Data Exposure

Many individuals at Appalachian State University have job duties that require regular access to and use of confidential data.  Unfortunately, in the course of using this information, it only takes one minor accident like an unintended email attachment, lost device, or misplaced printout to cause a major issue for the App State community.

To help lower the risks of accidental data loss, the ITS Office of Information Security has provided the following guidelines and recommendations, as well as a complete list of Data Elements and their classification levels.

Generally speaking, confidential data relates to any App State information whose unintended disclosure, modification, or loss could result in significant financial, legal, or reputational impacts on App State.

The following types of data are regularly confidential in nature:

  • Social Security Numbers (SSNs)
  • Employer Tax Identification Numbers
  • Driver's License Numbers
  • Passport Numbers
  • State Identification Card Numbers
  • Checking or Savings Account Numbers
  • Credit or Debit Card Numbers
  • Personal Identification (PIN) Code
  • Electronic Identification Numbers
  • Passwords
  • Biometric Data
  • Digital Signatures
  • Privately-Owned Trade Secrets
  • Critical University Application Files (e.g. Financial System Applications Files)
  • Private Contributor Records
  • Pre-Patent Research Data
  • Human Subject Research Data
  • Medical Records (PHI)
  • Disability Records
  • Data Protected by Non-Disclosure Agreements
  • Criminal Investigation Records

If you believe you have files that contain the type of information listed above, the ITS-OIS recommends that you consider the 4 Computing Habits listed below.

The accidental exposure of confidential data occurs while the information is being used. Therefore, by actively observing a few habits, each of us can do our part to help protect App State from unintended data leaks.

Know if your files contain confidential data. Take time to review and confirm the content of files before you copy or transmit them. Accidents occur most often when we are rushed.

When you've finished using/reviewing a file that contains confidential data, it is important to determine if the file needs to be retained.  

  • Does retaining the file serve a business need?
  • Are there contractual or legal requirements for retaining the information?
  • Can the data easily be obtained from an authoritative source (i.e. database records) if it is needed again?

If you have files that contain confidential data and these files do not need to be retained, then it is best to delete them.  When it comes to confidential data on App State devices, always remember that less is more! When removing files, remember to delete the files AND empty your trash.

If sensitive data is to be retained then it should be protected.  Steps that you can take to help improve the security of confidential data include:

  • Moving confidential data to your Personal Drive (P: Drive on Windows, uStor on Mac). Moving confidential data to your P drive has many benefits, including:
    • ensuring that data is not stored on mobile devices, which can easily be lost or stolen
    • speeding up restore operations
    • maintaining secure remote access to this data if needed.
  • Do Not Email Confidential Data. Standard email messages are not sufficiently secure for exchanging confidential data with internal or external recipients; it is far too easy to make mistakes attaching files.
  • Do Not Store Confidential Data On Removable Media.  Standard USB drives, external hard drives, and other portable storage devices are not secure and are very easy to lose.
  • Lock Your Screen and Clear Your Desk
    • If you step away from a computer that contains confidential information, lock your computer screen. 
    • If you are leaving your computer for more than a few minutes, then (if feasible) you should also lock your office.
    • Make sure that any printouts that may contain confidential information are not left visible to individuals who are not authorized to view this material.

Developing and observing these four habits goes a long way toward preventing accidental data exposure.

Business Email Compromise (BEC)

Cybercriminals are constantly coming up with new ways to get what they want. 

Cybercriminals have developed a new attack called CEO Fraud, also known as Business Email Compromise (BEC).

  • high-level administrators. They send an email to faculty and staff members to trick you into doing something you should not do.
  • Cybercriminals search social media sites (LinkedIn, Facebook, etc.) to learn more about App State employees and to target specific employees.
  • Targets are chosen based on the Cybercriminal's goals, for example, money, tax information, etc.
  • Spear Phishing refers to a custom message that targets select people in an organization. This tactic is used to gain confidential information.
  • Spear Phishing is very effective because these attempts are incredibly realistic and appear to come from someone you know.
  • These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone.

The cybercriminal's goal is to rush you into making a mistake.

  • Wire Transfer: The cybercriminal researches who works with App State’s finances. An email is sent pretending to be the target's boss. The email says there is an emergency and money has to be transferred to a certain account.
  • Tax Fraud: Cybercriminals target employees in Human Resources and an email is sent from a senior executive demanding certain documents be provided immediately.
  • Attorney Impersonation: Criminals may impersonate a senior leader with an email saying an attorney will be contacting them. The criminal calls pretending to be the attorney with a tremendous sense of urgency involving confidential matters.
  • Use your instincts: If it doesn’t feel right, it may be an attack.
  • A sense of urgency, odd tones, different email addresses, or phone numbers can indicate potential risk.
  • When in doubt, call the person at a trusted phone number or meet them in person (don’t reply via email) to confirm if they sent the email.
  • Never bypass security policies or procedures.
  • If you receive such a request and are not sure what to do, contact your supervisor, the Help Desk (828) 262-6266, or forward the email to the Office of Information Security at

Social Engineering Attacks through Email and Messaging

Social Engineering is the art of manipulating people so they give up confidential information.

Criminals are usually trying to trick you into giving them your passwords or bank information, or to access your computer and secretly install malicious software that will give them access to your passwords and bank information.

Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software.

Social Engineering Tactics

Baiting: Removable media containing malicious software or hardware (USB Killer) and online ads presenting promises designed to entice users to click on malicious links.

Scareware: Involves fictitious threats, such as pop-ups that entice users to install "tools" to update drivers or scan for problems.

Pretexting: Involves impersonation, and relies on victims' tendency to trust, such as fake emails from a supervisor requesting "a quick favor"; or unexpected invoices.

Phishing: Common examples include fake notifications about exceeded email account quotas and password resets.

Spear Phishing: Requires researching specific targets to craft credible-looking messages by posing as a trusted source, such as fake notifications about shared documents.

You are the best defense against becoming a target.  Attackers have learned that the easiest way to get what they want is to target YOU! They want your passwords and any personal information they can get.  Attackers will try to do this via phishing emails, text messages, and phone calls. These types of messaging are prime tools for social engineering attacks. Look for red flags, such as grammatical errors, typos, urgency, sender's address, etc.

It's important to remember the following about phishing attempts:

  • App State will never ask for your password! If a message asks you to validate, reauthenticate, or repair your computer or account, it is likely a phishing message. 
  • Don't take the appearance of an email or website as a mark of legitimacy. Phishing emails can copy images, logos, and text to try to fool you.   
  • The 'From' field in email messages can easily be faked.  Don't assume that an email is legitimate based on the sender in the ‘From’ field.
  • If you receive a phishing message, send it to for direct review.

If you need to exchange confidential data

Be Careful When Sending Email

Gmail provides a handy Global Address List (GAL) that suggests recipients (auto-completes) from a list of all App State faculty, staff, and students. When you first email someone with a common name, make sure you are emailing the correct person by checking their username in our campus directory at the top of the homepage. 

"Phishing" refers to the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Phishing is a form of social engineering.

Like all universities, Appalachian State University is frequently phished for account credentials.

A phishing attempt for account credentials usually starts with an email that indicates that you MUST do something to validate, extend your storage, view quarantined messages, etc. (see list of phishing samples below). The message will almost always convey a sense of urgency. This is an attempt to get you to act quickly without thinking.

  • Always remember that ITS will never ask you to provide your password either via phone, email, or other communication mediums.
  • Keep in mind that phishing emails can look very legitimate and include the same images, logos, and text associated with the organizations they are attempting to masquerade as. Don't take the appearance of an email or website as a mark of legitimacy. 
  • Be aware that the “From:” field in email messages can easily be fabricated. Don't assume that an email is legitimate based on the apparent sender in the "From:" field. 

If you receive a message asking you for this information you can forward this to for direct review.

The following are recent phishing messages received by one or more App State users. Please know that we are not aware of every phishing message that makes it to every user. App State students are receiving a high number of fake job offers. If you have a suspicious message and it's not on this list, then it could still be a phishing message. When in doubt, please contact support at 828-262-6266 or contact IT Support Services.

Identity Theft

Identity Theft occurs when someone steals your personal information and uses it without your permission for illegal gain. Identity theft is the fastest-growing crime in America. Every year, more than 9.9 million Americans become victims of identity theft, a crime that costs them roughly $5 billion.

While it is impossible to completely prevent identity theft from occurring, there are some steps that can help you lower your risks:

  • Review your annual credit report and billing statements for any unusual activity. 
  • Store personal information in a safe place at home and at work. Don't leave it lying around.
  • Don't carry your Social Security card in your wallet or write it on your checks.
  • Watch out for "shoulder surfers". Use your free hand to shield the keypad when using pay phones and ATMs.
  • Collect mail promptly. Ask the post office to put your mail on hold when you are away from home for more than a day or two.
  • Tear up or shred unwanted receipts, credit offers, account statements, expired cards, etc., to prevent dumpster divers from getting your personal information.
  • Don't respond to unsolicited requests for personal information in the mail, over the phone, or online.
  • Keep the software on your home computer up-to-date including virus-detection software.

The following items can be signs of a possible identity theft issue:

  • You see withdrawals from your bank account that you can’t explain.
  • You don’t get your bills or other mail.
  • Merchants refuse your checks.
  • Debt collectors call you about debts that aren’t yours.
  • You find unfamiliar accounts or charges on your credit report.
  • Medical providers bill you for services you didn’t use.
  • Your health plan rejects your legitimate medical claim because the records show you’ve reached your benefits limit.
  • A health plan won’t cover you because your medical records show a condition you don’t have.
  • The IRS notifies you that more than one tax return was filed in your name, or that you have income from an employer you don’t work for.
  • You get a notice that your information was compromised by a data breach at a company where you do business or have an account.

If you believe that you may be a victim of Identity Theft, it is advisable to take some quick actions right away to begin addressing this.  This list of steps is often helpful:

  1. Place a fraud alert with the credit reporting companies and strongly consider placing a credit freeze.
  2. Get your free credit reports.
  3. Create an Identity Theft Report by filing a complaint with the Federal Trade Commission and your local police department.
  4. If you have experienced tax refund fraud, then you can report this by filing an Identity Theft Affidavit (Form 14039) with the IRS.

Additional Resources

Identity theft refund fraud is a widespread fraudulent scheme where criminals use stolen identity information to file bogus tax refund claims. This form of identity theft has grown substantially over the past few years. In 2013, the IRS estimated that it sent over three million fraudulent refunds to criminals, which cost taxpayers around $5.2 billion.

While taxpayers are not financially liable for fraudulent returns, the time and effort in responding to this common form of tax fraud can be considerable. Additionally, experiencing this type of fraud often implies that your identity information has been collected by criminals.

In 2013, over three million fraudulent refunds were issued. Cost to taxpayers: $5.2 billion.

How to Protect Yourself

One of the reasons that this form of fraud is so successful is that identity thieves have, over the years, gained access to large amounts of identity information (e.g. names, dates of birth, SSNs). Additionally, the IRS typically only uses basic personal information to identify taxpayers. While there is no perfect defense against this type of fraud, there are some steps that can certainly help.

For electronic filings, the IRS validates the identity of the taxpayer by asking for previous Adjusted Gross Income or an electronic filing PIN. While not a complete defense, establishing an E-File PIN can raise the bar for identity thieves who attempt to E-File a fraudulent return in your name. To establish an E-File PIN you can visit the IRS site listed below:

Identity thieves depend on getting their fraudulent return filed before you file your legitimate return. Therefore, try to file your return as soon as possible to help lower the likelihood of someone submitting a fraudulent return before you do.
  • Paper Documents - Keep your Social Security Card or other personal documents in safe and preferably locked locations (file cabinet, personal safe, or bank deposit box). Shred any unneeded materials that may contain this information.
  • Limit Sharing - Limit sharing of your personal information (social security number, account info, date of birth). Do not post this information on social networks, and question whether companies or businesses need access to it to assist you.
  • Personal Cyber Security - Keep your personal computer and mobile device safe by following a few basic security best practices.

Given the high risk for Identity Theft, Social Security Numbers are classified as confidential data in our Data Classification Guidance and should only be stored in Banner, Fortis, uStor and transmitted through FileShare.

See Something - Say Something!

Information Security is a shared responsibility for all Appalachian staff, faculty, and students.  

  • If you see a risk with an App State process that involves social security numbers, or other confidential data, please contact so we work together to create a new secure business process.

You Are The Target

As a public institution, we have a lot of information about our faculty and staff publicly available online, including our organizational charts.  It is important to recognize that cybercriminals can use this information, and other public information, to target us and compromise App State information and systems.  

Security tools, such as vulnerability scanning, as well as reports from our App State community, help us identify cyber threats.  We keep an updated list of tips for our employees at:

Report any suspicious behavior on your computer to the Help Desk at 828-262-6266 or bring your computer to the Technology Support Center on the first floor of Anne Belk Hall for a security check-up.