Updated: April 22, 2014.
About the breach
Information technology specialists have discovered a breach affecting five departmental servers on campus. In-depth analyses revealed the compromised servers contained Social Security numbers of approximately 29,780 students enrolled at Iowa State between 1995 and 2012. There was no student financial information in the records, and there's no evidence any of the files were accessed.
The servers were hacked by an unknown person or persons seeking to generate enough computing power to create a type of digital money known as bitcoins.
While university officials don't believe personal information was the target, the information was exposed. So officials have taken these actions:
- Letters were mailed April 22 to all individuals whose SSNs were on compromised servers. In the letters, senior vice president and provost Jonathan Wickert urged recipients to monitor their financial reports and offered them free university-funded credit monitoring.
- Letters from Provost Wickert also were sent April 22 to another 18,949 students whose university ID numbers (not SSNs) were on compromised servers. University IDs generally are used in combination with a password and have no use beyond campus. The exposure of these numbers doesn't pose a financial threat.
- Law enforcement officers were notified of the breach as soon as officials discovered that students' personal information was on the compromised servers.
Free, expert help in identity protection
The university has hired AllClear, a national firm that specializes in identity protection, to assist those affected by the breach. AllClear representatives, available at 877-403-0281, are knowledgeable about how to watch for and deal with identity theft and fraud.
Free credit monitoring
For those with exposed Social Security numbers, Iowa State will purchase one year of credit monitoring. Those who wish to do so can opt for a second free year at the end of the first. AllClear, 877-403-0281, can set up credit monitoring.
Three compromised servers contained the SSNs of some students who took classes in:
- Computer science (1995-2005)
- World languages and cultures (2004, 2007, 2011-2012)
- Materials science and engineering (one class only in ENGR101 in fall 2001 and MATE214 in spring 2001)
Two other servers, one in agricultural and biosystems engineering and a second in materials science and engineering, were accessed, but those servers did not have any files containing personal information.
Steps to secure information
In response to this incident, the university is taking these steps to better secure information:
- The compromised servers, all network-attached storage devices made by Synology, have been thoroughly examined. Any files containing SSNs or other personal student information have been deleted.
- Files containing SSNs have been deleted from those servers.
- Compromised servers have been removed from the Internet and destroyed. Other servers of the same type are no longer accessible through the Internet, have received software updates to prevent hacking and will be replaced as soon as possible.
- Officials are identifying file servers on the campus network to ensure that protected information is either removed or stored appropriately.
- The university has deployed software that regularly scans computers, servers and other devices to locate protected information.
- Officials are accelerating implementation of ISU's new Data Classification Policy, which provides enhanced security standards.
- University-owned laptops will be encrypted.
- Stronger password standards will be enforced.
Beware of phishing scams
Iowa State University, the ISU Foundation and the ISU Alumni Association regularly and legitimately request information by phone, mail and email. However, no one from Iowa State will ever ask for your Social Security number.
If you suspect fraud or question whether a request you receive is legitimate, please contact:
- ISU Foundation, 515-294-4607
- ISU Alumni Association, 515-294-6525
If you suspect a caller is phishing for personal information, you also may report such incidents to:
- Iowa State’s computer security team at firstname.lastname@example.org
President, provost unveil plans to boost information security
Inside story, April 24, 2014
Iowa State, IT staff discover unauthorized access to servers
News release, April 22, 2014
SSN letter to students (PDF)
April 22, 2014
ISU ID letter to students (PDF)
April 22, 2014