Oct 092014

North Dakota State College of Science Information Technology Services department has been alerted to malware activity on a number of NDSCS-owned computers in Wahpeton and Fargo and has taken immediate steps to ramp up security on its systems.

Personal information such as names, Social Security numbers and mailing addresses of more than 15,000 current and former students and employees were contained on some of the affected computers. Those whose information was found are in the process of being notified.

“We have found no evidence that any unauthorized individual accessed or is using the personal data,” said Cloy Tobola, NDSCS Chief Information Officer. “However we encourage all those affected to remain diligent in monitoring their personal information and to notify local law enforcement if they suspect any inappropriate or suspicious activity.”

The malware was discovered on September 1, 2014 and immediate action was taken to secure NDSCS systems. This included conducting a thorough internal investigation by NDSCS and North Dakota University System Information Technology experts. Law enforcement has been contacted, and key systems have been sent to a national forensic organization to confirm the analysis.

A toll-free hotline has been set up to answer questions and can be reached by calling 1-877-615-3755. The Call Center will open on Friday, October 10, 2014 at 8 a.m., CST, and will operate between the hours of 8 a.m. – 8 p.m., CST, Monday through Saturday for the foreseeable future.

As an added precaution, NDSCS has arranged to provide 12 months of identity protection to those affected at no cost to them. The College has also established a web page that provides more details about the incident. It can be accessed at www.ndscs.edu/data.

“We are committed to the privacy of student and employee information,” said NDSCS President John Richman, Ph.D. “We are continually reviewing our practices and processes to enhance the security of sensitive information. This incident serves as a reminder that we need to be even more vigilant in those efforts.”


Oct 092014

Zachary Reid reports:

Richmond school officials are conducting an intensive internal investigation of student records after a School Board member shared confidential information about at least 20 students with a vendor that provides mental health services.

Tichi L. Pinkney Eppes, of the 9th District, publicly apologized a day after her colleagues were told about the breach, but they weren’t quick to offer forgiveness.


During a closed session at the end of its Monday work session, the board learned that on Sept. 10, a vendor tried to access an electronic file assigned to Eppes that contained the names of 20 students with discipline issues. Each name included a link that led to records for each of those students.

When the vendor didn’t know the password, it triggered a security feature in the school computer system that alerted officials about a possible breach.

“We can confirm that our security protocol worked,” Larson said. “But human things, we can’t control. We can’t guard against me giving you my password. … We don’t know beyond this what might have been shared.”

Read more on Times-Dispatch.  It’s not clear to me from any of the coverage I’ve read what the board member’s intentions really were, nor why she would ever be willing to share any student’s records with a vendor. That does not strike me as being within the discretion of a school board member.


Oct 042014

Carmen McCollum reports:

A student data system at Purdue University Calumet may have been hacked.

Purdue Calumet spokesman Wes Lukoshus said the university received information Tuesday night that one of its information systems that includes student information was vulnerable. It was someone from the West Lafayette campus who identified the vulnerability of one of Purdue Calumet systems and notified local campus officials, he said.

“The vulnerability was addressed immediately upon discovery,” Lukoshus said Wednesday. “The university is investigating how the vulnerability occurred and over what period of time.”

The types of data that may have been affected by the vulnerability include directory information such as student name, address, phone number and date of birth. Directory information does not include credit card information or Social Security numbers. Data is considered secure and students need not take any action.

Read more on NWI.

Oct 022014

Barbara Christiansen reports:

Employees of the Provo City School District may have an extra concern facing them as the district has discovered a data breach.

There was a phishing attack and someone gained access to an employee’s email account. That account contained files with sensitive, personal identification information for about half of the district’s employees. The district employs slightly more than 1,000 people.

No student records were affected, said Caleb Price, district spokesman.

Read more on Daily Herald.

As part of their response to the breach, they have implemented two-factor authentication. It’s a shame they didn’t implement it sooner, huh?

Sep 302014

An update to a previously noted breach. Michael Anderson Kruse reports:

Sep 302014

WGN reports:

A teacher’s backpack at an elementary school in suburban Hoffman Estates was stolen last week and one of the items now missing contains personal information about all the students and more.

The pack, known as a “crisis backpack,” has won awards and was developed by the Hoffman Estates Fire Dept to use in an emergency situation. It contains a whistle, a red vest for the teacher, tarp, flashlight, first aid kit, toilet paper, pens and pencils and a class list with a student’s first and last name and when they’re in the class; items that would be necessary for teachers in a lockdown situation.

The principal at Lincoln Prairie Elementary School went one step further and included students’ personal information like birthdate, gender, address, home phone, household members names and their phone numbers of the entire student body.

Read more on CITV.