Legislator: Lack Of NDSU Cooperation On IT Security Contributed To Payroll Breach


Yesterday I broke the news that the North Dakota University System has seen another IT security breach. This time it involved a phishing scam that saw the payroll deposits of university system employees diverted.

Tu-Uyen Tran has more details:

It happened during the most recent payroll cycle when the employees fell victim to what’s known as a phishing scam, which involves emails pretending to be from official sources.

“The email asked employees to click on a link and verify their information for payroll distribution, and eight employees responded,” NDUS said in a statement. “Unfortunately, those employees’ paychecks were then re-directed to the scammer’s account. They reported the incidents, which were then reported to authorities.”

NDSU reimbursed the employees, the university system said.

In response to the incident, NDUS’ information technology department temporarily shut down a computer system storing employee information. The computer system was re-activated after IT workers found that it had not been breached. Employees will not be able to change their direct-deposit information online, however.

Some are now claiming that this was the result of a poor choice by the university system employees, and not lax security by NDSU, but today I spoke with Rep. Bob Skarphol (R-Tioga), who sits on the Legislature’s Budget Section, which will be reviewing this matter next week.

According to Skarphol, this breach has to do with NDSU trying to go its own way with its email systems and IT security.

“It’s because they weren’t under the umbrella of the security of the balance of the university system,” Skarphol told me during an interview on the Jay Thomas Show today on WDAY AM970.

Skarphol said the incident happened about sixty days ago, and criticized NDSU for not making the breach public earlier. “It’s embarrassing,” he told me. “They don’t want to be forthcoming about what’s going on.”

Skarphol suggested that NDSU didn’t make the matter public because they wanted to avoid scrutiny of their refusal to participate in the unified NDUS email system, and their pushback against NDUS security protocols.

As I pointed out yesterday, Rep. Roscoe Streyle wrote for SAB recently about NDUS’s pushback against an intrusion detection system. Back in July I wrote a lengthy article for Watchdog about NDSU President Dean Bresciani’s fit over joining the NDUS email system, including accusations from both Bresciani and NDUS CIO Lisa Feldner about an utter lack of trust over IT issues.