Back in 2011 the North Dakota University System paid hundreds of thousands of dollars for a system-wide audit conducted by LarsonAllen LLP. This was perhaps one of the most sweeping reviews of the system’s performance ever conducted, and is certainly the most comprehensive recent audit available.
So it’s interesting, in light of a security breach in NDUS systems that exposed hundreds of thousands of student records for roughly four months without detection, that auditors flagged NDUS IT security as “high risk” in the report issued in October of 2011, an assessment NDUS officials at the time agreed with.
The entire audit – all 300 pages of it – is embedded below, but this is the pertinent section from page 290. As you can see, auditors flagged the use of “shadow systems” by NDUS employees for which there wasn’t a thorough accounting. Auditors also flagged “security holes” at smaller campuses which allowed employees to access more information than was necessary to complete their jobs.
According to a posting on the NDUS website, their security breach was detected after “the discovery that existing accounts on the server had been compromised.” How they were compromised “is still under investigation.”
The question is, were these security holes, flagged going on three years ago, addressed by the NDUS? I’ve asked that question of NDUS spokeswoman Linda Donlin. I’ll update when I get a response.
Meanwhile, retail giant Target (recently in the headlines for a security breach of their own) has come under fire for failing to report infiltrations into customer data for 12 days. Compare that with the North Dakota University System, which detected their own security breach in early February but didn’t report it to the media or the public until early March, a month later.