Skip to main content Skip to navigation
Security Incident – FAQ

Frequently Asked Questions

What happened?

On April 21, 2017, Washington State University learned that a locked safe containing a hard drive had been stolen. On April 26, we confirmed that the stolen hard drive contained personal information from some studies and evaluations conducted by WSU’s Social & Economic Sciences Research Center.

What did WSU do for affected individuals?

Washington State University provided one year of complimentary credit monitoring and identity theft protection services for individuals whose personal information was contained on the stolen hard drive. Enrollment instructions were included in the notification letters sent to individuals.

I never gave Washington State University my information. How did you get it?

The stolen hard drive contained documents that included personal information from studies and evaluations conducted by WSU’s Social & Economic Sciences Research Center (SESRC).  Public agencies regularly contract with the SESRC to evaluate their programs and services.  These agencies include school districts, community colleges and other customers.  As one example, school districts may provide student information to the SESRC to monitor and analyze performance.  In some cases, data sets provided by agencies were used for longitudinal studies that ran over the course of several years.  Federal law permits these public agencies to share personally identifiable information with the SESRC so that it can conduct these studies.

Is there information on the hard drive other than names and Social Security numbers?

For a small number of individuals, some additional information was on the hard drive. If you received a letter, it will state what personal information of yours was on the hard drive.

Was there information on the hard drive from my education records?

Federal law allows information to be shared, under certain circumstances, for studies related to predictive testing, student aid administration, or improving instruction. The hard drive contained some information on individual students provided to WSU primarily by educational agencies and other entities, including universities, colleges and school districts. Many of the studies done by SESRC were of Washington State educational programs. Some individual who attended school in Washington, primarily high school seniors during the years 1998 to 2013, may have had student information on the hard drive.

How many individuals were affected?

Approximately one million people were potentially affected by this incident. However, it is important to note that there is no evidence the personal information has been accessed or misused.

I want WSU to erase my data from its servers. Can you do that?

This incident is not closed and further investigation and action will occur.  The information on the stolen hard drive is needed for those investigations and cannot be deleted at this time.

Washington State University takes this issue very seriously. The university is committed to making improvements in its procedures and practices to help prevent this type of incident from happening again. The university will strengthen our information technology operations by completing a comprehensive assessment of IT practices and policies, improving training and awareness for university employees regarding best practices for handling data, and employing best practices for the delivery of IT services.

Did you offer credit monitoring?

Washington State University provided one year of credit monitoring and identity theft protection services for individuals whose personal information was contained on the stolen hard drive. Enrollment instructions were included in the notification letters sent to the individuals.

Do I need an enrollment code to obtain the credit monitoring WSU is providing?

The deadline for enrolling in WSU’s free credit monitoring program has passed. If you received a notification letter, your enrollment code was listed on the page that provides instructions on how to enroll in credit and identity monitoring services through Experian.

Has Washington State University notified local authorities/law enforcement?

Yes, the university notified local law enforcement regarding this matter.

Who stole the safe that contained the hard drive?

The university does not know who was responsible.

What have you done to keep this from happening again?

The university is committed to making improvements in its procedures and practices to help prevent this type of incident from happening again. The university will strengthen our information technology operations by completing a comprehensive assessment of IT practices and policies, improving training and awareness for university employees regarding best practices for handling data, and employing best practices for the delivery of IT services.