BISMARCK-The North Dakota University System has reported an unauthorized access to an employee's email account in July, an account which contained thousands of people's personal information.
Core Technology Services, the information technology arm of the NDUS, discovered in July there had been unauthorized access to an NDUS employee's email account. Evidence indicates the account credentials were stolen through a successful "phishing" campaign, the system office said Friday.
No credit card or bank account information was contained in the email account, NDUS said. The suspicious activity was discovered July 12, and a forensic analysis was conducted to properly understand the scope of the incident.
"It is possible the attacker was not aware personal information was in various emails in the account, but to be safe, the NDUS has notified all those who may have been affected," a NDUS news release said.
The account contained personal information, such as names and Social Security numbers of about 9,400 individuals, according to the system office. Law enforcement has been contacted, and the account was properly secured.
A majority of the individuals affected were students, said Darin King, vice chancellor of information technology and chief information officer.
"Information security is very important to us, and NDUS has consistently worked to minimize these types of interferences," NDUS Chancellor Mark Hagerott said in a statement. "It is a sobering reality that education is often targeted by criminal elements in today's global assaults on IT systems."
In response to incidents like this one and to help prevent them in the future, NDUS says it is continually modifying its systems and practices to enhance the security of sensitive information. One such effort underway is to enable multifactor authentication on the NDUS email system.
"There is no indication that any of the personal information was accessed," King said. "Nevertheless, we are making every effort to inform people of the situation and are taking every possible precaution to safeguard our systems."
Hagerott led the NDUS staff in a security measures protocol meeting immediately following the incident.
"It is important that all faculty, staff and students from the 11 campuses within the university system - especially new, incoming freshman - are reminded never to put personal identifiable information, such as social security information, in emails," Hagerott emphasized.
NDUS is providing free identity theft protection services to those individuals who want to take steps to guard against identity theft or fraud as a precautionary measure. A letter has also been sent to the affected individuals, which provides additional information on identity protection and the services being offered, NDUS said.
King said the people who received the letters from the university system also should have received information about a company called AllClear, which is a company that deals with credit monitoring and credit restoration. Those affected will have coverage for a full year, he said.