The North Dakota University System (NDUS) is notifying more than 290,000 former and current students and roughly 780 faculty and staff that their personal information – including Social Security numbers – may be at risk after an unauthorized party gained access to one of its servers.
According to notifications posted to the NDUS website on Wednesday, Core Technology Services, which provides information technology services to the university system, which includes 11 campuses, was tipped off to the intrusion on Feb. 7 and immediately shut down the affected server – which was accessed using compromised credentials.
Officials soon learned that unauthorized access was initially gained in October 2013.
An investigation involving law enforcement and an outside forensics group revealed that the unauthorized party – thought to be based outside of the U.S. – was likely not going after the data, but instead was leveraging the processing power of the server to attack other computers and systems, according to the website.
It was a victim involved in those attacks that tipped off the NDUS.
“There is no indication that any of the personal information was actually accessed,” Lisa Feldner, vice chancellor for information technology and institutional research, said in a statement. That personal information includes names and Social Security numbers, among other data.
Aside from securing the server and the data, the NDUS has enhanced other security measures to ensure a similar incident does not occur, including initiating stronger intrusion detection, revalidating each individual user, and developing a taskforce to address accessing data securely, according to the website. All impacted individuals are being offered a free year of identity protection services, as well.
University breaches have been on the rise recently. The University of Maryland and Indiana University both recently announced incidents involving hundreds of thousands of victims, with the Maryland occurrence also being the result of an attack.
In a Thursday email correspondence, Mike Tierney, chief operating officer with SpectorSoft, told SCMagazine.com that universities are prime targets for attackers because identity theft is such a huge business.
“Personal information is bought and sold in bulk, often quite cheaply, and a rather sophisticated, structured market has developed,” Tierney said. “If a single credit card number sells for $10, hacking into a database where thousands of them can be acquired at one time – or, in the case of university databases, the underlying personal data needed to open thousands of credit card accounts – can be lucrative.”
Tierney said that the careless or malicious insider threat is a significant problem that still enables these types of massive breaches, and he added that improved security training is an important step to improving the issue.
“I encourage all organizations to review their employee training and ensure that security is part of the curriculum,” Tierney said. “The malicious insider calls for a combination of steps – from enforcing least privilege and ensuring access controls are in place to looking for signs that insider risk is transforming into insider threat. These signs are often found in the communications and online behavior of the insider.”