• Home
• People
• Search

• Duke Law >
• News & Events >
• Duke Law Security Breach Frequently Asked Questions

• Calendars
  • Calendar Highlights
• News Archives
• Faculty in the News
  • News Archive
• Alumni in the News
  • News Archive
• Conferences
  • Conferences Archive
• Publications at Duke Law
  • Previous Issues
• Webcasts, Audio & Video
  • Webcasts
  • Podcasts
• Event Planning
  • Duke Law Daily Announcements
  • Event Notice Form
  • Event Planning Guide
  • Flyer & Poster Templates
• Press Room
  • Faculty Experts

Duke Law Security Breach Frequently Asked Questions

Is it safe to submit my application to Duke Law School?
Yes. The application processing system was not exposed during the web attack because it is not connected with the web site server. The security of application materials (application form, personal statement, resume, etc.) has not been compromised.

If I was using the applications status checker, was my Social Security number exposed?
The application status tracker did not ask for or maintain any Social Security numbers. Unless the notification you received explicitly says your Social Security number was exposed, your Social Security number did not appear in either of the compromised databases and is not at risk.

What information was exposed?
Two databases were exposed during the attack on our web site. One contained information submitted by prospective applicants who were requesting information from the admissions office. That database contained about 1,400 Social Security numbers provided by prospective applicants.

A second, separate database contained information submitted by current applicants who were using our application status tracker. That database contained contact information, including email addresses, plus user-generated passwords. This database did not contain Social Security numbers.

About 60 people had information in both databases; those people received notifications telling them that both their Social Security numbers AND their passwords were exposed.

What steps have been taken to quickly notify those who had information exposed?
After the site was immediately taken down following the attack, our technical team began the process of assessing what information may have been exposed. We had concerns about two databases and ran tests on them over the weekend to determine whether the data had been downloaded or acquired. By Monday morning, when we could not definitely rule out the possibility of the intruders having downloaded the information, we began the process for notifying affected individuals. We coordinated our notification through law enforcement officials, who were also beginning an investigation, and we worked to reorganize the data into a format that would allow us to perform email and mail merges. The actual emailing of the notifications took several hours to filter through our email server; by late Tuesday evening, the emails had been sent. We then began processing the notifications for a hard-copy mailing, which was delivered to the U.S. Post Office on Thursday morning. Hard-copy letters are being sent only to individuals whose Social Security numbers may have been exposed.

If I used a credit card to pay my application fee, was my credit card information exposed?
No, that information was provided to LSAC and was never on our web server. No financial data was stored on this server.

My Social Security number and other personal information is on my application -- is that at risk?
No, information from law school applications is not stored on the web server.

I included personal information in an e-mail to the admissions office -- am I at risk?
No, the hackers had no access to the e-mail server.

I don't remember what my status checker password was -- how can I find out?
We have set up a password confirmation site where you can enter your email address and the password you think you may have used; a message will let you know whether the password is the one we have on file for you. Any data you submit on this page will be encrypted, and it will not be stored.

I didn't receive an e-mail but I heard about the breach -- am I at risk?
Most likely not, but it is possible that the email address you provided to us was wrong or has changed, or a spam filter may have prevented the email from being delivered. If you have any concerns, please contact us at (919) 613-7259 or webdata@law.duke.edu and we can look up your name to see whether you were affected.

If I see any evidence that my credit card or bank account may have been accessed fraudulently, what should I do?
Contact your bank or credit card company immediately. Your bank or credit card company will likely provide specific instructions for protecting your accounts and credit, but you also may want to place a fraud alert on your credit reports and consider freezing your credit, both of which you can do by contacting a credit bureau (see http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html for more information). Please also let us know of the incident. We will report any unauthorized account activity that may be connected to our security breach to the appropriate law enforcement authorities.

Duke University School of Law

• Accessibility Statement
• Contact Duke Law
• Duke University Home