A legislator just forwarded me this email from North Dakota University System Chancellor Larry Skogen:
A message from NDUS SYSTEM OFFICE
Dear students, faculty and staff,
Today the North Dakota University System will release the following information regarding suspicious activity that was detected and shut down on one of the NDUS servers that was used to store information from all North Dakota colleges and universities. Unfortunately, the server contained personal information for current and former students, as well as some faculty and staff members. There is no evidence that the intruder accessed any of your information, but we can’t rule out the possibility.
It is very unfortunate that this happened. NDUS is taking steps to communicate with all those who could potentially be impacted, and we’ve created a special website with detailed information about the incident. We’re also making arrangements for identity protection services for those who want it, and will soon have available a hotline staffed with personnel who can answer your questions.
Multiple steps are being taken to increase security and ensure that this doesn’t happen again. Thank you for your patience as NDUS works through this unfortunate incident. We certainly understand any frustration you are experiencing, and regret any inconvenience this has caused.
Larry C. Skogen
Interim Chancellor, North Dakota University System
The NDUS website has more, including news that the server contained information on nearly 300,000 past and present students and nearly 800 faculty (emphasis mine):
Core Technology Services, the information technology arm of the North Dakota University System, has discovered and shut down suspicious access to one of the university system’s servers. An entity operating outside the United States apparently used the server as a launching pad to attack other computers, possibly accessing outside accounts to send phishing emails.
Unfortunately, personal information, such as names and Social Security numbers, was housed on that server. There is no evidence that the intruder accessed any of the personal information. As a precautionary measure, steps are being taken to inform all who could potentially be impacted by the suspicious activity.
“Information security is of the utmost importance to us, and it is very unfortunate this has happened” said NDUS Interim Chancellor Larry C. Skogen. “We are working diligently to help make sure this doesn’t happen again. It’s disturbing that higher education is often targeted by criminal elements in today’s global assaults on IT systems.”
Records of more than 290,000 current and former students and about 780 faculty and staff resided on the server. No credit card or bank account information was contained in the records. The suspicious activity was discovered on Feb. 7, and the server was immediately locked down. A thorough internal investigation and forensic analysis was conducted to understand the cause and scope of the incident. Law enforcement has been contacted, and the server information was also sent to a national forensic organization to confirm the internal analysis.
“There is no indication that any of the personal information was actually accessed,” said Lisa Feldner, vice chancellor for information technology and institutional research. “Nevertheless, we are making every effort to inform people of the situation and are taking every possible precaution to safeguard our systems.”
In response to incidents like this one and to help prevent them in the future, NDUS is continually modifying its systems and practices to enhance the security of sensitive information. To support this effort, NDUS removed all access to the affected server and revalidated each individual user, initiated more stringent intrusion detection measures, and developed a taskforce to address how we access data even more securely.
NDUS has established a web page that provides more details about the incident. It will be updated on a regular basis as new information becomes available. In addition, NDUS is making arrangements to provide identity protection services for one year for all those who wish to use it. A call center will be established soon to assist those who have additional questions. More information about these services will be posted on the website as soon as it is available.
“We completely understand that this incident could be distressing,” said Skogen. “We certainly hope that no one experiences any negative impact from this intruder’s actions, but we are providing resources for those who would like them, and we will keep people apprised of any new developments.”
This happened nearly a month ago, and we’re just finding out about it now?
Update: Apparently the hackers had access to the server for as long as four months:
Current information indicates the unauthorized access began in late October 2013 and continued until it was discovered on February 7, 2014. Core Technology Services stopped the unauthorized access and secured the server when the attacker was discovered.