Computer Security Breach Puts NDSU Records at Risk

A security breach made a number of North Dakota State University (NDSU) human resources, payroll and student loan records vulnerable to unauthorized Internet access. The breach, which was not caused by a malicious attacker seeking records, occurred in a two-week period during the end of May and the first week of June.

Human resources and payroll records including some, but not all, of the following were vulnerable:

• Job descriptions with employee names but no private information.
• Employment records of individuals who left NDSU during 2005 and a portion of 2006.
• Waiver of retirement and health insurance forms with individual names and social security numbers. This form is primarily completed by student or part-time employees.
• Income tax reciprocity forms for NDSU employees who reside in Minnesota or Montana. The forms include names, addresses, and social security numbers.
• Criminal record disclosure forms, some of which contain Social Security numbers.
• Direct payroll deposit forms which contain names, social security numbers and bank account records. The records in the database are primarily from student and part-time employees.
• NDSU employee hiring data forms which contain names, social security numbers, military status and dates of birth. The records in the database are primarily from students and part-time employees.

In addition to these employee records, student loan records for 57 North Dakota students whose last name begins with the letter "A" were also vulnerable, as were some records of the Graduate School. The exact number of people affected is still being determined.

"We have removed the computers from online access, and individuals who are directly affected will receive further information. The exact number of people affected is still being determined," John Adams, vice president for business and finance, said. "NDSU also is reviewing procedures where private vendors have access to confidential information and the security measures they use to protect the data."

Adams said the records were on computers maintained by a third-party vendor under contract to archive electronic copies of paper documents. The records were subject to unauthorized access after computer maintenance was performed following a power surge that disrupted normal operations.

The machines are undergoing forensic examination to determine what records were vulnerable and if they were accessed. Information contained in portions of the database includes names, addresses, social security numbers, loan applications and other financial information.

"News such as this is never welcome, particularly when all the details are not yet available, but we wanted faculty, staff and students to know about the matter as soon as possible," Adams explained.