Ferris Network Security Breached

Unauthorized person gains access to personal information of 58,000 individuals

by Published: Aug 26, 2013

In a world of highly pro­tected dig­i­tal infor­ma­tion, Ferris State University expe­ri­enced a major blow that could affect 58,000 people.

Ferris learned on July 23 that an unau­tho­rized per­son had breached net­work secu­rity and gained access to the names and social secu­rity num­bers of approx­i­mately 39,000 stu­dents, fac­ulty and staff.

Additionally, 19,000 cur­rent, for­mer and prospec­tive stu­dents’ names and campus-wide stu­dent iden­ti­fi­ca­tion num­bers were accessible.

Second-year Ferris optom­e­try stu­dent Emily Carlson’s name and ID num­ber were in the files accessed. She said she trusted Ferris to keep such infor­ma­tion safe.

“That’s per­sonal infor­ma­tion that you don’t just give away to any­body,” she said. “I just hope that some­one didn’t get ahold of my social secu­rity num­ber. You hear about peo­ple get­ting their iden­ti­ties stolen, and you never think it could hap­pen to you.”

Despite the sen­si­tiv­ity of the infor­ma­tion, affected indi­vid­u­als were not noti­fied until Aug. 14, nearly three weeks after the inci­dent occurred. The uni­ver­sity did not release a state­ment regard­ing the data secu­rity issue until Aug. 15.

Carlson ini­tially learned about the data secu­rity breach from her home­town news out­let. She pro­ceeded to check MyFSU for addi­tional infor­ma­tion but found none.

“I fig­ured my infor­ma­tion wasn’t in the file since I hadn’t heard any­thing from Ferris,” Carlson said. “I was sur­prised when I got a let­ter in the mail dated three weeks after [the inci­dent happened].”

Sandy Gholston, Ferris’ news ser­vices and social media man­ager, defended the university’s delay in noti­fy­ing the public.

“There’s a due dili­gence period the uni­ver­sity had to under­take before mak­ing sure we had the cor­rect infor­ma­tion to notify the pub­lic,” Gholston said. “There was a del­i­cate bal­ance of get­ting infor­ma­tion to peo­ple quickly and accurately.”

Carlson believes the uni­ver­sity should have informed her sooner.

“I shouldn’t have heard about it on Facebook or the Detroit news first,” she said.

John Urbanick, Ferris’ chief tech­nol­ogy offi­cer, wrote in a press release that the uni­ver­sity imme­di­ately shut down the breached server, which is used to oper­ate Ferris’ web­site, and hired a lead­ing national com­puter foren­sic firm to help inves­ti­gate the inci­dent. The firm also will assist in block­ing any fur­ther unau­tho­rized access.

The inves­ti­ga­tion did not find any evi­dence that the unau­tho­rized party actu­ally reviewed or removed any infor­ma­tion,
Urbanick wrote. The uni­ver­sity has not received any reports from stu­dents or employ­ees that their infor­ma­tion has been misused.

“The inves­ti­ga­tion is still in progress,” Gholston said. “Once the inves­ti­ga­tion is closer to com­ple­tion, we’ll have a bet­ter idea of what hap­pened and what the steps need to be going forward.”

The strug­gle to pro­tect sen­si­tive data from hack­ers is an “ongo­ing bat­tle,” Gholston added.

On Aug. 14, the uni­ver­sity mailed let­ters to the approx­i­mately 58,000 indi­vid­u­als whose infor­ma­tion was in acces­si­ble files. The indi­vid­u­als whose names and Social Security num­bers were view­able are being offered one year of free credit mon­i­tor­ing to address con­cerns. Students whose names and campus-wide stu­dent iden­ti­fi­ca­tion num­bers were acces­si­ble may request a change to their campus-wide ID num­ber by vis­it­ing fer​ris​.edu.

A ded­i­cated call cen­ter has been estab­lished to address ques­tions and con­cerns from affected indi­vid­u­als. The call cen­ter is open from 9 a.m. to 7 p.m. Monday through Friday. The toll free num­ber is (877) 283‑6566. Identity theft resources and answers to fre­quently asked ques­tions can be found on Ferris’ website.

Carlson is anx­ious for more news and hopes the uni­ver­sity will be able to pro­vide answers as to how a secu­rity breach of this mag­ni­tude could occur.

“It’s scary to think about,” she said. “There’s a lot of unknowns.”

  • Thomas Wilson

    Will there be a fol­low up to this. I would love to hear more form the Ferris CTO or some of their secu­rity ana­lysts on the IS team about how this hap­pened and what mea­sures they’ve taken to tighten security.