Over winter break, students attempting to access the University of Connecticut’s website were greeted by a prompt to download malware. UConn officials chose not to directly notify students, faculty and staff on Dec. 27 about the malware threat that remained on the site for approximately five hours between 11 a.m. and 4 p.m.
UConn deputy spokesman Tom Breen said that the university did not want to “overlook or misinterpret a vital piece of information about the incident, which led them not to share the information publicly” in an email Monday, Dec. 28.
While it is important to gather correct information before releasing a definitive statement on a university problem, the administration should have quickly notified users that a problem existed.
When the university community accesses UConn webpages, they do not expect to be putting themselves at risk for malicious software, as these websites are typically secure. Should malware appear on a university site, the university should quickly notify users that a problem has been observed and urge them to proceed with caution.
While the administration may have to gather information about the problem, this should not impede prompt notification that a problem has been observed. A notification email could simply state that a problem exists and that the university is investigating the problem and working to address it.
It could also explain that any preliminary observations expressed in this early email would be subject to change in the light of future information. Clearing up vital pieces of information concerning an incident of this nature is important, but this task should not delay notification that the incident is occurring.
The university should not unnecessarily prolong the risk of visitors contracting malware from one of its websites by declining to notify Web users of a problem that is currently addressing. An email sent after the issue is already resolved does little to help those who may have contracted malware because they were unaware of the issue.
Visitors to UConn’s websites likely do not expect the university to immediately diagnose the problem and notify them of the remedy. They do, however, expect the University to warn them that the threat exists so they can take appropriate precautions.
The need to gather more information is not an adequate explanation for the lack of a provisional notification that would have better enabled students, faculty and staff to protect themselves.