Eastern Michigan University is still not releasing any new information regarding the data security breach that occurred earlier this month after two former student employees accessed the personal information of 45 students and provided it to a third party.
EMU Department of Public Safety Lieutenant Jeff Nesmith said that because the investigation is ongoing, there isn’t much he can say about the matter.
“Really, we’re just continuing to work on it and work with federal agencies and trying to pursue this criminally,” Nesmith said. “There is still some ongoing analysis being conducted.”
Although the University cannot provide any additional details, Eastern’s Chief Information Officer Carl Powell provided insight into the different types of breaches and how exactly they can impact a business or, in this case, an institution of higher education.
“Well, as you look at breaches, first you have to look at cyber breaches,” Powell said. “Security and data are not identical but they overlap.
“There are two different types of targets when it comes to breaches. They are either targets of intent or opportunity. A bank robbery would be the perfect example of intent and a group of hackers ‘just going around looking for opportunities,’ is an example of an opportunity.”
“So related to that, at universities, we encounter both of these on a daily basis,” Powell said. “There are those who are trying to root around or look for student and employee data.”
According to the Division of Information Technology website, an incident response team was created to safeguard information technology systems and the sensitive client data they support.
The website also states the team works with university legal counsel, law enforcement, system administrators, human resources and management to offer an immediate response to IT security incidents from both internal and external sources.
Powell said he couldn’t comment as to whether the IRT is being used in this situation.
“In that instance, I can’t really comment or make any external comments on that because the investigation is still underway,” he said. “Not to say there won’t be any in the future. I can’t give you specifics on that one, but I will say any time there is suspected electronic malfeasance, we may not activate the entire IRT, but we will definitely get our security team involved to work with EMU Police and other agencies. We work with groups as necessary.”
On Sept. 3, 2010, EMU experienced a server security breach and log-in information was obtained, but no personal data such as Social Security numbers was taken. Powell said he believes EMU has stepped up security since then.
“Yes, in part,” Powell said. “One of the things to look at is it was fairly robust. A software product from the vendor had a vulnerability in it that the hacker attacked. It can happen on your own personal computer. Now some actions we specifically took on this, was to look at the server in question. We did some unlinking of the personal info. No personal identifiable information was at risk, but we still wanted to increase the security. At no point was it at risk.”
One of the actions the university took was to mask some of the fields normally on display when logging onto the network.
“If someone is looking over your shoulder, someone wouldn’t be able to see that,” he said. “We took some additional procedures.”
An exact figure for the cost of the 2010 data breach was not given, but Powell said it did not exceed the insurance policy deductible of $100,000. If costs were to exceed the deductible in any case of a data or security breach, the University would provide additional funds.
“The University does have a policy for cyber security so that if something happened, we could get the proper results and not be limited with funds,” he said. “This is a policy available at all higher education entities.”
In the 2010 breach, an outside company, Kivu Consulting, was brought in to help. Powell said the organization helped EMU to “laser in” on what was at risk and what wasn’t. The company set up a call center with trained agents to help the affected individuals.
Powell said he doesn’t have the information available to say whether or not the university plans to do something like that in the case of the 2011 breach.
“At this point, the contact info is through Walter Kraft,” he said. “I will tell you that we’ve had meetings and we are very serious about responding in a timely format as we can.”
Powell has been in the IT field for 27 years and has had a variety of stints, including one with the Secret Service. Within the last ten years, Powell said he’s seen a considerable increase in breaches because of the expansion of the internet.
“Technology has made it easier,” he said. “Unfortunately, I’ve heard more than my fair share of horror stories.”
There have been financial organizations that have had hundreds of thousands of records stolen, Powell said.
“It does occur more frequently, but on the positive side, more individuals are more aware,” he said. “Ten years ago, I don’t think a reporter would have thought this would have been newsworthy. It’s not scaring people, but making them aware.”
The IT department has a little over 60 student employees and they don’t have access to much sensitive data, Powell said.
“They don’t have access to very confidential student records,” he said. “Once we bring them on board, we have training regimes and educate them on the dos and don’ts.”
The workers might have access to log-in information at the Help Desk, but that is done with the approval of the individuals themselves, he said.
Powell said he wants the EMU community to be confident in its security.
“We operate a very secure environment here and the ability to protect the sensitive data is very important here at EMU,” he said. “What I would mention for individuals concerned is to please call our Help Desk. There have been several students that have emailed concerns. We do our best to respond whether it be EMU systems or a personal system