Since the information was disclosed, as one individual pointed out, ‘It opened Pandora’s box to other inefficiencies at Cheyney University.’ If we care anything about our accreditation and standing with other nationally-recognized organizations, then those responsible for this—directly and indirectly—must be held accountable.”
– Yasir N. Roundtree, Cheyney University Class of 2010
On Thursday, January 24, 2013, a Cheyney University of Pennsylvania employee accidentally emailed a document that included the names, addresses, social security numbers, and financial information of more than 2,100 current and former Cheyney University of Pennsylvania students.
The Thursday email was intended to advise students about the 1098-T form they would be receiving in the mail for tax filing purposes, but it accidentally included a confidential attachment called the 2012 Taxpayer’s Relief Act Log. Since the email’s friendly from line indicated that the announcement was from the “Cheyney Bursar Office,” many believe that the Bursar’s Office is the source of the incident.
At 11:51 a.m., an email from the Cheyney Bursar Office was sent to the Cheyney Student Community (which includes students who graduated within the last three to four years). The email asked students to “please refer to the attached letter for an update concerning the Information Breach” and next steps.
While it is true that access to the university-provided Wolfmail was forcibly restricted by the university on Friday morning, as it worked to retract the email from all student accounts, many question the letter’s claim that “staff realized the error within minutes and took immediate corrective action” since students were able to access and share the document overnight.
The letter, from Gwen Owens, Cheyney University Director of Public Relations, says that “the administration deeply regrets this error” and that the university is “taking the precaution of contracting with a credit monitoring company to prevent any misuse of your information.”
According to NBC10, students reached out to the media to report the breach in privacy and many of them produced copies of the log during interviews. NBC10’s Monique Braxton attempted to get a statement from Cheyney President Dr. Michelle Howard-Vital, but as you can see in the video below, an officer was placed outside of the president’s office to restrict access.
What to do Next?
A second letter from Cheyney University’s Vice President of Finance and Administration Al Skudzinskas was emailed to the Cheyney community on January 25 at 4:17 p.m.
Skudzinskas apologizes for the inconvenience and suggests that students enroll in a free credit monitoring program like Credit Karma or activate a 90-day fraud alert with one or more of the three main credit reporting agencies (Equifax, TransUnion, and Experian).
The university warns students that “no one who is assisting us with this matter will ever contact you by phone or email asking for personal information” and that students should not respond to any inquires about their private information. Instead, they should contact Layna Holmes-Butler, Assistant Vice President for Finance at (610) 399-2461 if they have questions.
The Cheyney Community Takes Action
In response to the security breach and recent disappointments, concerned Cheyney University alumni and employees created a Fix Cheyney Facebook Fan Page sharing information and demands.
Dr. Zoe Spencer, a former assistant professor of sociology in the Department of Social & Behavioral Science at Cheyney says, “An error of that severe magnitude is taken extremely seriously in the real world of professionals, businesses, corporations, and institutions who understand what that error means, personally, legally, economically, and socially.”
Dr. Spencer and other concerned members of the Cheyney community believe that Dr. Howard-Vital, Bursar Charlotte Cromer, and other university administrative officials should be held accountable for the breach in security. A growing list of demands from the Cheyney community is being shared via Facebook and some of the demands are as follows:
- Cheyney contact all effected students and alumni via email and telephone so that they are aware of the breach in security and can take actions to intervene and protect themselves;
- The person responsible be immediately removed from his or her position; and,
- The university pay for fraud alert protection, and monitoring for each effected person.
The image on the left, from the Fix Cheyney page, identifies the LifeLock Ultimate Plan as the preferred service, and supporters of this initiative are citing the 2012 University of Chicago data breach incident as precedence.
Other than the emails sent to students via the internal Wolfmail, Cheyney University has made no mention of the data breach via the university website, Facebook page, or @CheyneyUniv Twitter account. Many alumni protest that, were it not for the students calling the media and introducing the issue to the public, they would not have known about the breach in privacy and danger to their personal information because the university certainly didn’t perform a reverse 911 phone call or phone banking initiative to inform all of the students about the issue.
According to Facebook, some current students and alumni are already discussing the possibility of filing a class-action lawsuit and negligence claims. Anyone interested in pursing legal action is encouraged to contact Cheyney alumni, James Lee, Esq. of The Lee Firm at (267) 975-6843.
UPDATE: On January 28, 2013, Cheyney University of Pennsylvania added the following page to its website “to provide the latest information regarding the January 24, 2013 email that inadvertently went out to current and former Cheyney University students.” Although the Important Information Regarding Email Correspondence page does not feature any updates since January 25, 2013, it provides points of contact for student and media inquiries.
UPDATE 2: The university has distributed a mass mailing to all students whose name appeared on the January tax list. The letter was dated February 28—a full month after the incident occurred.