

1) What happened?

Sophisticated hackers, using an international IP address, unlawfully accessed the Kirkwood website on March 13, 2013. Specifically, the hackers gained access to archived application information from February 2005 until March 13, 2013 that may have included applicant names, birthdates, race, contact information and social security numbers. No financial data or academic records, including grades, financial aid information, etc., were stored in this system.


2) What is the application system?

The application system is an electronic database containing admissions records for individuals who applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013. The system may include impacted individuals' names, birth dates, race, contact information, and social security numbers. Continuing education and non-credit data are not stored in the system. The database contains only information collected from individuals at the time of admissions. No financial data or academic records, including grades, financial aid information, etc., were stored in this system.


3) Who is affected by the breach?

Together with law enforcement and an external security services firm, Kirkwood determined the possible extent of the breach and to what degree, if any, individuals’ personal information may have been compromised. Through the investigation, we were able to determine that the records for individuals who applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013 were accessed. This system may include name, birth date, race, contact information, and social security number. We were unable to determine if the information was actually stolen or simply accessed.

Personal financial data, continuing education records, and student records were not stored in this system and were not accessed in the unlawful breach.


4) What actions did Kirkwood take?

  1. The college immediately took down Kirkwood.edu until the suspicious activity could be isolated. This allowed the college to revoke the unauthorized access quickly.
  2. The college took action to correct the breach and prevent further unauthorized access to individuals’ personal information.
  3. The college notified local and federal law enforcement. Together we were able to identify the international IP address responsible for the attack.
  4. The college has engaged a leading firm specializing in data breaches and forensic analysis to assist in the investigation. These steps have helped to fortify the system.
  5. The college has communicated with the impacted individuals and offered identity protection and restoration services at no cost to the individual.


5) Has my personal information been compromised? How will I be notified about this?

If you are affected by the breach, Kirkwood will notify you in writing. At this time, there is no clear evidence that any personal information was downloaded. If your information was in the system, you will be receiving a letter. If you did not receive a letter but you believe you applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013, you can contact verify@kirkwood.edu.


6) Does the breach affect students in all Kirkwood locations?

Yes.
 

7) I am an alumnus of Kirkwood. Are my records affected?

The college’s alumni database and student records system were not accessed. However, if alumni applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013, the application record was part of the unlawful breach.
 

8) When and how did the incident(s) occur?

On March 13, 2013, a staff member of the Information Technology department detected suspicious activity in the web-based admissions application. The activity in the system indicated that an individual may have gained access to the application database. The college immediately took Kirkwood.edu offline until the suspicious activity could be isolated. This was a sophisticated and skilled attack on our system. The breach was shut down within minutes after the suspicious activity was discovered.
 

9) Does the college have any indication that any person has suffered identity theft as a result of this incident?

At this time, the college has no evidence or reports of identity theft connected to this incident. However, we have set up a hotline to assist the impacted individuals with questions and concerns. In addition, we have contracted with a security and restoration firm, and each person impacted by this unlawful theft attempt has been contacted directly with information to assist them through the process.

In addition to the option of working with our security firm, you should personally take some precautionary actions. These are:

  1. Fraud Alert. Place a fraud alert on your credit file. The alert will tell creditors to contact you before they open any new accounts or change your existing accounts. You can place this alert by contacting any of the three major credit bureaus. When you place an alert with one credit bureau, the others are notified to place fraud alerts as well. If the applicant information belongs to a minor, a parent or legal guardian can contact the three Credit Bureaus listed below to inquire if a credit file has been established using your child’s information.

    Equifax
    P.O. Box 740241
    Atlanta, GA 30348
    800-525-6285
    www.equifax.com

    Experian
    P.O. Box 2104
    Allen, TX 75013
    888-397-3742
    www.experian.com    

    TransUnion
    P.O. Box 2000
    Chester, PA 19022
    800-680-7289
    www.transunion.com

    Even if you do not find any suspicious activity, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit reports periodically can help you identify problems and address them quickly. You may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account.
     
  2. Report Suspicious Activity. Kirkwood has contacted both local and federal law enforcement agencies to notify them of this event. If you find suspicious activity on your credit reports or have reason to believe your information is being misused, please contact your local law enforcement to file a report. While talking with law enforcement, remember to get a copy of the police report; many creditors want the information it contains to absolve you of the fraudulent debts.

    You can also call state or federal agencies if you believe you are the victim of identity theft. The Iowa Attorney General’s office has general information available on its website at:

    http://www.iowaattorneygeneral.org/

    You can call the Consumer Protection Division of the Iowa Attorney General’s Office at 1-888-777-4590. On the federal level, if you believe your information is being used, you should file a complaint with the FTC at www.ftc.gov/idtheft or at 1-877-ID-THEFT (877-438-4338).

 

10) I understand minors are not eligible for continuous credit monitoring. What are they eligible for?

  1. Enhanced Identity Theft Consultation and Restoration
    Licensed Investigators, who truly understand the problems surrounding identity theft, are available to listen, to answer your questions, and to offer their expertise regarding any concerns you may have. And should your child’s name and credit be affected by this incident, the investigator will help restore their identity to pre-theft status. The investigators do most of the work.
     
  2. Contacting the Credit Bureaus
    As a parent or legal guardian you can contact the three Credit Bureaus listed in question nine (9) above to inquire if a credit file has been established using your child’s information.
     

11) I am a parent of a Kirkwood student. Is my information at risk?

No parent information is stored in the application system.
 

12) Are college faculty and staff impacted?

Personnel and other employee records are not impacted. Only individuals who applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013 were impacted.
 

13) Is there a local contact for my questions?

If you did not receive a letter but you believe you applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013, you can contact verify@kirkwood.edu.
 

14) I took a continuing education class at Kirkwood. Was my information accessed?

No. Continuing education information was not accessed.
 

15) My child took Kirkwood college credit classes while in high school. Was his/her information accessed?

Potentially. High school concurrent enrollment students do apply to the college, so if they applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013, they will receive a notification letter.
 

16) I took Kirkwood college credit classes while in high school. Was my information accessed?

Potentially. High school concurrent enrollment students do apply to the college, so if you applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013, you will receive a notification letter.
 

17) I made an online gift to the Kirkwood Foundation/KCCK. Was my information accessed?

No donor records were accessed, no event registration information was accessed, and no “Alumni & Friends” registrations were accessed.
 

18) I am a donor to the Kirkwood Foundation. Was my information accessed?

No donor records were accessed, no event registration information was accessed, and no “Alumni & Friends” registrations were accessed.
 

19) I registered online for a KCCK event or Kirkwood Foundation event. Was my information accessed?

No donor records were accessed, no event registration information was accessed, and no “Alumni & Friends” registrations were accessed.
 

20) I registered on the Kirkwood Alumni & Friends site. Was my information accessed?

No donor records were accessed, no event registration information was accessed, and no “Alumni & Friends” registrations were accessed.
 

21) I am (or was) a health science student at Kirkwood and the college has my required medical records. Were they accessed?

No student medical records were accessed.
 

22) My child participated in a KICK camp. Was his/her information accessed?

No. This is a Continuing Education program and continuing education information was not accessed.