IT staff discover unauthorized access to departmental servers

Information technology staff announced April 22 they had discovered a breach affecting five departmental servers on campus. An extensive analysis has revealed the compromised servers contained Social Security numbers of 29,780 students enrolled at Iowa State between 1995 and 2012.

There’s no evidence any of the data files were accessed, and there was no student financial information in the records. The servers were hacked by an unknown person or persons who intended to generate enough computing power to create bitcoins. Bitcoins are a type of digital money that can be used to buy merchandise anonymously.

“We don’t believe our students’ personal information was a target in this incident, but it was exposed,” said senior vice president and provost Jonathan Wickert. “We have notified law enforcement, and we are contacting and encouraging those whose Social Security numbers were on the compromised servers to monitor their financial reports.”

In addition, Iowa State is reaching out to another 18,949 students whose university ID numbers were located on the compromised servers. University IDs are generally used in combination with a password, and have no use beyond campus. The exposure of these numbers poses no financial threat, Wickert said.

Individuals whose personal information may have been exposed are being notified by mail this week.

Free, expert help in identity protection

The university has retained AllClear, a national firm that specializes in identity protection, to assist those affected by the breach. AllClear representatives, available at 877-403-0281, are knowledgeable about how to watch for and deal with identity theft and fraud.

For those with exposed Social Security numbers, Iowa State will purchase one year of credit monitoring. Those who wish to do so may opt for a second free year of monitoring at the end of the first. This service can be activated through AllClear.

How to know if you may be affected

The compromised servers contained Social Security numbers of some students who took a class in:

  • Computer science (1995-2005)
  • World languages and cultures (2004, 2007, 2011-2012)
  • Materials science and engineering (one class only in ENGR101 in fall 2001 and MATE214 in spring 2001)

Two other servers – one located in agricultural and biosystems engineering, and a second in materials science and engineering – were accessed, but they did not have any files containing personal information.

What’s being done to secure information

The five compromised servers are network-attached storage devices made by Synology. Other Synology users have reported similar (bitcoin mining) attacks by criminals. Iowa State has thoroughly examined all information on the compromised servers. Any files containing SSNs or other personal student information have been deleted.

Out of an abundance of caution, the university has decommissioned, removed from the internet and destroyed the compromised servers. Other servers of the same type are no longer accessible through the internet, have received software updates to prevent hacking, and will be replaced as soon as possible.

University officials are accelerating implementation of Iowa State’s new Data Classification Policy, which provides enhanced security standards and guidance.

The Information Technology Services team will work to improve security on mobile computers by encrypting information stored on them. ITS also will begin a process to improve network security by implementing stronger password standards.

The university has begun deploying software that regularly scans computers, servers and other devices to locate protected information.

“Iowa State has always taken information security very seriously, and we will continue to take every possible action to safeguard the personal information of those who learn and work here,” Wickert said. “We have well-regarded cyber defense experts here who not only protect university data, but educate others on how to prevent computer attacks. Unfortunately, Iowa State is not immune to hacking, but we are disappointed and sorry for the inconvenience this incident may cause.”

Be vigilant about phishing scams

Iowa State University, the ISU Foundation and the ISU Alumni Association regularly and legitimately request information from students, faculty, staff and alumni. However, no one from Iowa State will ever ask for your Social Security number over the phone or via email.

If you suspect fraud or question whether a request you receive is legitimate, please contact the ISU Foundation at 515-294-4607, the ISU Alumni Association at 515-294-6525, or Iowa State’s computer security team at serverbreach@iastate.edu.