Most of the time, when I talk about data breaches I'm telling you about some large company that's had customer information stolen or a hospital that has had patient records and insurance claim numbers compromised. I've said before that anyone can be a target, though, and this breach proves it: the University of Nebraska recently reported that it's Student Information System (NeSIS) has fallen victim to what it calls a "sophisticated and skilled attack."
NeSIS doesn't contain credit card numbers, but it does contain information that is potentially more damaging. The system lists application data for students going as far back as 1985, including those who applied to the school but weren't accepted. Some employee data is also contained in the system, as is information about the parents of students who applied for financial aid. Information contained in the system includes Social Security numbers, current addresses and financial aid information, making it a perfect target for identity thieves.
So far there have been no reported cases of identity theft or bank fraud associated with the breach, but university officials caution both current and former students to monitor their bank accounts and asking that they report any suspicious activity to the proper authorities. The university is working with the police and the FBI to try and determine exactly how bad the breach was; it's estimated that as many as 650,000 records or more could have been accessed across the university's four campus locations.
Individual identified in university security breach
One thing that makes the NeSIS breach a bit different than some of the other breaches I've mentioned here, is the way that the University of Nebraska is handling it. The breach was discovered on May 25th and the university immediately started trying to stop the breach and prevent further access. Within a week they had contacted law enforcement, sent out a bulletin to those who might have been affected and a suspect had even been brought in for questioning. Unlike some data breaches that only come to light when information is leaked to the press, the university has been very proactive both in trying to contain the damage and in informing those who were put at risk when their system was accessed.
IT security specialists have praised the quick response to the breach, while at the same time condemning the fact that the data wasn't encrypted and that a loophole in their system would have allowed the intruder to bypass encryption even if it was. I agree; while it's great that they traced the intrusion back to its source in a timespan shorter than it takes most breaches to be initially reported, stronger overall security would have prevented much of the danger to start with.
I hope that companies and other universities learn from the University of Nebraska when it comes to stepping up their response times for data breaches, and I also hope that the university learns from its own mistakes and begins to take the security of its students and employees more seriously.
For more information about the incident, who was impacted and what steps should be taken by those impacted visit the University of Nebraska's website: Security Incident
Leave a comment