ND university system enlists FBI in help on data breach; 300,000 affected

North Dakota University System officials said Thursday they have talked to the FBI and an independent cybersecurity group about helping with an investigation into a breach on the system's computer server.

The system's interim chancellor announced Wednesday that names and Social Security numbers of more than 290,000 current and former students and nearly 800 faculty and staff were on the server, which was hacked in early February. It's not known if the information was stolen. It did not include bank or credit card information.

An internal investigation found no evidence that any of the personal information was compromised, but officials are waiting on a similar forensics analysis by the nonprofit Multi-State Information Sharing and Analysis Center. Krista Montie, spokeswoman for the Troy, N.Y., group, declined comment on Thursday.

"It's a tremendous amount of information to do forensics on," said Darin King, deputy chief information officer for the university system's information technology support arm.

FBI spokesman Kyle Loven said Thursday that his office has talked with university system officials and will become more involved if needed.

"We'll have to see how the facts play out and based upon that information we will make an appropriate decision as to whether or not we will move forward with this or look at another option," Loven told The Associated Press.

Officials said an overseas entity apparently used the server as a launching pad to attack other computers and access outside accounts to send phishing emails. It was traffic that looked normal and went under the radar, King said.

"This was access to a specific account, which can look exactly like appropriate access to that account," he said.

King said routine checks on the system are done on a daily basis and a robust audit was performed in 2009. He said a similar audit had been scheduled for this fall, before the breach.

"It's a constant and ongoing thing because the threat landscape changes so quickly," King said. "You have to just view this as a day-to-day, minute-to-minute process."

Rick Dakin, CEO of Coalfire, a cybersecurity and audit firm, said universities are soft targets for hackers because they have a "treasure trove of information assets" and often don't have the money to keep up with security safeguards.

"They have always been targeted, but most attacks aren't publicly reported. Sometimes attacks aren't even detected," Dakin said.

University system officials said in a timeline released Thursday that the breach was first noticed on Feb. 7. Results of the three-week internal investigation were relayed to Interim Chancellor Larry Skogen at the end of the day last Friday, and he first passed the information to the state Board of Higher Education and then staff members and college presidents.

Officials needed to line up a vendor for identity protection and set up a website and call center before making the announcement public on Wednesday, university system spokeswoman Linda Donlin said. The website had been accessed about 4,500 times by Thursday morning.

Students at North Dakota State University reacted to the breach mostly with shrugs. Allyson Meyer, a freshman from Fargo majoring in accounting, said she's "worried a little bit" about the possibility of someone getting her Social Security number.

"You never know what kind of information is going to be found and who is going to find it," she said.

Seth Hass, a junior from Madison, Minn., said he felt better after he found out his financial information wasn't compromised.

"When I heard they didn't get that, I wasn't too concerned," Hass said. "Dealing with hackers is pretty common these days. I have heard it is very difficult to hack into a system. You have to be pretty smart."

Andy Mueller, a sophomore from Delano, Minn., said he figured state officials would "handle it quickly and figure it out," and doesn't think the university system's email alert to students alarmed many people.

"I guarantee most just saw the email and deleted it right away," Mueller said.

---

Editor's note: The data breach concerns the North Dakota University System, not North Dakota State University, as a previous headline stated. The headline has been corrected.