Virus hits personal information at The University of North Carolina Greensboro
Date Reported:
12/15/08
Organization:
The University of North Carolina at Greensboro ("UNCG")
Contractor/Consultant/Branch:
None
Location:
Greensboro, North Carolina
Victims:
"faculty, staff and student employees, including former UNCG employees"
Number Affected:
Unknown
Types of Data:
Personal information including "names, Social Security numbers, direct deposit routing and banking account information"
Breach Description:
GREENSBORO, NC – Employees at The University of North Carolina at Greensboro have been notified about a security breach, with potential data loss from a computer which contained personal information used to process the institution’s payroll.
Reference URL:
UNCG University News
The Business Journal of the Greater Triad Area
Report Credit:
Steve Gilliam, University Relations
Response:
From the online sources cited above:
GREENSBORO, NC – Employees at The University of North Carolina at Greensboro have been notified about a security breach, with potential data loss from a computer which contained personal information used to process the institution’s payroll.
Notification was sent on Monday to UNCG’s faculty, staff and student employees, including former UNCG employees, who have received payment from UNCG since April of this year.
“This is a very, very serious matter, and the university is taking all the necessary steps to assure the security of our employees’ personal and business information,” said Vice Chancellor for Business Affairs Reade Taylor.
“At this time, we are advising employees to check direct deposit accounts with their banks to ensure that no unauthorized activities, such as unknown or suspicious withdrawals, have been made.”
“We believe the risk to actual data is low, but we can’t take chances. We are notifying people about the situation, whether there is a risk or not.”
[Evan] This is the right attitude, in my opinion. This statement is a demonstration that Reade Taylor and UNCG understand the roles and responsibilities of owners vs. custodians of information.
The situation was detected on Thursday afternoon (Dec. 11), when a payroll employee received a notification of a virus alert while attempting to access data.
[Evan] A virus alert in and of itself may not constitute a breach, but as you read later, this computer was actually infected for quite some time.
The computer was located in the Accounting Services office.
It was discovered that the computer had been infected with a virus which may have allowed an unauthorized person to gain access to personal information.
[Evan] I am interested in knowing which virus.
Staff from UNCG’s accounting/payroll and information technology services areas are working to determine the level of access that unauthorized persons would have to employees’ personal information.
Material on the affected computer included names, Social Security numbers, direct deposit routing and banking account information.
After checking, there is evidence that the virus has been on the workstation since April of this year.
[Evan] Ugh. Since April? We usually recommend daily updates to virus programs and definitions, at a minimum. I think it is safe to assume that this computer, which is/was used to access sensitive information on a regular basis, had not been updated for quite some time.
IT staff members have not been able to determine whether or not any personal data has actually been accessed.
[Evan] This would require a forensic analysis.
Steps were taken immediately to see that personal information was protected from future unauthorized access.
[Evan] Containment is a critical step in an effective information security incident response.
When the security breach was discovered, UNCG technicians came to the site of the incident, made a copy of the data on the affected workstation, and took the workstation offline.
The hard disk of the affected workstation was reformatted.
[Evan] So much for the forensic analysis, eh? Investigation is also a very important step in a good incident response. Due to the fact that this system has been tampered with, i.e. reformatted and put back into service, there is a significantly smaller chance of conducting a thorough investigation that produces results. In this case, an investigation would be warranted in an effort to determine things such as how the system was compromised, was any data leaked, where did the attack (infection) originate from, and who may be responsible. Now we are left with what? In past experience, I have seen more wrong incident responses than I have seen right ones.
The workstation was reloaded with a clean copy of the operating system, and best practices were used to ensure that this image was protected, that the most current virus protection programs were loaded, and that the most current virus protection pattern file was in use.
A Web site, fsv.uncg.edu/incident, has been developed for employees to visit.
Employees with questions can call weekdays from 9 a.m. to 5 p.m.
Commentary:
UNCG did the right thing in making the decision to notify the affected people. It also appears that they did the right thing by identifying the problem and containing the damage as part of their incident response. Unfortunately, they damaged evidence by reformatting the hard drive and returning the system to service. Effective incident response requires formalization (policy & procedures) and regular practice (semi-annual or annual exercises). If you encounter an incident, and you do not have training on how to handle it, contact a good consultant (of course you could call me too ;)).
It seems as though we haven't had a virus infection breach in a long time on The Breach Blog, which is a little surprising given the frequency of occurrences. Virus infections are still very, very common and can be damaging. Chances are good that these breaches are grossly under-reported.
We recommend multi-tiered virus protection to many of our clients. When I say multi-tiered, I mean using virus protection on gateways (mail, web, etc.), servers, and client workstations. There was a day (years ago) when we wouldn't recommend virus protection on servers due to I/O performance issues, but those days are long gone. Another important protection against virus infections is regular patching of operating systems (servers, network devices and other infrastructure) and applications.
Past Breaches:
Unknown
