Boise State University received notice recently from Fresno State University that a theft on their campus may have potentially involved some personal information that originated at Boise State, according to BSU spokesman Greg Hahn.
“At Boise State, we value the importance of protecting personal information and have sent additional notices to those affected to explain the incident, the measures taken and some steps they can do in response,” Hahn said.
An external hard drive stolen sometime in the last week of December, 2017, from a facility at Fresno State included personal information for some Boise State football camp attendees from 2007, 2008 and 2011 and others connected to the Boise State Athletics Department around the same time.
“Fresno State notified Boise State of the data security incident on March 6th and sent letters to individuals the university could identify as having been potentially exposed. Boise State officials worked through the data a second time to determine what may have been included and whether more individuals should be contacted,” Hahn explained.
Fresno State indicated some files included personal information, such as names, addresses, phone numbers, dates of birth, full or partial Social Security numbers and medical information including allergies, conditions, emergency contacts, insurance information and ID numbers.
In all, the Fresno State incident involved around 15,000 people. “Of those, about 3,000 are believed to be connected in some way to Boise State,” said Hahn.
Fresno State officials are investigating the origin of the Boise State information and how it ended up in their system, but that detail has not been shared publicly.
Boise State is sending a secondary notice to those individuals whose addresses could be determined, but the contact information of approximately 600 attendees of Boise State football camps from those three years could not be confirmed by either Boise State or Fresno State, “so Boise State is releasing this broader notice to alert anyone who believes they may have been affected and to outline the steps they can take to protect their personal information,” Hahn said.
Fresno State officials say they have no evidence that the device was stolen for the information that it contained, or that any of the information has been used improperly -- but the university has taken several steps to protect individuals affected. Fresno State is providing one year of free credit monitoring through Experian IdentityWorks and has established a dedicated call center to answer any questions. The call center number is (877) 646- 7924.
Fresno State recommends that all individuals potentially affected review their account and credit card information. If they see suspicious activities or services they did not receive, they should contact their bank or credit company.
“Though this breach occurred in California, Boise State is reviewing its data usage policies to determine if they can be strengthened or better enforced. In addition, new encryption and security measures are being implemented on certain Boise State computers and new training opportunities are being developed. Even before this incident came to light, all State of Idaho employees, including Boise State employees, were required to take an online cybersecurity training in order to increase general awareness and education about the issue,” Hahn stated.