College Reports Breach of Confidential Employee Information via Unknown Outside Source, Investigation On-Going
Limited Student Data May Also Be Affected
An internal review by Northwest Florida State College on October 1 – 5, 2012 has indicated a breach in the security of the college’s computer systems which has compromised the personal information of some 3,200 current and retired college employees. The investigation is ongoing with both an external expert consultant and a cybercrimes investigator from the Okaloosa County Sheriff’s Office.
At this point in time, the compromised personal information of employees includes name, birthdate, employee Direct Deposit bank routing and account number information, and Social Security number. Approximately 50 employees to date have reported issues with identity theft, including the college president, faculty and staff.
The breach was an unlawful, unauthorized acquisition of computerized data by an entity/person outside the college that materially compromised the confidentiality of personal information maintained by the college. The employee data was breached between May 21 and September 24, 2012.
“The integrity of the NWFSC system has been restored and there is no indication of any additional instances of compromise of personal information,” said Dr. Ty Handy, college president. “An investigation is ongoing on the full nature and scope of the breach. As soon as the issue was identified last week, the college began to alert employees through a series of all-campus e-mails and will provide an additional formal notification, which is required by law to be sent out within 45 days, as more complete information becomes available.”
“As we determine the full scope of the matter, we will be able to issue the more formal notifications,” said Dr. Ty Handy. “We hope, by the end of this week, to know precisely which persons have had their information compromised. We will not wait 45 days to provide the individuals affected direct contact regarding this but will do it as soon as we can.”
“We provided information to employees as soon as we had an indication that there was an issue – when we initially had reports from five employees that their direct deposit accounts had been unlawfully accessed,” said Handy. “We needed employees to take immediate steps to individually review and protect their personal data. As they did, more employees began to report issues once they reviewed their information. We brought in the sheriff’s office and have asked each employee affected to complete an affidavit detailing their issues. I understand the sheriff’s office is consolidating all the affidavits and is handling this as a single case. Some employees had the bank account where they receive direct deposit of their pay checks accessed and funds removed, a few others have had fraudulent credit card charges or accounts set up in their names.”
Handy elaborated further, “We know that from May 21, 2012 until September 24, 2012 one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in identity theft for at least 50 employees. We know that by working between files, data regarding name, Social Security number, date of birth, and Direct Deposit Account numbers were accessed. Additional directory information such as address, phone numbers, college email address, etc. was also likely compromised.”
“We speculate that this was a professional, coordinated attack by one or more hackers. We believe that the hackers are having to do specific work to pull together enough information about an individual employee to steal their identity. We do not believe that they have accessed this information on all 3,200 individuals in the file, but that the potential does exist,” Handy said.
In terms of student data, Dr. Handy noted, “In addition to the employee data, it appears that some student information including public directory information, as well as birth date and Social Security number, may have been accessed, but we have no evidence at this point that shows that this information was taken. There is no indication that any student academic files have been compromised.” Handy stressed that the college has had no complaint reports from students to date. “We will formally send student notifications when we have more complete information.”
“We also believe that a few vendors (less than 40) with whom we do electronic funds transfers for bill payments may also have had account information taken but, again, we have no concrete evidence that this information was taken.”
Dr. Handy stressed what is currently known and what is still speculative, based on the on-going nature of the investigation. “We know that three specific mechanisms have been used to engage in identity theft. The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting the employee’s personal bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card. We know that current employees and all retirees/past employees since 2002 who have had direct deposit of their pay have potentially had their information compromised. We know that the total number of potentially impacted employees is about 3,201.”
Dr. Handy noted that the college is working to set up a website, which should be up by the end of the week, that will include information and updated postings on the issue. The site address will be announced as soon as it becomes available.
UPDATE (October 10, 2012): A website with the latest information about the data security breach is available at http://www.nwfsc.edu/security/.