3 IT employees for the North Dakota University System put on administrative leave for data breach

Investigation revealed some employees didn't think server security was part of their job


Aug. 22--Three high-level employees who dealt with Internet security for the North Dakota University System have been put on administrative leave following a server security breach last winter.

At a State Board of Higher Education Audit Committee meeting Thursday, Vice Chancellor for Information Technology and Institutional Research Lisa Feldner said a workplace investigation revealed some employees didn't think server security was part of their job.

"One of the things we felt following the breach was that the team isn't as cohesive as I'd like to see it and there's a lot of, not finger-pointing per se, but employees saying 'That's his job, her job, somebody else's job.'"

The three employees who were put on leave are Richard Jacobson, William Walker and Marv Hanson, according to SBHE spokeswoman Linda Donlin.

The personal information of more than 290,000 current and past NDUS students, staff and faculty was vulnerable for four months before the hack was noticed Feb. 7. Several agencies, including the FBI, looked into the security breach and found that the hacked server was most likely used as a "launch pad" for an overseas entity to access other servers.

Updating security

This comes after the NDUS was warned about possible IT security flaws in a 2011 report, though university system representatives "couldn't speculate" as to whether the holes mentioned in the report were used to gain access to the server.

At a March SBHE meeting, Feldner blamed the server breach on a lack of intrusion-detection measures. Even though she was the state's chief information officer for seven years before joining the NDUS in May 2013, Feldner told the board she was unaware the highest level of intrusion detection had not been applied to the NDUS data network.

"I didn't realize in my former life that we weren't part of intrusion detection at the time," Feldner told the committee Thursday. "I thought when we put them on the network... I thought it applied to everyone."

Not changing passwords often enough also left the server vulnerable, she said.

Moving forward, Feldner told the committee the IT department has installed high-level intrusion detection on 75 percent of the NDUS network so far. Scanning tools that look for abnormalities and weaknesses in the system have also been upgraded.

"Security is everybody's job," Feldner said. "It's every employee's job to make sure things are secure and to understand the threats."

North Dakota State University recently requested to be excluded from the new security measures for a variety of reasons, including giving students and faculty a "false sense of security."

Feldner's office denied the request, saying the concerns listed by the university weren't valid.

Copyright 2014 - Grand Forks Herald