ROCK ISLAND — More than a week after many students, staff and alumni of Augustana College learned that their personal information had been compromised in a data breach, alumni are demanding answers.
“The college won’t tell us anything,” said Emily Cudworth, who graduated from Augustana in 2013 and now lives in suburban Chicago. “We’re just really looking for some more information, some answers.”
Earlier this month, Augustana officials sent out letters to an unknown number of students, staff and alumni to notify them that their sensitive information — including Social Security numbers and dates of birth — had been stolen in a malware attack.
According to the letter, which was signed by Kirk Anderson, chief financial officer and vice president of administration, Augustana officials discovered the attack in mid-February.
After an internal investigation, sometime around the start of April the school confirmed that the server that was affected by the attack contained Social Security numbers and dates of birth, according to the letter.
“Augustana currently has no evidence of attempted or actual misuse of the information,” the letter said.
It is unknown who was behind the attack or how many people were affected. The Dispatch-Argus-QCOnline.com has been able to confirm that at least one person who graduated from Augustana as early as 2008 has received the letter. Alumni from the 2010s also have confirmed receiving it.
For affected alumni, the data breach has stoked frustration and anxiety, with questions still swirling about the nature of the attack and lingering risk.
The issue, many alumni have said, is a lack of communication by the college. Multiple Augustana graduates said they only heard about the data breach from a Dispatch-Argus article that was shared by alumni on Facebook.
“It’s incredibly frustrating,” said Madison Wynes, a 2014 Augustana alum and recent law school grad now studying for the Illinois bar exam. “We’re at that age where I can hopefully buy a house and build up my credit, and this breach could potentially have some major problems down the road for my credit and finance.”
Some Augustana alums who have not received the letter said that is unclear if they have not received it because their information was not breached or, instead, if the letter was sent to an out-of-date address.
“If someone is unsure if they have been impacted, they can email email@example.com to confirm and obtain the necessary information to enroll in free credit monitoring,” said Ashleigh Johnston, director of public relations and social media for Augustana in an email to the Dispatch-Argus.
Numerous alumni have complained that the notifying letters were sent to old addresses, or to the address of their parents.
Robert Connelly, a 2013 Augustana grad who now works as a reporter in Galesburg, said that as of Tuesday, he still had not received the letter. It was sent, he said, to an address that his parents moved from about seven years ago.
“Obviously they have my address on file because I’m getting the alumni magazine,” Connelly said. “Every place I’ve lived — Peoria, Youngstown, Galesburg — the alumni magazine has followed me everywhere. But when there’s a breach of data, they sent (the letter) to an outdated address from seven years ago.
“How difficult is it to get a piece of mail from Rock Island County to Knox County?” Connelly added. “I’m a crime reporter, and I’ve gotten letters from inmates in prison faster than I’ve gotten a letter from Augustana.”
Johnston said that the college has addressed the vulnerabilities from the attack and will continue to implement best practices for IT security.
“The college is deeply sorry for the inconvenience this may cause and continues to express our regret to the individuals who have reached out,” she said.
The issue of where the notifying letters were sent has some alumni worried that their information might be jeopardized again.
“If those letters were sent to the last address Augustana had, that could create a whole additional set of risks,” Wynes said. “These letters do have personal information in them. This is not something I would want someone else to have access to.”
Individuals whose data were stolen have been directed to a free assistance line at 855-662-8108. In the wake of the breach, the college has launched a number of measures, including complimentary two-year credit monitoring and identify-theft safeguards.
“From the usage rates created by our external partners, the calls to the free assistance line and the number of people signing up for the free credit monitoring match the averages of what they typically see,” Johnston said.
For alumni, a refrain has emerged: They want to hear from the college directly.
“There are many people who give the impression of, ‘Why are you worrying about this? This is being overdramatic about nothing.’ Maybe it is,” said Wynes. “But I’d rather be overdramatic about nothing than ignore something that could have serious consequences and not try to seek a remedy.”