There are a couple of disturbing facts about yesterday’s revelations about a security breach into a North Dakota University System server that don’t seem to be getting a lot of attention from the media.
First, it appears as though the university system sat on their knowledge of this breech – not alerting the media or the public or even the hundreds of thousands of student and faculty whose private information was potentially exposed – for about a month.
“The suspicious activity was discovered on Feb. 7, and the server was immediately locked down,” reported the University System yesterday in a posting about the security issue on their website.
Last year the media went bonkers over the fact that the North Dakota Department of Health hadn’t sent out to media a press release about the Tioga oil spill until a couple of days after it had happened, and North Dakota Democrats swooped in to score some political points. Something tells me that the university system failing to report this problem for a month won’t get the same treatment.
Because the oil industry is evil, and higher education is not. Or something like that.
Second, the scope of the intrusion is startling. Buried in the university system’s lengthy online release about the security problems is this:
Current information indicates the unauthorized access began in late October 2013 and continued until it was discovered on February 7, 2014. Core Technology Services stopped the unauthorized access and secured the server when the attacker was discovered.
So the server was compromised for four months before it was even detected? And then the university system sat on that news for another month before anyone in the public was told about it?
Meanwhile, the university system is claiming that no personal data related to students of faculties was accessed as a result of the hack. That’s the spin most in the state media are leading with at this point. But how believable is that claim? I’m not an expert, but I think it’s safe to say that such assurances are a little hard to believe given the duration of the infiltration.
Remember, this is the same group of people that accidentally misplaced thousands of NDSU President Dean Bresciani’s emails just as the legislature was requesting copies of them.
The legislature’s interim Information Technology Committee is scheduled to meet next week on the 13th, and while I don’t see this specific issue on the agenda yet, members of that committee are telling me that they plan to ask some pointed questions of higher ed officials (who are on the agenda to give an unrelated presentation) some pointed questions.