An unauthorized individual may have gained access to sensitive personal information of everyone who was enrolled in classes at NC State in 2013 after a university employee mishandled student data.
On Dec. 7, the employee at fault sent an email from their university account with an attached file containing the names, mailing addresses, student ID numbers and Social Security numbers of about 38,000 students.
On June 3, the same employee gave their account credentials to a third party impersonating another NC State employee, giving that person access to the account and potentially to the students' personal information. This scam tactic is known as phishing.
The university has shared the findings of its investigation with the FBI, which is not treating this as a major data breach because of the way in which the third party came upon the data. The FBI has not reported back to the university any indication that this breach is part of a larger pattern, according to Marc Hoit, vice chancellor for the Office of Information Technology and the university's chief information officer.
Hoit said that this is a “small incident” in the FBI’s eyes because this information was “stumbled upon” and not found by deliberately hacking into the university’s secure systems, which would indicate a much more significant threat.
“A mistake was made,” Hoit said. “[The employee] didn’t use the proper process for transmitting the data. We still don’t believe that the data was actually accessed, but we’re being cautious and doubling our efforts to make sure people don’t do this.”
Andrew Kotynski, assistant director of Information Security Services, led the incident response team that investigated the breach. He said in an email that there is “a greater chance that the file was never touched.”
Kotynski also said his team was able to verify that the file was not forwarded from the account to anyone other than the person who originally received it from the university employee in December. However, Kotynski and his team were not able to confirm that the phisher did not download the file themselves.
Using a university email account to send student information of this sensitivity violates the university policy governing the handling of "ultra-sensitive" data, Data Management Procedure REG 08.00.03.
Under REG 08.00.03, university employees are not permitted to store ultra-sensitive data, which includes SSNs, credit card information, passwords, digital signatures and fingerprints, on any NC State server. That data is under the care of the provost and executive vice chancellors, the university registrar and the director of security and compliance.
The employee at fault, whose name and position are being withheld from the public under state law, will not receive any type of punishment, according to Hoit.
Hoit said he does not know why the employee chose to email the data rather than use a secure internal system or why the data was being sent in the first place, though he maintained that this person is “a good employee” and that this was “an honest mistake.”
“If somebody did something malicious there would be punishment,” Hoit said. “This person was getting work done, they were tired and they did what they did. We’ve all made mistakes, right?”
Hoit said that if this breach had been caused by a "bad employee" who continually made mistakes, different actions would have been taken.
“This person feels bad enough on their own,” Hoit said. “They know they made a mistake and caused some serious problems.”
Hoit said that based on the data recovered in the investigation, the phisher was targeting the office in which the employee worked and had compromised two other university employee accounts before reaching the one that contained the student data.
The fact that the phisher sent three additional emails from the account containing the sensitive data while pretending to be its owner tells Hoit that the phisher most likely was not looking for SSNs when they found them.
What’s worrying, according to Hoit, is that phishers are getting more sophisticated and using new tactics to gain the trust of their targets.
“It’s not just ‘Let me send you a badly written email pretending to be someone you know,’ where it’s pretty obvious [that it’s a scam], they’re having people check their English and grammar,” Hoit said. “They’re actually getting into people’s accounts and watching how they write things and maybe even cutting and pasting from a previous email so it sounds like the voice of the person they’re [pretending] to send it from. It’s gotten to be very serious business.”
Kotynski said that the IP address of the third party who illegally accessed the account was from a foreign country.
Chief Information Security Officer Mardecia Bell said that the data breach was “a little surprising” and that it shows that the university needs to be better at educating its employees on the best practices for protecting themselves online.
The university has taken steps to address the concerns raised by this breach by speeding up the full rollout of two-step verification across all university accounts, which previously had been progressing slowly. In addition to their normal password, two-step verification requires users to enter a six-digit code sent to their mobile device whenever they log in from a computer other than their usual one, and again every 30 days.
This makes phishing scams against university Gmail accounts much harder to pull off, since a stolen password alone is no longer enough to log in. In response to this data breach, all university employees must adopt two-step verification by the end of July, according to Hoit. The measure is optional for students.
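To make concrete what that policy buys, here is a small Python model of it, added as an example rather than anything from NC State's systems: a password alone logs a user in only from a device that was verified with a code within the last 30 days, and each code is short-lived and single-use, so a phished password used from a foreign host gets nowhere without the owner's phone. The names, time limits and attempt limit in it are assumptions, and delivery of the code to the phone is stubbed out.

```python
# Added example, not NC State's code: a small model of the two-step
# verification policy described above.  A correct password is enough only
# from a device that was verified with a one-time code within the last 30
# days; any other login also needs a fresh six-digit code.  Delivery of the
# code to the user's phone is stubbed out, and every name and parameter here
# (TRUST_DAYS, CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS, the Account fields) is an
# assumption for the demo, not the university's configuration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRUST_DAYS = 30            # a device stays trusted this long after a code check
CODE_TTL_SECONDS = 300     # a delivered code is valid for five minutes
MAX_CODE_ATTEMPTS = 3      # wrong guesses allowed before the code is voided
DAY = 86400


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    trusted_devices: Dict[str, float] = field(default_factory=dict)  # device_id -> time verified
    pending_code: Optional[str] = None
    pending_expires: float = 0.0
    pending_attempts: int = 0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, password_hash=_hash_password(password, salt))


def issue_code(acct: Account, now: float) -> str:
    """Generate a fresh six-digit code.  A real system would send it to the
    user's phone and never return it; returning it here stands in for the
    user reading it off their device."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    acct.pending_code = code
    acct.pending_expires = now + CODE_TTL_SECONDS
    acct.pending_attempts = 0
    return code


def login(acct: Account, device_id: str, password: str, now: float,
          code: Optional[str] = None) -> str:
    """Return 'denied', 'code_required' or 'ok'."""
    # Factor 1: the password, compared in constant time via the derived hash.
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
        return "denied"
    # A device verified within the last 30 days skips the second factor.
    verified_at = acct.trusted_devices.get(device_id)
    if verified_at is not None and now - verified_at < TRUST_DAYS * DAY:
        return "ok"
    if code is None:
        return "code_required"
    # Factor 2: a live, unexpired, single-use code.
    pending = acct.pending_code
    if pending is None or now > acct.pending_expires:
        acct.pending_code = None
        return "denied"
    if not hmac.compare_digest(pending, code):
        acct.pending_attempts += 1
        if acct.pending_attempts >= MAX_CODE_ATTEMPTS:
            acct.pending_code = None      # void the code after repeated guessing
        return "denied"
    acct.pending_code = None              # a code can be used only once
    acct.trusted_devices[device_id] = now
    return "ok"


def demo() -> List[str]:
    """Walk the scenario from the article: the owner enrols a laptop, then a
    phisher who holds the password tries from a foreign host."""
    t0 = 1_700_000_000.0
    pw = "correct horse battery staple"           # constructed sample password
    acct = make_account(pw)
    results = []
    results.append(login(acct, "owner-laptop", pw, t0))               # code_required
    code = issue_code(acct, t0)                                       # "sent" to the owner's phone
    results.append(login(acct, "owner-laptop", pw, t0 + 30, code))    # ok
    results.append(login(acct, "owner-laptop", pw, t0 + DAY))         # ok: trusted device
    # The phisher has the password but not the phone: new device, code required.
    results.append(login(acct, "foreign-host", pw, t0 + 2 * DAY))             # code_required
    results.append(login(acct, "foreign-host", pw, t0 + 2 * DAY, code))       # denied: code already used
    results.append(login(acct, "foreign-host", pw, t0 + 2 * DAY, "123456"))   # denied: guess
    # After 30 days even the owner's own laptop must re-verify.
    results.append(login(acct, "owner-laptop", pw, t0 + 31 * DAY))    # code_required
    return results
```

The demo deliberately does not issue a new code on the phisher's attempt; a real system would send one to the owner's phone, which is exactly the thing the attacker does not have, so the outcome is the same.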
Affected students will receive a free year of a credit monitoring service. This, along with the investigation, is covered by the university’s cybersecurity insurance policy. None of the costs incurred as a result of this data breach are being taken from student tuition fees.
Hoit said the most important thing to remember when you are unsure whether an email is a scam is that, while the university may ask for your Unity ID or your email address, it will never ask for passwords, SSNs or the code from the two-step verification process.