An inability to detect intrusions was partially to blame for the North Dakota University System server breach that left the personal information of more than 290,000 former and current students, staff and faculty vulnerable, according to a system official.
Lisa Feldner, a vice chancellor in charge of information technology, gave an update on the server breach to the State Board of Higher Education Thursday.
Even though she was the state’s chief information officer for seven years when she left to join NDUS last may, she said she was unaware state’s Information Technology Department, which oversees NDUS’ data network, didn’t have any intrusion-detection measures in place.
“It was not requested before I got here, which was a surprise to me,” Feldner said.
Those security measures are currently being implemented, but she also stressed the importance of continuing to educate people about keeping their identity secured, as the server was likely breached through someone’s personal laptop using malicious software, or “malware.”
ADVERTISEMENT
“Password changes more frequently would have also stopped it,” she said.
Feldner also addressed accusations that the department took too long to notify the public of the server breach, which was discovered in February after going undetected for four months.
She said the breach was investigated by the NDUS IT department, the state’s cyber security center and federal investigative agencies, so the process took awhile.
“You can’t physically look through that many files,” she said.
The department is now confident the server was used as a jumping off point for accessing other information and that personal information wasn’t compromised, she said, but NDUS is still offering free identity-protection services to those affected for the next year.
Feldner said all of the emails alerting students, faculty and staff of the services were completed last Thursday, but since not everybody affected has email addresses, the department is “relying on the media and other public affiliates to try and notify people.”
The call center that was opened to field questions about the incident has received 826 calls as of March 22. It can be reached at (855) 711-5990 from 8 a.m. to 8 p.m. Monday through Saturday.
