North Dakota University System Hasn't Completely Fixed "High Risk" IT Security Problems From 2011


The North Dakota University System is scrambling to respond to a massive server security breach which exposed nearly 300,000 confidential student records, and hundreds of faculty records, to possible infiltration. They’ve set up a call center for those impacted by the breach, and they’re offering to pay for free credit monitoring and identity theft services, but that may be too little too late for some.

The breach was on-going for an unbelievable four months before it was detected, and after it was detected the NDUS sat on it without notifying the public or even those affected for another month.

As I reported on Friday, a 2011 audit of the NDUS had “high risk” findings in the area of IT security, including the undocumented use of “shadow systems” and security profiles that allowed NDUS officials to access far more information than they were entitled to.

Forum Communications reporters picked up on this story Friday evening (without any credit to SAB for breaking it, I might add), and NDUS spokeswoman Linda Donlin told reporter Anna Burleson that some steps have been taken to fix the issues.

The key word there being “some.” And Donlin would neither confirm nor rule out the possibility of their contribution to the data breach (According to a posting on the NDUS website, their security breach was detected after “the discovery that existing accounts on the server had been compromised”).

When I emailed Donlin on Friday, I asked if the issues raised in the audit were addressed. Donlin sent me this in reply:

Yes, much has been done to address those two issues, and we have even gone further than the recommendations in the report, especially since Dr. Lisa Feldner came on board last summer.
To address those two issues:
  •  Initiated multiple projects to eliminate shadow systems, such as SharePoint. These projects are in various stages of implementation.
  •  Reviewing and restricting user access. Some of that is already done.

You’ll note that despite Donlin’s best efforts to portray something different, it’s clear that today in 2014, going on three years from the date of the audit, the issues security issues have not been fully addressed. The fixes for the “shadow systems” are only in “various stages of implementation.” Only “some” of the review and restriction of excessive user access has been completed.

I’ve asked Donlin for May a breakdown of the “shadow system” projects and what stage of implementation can currently be assigned to each, as well as how much “some” of the review of user access represents (10 percent? 90 percent?). Donlin says she’ll have an answer for me on Monday.

But is anyone else thinking the NDUS should have had an answer for this a couple of years ago? Because for the hundreds of faculty, and the hundreds of thousands of students, who were victims of this data breach these reviews are, again, too little too late.

Just another moment of competence and accountability brought to you by the highly-paid personnel in the North Dakota University System.