North Dakota University System reports unauthorized account access
BISMARCK—The North Dakota University System has reported there was unauthorized access to an employee's email account in July, an account which contained thousands of individual's personal information.
Core Technology Services, the information technology arm of the NDUS, discovered in July that there had been unauthorized access to an NDUS employee's email account.Evidence indicates that the account credentials were stolen through a successful "phishing" campaign, the system office said Friday.
No credit card or bank account information was contained in the email account, NDUS said. The suspicious activity was discovered July 12, and a forensic analysis was conducted to properly understand the scope of the incident.
"It is possible the attacker was not aware personal information was in various emails in the account, but to be safe, the NDUS has notified all those who may have been affected," a NDUS release said Friday.
The account contained personal information, such as names and Social Security numbers of about 9,400 individuals, according to the system office. Law enforcement has been contacted, and the account was properly secured.
"Information security is very important to us, and NDUS has consistently worked to minimize these types of interferences," NDUS Chancellor Mark Hagerott said in a statement. "It is a sobering reality that education is often targeted by criminal elements in today's global assaults on IT systems."
In response to incidents like this one and to help prevent them in the future, NDUS says it is continually modifying its systems and practices to enhance the security of sensitive information. One such effort, currently underway, is to enable multi-factor authentication on the NDUS email system.
"There is no indication that any of the personal information was accessed," said Darin King, vice chancellor of information technology/chief information officer. "Nevertheless, we are making every effort to inform people of the situation and are taking every possible precaution to safeguard our systems."
Hagerott led the NDUS staff in a security measures protocol meeting immediately following the incident.
"It is important that all faculty, staff and students from the 11 campuses within the university system — especially new, incoming freshman — are reminded never to put personal identifiable information, such as social security information, in emails," Hagerott emphasized.
NDUS is providing free identity theft protection services to those individuals who want to take steps to guard against identity theft or fraud as a precautionary measure. A letter has also been sent to the affected individuals, which provides additional information on identity protection and the services being offered, NDUS said.