From a notification submitted by the college’s external counsel to the New Hampshire Department of Justice:
On October 5, 2017, Dallas County Community College District identified unusual activity in an employee email account. Dallas County Community College District immediately changed the employee’s credentials and launched an investigation, with the assistance of a third-party forensic investigation firm, to determine what happened. As part of the investigation, it was determined that certain employee email accounts were subject to unauthorized access and certain email messages and attachments stored therein may have been accessed or acquired by unauthorized individual(s). The unauthorized access to the impacted email accounts ranged in time from September 14, 2017 to December 18, 2017.
After an exhaustive search of the impacted email accounts, which included a manual review ofdocuments to identify information contained therein, impacted individuals were identified as of May 29, 2018.
You may be thinking that it took them a long time (too long?) to stop the breach (from discovery on October 5 to December 18) and that it took them too long to identify impacted individuals (from discovery on October 5, 2017 to May 29, 2018). If you thought that was too long, you’ll probably also think it was too long from May 29 until they actually sent out notification letters to affected individuals on August 17, 2018.
Ten months from discovery of unusual activity to notification that your Social Security number was caught up in a breach. Does that seem reasonable or too long? In this day and age, it seems too long to me.
The number of affected individuals is also not provided in this notification and I was unable to find any coverage of this breach on the college’s web site or in a news search on Google.
The college is offering those affected monitoring and restoration services, but only for 12 months. Given that SSN is durable, is 12 months really enough protection? If I was one of those notified, I wouldn’t be a happy camper right now.
You can read the full notification to the state and to affected individuals here. It is not clear to me from the notification whether these are employees who are affected, students, vendors, or some combination. Nor is it clear how the attackers gained access to the employees’ email accounts.