March 2015 IT Security Incident
STORRS, Conn. — The University of Connecticut is responding to a criminal cyberintrusion through which hackers apparently originating in China gained access to servers at UConn’s School of Engineering. UConn has implemented a combination of measures intended to further protect the University from cyberattack and to assist individuals and research partners whose data may have been exposed.
UConn IT security professionals, working with outside specialists, have no direct evidence that any data was removed from the School of Engineering’s servers. However the University is proceeding from an abundance of caution by notifying roughly 200 research sponsors in government and private industry, as well as working to determine how many individuals need to be notified about a potential compromise of personal information.
“UConn places the highest priority on maintaining the security and integrity of its information technology systems,” said Michael Mundrane, Vice Provost and Chief Information Officer at UConn. “That’s why, in addition to assisting individuals and research partners in responding to this incident, we’re taking steps to further secure our systems.”
The security breach was first detected by IT staffers at the School of Engineering on March 9, 2015, who found malicious software, or “malware,” on a number of servers that are part of the school’s technical infrastructure.
The School of Engineering immediately notified faculty, staff, students, visitors, and emeriti — as well as roughly 1,800 users of the Lync instant communication tool used across the University at the time — that their log-in credentials had potentially been compromised, and recommended those individuals change their passwords.
The University’s Information Security Office, in collaboration with School of Engineering staff and Dell SecureWorks, worked to identify the extent of the breach, secure the affected systems, and prepare a comprehensive review and response.
As a result of that process, this week the University began notifying research partners in government and private industry about the breach. Although the University has no evidence that any data was taken from the servers, or “exfiltrated,” the notifications are part of an appropriate, prudent response.
As part of the ongoing process of analyzing the extent of the attack, the University believes that personally identifiable information of consumers may have also been compromised. Those individuals whose sensitive information (such as Social Security numbers or credit card information) is determined to have potentially been compromised will be notified and provided with the option to enroll in identity protection services.
“The unfortunate reality is that these types of attacks are becoming more and more common,” Mundrane said, “which requires us to be even more vigilant in protecting our University community.”
In March 2015, information technology staffers at the UConn School of Engineering discovered malicious software on a number of servers that are part of the school’s technical infrastructure. This software potentially compromised data residing on these servers, including sensitive information pertaining to research and individual communications.
How did the University respond to this breach?
The University’s Information Security Office (ISO) was immediately notified, and jointly began a process of investigation and remediation with the School of Engineering’s information technology staff. The school immediately notified faculty, staff, students, visitors, and emeriti, as well as roughly 1,800 users of the Lync instant communication tool that their credentials were potentially compromised, recommended that anyone potentially affected reset their passwords, and surveyed the entire school to find out if any potentially sensitive or personal data was stored on the breached servers. The University subsequently brought in Dell SecureWorks to conduct a comprehensive incident response, including analysis of the cyberattack and a search for active threats that may have been missed in the initial response.
What did the investigation reveal?
Based on analysis done both internally by the University and by Dell SecureWorks, it was determined that the first penetration of a server on the School of Engineering network occurred on Sept. 24, 2013, with further penetration of the system occurring after that date. Although the University has no direct evidence that any data was exfiltrated, it is proceeding as if that were the case by notifying individuals with personal information that could have been compromised, as well as research partners outside the University.
How is the University assisting those whose data may have been compromised?
University officials are notifying individuals whose personally identifiable information could have been compromised by the security breach. Anyone who receives notification is eligible for enrollment in identity protections services at no cost for a year.
The University is also notifying approximately 200 public and private research sponsors who have executed contracts with School of Engineering faculty. Proceeding from an abundance of caution, UConn is notifying our research sponsors about the incident, although there is no direct evidence that research data was compromised.
What is the University doing to make its computer networks more secure?
Given the increasingly sophisticated threats against large organizations around the world, UConn has launched a comprehensive review of all related IT security practices and procedures. This review is part of a wider effort to protect University employees and sensitive data from attack.
Among the steps already taken are
- The access point for the attack was identified and the vulnerability patched
- All School of Engineering Active Directory passwords were reset
- Forensic analysis was conducted by internal security professionals as well as by an external firm
- All servers that contained any evidence of compromise were decommissioned and rebuilt
- More granular system firewall separation was implemented
- Account and system monitoring has been increased and tuned to identify any potential unauthorized access