[BreachExchange] UNL security breach puts thousands of current, former students' information at risk

Inga Goddijn inga at riskbasedsecurity.com
Wed Dec 21 18:24:34 EST 2016


http://www.ketv.com/article/unl-security-breach-puts-thousands-of-current-former-students-information-at-risk/8522433

University of Nebraska-Lincoln officials emailed students Tuesday to warn
them of a security breach.

The names, ID numbers and grades of 30,000 current and former students may
have been comprised over the last two years, the email read.

UNL officials said it discovered unauthorized access of a server that ran a
math placement exam.

You can read the email in full below:

"At some point in the last two years you participated in the Math Placement
Exam at the University of Nebraska-Lincoln.

"UNL officials recently learned of a security breach involving the server
that runs this placement exam. Among the items stored on this server were
NU IDs, grades for placement exams, and names of participants.

"The University‘s investigation found that there was unauthorized external
access to information on this server including possible access to files
containing both names and NU IDs. We immediately shut down the server and
have since moved the Math Placement exam to a secure platform.

We are notifying you because you are one of the people whose name, NU ID
number, and grades for placement exams were stored in a data file on this
server. Currently, we have no evidence that anyone has used this
information for illegal or malicious activity. We are sending you this
notification as a courtesy, and encourage you to monitor systems for which
you use your NU ID for access. We have no reason to believe that these
other systems have been compromised, as we have duplicate safeguards
protecting them. As a precaution, the MyRed system will automatically reset
your account and a temporary password will be sent to your email account.
Please login to MyRed using this temporary password and then reset your
password accordingly.

"We are sorry that your personal information may have been subject to
unauthorized access and we have taken measures to ensure that this
situation is not repeated. The University of Nebraska-Lincoln is committed
to maintaining the privacy of personal information and takes many
precautions to monitor and safeguard the security of its computers and
personal information. If you have further questions about this process or
about the incident, you can contact Alecia Kimbrough, Assistant Dean in the
College of Arts and Sciences, at 402-472-2891 or akimbrough at unl.edu. We
apologize for any inconvenience this may present to you."

The folllowing additional points were made by UNL spokesperson Steve Smith:

These are additional points from UNL spokesperson Steve Smith:

— The breach was limited to one server and was found during a routine scan
during a system update.

— There were several thousand letters sent out to students regarding this
event.

— No extensive personal information was on the server in question.

— An NUID, or Nebraska Unique Identification, is a unique 8-digit number
assigned to students, faculty and staff members during either admissions or
hiring.

— There is no evidence to think this information has been used for illegal
or malicious activity.

— We’ve taken steps to address the situation.

— Though this can be classified as a relatively minor risk, we are taking
the appropriate precautions. We also have asked letter recipients to
monitor systems for which they use their NU ID for access and to reset
their MyRed passwords as an extra precaution.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161221/4ccdfe8f/attachment.html>


More information about the BreachExchange mailing list