University and outside law enforcement agencies continue to investigate the computer information security breach that occurred in September in which unknown perpetrators accessed the sensitive identity information of 7,847 current and former UGA employees.
Recent reports indicate that breaches of a similar nature also have been perpetrated in other states and at other universities—most notably a case in South Carolina—according to Timothy Chester, UGA vice president for information technology.
New information has UGA officials re-emphasizing the need for strong MyID passwords. At the same time, the university is looking to roll out additional security measures in the coming months to protect systems with sensitive information.
As a precaution, UGA is providing free credit monitoring to those affected by this incident and also to those affected by last year’s disclosure of information.
To request these services or for answers to questions regarding this incident, individuals should call the EITS Help Desk at 706-542-3106 or visit http://fraudconcerns.uga.edu.
On Sept. 28, unknown perpetrators successfully reset the MyID passwords of two UGA employees who had access to university information systems. The hackers were able to successfully download human resources information, including the sensitive identity information of nearly 8,000 employees.
The university has since notified the affected individuals by mail.
Chester and his wife, Gail Chester who works in Finance and Administration, were two of the employees impacted by the breach. He said they already have signed up for free credit monitoring and encourage others to do so also.
Signing up is simple. After contacting the EITS Help Desk, employees are given the Web address of the credit monitoring agency and a promotional code that gives them one year of free monitoring. Users will then sign up for the service online.
As of Columns’ press time, there have been no confirmed reports of unauthorized use of the stolen data. Employees who believe they are the victims of identity fraud should contact EITS.
Chester said the investigation so far into UGA’s breach and information from other recent breaches shows a trend in which perpetrators identify employees with access to sensitive information and then take advantage of potential weaknesses with log-in information.
An unknown vulnerability has been discovered in the commercial software used by UGA for resetting forgotten passwords. That feature has since been disabled and is now being investigated as a possible root cause for the breach.
UGA faculty and staff should remain diligent in maintaining strong passwords, Chester said. Additionally, employees should take notice if they receive email informing them of a password change. If employees receive such a notification when they did not change their password, they should alert EITS immediately.
Users needing to change their passwords or get new MyIDs should do so on campus from an on-campus computer, as a firewall has been set up to block off-campus access. Employees who don’t work on the Athens campus should call the EITS Help Desk.
Following up on new lessons learned, the university is taking steps to add security measures to accessing critical information, Chester said.
“What we are learning is that usernames and passwords are not always enough to protect sensitive information,” he said. “We’re going to have to step it up a notch.”
In the next 90 days, EITS plans to implement additional protection requiring some employees with access to sensitive information to have hardware authentication to access that data.
Chester said that he is available to attend meetings of students, faculty and staff to answer questions and hear concerns. He can be contacted at tchester@uga.edu to arrange participation at such meetings.
