"I Didn't Go To NDSU To Spend The Next Year Monitoring My Credit"


Over the weekend I reported that North Dakota University System IT security holes flagged in a 2011 auditstill haven’t been fully addressed today in 2014. That’s a big problem as the system grappled with a massive security breach that exposed hundreds of thousands of student records to hackers, as well as hundreds of faculty records.

In response, the NDUS set up a call center to help students concerned about the security of their data and identity. But according to this review I received from a NDSU student, by way of a state legislator, the call center leaves much to be desired:

It is the worst ever. On one hand they say “yes your social security number was accessed” but don’t worry about us. Also the burden is 100% on us to monitor our credit for any fraud and notify them if we suspect anything. I’m sorry but I didn’t go to NDSU to spend the next year monitoring my credit. Not to mention, if I were the thief, I’d probably be smart enough to wait the one year until this “protection” dropped off. Four members of our staff were affected and none of us are happy with having to get a number off a press release and find out that way.”
Be prepared for an information dump. I asked if I would be mailed anything and said that all the information he was giving me was confusing and overwhelming. Even if I think something fishy is going on, am I really suppose to hang on to the press release to call that number to report? He told me he could email me something, which he did and it basically says “under federal law you are entitled to receive your credit report three times a year” and listed the numbers to call. Target did a MUCH MUCH MUCH classier job of taking care of their breach. It sounds like we got the most basic, primitive level of “protection” available. If that is what the threat requires, so be it, but as for anyone’s peace of mind, it was a waste of money.
It is just scary to hear that someone has your social security number and that NDUS tried so very poorly to even let you know. Shows how little they care.
Speaking of poor notification, the mother of a student who applied to NDSU forwarded this email about the security breach they just received today. It’s worth noting that the breach was detected a month and a half ago, in early February, and the systems were originally compromised four months before that.
This story has been much in the news in North Dakota, but a lot of NDSU’s students – current and former – not to mention applicants aren’t from North Dakota. The idea that they’re just being notified of this problem directly a month and a half after the NDUS was aware of it speaks to incompetence, and a rather cavalier attitude about the right of the victims of this breach to be aware of it.
From: NDUS CHANCELLOR <noreply@ndus.edu>
Subject: Update: Possible Data Exposure
Date: March 17, 2014 9:48:41 AM CDT


We are writing to inform you of an incident that may have involved your personal information, such as name and social security number. On February 7, 2014, we discovered suspicious activity on a North Dakota University System (NDUS) server. It was immediately locked down and NDUS revalidated each individual user and initiated more stringent intrusion detection measures. An attacker(s) apparently compromised existing login accounts to gain access. An internal forensics team believes that the server was being used to launch attacks against other computers and systems, possibly accessing outside accounts to send phishing emails. We contacted law enforcement, and we engaged an external forensics organization to confirm our findings. On February 28, NDUS officials were thoroughly briefed on the nature and scope of the incident, and a public announcement was made on March 5. Our internal team found no evidence that any personal information was accessed. An external forensic investigation has now confirmed this finding. However, we are notifying all those whose information was on the server in an effort to keep you informed.

Even with the low possibility of exposure, we want to make you aware of steps you may take to guard against identity theft or fraud. Please review the Information about Identity Theft Protection section included below.

As an added precaution, we have arranged to have AllClear ID protect your identity for 12 months at no cost to you. The following identity protection services start on the date of this notice and you can use them at any time during the next 12 months.

AllClear SECURE: The team at AllClear ID is ready and standing by if you need help protecting your identity. You are automatically eligible to use this service – there is no action required on your part. If a problem arises, simply call (855) 711-5990 and a dedicated investigator will do the work to recover financial losses, restore your credit and make sure your identity is returned to its proper condition. AllClear ID maintains an A+ rating at the Better Business Bureau.


Larry C. Skogen, Ph.D.
Interim Chancellor



When you receive your credit reports, review them carefully. Look for accounts or creditor inquiries that you did not initiate or do not recognize. Look for information, such as home address and Social Security number, that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.

For more information on what you can do to protect yourself, contact AllClear ID or visit the Federal Trade Commission’s Identity Theft website, http://www.consumer.ftc.gov/features/feature-0014-identity-theft.