UPDATE: NEWS RELEASE | 3.14.14
Call center opens in response to suspicious activity on NDUS server
The North Dakota University System (NDUS) has contracted AllClear ID to provide call center support and identity protection services to those affected by the suspicious server activity. The call center can be reached at (855) 711-5990 and will open at 8 a.m. on Friday, March 14. The call center is open 8 a.m. - 8 p.m. Monday - Saturday. AllClear ID can also be reached by emailing firstname.lastname@example.org. All those affected will be notified via email, if the NDUS has their valid email address, starting Friday as well. Those who do not receive an email and are concerned that their information may have been included are encouraged to contact the call center. Callers will then be able to find out if their information was housed on the affected server.
On February 7, the NDUS discovered suspicious activity on a server. Unfortunately, the impacted server housed personal information, such as names and Social Security numbers, for more than 290,000 current and former students and about 780 faculty and staff. The server was immediately locked down. The internal investigation, as well as an external forensic team, found no evidence that any personal information was accessed, copied, transmitted or printed. However, NDUS is offering identity protection services to those whose information was housed on the server as an extra precaution.
"Thankfully, there is no evidence that the attacker accessed the personal information housed on this server," said Interim Chancellor Larry C. Skogen. "We do understand, however, that incidents like this can be distressing, so we've taken the extra step of offering identity protection services for the next year to all those affected."
Those affected are automatically enrolled in the AllClear Secure identity protection program for the next 12 months. If a problem arises for any reason, an individual can simply call (855) 711-5990 and a dedicated investigator will do the work to recover financial losses, restore credit and make sure their identity is returned to its proper condition. AllClear ID maintains an A+ rating at the Better Business Bureau.
UPDATE: Call Center to Open Friday, March 14 | 3.10.14
The AllClear ID call center will be available to answer questions regarding this incident starting at 8 a.m. CST on Friday, March 14. Callers will be able to find out if their information was housed on the affected server. Please note that the call center will NOT ask you for your social security number to verify your identity. Those affected will also continue to be notified via email if the NDUS has their valid email address.
The call center can be reached by calling (855) 711-5990 after 8 a.m. CST on Friday, March 14.
UPDATE: Outside Investigation Confirms NDUS Findings | 3.10.14
The Center for Internet Security, Multi-State Information and Analysis Center, has completed its Forensic Analysis of the North Dakota University System server breach. Their report confirms our internal team's investigation. The executive summary says, "From the available logs, it did not appear that any of the Personally Identifiable Information stored on the server was exfiltrated."
The report cannot be released in its entirety because it contains specific security information surrounding the NDUS IT system that is considered sensitive. It is classified as Amber, which means that "recipients may only share information with members of their own organization who need to know."
UPDATE: NDUS Contracts AllClear ID to Provide Identity Protection Coverage | 3.7.14
Today, we signed a contract will AllClear ID, Inc. to provide Identity Protection Coverage for one year to the people whose information was contained on our server. Those affected are automatically eligible to use this service - there is no action required on their part. If a problem arises, our constituents simply call AllClear ID and a dedicated investigator will do the work to recover financial losses, restore their credit and make sure their identity is returned to its proper condition. AllClear ID maintains an A+ rating at the Better Business Bureau.
AllClear ID is also ramping up a call center that will be available in about a week to take calls and answer any questions our constituents may have about this issue or the service that is being provided.
UPDATE: News Conference Audio Recording Available | 3.5.14
Click here to hear the audio recording of the news conference from 2:30 p.m. on March 5 conducted by conference call.
NEWS RELEASE | 3.5.14
NDUS reports suspicious server activity, data access not evident but possible
Core Technology Services, the information technology arm of the North Dakota University System, has discovered and shut down suspicious access to one of the university system's servers. An entity operating outside the United States apparently used the server as a launching pad to attack other computers, possibly accessing outside accounts to send phishing emails.
Unfortunately, personal information, such as names and Social Security numbers, was housed on that server. There is no evidence that the intruder accessed any of the personal information. As a precautionary measure, steps are being taken to inform all who could potentially be impacted by the suspicious activity.
"Information security is of the utmost importance to us, and it is very unfortunate this has happened" said NDUS Interim Chancellor Larry C. Skogen. "We are working diligently to help make sure this doesn't happen again. It's disturbing that higher education is often targeted by criminal elements in today's global assaults on IT systems."
Records of more than 290,000 current and former students and about 780 faculty and staff resided on the server. No credit card or bank account information was contained in the records. The suspicious activity was discovered on Feb. 7, and the server was immediately locked down. A thorough internal investigation and forensic analysis was conducted to understand the cause and scope of the incident. Law enforcement has been contacted, and the server information was also sent to a national forensic organization to confirm the internal analysis.
"There is no indication that any of the personal information was actually accessed," said Lisa Feldner, vice chancellor for information technology and institutional research. "Nevertheless, we are making every effort to inform people of the situation and are taking every possible precaution to safeguard our systems."
In response to incidents like this one and to help prevent them in the future, NDUS is continually modifying its systems and practices to enhance the security of sensitive information. To support this effort, NDUS removed all access to the affected server and revalidated each individual user, initiated more stringent intrusion detection measures, and developed a taskforce to address how we access data even more securely.
NDUS has established a web page that provides more details about the incident. It will be updated on a regular basis as new information becomes available. In addition, NDUS is making arrangements to provide identity protection services for one year for all those who wish to use it. A call center will be established soon to assist those who have additional questions. More information about these services will be posted on the website as soon as it is available.
"We completely understand that this incident could be distressing," said Skogen. "We certainly hope that no one experiences any negative impact from this intruder's actions, but we are providing resources for those who would like them, and we will keep people apprised of any new developments."
FREQUENTLY ASKED QUESTIONS | 3.5.14
Question: What happened?
Answer: On February 7, 2014, it was discovered that there had been unauthorized access to a North Dakota University System (NDUS) server containing private information. The attacker(s) compromised existing login accounts to gain access to the server. How this was accomplished is currently under investigation.
Question: Does this mean someone stole my personal information?
Answer: We don't believe any personal information was stolen. Our investigation, as well as the investigation of an external forensics organization, revealed that even though an unauthorized person(s) did gain access to the server, there was no evidence that any sensitive information was accessed or transferred from the server. Based on the forensic investigation, it is likely the intruder's intent was only to use the server's processing power to launch attacks on other computers and systems. The intruder may not have even been aware that the sensitive information was stored on this server. We do not have sufficient evidence, however, to determine without a doubt that the information was not acquired. The North Dakota University System is, therefore, taking the precautionary measure of distributing an advisory to all individuals whose information was on the server, so that they can take appropriate steps if concerned.
Question: What personal information was involved? Who and how many individuals were affected?
Answer: The server contained the name, Social Security number, and other student information for 291,465 current and former students including some Fall 2014 applicants. The server also contained the Social Security number and employee ID number for 784 faculty and staff members.
Question: How do I know if my information was included?
Answer: The North Dakota University System will be sending an email to all those affected individuals for whom a valid email address is available starting Friday, March 7.
Question: How did NDUS discover the exposure?
Answer: It was discovered through the victim of an attempted attack that the server was being used to launch attacks against other computers and systems, possibly accessing outside accounts to send phishing emails. This led to the discovery that existing accounts on the server had been compromised. How these accounts were compromised is still under investigation.
Question: When was the data possibly exposed to the unauthorized person(s)?
Answer: Current information indicates the unauthorized access began in late October 2013 and continued until it was discovered on February 7, 2014. Core Technology Services stopped the unauthorized access and secured the server when the attacker was discovered.
Question: Does the information contain any credit card or bank account information?
Answer: No. The investigation did not reveal that any bank account or credit card information was housed on the compromised server.
Question: Was North Dakota's ConnectND (CampusConnection) system breached?
Answer: No. The ConnectND (CampusConnection) system was not affected or involved in this incident.
Question: Why was there a delay in notifying me about this incident?
Answer: We needed time to conduct an investigation and forensic analysis to properly understand the scope of the incident and who was affected. We also needed to make sure the server was properly secured prior to making notifications that could attract the attention of other attackers.
Question: Is this information still at risk of disclosure to an unauthorized person?
Answer: The server involved in this incident has been secured. The North Dakota University System is committed to maintaining the privacy of student and employee information and has taken many precautions for the security of personal information. In response to incidents like this one and to help prevent them in the future, the University System is continually modifying its systems and practices to enhance the security of sensitive information. To support this effort, the University system removed all access to the affected server and revalidated each individual user, initiated more stringent intrusion detection measures, and developed a taskforce to address how we access data even more securely.
Question: Were parents of affected students impacted by the data exposure?
Answer: Not that we are aware of, unless the parent was also one of the affected students or employees.
Question: Is Fall 2014 applicants' data included?
Answer: Yes, information for approximately 1,300 applicants for the Fall 2014 term was on the server.
Question: Do current students, faculty and staff need to be issued new student or employee IDs?
Question: How is the University System responding?
Answer: We have taken multiple steps to secure the affected server and the user accounts and data on the server including removing all access to the affected server and revalidating each individual user, and initiating more stringent intrusion detection measures. We also contacted law enforcement and have engaged an external forensics organization to help us understand the cause and scope of the incident and to assist us with preventing this type of incident in the future. We are notifying the affected individuals, and offering identity protection services for the next 12 months at no cost to those who we know are affected by this incident.
Question: What is the University System doing to prevent this from happening again?
Answer: The University System is continually modifying its systems and practices to enhance the security of sensitive information. To support this effort, the University System removed all access to the affected server and revalidated each individual user, initiated more stringent intrusion detection measures, and developed a taskforce to address how we access data securely. Sadly, higher education is a common target for IT assaults like these.
Question: Has anyone reported fraudulent activity due to this incident?
Answer: No, we are not aware of the fraudulent use of anyone's personal information.
Question: What can I do to protect myself?
Answer: We are offering identity protection services for the next 12 months at no cost to those who we know are affected by this incident. This will help you resolve any possible misuse of your personal information and provides you with superior identity protection services focused on immediate resolution of identity theft.
In addition, you can also review your credit reports to look for any unusual activity. To get your free report, go to https://www.annualcreditreport.com/. To track your credit throughout the year, you can request a free credit report from one of the three credit bureaus every four months. You can also request a free initial fraud alert to be placed on your credit files by contacting any one of the three major credit bureaus:
Question: What should I do if I discover fraudulent use of my personal information?
Answer: An identity protection service is being put in place to help anyone affected. More information about this service is included in the notification email to those affected, and will be posted here once finalized.
Question: Will the University System contact me to ask for private information because of this event?
Answer: The University System will not make unsolicited contact with individuals to obtain their private information. To help keep private information safe, only release this information if you initiated the communication.
Question: I did not receive a notification email. Does this mean that my personal information was not involved in the incident?
Answer: The North Dakota University System will be sending an email to all those affected individuals for whom a valid email address is available starting Friday, March 7. If you receive an email, it will specify which elements of your personal information were affected. The toll-free call center will be available soon for you to contact if you believe the University System does not have your current email address. This website will be updated with contact information once the call center is available.
Question: Who should I contact if I have any additional questions concerning this security exposure?
Answer: We are working to establish a call center as soon as possible for any additional questions. This website will be updated with any new information we receive.