Employee data included in NU security breach; suspect announced

breach2.jpg

"On Wednesday night, May 23, a security breach of the Nebraska Student Information System, the university-wide student information system, was detected. NeSIS contains Social Security numbers and date of birth for all employees. When the initial announcement was made Friday evening, it was unclear that employee data was included.

At this time, we have no direct evidence that this information was downloaded and we have no reports of identity theft stemming from this breach. We are working with an outside security firm to help analyze the level of risk of personal information being misappropriated and to make recommendations for any additional safeguards that are needed.

What you can do now:

1. We recommend that you contact one of the three primary credit reporting agencies to place a free Initial Security Alert (90-day) to your credit report. This can be done online or via phone and will alert you to any attempt to establish or extend credit in your name.

The three companies are TransUnion (http://www.transunion.com/personal-credit/credit-disputes/fraud-alerts.page), Experian (https://www.experian.com/fraud/center.html) or Equifax (http://www.equifax.com/answers/set-fraud-alerts/en_cp). You need only register with one agency and the others will be alerted

2. Bank account information for most employees is not stored in the NeSIS database and no credit card data is stored in the database; however, we suggest you monitor your bank accounts carefully and report any suspicious activity to your financial institution immediately. Employees who are in the database in another capacity – as students, parents or alumni, for example – will be notified if they have a bank account associated with their NeSIS account.

3. Follow updates on the situation and access additional resources, including a video on using fraud alerts, at our website: http://nebraska.edu/security. In addition, you can submit questions and comments regarding this incident at the website. We will monitor these comments and respond to all questions submitted as quickly as possible.

4. A telephone service center will be instituted in the future to assist employees, students, parents and alumni whose personal information may be at risk. Check the website for information on contacting the service center.

We appreciate your patience as we work through this difficult situation."

— Joshua Mauk , NU Central Administration

On May 30, NU Central Administration made the following statement to media related to a suspect:

"University of Nebraska officials today announced that an individual has been identified who they believe was responsible for the recent security breach involving student, alumni and employee records housed in the Nebraska Student Information System database.

UNL Police Chief Owen Yardley said, “We have seized computers and related equipment belonging to a UNL undergraduate student who we believe is involved in this incident. They are currently in the hands of law enforcement and undergoing analysis.” Yardley said the individual was identified by NU Computing Services personnel through IP addresses used to access the system.

The forensics process can be very time-consuming, he said, and the name of the individual will not be released until an arrest is made. Additional information will be released when it becomes available.

Yardley added, “In order to assist with the criminal investigation, police asked the university not to release information about this security incident during the first 48 hours as work was done to verify the identity of the individual involved and necessary legal steps were taken to seize the property.”

Joshua Mauk, NU information security officer, said the university and law enforcement officers are continuing to analyze how the breach occurred, and whether any information was downloaded.

A toll-free telephone number will be available on Friday to handle questions from those affected and updates continue to be made at http://nebraska.edu/security.