BYU had yet to release the cause of Y-Expense’s shutdown as of Monday, July 3, and the university did not issue a timetable for it coming back online.
The Y-Expense reporting system has been inaccessible since June 20. Those attempting to access the system continue to be met with a message that reports Y-Expense is temporarily down for maintenance.
A security breach is among the possibilities for the shutdown, according to the Office of Information Technology help desk.
Y-Expense services allow university credit card holders to document and approve both travel expense reports and purchase expense reports. The system pulls financial information directly from JP Morgan Chase, allowing users to process anything that has been purchased with a BYU credit card. Also affected are a system called Fast Track and the campus’ cell phone account processing system.
BYU services are periodically taken offline for maintenance or upgrades, but routine maintenance is typically announced well in advance. That was not the case with the current shutdown. The university’s technology office has yet to provide the reason for the required maintenance or address the concern through its Twitter account as it has in the past.
Without these services, university faculty and administrators have been unable to process new expenditures since last week. The absence of these services means accounting departments are unable to see what is being bought, pay vendors or complete travel authorizations for university employees.
Campus departments have been encouraged in a Tuesday, June 27 email from the BYU Controllers Office to delay the processing of any reimbursements, new travel authorizations or requests for new cell phones on campus accounts until the problem is resolved.
The Office of Information Technology Help Desk on Tuesday confirmed Y-Expense is currently undergoing maintenance and said a security breach is among the possible reasons the system was shut down. This information was similarly echoed by employees of the Purchasing and Travel Office.
In the case of a possible data breach, the university may be required to “notify in the most expedient time possible without unreasonable delay,” according to Utah’s Protection of Personal Information Act. These notifications would be sent to the “owners or licensees of the information of any breach of security immediately following the person’s discovery of the breach if misuse of the personal information occurs or is reasonably likely to occur.”
The university has made no official confirmation of a security breach or other software or computer hardware problem. “The system is under maintenance and will be returned to service as soon as possible,” said university spokesman Joe Hadfield.