on the server and appropriate action will be taken to ensure that personally identifiable information is protected from unauthorized access.

Are law enforcement and other agencies involved in investigating this incident?

Yes. The College is actively working with the FBI, and Office of Inspector General, and Department of Education.

Does the College have any indication that anyone has suffered identity theft as a result of this incident?

At this time, the College has no way to know whether information has been or will be misused. It is recommended that employees take the following steps to protect their identity:

  • Place a "fraud alert" on your account with a credit agency. A call to one of the three nationwide credit-reporting agencies is enough. As soon as that agency processes your fraud alert, it will notify the other two agencies, which will then place fraud alerts in your file.
  • Place a “credit freeze” on your credit file with the consumer reporting agencies which prevents criminals from opening new lines of credit in your name.
  • Consult the Federal Trade Commission website on identity theft at www.consumer.gov/idtheft/
  • Carefully examine all credit card billings and other such statements to verify charges. If anything looks suspicious, promptly report the incident as suspected identity theft, employees also should file a report with the Federal Trade Commission at www.consumer.gov/idtheft or at 877-ID-THEFT (438-4338).

If my personal information was accessed by an unauthorized party, does that mean that I will become a victim of identity theft?

Not necessarily. Even if someone did access your information, this does not mean that you have been, or will become, a victim of identity theft or that the unauthorized individual intends to use your personal information to commit fraud. The College notified you about this incident so you can protect yourself. You can do this in several ways: by placing a fraud alert on your credit file; by placing a security freeze on your credit report; and by reviewing your credit reports regularly. Each of these measures is described within this FAQ page.

What is a fraud alert and how does it work?

Most credit card companies and other creditors will not issue credit without first checking an applicant’s credit history. A fraud alert tells potential creditors that they should contact you first before issuing new credit in your name, thereby preventing someone from fraudulently obtaining credit without your knowledge. A fraud alert will not prevent you from using your credit cards or other accounts. A fraud alert, however, may slow the process of receiving new credit since the purpose of the fraud alert is to help protect you against an identity thief opening new credit accounts in your name. When you place a fraud alert on your account, potential creditors receive a message instructing them to re-verify the identity of the person applying for credit before approving the credit application. There is no charge for placing a fraud alert on your credit file. An initial fraud alert lasts for 90 days and is free. You may renew the fraud alert at no cost for an additional 90 days. There is no limit to the number of times you can renew the fraud alert.

You can place a fraud alert on your credit file by contacting any one of the three national credit bureaus (Equifax, Experian, and TransUnion). As soon as one credit bureau confirms your fraud alert, the others are also notified to place fraud alerts on your credit file. You can contact the credit bureaus as follows (the links below will take you directly to the fraud alert section of the website for each credit bureau):

Below are the three nationwide credit reporting agencies:

Equifax, 800.525.6285; PO Box 740241, Atlanta, GA 30307-0241, www.equifax.com

Experian, 888.397.3742, PO Box 9532, Allen TX 75013, www.experian.com

TransUnion, 800.680.7289, PO Box 6790, Fullerton, CA 92834-6790, www.transunion.com

If you would like a College representative to assist you in using one of these websites to place a fraud alert on your credit file, call or visit your college Human & Organization Development office.

What is a security freeze?

A security freeze prohibits a credit bureau from releasing your credit report without your consent.  However, placing a security freeze may delay, interfere with or prohibit the timely approval of any application you then make regarding a new loan, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular telephone, utilities, digital signature, Internet credit card transaction or other services, including an extension of credit at a point of sale. Because of this, you may need to remove or temporarily lift the security freeze.

You would need to place a security freeze at each individual credit bureau. The fee for placing a security freeze on a credit report in Texas is $10.83 (includes tax). If you are a victim of identity theft and submit a valid investigative or incident report, complaint with a law enforcement agency or the Department of Motor Vehicles (DMV), the fee will be waived.

Why should I review my credit report?

You should regularly review your credit reports and monitor your accounts for unusual activity. In addition to your right to one free credit report per year, placing an initial fraud alert entitles you to a free credit report from each of the three credit bureaus. You can use these reports to review and monitor your credit report periodically.

To get your free report, go to www.AnnualCreditReport.com or by calling (877) 322-8228.
To track your credit during the year, you can request a free report from a different credit bureau every four months.

If you discover information on your credit report arising from a fraudulent transaction, you should request that the credit-reporting agency delete that information from your credit report file.

If you have general questions about identity protection, the FTC produces a brochure, “What to Do If Your Personal Information Has Been Compromised,” which contains helpful information and links to additional information the FTC has on this issue. The FTC has additional information regarding identity theft.

What is credit monitoring?

Credit monitoring services protect primarily against new account fraud. This form of fraud occurs when a criminal uses your personal information to open credit card, mobile phone, or other financial accounts using your name, social security number and other personal information. New account fraud can be difficult to detect because the criminal generally has billing statements sent to an address other than your real address. You can learn more about credit monitoring at https://www.privacyrights.org/fs/fs33-CreditMonitoring.htm#1.

Does the College provide credit monitoring services?

In an abundance of caution, the College will be offering premium identity theft protection for one year for all TSTC employees. We have partnered with CSID to provide one year of their Breach Protector™ credit monitoring and identity theft restoration coverage. CSID is an independent company that specializes in protecting and restoring its subscribers’ credit and identity. CSID has sent each employee their personal activation PIN and procedures, using the addresses we have on file for employees.

Likewise, the 2,867 TSTC Waco former students affected were mailed a letter to the most current address available, along with instructions and a personal activation PIN. Former students are encouraged to use the PIN number to subscribe at no cost to the credit monitoring and identity theft restoration protection courtesy of TSTC.

Because the College cares for our employees and students, we have already purchased the identity theft protection service for all affected. The College has paid for this protection whether or not the service is activated. The College urges students and employees to help us be good stewards of our resources, and accept this coverage for their benefit. 

Will the college have access to my credit information since they are purchasing this service for me?

No. The college has purchased the identity theft service for employees and students affected whether they activate their subscription or not as an act of good faith to help you protect your identity. The college has no right to personal credit information of our employees or former students. Only you, as the owner of the service, can activate and access your identity theft subscription. 

I received a letter from TSTC about CSID identity theft services, is this for real or a scam?

A letter went out from CSID using a copy of TSTC letterhead as an important notice to those who were involved in the potential exposure of your personal identifying information. This letter is for real and is not a scam. To verify it, please see the website on the letter, call CSID, or simply activate your CSID account using the PIN code provided. TSTC has partnered with CSID to provide one year of breach Protector, a premium credit monitoring and identity theft restoration coverage at no cost to you. This has already been paid for and we urge you to accept his gift and protect yourself from the potential threat.

If I wasn’t an employee in November, will I still receive identity theft protection? 

The College is providing a premium identity theft protection plan for all employees included in the Nov. 3, 2013 employment report. All other employees will also receive one-year of the basic identity theft protection from CSID as an employee benefit.

If I wasn’t a student in 2006-2007, will I still receive identity theft protection?

The College is providing the identity theft protection plan for only the 2,867 students involved, those who attended TSTC Waco in the Summer 2006 term and approximately 100 students from the 2007 academic year who were also included.

Should I contact the Social Security Administration to change my Social Security number if my Social Security number was part of the information that was contained on the compromised server?

The Social Security Administration is unlikely to change your Social Security number in the absence of any evidence that your Social Security number is actually being misused. In addition, according to information on the Social Security Administration’s website, changing your Social Security number may create additional problems because you would lose your existing credit history and because other government agencies (including the Internal Revenue Service and the Department of Motor Vehicles) and private businesses (such as banks and credit reporting companies) are likely to have records under your current Social Security number.

What should I do if I believe my personal information has been used fraudulently?

You should immediately: (1) report the crime to your local law enforcement agency, (2) contact any creditors involved, and (3) notify all three credit bureaus. You may also choose to put a credit freeze on your file; please note that there may be a cost associated with this. Additional guidance is available on the Federal Trade Commission’s website.

Did the affected files contain any information about my bank account?

No. Our investigation of this incident indicates that the affected files did not contain bank account information.

Did the affected files contain any information about my credit cards?

No. Our investigation of this incident indicates that the affected files did not contain credit card information.

What should I do if I have not received my letter from CSID about the Identity Theft Protection?

Employees should call your HOD representative (below) and update the address on record to ensure you receive important notifications sent to your home. Also, HOD can email you a copy of the letter and help you get your PIN code to begin your Identity Theft Breach Protector service.

Students should call the Office of Information Technology toll-free number, at 800-592-8784. The OIT Help Desk is available 7 a.m. to 9:30 p.m. Monday – Friday; and 8 a.m. to 5 p.m. Saturday and Sunday.

Who can I contact if I have additional questions?

The following College personnel stand by to answer any questions employees may have:

TSTC Harlingen: Mary Prepejchal, 956.364.4042

TSTC Marshall: Felicia Hill, 903.923.3233

TSTC Waco: Kelly Contella, 254.867.2368

TSTC West Texas: Brian Kight at Brownwood 325.641.3918; Sherry Strickland at Breckenridge 254.559.7707; Hannah Love for Abilene & Sweetwater 325.236.8277

Students should call the Office of Information Technology toll-free number, at 800-592-8784.The OIT Help Desk is available 7 a.m. to 9:30 p.m. Monday – Friday; and 8 a.m. to 5 p.m. Saturday and Sunday.

If they cannot answer your question, they will take your name and phone number and forward that information to the security response team, and a College employee will contact you with a response. Additionally, commonly asked questions will be added to this website as they arise. If questions you have are not answered on this web page, please email us at datarisk@tstc.edu.

I work at TSTC but don’t have easy access to a computer. Where can I get assistance?

The Human & Organization Development Office is available to assist College employees. You can stop by the office any work day during normal office hours and they are happy to assist you.

Also, if questions you have are not answered on this web page, please email us at datarisk@tstc.edu.

Why did TSTC disable websites on the Feb. 1 weekend?

On Saturday, Feb. 1, the OIT team brought down several websites to evaluate their security protocols as a precautionary measure on our most critical applications.

What do I do if my CSID PIN code is not working?

On Feb. 10, the College began getting reports from some employees that their CSID PIN codes, required for activating their Breach Protector service, are not valid. By the afternoon of Feb. 10, CSID had reactivated the assigned PIN codes. If for some reason your PIN code does continues to not work, please call CSID's Breach Protector phone number, available 24/7 at 877-274-5565 or email CSID at support@csid.com.  If the issue is not resolved, email us at datarisk@tstc.edu.











TSTC home page information request form Request Information Spanish translation