NDSCS reports malware activity found on Wahpeton and Fargo computers
North Dakota State College of Science Information Technology Services department has been alerted to malware activity on a number of NDSCS-owned computers in Wahpeton and Fargo and has taken immediate steps to ramp up security on its systems.
Personal information such as names, Social Security numbers and mailing addresses of more than 15,000 current and former students and employees were contained on some of the affected computers. Those whose information was found are in the process of being notified.
“We have found no evidence that any unauthorized individual accessed or is using the personal data,” said Cloy Tobola, NDSCS Chief Information Officer. “However we encourage all those affected to remain diligent in monitoring their personal information and to notify local law enforcement if they suspect any inappropriate or suspicious activity.”
The malware was discovered on September 1, 2014 and immediate action was taken to secure NDSCS systems. This included conducting a thorough internal investigation by NDSCS and North Dakota University System Information Technology experts. Law enforcement has been contacted, and key systems have been sent to a national forensic organization to confirm the analysis.
A toll-free hotline has been set up to answer questions and can be reached by calling 1-877-615-3755. The Call Center will open on Friday, October 10, 2014 at 8 a.m., CST, and will operate between the hours of 8 a.m. – 8 p.m., CST, Monday through Saturday for the foreseeable future.
As an added precaution, NDSCS has arranged to provide 12 months of identity protection to those affected at no cost to them. The College has also established a web page that provides more details about the incident. It can be accessed at www.ndscs.edu/data.
“We are committed to the privacy of student and employee information,” said NDSCS President John Richman, Ph.D. “We are continually reviewing our practices and processes to enhance the security of sensitive information. This incident serves as a reminder that we need to be even more vigilant in those efforts.”
Question: What happened?
Answer: On September 1, 2014, malware was discovered on a number of North Dakota State College of Science (NDSCS) computers in Wahpeton, N.D. and Fargo, N.D. During the process of removing the malware, ITS staff identified names and Social Security numbers of some current and former students and employees on a number of the affected computers. The College immediately took steps to increase the security on ITS systems. They also notified the North Dakota University System office and called in the University System information technology security staff to assist with an internal investigation.
Question: Does this mean someone stole my personal information?
Answer: We don't believe any personal information was stolen. Our investigation, as well as the investigation of an external forensics organization, revealed that even though the malware was on several computers, there was no evidence that any sensitive information was accessed or transferred from the affected computers.
Based on the forensic investigation, it is likely the malware was intended to be used on the affected computers to launch attacks on other computers and systems. The intruder may not have even been aware that the sensitive information was stored on the affected computers. We do not have sufficient evidence, however, to determine without a doubt that the information was not accessed. The North Dakota State College of Science is, therefore, taking the precautionary measure of distributing an advisory to all individuals whose information was on the affected computers.
Question: What personal information was involved? Who and how many individuals were affected?
Answer: The computers contained personal information such as names, Social Security numbers and mailing addresses of more than 15,000 current and former students and employees.
Question: Why was personal information stored in this way?
Answer: Although personal data is generally stored on secure servers, employees in various departments frequently need to work with this information for reports, analysis and other data verification. In doing so, some of these individuals need to store data on their local computer.
Question: How do I know if my information was included?
Answer: On or before Friday, October 10, the North Dakota State College of Science will be sending letters to all those affected individuals for whom a valid mailing address is available.
Question: How did NDSCS discover the exposure?
Answer: Monitoring systems detected suspicious network activity at NDSCS-Fargo and automatically removed those computers from the network. Once notified of this issue, ITS staff also blocked the affected computers in Wahpeton. During the process of removing the malware, ITS staff identified personal information stored on some of the computers.
Question: When was the data possibly exposed to the unauthorized person(s)?
Answer: Current information indicates the malware was present on some NDSCS computers in mid-August 2014.
Question: Was NDSCS’s ConnectND (CampusConnection) system breached?
Answer: No. The ConnectND (CampusConnection) system was not affected or involved in this incident.
Question: Why was there a delay in notifying me about this incident?
Answer: We needed time to conduct an investigation and forensic analysis to properly understand the scope of the incident and who was affected. We also needed to make sure the computers were properly secured prior to making notifications that could attract the attention of other attackers.
Question: Is this information still at risk of disclosure to an unauthorized person?
Answer: The computers involved in this incident have been secured. The North Dakota State College of Science is committed to maintaining the privacy of student and employee information and has taken many precautions for the security of personal information. In response to incidents like this one and to help prevent them in the future, NDSCS is continually improving its systems and practices to enhance the security of sensitive information.
Question: Were parents of affected students impacted by the data exposure?
Answer: Not that we are aware of, unless the parent was also one of the affected students or employees.
Question: Do current students, faculty and staff need to be issued new student or employee IDs?
Question: How is NDSCS responding?
Answer: We have taken multiple steps to address this issue. In addition to updating login information on administrative systems, we have installed additional monitoring and scanning software on individual computers and servers, and we are implementing an encryption process to lock files on employee computers. We have also reported this matter to law enforcement and the FBI.
The North Dakota University System staff and an outside security agency are currently conducting a security audit of NDSCS’s technology systems.
We are notifying the affected individuals, and offering identity protection services for the next 12 months at no cost to those who we know are affected by this incident.
Question: Is there a phone number to call for more information?
Answer: Yes, a toll-free hotline has been set up to answer your questions. The call center will open on Friday, October 10, 2014 at 8 a.m. CST. The number to call is 1-877-615-3755. The call center will operate between the hours of 8 a.m. –8 p.m. CST, Monday through Saturday.
Question: Has anyone reported fraudulent activity due to this incident?
Answer: No, we are not aware of the fraudulent use of anyone's personal information.
Question: What can I do to protect myself?
Answer: We are offering identity protection services for the next 12 months at no cost to those who we know are affected by this incident. This will help you resolve any possible misuse of your personal information and provides you with superior identity protection services focused on immediate resolution of identity theft.
In addition, you can also review your credit reports to look for any unusual activity. To get your free report, go to www.annualcreditreport.com. To track your credit throughout the year, you can request a free credit report from one of the three credit bureaus every four months. You can also request a free initial fraud alert to be placed on your credit files by contacting any one of the three major credit bureaus:
Question: What should I do if I discover fraudulent use of my personal information?
Answer: An identity protection service is being put in place to help anyone affected. More information about this service is included in the notification letter mailed to those affected, and will be posted at www.ndscs.edu/data when finalized.
Question: Will NDSCS contact me to ask for private information because of this event?
Answer: NDSCS will not make unsolicited contact with individuals to obtain their private information. To help keep private information safe, only release this information if you initiated the communication.
Question: I did not receive a notification letter. Does this mean that my personal information was not involved in the incident?
Answer: NDSCS will be sending letters to all those affected individuals on or before Friday, October 10, 2014 for all affected parties that have a current address on file with the University System. If you do not receive a letter and would like to confirm whether your information was potentially exposed, please contact the call center. Once the call center is available, the number will be posted at www.ndscs.edu/data.
Question: Who should I contact if I have any additional questions concerning this security exposure?
Answer: We are working to establish a call center to answer questions for affected individuals. That number will be posted at www.ndscs.edu/data as soon as it is available. This web page will also be updated with any new information we receive.
You have a few options from this point. The first and most recommended option would be to download one of the browsers below. If that is not possible, the second suggestion would be to update your current browser, you can follow the update link below for that. Otherwise, the site will still function in its current state, but in a limited capacity.