UConn Responds to Data Breach at School of Engineering
The University is responding to a criminal cyberintrusion through which hackers apparently originating in China gained access to servers at UConn’s School of Engineering. UConn has implemented a combination of measures intended to further protect the University from cyberattack, and to assist individuals and research partners whose data may have been exposed.
Frequently Asked Questions Regarding Notification of Disclosure
1. What was the cause of the incident?
On March 9, 2015, Information Technology (IT) staff in the School of Engineering detected that malicious software, or “malware,” had been placed on a number of servers that are part of the School’s technical infrastructure.
The University’s Information Security Office (ISO) was immediately notified, began a process of investigation to determine what devices, files, data and systems had been impacted, and began remediation with the School’s IT staff.
Given the complexity of the incident, the ISO secured the services of Dell SecureWorks to conduct a forensic analysis of the cyberattack, and to support and enhance the capabilities of the School of Engineering IT staff in the investigation.
Through analysis by Dell SecureWorks and internal staff, it was determined that a hack originating from a Chinese IP address injected malicious software on a number of servers that are part of the School of Engineering’s technical infrastructure. It also was determined that the first penetration of a server on the School of Engineering network occurred on September 24, 2013, with further penetration of the system occurring after that date.
A press release issued by the University on July 31, 2015 further describes the incident and the University’s investigation. The press release can be found on UConn Today at http://today.uconn.edu/2015/07/uconn-responds-to-data-breach-at-school-of-engineering/.
Although the University has no direct evidence that any data was exfiltrated, it is proceeding as if that were the case and, out of an abundance of caution, is notifying individuals whose personal information could have been compromised.
2. I’ve been informed that my SSN/ITIN was part of the security incident; however, I’m unclear why my information was found on the School of Engineering’s servers. Can this be explained?
Our business practice requires, in some cases, that personal information and SSNs be stored within our organization for purposes such as admissions, financial aid or identity management. The University of Connecticut has a large internal population of more than 30,000 faculty, staff and students (full time, part time, continuing education, etc.). We also work closely with an even larger group of external business partners and organizations. You may have in the past had a direct or indirect connection to UConn that at the time required the collection of your SSN/ITIN. Or, you may have a recent, current or ongoing relationship with UConn that requires us to retain your SSN/ITIN. It was during our extensive search of all of the School of Engineering’s computer systems that your SSN/ITIN was discovered.
3. Why specifically was my SSN/ITIN stored on a School of Engineering server?
Many School of Engineering business practices require, or required at the time your SSN/ITIN was collected from you, that user data be extracted from source systems and stored on School of Engineering computers or servers in order to be completed.
4. What specific information was disclosed about me?
To date there is no direct evidence that any data was accessed or disclosed from the School of Engineering’s servers; however, there also is insufficient evidence to conclude that data was not accessed or disclosed. Given the inability to assure that the data has not been accessed or disclosed, the University is taking appropriate steps to provide notification to potentially impacted individuals and entities.
If you received notification, it is because your Social Security number (SSN) was identified in one or more files stored on School of Engineering servers and/or computers. Specific file types include:
- Student Grades, coursework and similar academic information
- School of Engineering Graduate Admissions Documents
- Class Roster information
- Employee Data
5. Why was this information about me stored on the School of Engineering servers and/or computers?
The data was stored by various administrative staff and/or faculty for them to conduct appropriate University business, such as to support academic, research, business and/or other administrative functions that required such data.
6. Who was responsible for the security of my information?
The University leverages both a central security office and staff within the School of Engineering to provide appropriate security controls. The data in question was stored within the School of Engineering network.
7. What did you do when the information was accessed and what are you doing about this so it does not happen again?
The University’s Information Security Office (ISO) was immediately notified, and jointly began a process of investigation and remediation with the School of Engineering’s IT staff. The School immediately notified faculty, staff, students, visitors, and emeriti that their credentials were potentially compromised, and recommended that anyone who might have potentially affected data on the School of Engineering servers or computers reset their passwords. The team also surveyed the entire school (Engineering faculty, staff and students) to assess whether any potentially sensitive or personal data was stored on the concerned servers. The University subsequently brought in Dell SecureWorks to conduct a comprehensive incident response, including analysis of the cyberattack and a search for active threats that may have been missed in the initial response.
Additional steps have been taken to rebuild any compromised systems and additional system monitoring has been implemented to enhance security controls.
8. Were there other individuals affected by this breach, or am I the only one?
Given the complexity of this incident, UConn is in the process of continually reviewing data and will continue to notify impacted individuals when and if their SSNs are determined to have been on the concerned servers or computers. At this time several thousand individuals are receiving a similar notice.
9. Does UConn still need to maintain my SSN/ITIN? And if not, has it now been purged from the University’s systems?
The School of Engineering is actively identifying and removing all electronic personal information from its systems that does not have a specific regulatory or business need to be retained. Much of this work has already been completed. Additionally, the School of Engineering is working in combination with the University’s central IT services to enhance and strengthen other information security standards and policies to ensure personal information is secure.
10. Have you notified the police?
The University is working with appropriate law enforcement agencies. It is the understanding of the University that the investigations remain ongoing.
11. Will we receive any additional information or update?
Should additional information become available, we will post an update here.