I want to ride my bicycle Get the lowdown on everything cycling in our parks and trails special issue. PAGE 4
Keep BS out of the BCS
Sports columnist Lanny Holstein offers his take on the college football playoff debate. PAGE 2
THE
VOLUME 111, ISSUE 150
DAILY NEBRASKAN WWW.DAILYNEBRASKAN.COM
HACK’N NU
WEEK OF JUNE 4, 2012
Following a massive cyber attack, University of Nebraska officials take steps to notify the hundreds of thousands potentially affected Katie Fennelly Daily Nebraskan
At about 10:15 p.m. on Wednesday, a University of NebraskaLincoln information technology employee discovered a breach of the University of Nebraska Student Information System (NeSIS). By Friday evening, the university announced to the public that a breach had occurred. The database, which is used by the four NU campuses— UNL, University of Nebraska at Omaha, University of Nebraska at Kearney, University of Nebraska Medical Center as well as the Nebraska College of Technical Agriculture—houses personal records for students and staff, as well as parents and people that applied to the
university but did not enroll. Melissa Lee, NU’s communications director, said the breach affected as many as 654,000 people. “We are continuing to analyze the database,” Lee said. “That number (654,000) is likely to go down, as there are some people who are counted twice, myself included. Many university employees are also alumni.” While the university hasn’t released any specifics on the nature of the breach, it continues to call it a “sophisticated and skilled attack.” “It wasn’t just somebody poking around,” Lee said. “This person knew what they were doing.” The university has enlisted the UNL police department to head the investigation and has
contacted the FBI. It also brought in a forensics firm with the goal of reconstructing what happened, as well as identifying weaknesses in the university’s database system, Lee said. On Saturday, the university emailed about 21,000 people who have bank account information stored in the records database. The email advised people to monitor their financial accounts though at this point there have been no reports of suspicious activity. “At this time there is no clear
SECURITY | PAGE 6
BEA HUFF | DAILY NEBRASKAN
After security breach, NU’s legal liability comes into question Potential lawsuits loom despite proper notification Katie Fennelly Contributed by Kevin Moser Daily Nebraskan On Wednesday, the University of Nebraska-Lincoln Police department confirmed it has identified an individual in last week’s security breach of the University of Nebraska’s Nebraska Student Information System. The university seized a computer and related equipment from a UNL undergraduate student. At this time, no name has been released and charges haven’t been filed. It’s unclear whether one or more people are suspected in the attack. While the university attempts to nail down the problem, its legal liability may be coming into question — bringing about the posibility of lawsuits. The university went public
with the security breach Friday, May 26, nearly 48 hours after discovering the hack. Students and those with financial information tied to their accounts were notified the following day. University faculty and staff were notified the following Tuesday. While it was originally thought the breach only compromised the University of Nebraska’s security — which includes the University of Nebraska-Lincoln, the University of Nebraska at Omaha, the University of Nebraska Kearney, the University of Nebraska Medical Center and the Nebraska College of Technical Agriculture — it’s now believed that personal information from individuals in the Nebraska State College System. The college system’s three campuses – Chadron State College, Peru State College and Wayne State College – also use NeSIS and may have been compromised too. Under Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006, any entity in the state that houses personal information must notify
affected Nebraska residents in a timely matter if security is compromised. While a timeframe for notifying the public isn’t given under the statute, James O’Connor said he believes the university acted in good faith. O’Connor is the chairperson of the technology and intellectual property practice group at Baird Holm law firm in Omaha, Neb. O’Connor’s group regularly handles information breaches similar to the university’s. “The legal threshold (for notifying individuals) in Nebraska is if the data will be misused,” he said. “So far, I think they have done a great job informing the affected individuals. They have taken the right steps.” But just because the university has followed appropriate legal procedures doesn’t mean everyone affected by the breach is content. Mike Jones, an NU Board of Regents candidate, criticized the delay in notifying the public. “That’s valuable time that people could have used to take the steps needed to protect
themselves,” he said. UNL Police Chief Owen Yardley said the university waited 48 hours to inform the public so as to not impede his department’s investigation. “In order to assist with the criminal investigation, police asked the university not to release information about this security incident during the first 48 hours as work was done to verify the identity of the individual involved and necessary legal steps were taken to seize the property,” Yardley said in a May 30 news release. While it’s highly unlikely the university will face legal action about the notification process, it’s unclear whether the university will face a lawsuit, O’Connor said. “When these large-scale data breaches occur, there’s always a possibility of a class action lawsuit,” he said. “This would likely be where people are saying that the university did not exercise reasonable and appropriate security safeguards.” In the past, organizations including Citigroup and Sony have faced class action lawsuits
SECURITY | PAGE 6
PROTECT YOUR IDENTITY From an email sent to University of Nebraska students by Joshua Mauk, the information security officer for University of Nebraska:
WHAT YOU CAN DO NOW 1. We recommend that you contact one of the three primary credit reporting agencies to place a free Initial Security Alert (90-day) to your credit report. This can be done online or via phone and will alert you to any attempt to establish or extend credit in your name. The three companies are TransUnion (“Initial Fraud Alert”) (800) 680-7289, Experian (“Initial Security Alert”) (888) 397-3742 or Equifax (“Initial 90-day Fraud Alert”) (800) 525-6285. You need only register with one agency and the others will be alerted. 2. If you have a bank account associated with your student information account, you should have already received an advisory notice. Monitor your bank accounts carefully and report any suspicious activity to your financial institution immediately. 3. Follow updates on the situation and access additional resources, including a video on using fraud alerts, at our website: nebraska.edu/security. In addition, you can submit questions and comments regarding this incident at the website. We will monitor these comments and respond to all questions submitted as quickly as possible. 4. A telephone service center will be instituted in the future to assist employees, students, parents and alumni whose personal information may be at risk. Check the website for information on contacting the service center.