Frequently Asked Questions Regarding Security Breach at CCSU

Debix/AllClear ID - Deadline for Enrollment is September 15, 2012

Please note: For those individuals who received a notice pertaining to the security breach in February 2012, the last day to sign up for Debix/AllClearID coverage is September 15, 2012.

This website is in response to a security breach at Central Connecticut State University that exposed a large number of CCSU faculty, staff, and students to potential identity theft and other misuse of personally identifying information.

To hear an audio recording of the public forum on the data security breach held at CCSU on March 13, please click here.

1. How do I find out if my personal information was compromised by the security breach?
The University is working with Debix/AllClearID, a company that provides extensive credit monitoring and related services, to provide written notification to those individuals whose personal information may have been compromised and to inform them what credit monitoring services are available - at no expense - to them. All individuals affected by this incident will be receiving a letter in the mail outlining how to enroll in protection.

 

2. What specific information was at risk of exposure?
Social Security Numbers and names for current and former CCSU faculty, staff, and students/alumni.

 

3. Why did it take so long for notification?
The short answer is: it took several weeks to adequately determine the scope and nature of the breach, and this created most of the gap between breach detection and notification. The longer answer: As noted (#4) below, the breach was discovered December 6, 2011; it was determined that the computer had been infected on November 28. CCSU IT and a certified forensic analyst examined the computer hard drive to determine the nature and scope of the breach. CCSU learned of the conclusions of the analysis on February 13, 2012. From that point on, Information Technology and Marketing & Communications collaborated to arrange for identity protection coverage through Debix, match SSNs with names and contact information, and implement communications. On February 16, President Miller announced the breach to the campus. On February 21 IT completed the matching of SSN with names and contact information and provided that data to Debix. And on February 22, an email alert was sent to those on campus for whom IT had been able to match SSN, name and email address. Because it was determined that there would be a gap of 6 to 10 business days between the uploading of contact information to Debix and the arrival of the letter from Debix, Marketing & Communications sent an email alerting the particular people whose SSN was on the infected computer so that they could take precautions during that interval.

 

4. How did the situation occur?
The University learned on December 6, 2011, that a computer in CCSU’s Business Office was infected with a “Z-Bot” key-logger virus designed to relay information obtained from the computer. As soon as it was discovered, the computer was immediately disabled. Subsequent forensic analysis revealed that the data on the computer had been exposed for approximately 8 days. The forensic analysis could not determine whether any data had actually been compromised, stolen, or misused. CCSU and the Board of Regents System Office, however, believe that the exposure warrants offering comprehensive credit/identity theft monitoring services to all those whose information was at risk. A Z-Bot typically works by sending precursor malware to take advantage of existing software vulnerabilities (not always related to security) and then establish a pathway for the Z-Bot to attack the computer and escape detection. The forensic analysis was unable to determine exactly the steps leading up to the attack, though it was apparently caused by a computer operator whose browser inadvertently landed on an online site that hosts Z-bots and other malware.

 

5. Why is the University offering two years of credit and personal identity theft protection? Why isn't it longer?
The State Attorney General has recommended that institutions provide two years of such coverage, and we believe that is standard for colleges and universities in Connecticut. However, there is good news: Debix will be providing, at no cost to individuals, a service it calls AfterCare. Below is the description of the program and it is annually renewable for as long as you wish to receive Debix coverage. Below is Debix's description of the program.

What happens after the two years of sponsored service expires?
Customers will be notified 30 days before their sponsored service is set to expire. If the customer takes no action their account will automatically be transitioned to AfterCare protection.

What is AfterCare?
To minimize brand tarnish and customer turnover, Debix Breach AfterCare provides expert identity repair service for consumers that begins after OnCall credit monitoring protection expires. This feature is provided to your customers as part of breach remediation at no extra charge.


What does AfterCare include?
Debix is in the unique position to be able to provide identity repair services to consumers so you can have long term protection after a data breach. AfterCare identity repair service includes:

 

6. What is being done so that it does not happen again?
The University’s Information Technology office is working with the System Office and others to develop procedures and, where necessary, to implement data infrastructure to protect data stored on computer hard drives and servers. University personnel and departments with access to sensitive information will receive additional training in data protection. This combination should significantly reduce the likelihood of data disclosures and increase awareness about identity theft prevention.

 

7. How many individuals were affected by this breach?
We have determined at this point that 18,763 people were affected by this breach. That number includes current and former faculty, staff, and students dating back to 1998.

 

8. Do we know if any personal information has been misused?
Based on forensic analysis we believe that there is no evidence of actual misuse of the personal data in the compromised database or that it has been retrieved or stolen. This does not mean that the data has not been misused, only that it has not been detected.

 

9. What steps did the University take before announcing the security breach?
Working with a computer security expert at the Board of Regents System Office, the University first determined the source and extent of the security breach. Once that was established, we worked to develop current contact information for those put at potential risk. We then established a contract with Debix to provide comprehensive credit and identity theft protection for those who may have been affected.

 

10. In comparison to other breaches, how damaging or serious is this?
We take all data security incidents seriously. Although recent computer security breaches at other institutions were two to three times the size of ours, and although we have no evidence that anyone’s personal information was retrieved or that any information was misused, the University believes that any incident that potentially exposes personal identity could risk compromising personal identity information and create significant problems for our faculty, staff, students, and others associated with them.

 

Resources
Federal Trade Commission Report: What to do if your personal information has been compromised. Click here (external link).

For further questions, email: McLaughlinM@ccsu.edu