A month after discovering a computer server breach that may have compromised personal information for about 23,000 people, the University of New Mexico Foundation has begun sending notification letters about the incident.
The foundation on Monday mailed letters to the “potentially affected” donors, annuitants, foundation employees and vendors, according to a spokeswoman for UNM’s fundraising organization.
That’s a full month after officials first learned an “unauthorized individual” had gained access to a file server, according to details outlined in a foundation memo to trustees.
The May 10 memo, obtained by the Journal, cited April 17 as the breach discovery date.
According to the memo, the incident might have compromised contact information, donation amounts and checking/routing numbers for 22,000 donors, plus other data – such as Social Security numbers, birth dates and banking information – for more than 750 employees, vendors and annuitants (individuals who receive annual payments from charitable gift annuities that benefit the university).
The foundation says the breach did not involve its “advance donor database” that contains general information on more than 300,000 UNM alumni and donors.
The breached server contained human resources information and archive financial data. That might include copies of received checks that the foundation stores for audit purposes, spokeswoman Jennifer Kemp said.
Kemp explained the lag between the discovery and the notification process as the time it took the foundation to determine the breadth of the breach, secure the system and identify what and whose information might have been affected. Prior to mailing the letters, the foundation also hired a credit monitoring and repair service firm to help individuals possibly impacted.
“There are numerous legal requirements, as well as what we feel are moral requirements, that need to be completed to ensure we not only understand the scope of the incident but also identify the necessary actions that need to take place,” Kemp said in an email to the Journal. She added the foundation completed the steps “as soon as we possibly could.”
The foundation did not supply the Journal with a requested copy of the notification letter, but Kemp said it detailed the incident, the foundation’s response, the available credit monitoring and “general information about identity theft protection.” She said the foundation had notified federal law enforcement.
The Journal first reported on the breach late last week, and Kemp said the story generated “a few calls.” Nobody has reported any potential issues yet, she added.