University officials continue to piece together their response to the Feb. 18 data security breach, confirming yesterday the approved members chosen for a task force that will develop a course of action for the administration moving forward.
In an email sent Tuesday afternoon, university President Wallace Loh announced the creation of the President’s Task Force on Cybersecurity, a 12-person team comprising university employees, students and cybersecurity professionals that has 90 days to develop a proposal for future improvements.
“They’re looking for needles in this very large haystack,” said former provost and current geology professor Ann Wylie, the task force’s director. “There is no static place you can arrive at in which you have solved all these problems. That’s not possible. And so the only thing that you can do is to continually re-evaluate the security measures that you have in place.”
Loh charged the task force with three priorities: find sensitive personal information in the databases and either purge or protect it, self-hack the system on a regular basis to discover weaknesses and strike a balance between databases operated by the university and those operated by its individual colleges.
“Our university’s entire cybersecurity system is only as strong as its weakest link,” Loh wrote in the email.
Last week’s cyberattack raised questions about the sophistication of this university’s digital security infrastructure, with some students and alumni wondering how vital information such as Social Security numbers could be accessed and copied from such a large, established institution.
“I don’t think any organization can ever be 100 percent secure if they’re connected to the Internet,” said Wylie, who will also serve as interim information technology vice president. “I don’t feel that we are negligent or inattentive to these issues. They’ve been front and center in IT for a long time. It’s just a continual process that we can never let down our guard.”
To protect affected individuals, the university increased its one year of free credit monitoring to five years Tuesday. The service will cost the university about $6 million if all 309,079 affected people sign up, said Brian Ullmann, the university’s marketing and communications assistant vice president.
But on the first day of registration, some students, faculty and affiliates who called the university hotline multiple times heard conflicting answers as to whether their information was compromised in the attack, according to an article published Tuesday by Capital News Service.
Crystal Brown, university chief communications officer, said calls to Experian, the credit monitoring service provider, exceeded expectations and led to technical difficulties. More than 40,000 calls were made within the first three hours, she wrote in an email.
Because of the unexpectedly high volume of calls, Ullmann said Experian did not have a sufficient number of on-call operators tasked with handling the data breach, which caused miscommunication.
“[Some callers] automatically rolled to other operators who weren’t as trained on it, and then those operators gave out incorrect information because they hadn’t been properly trained,” Ullmann said. “That issue has been largely resolved.”
Experian is the same credit service provider that handled the aftermath of a 2010 security breach at Ohio State University that affected about 760,000 people. But because that university waited nearly three months to inform its students, letters had already been sent out with instructions on applying for protection online.
Letters will be mailed out as the definitive alert to those who were affected at this university, Ullmann said, but not for another two weeks or so. The university has only alerted about 127,000 of the more than 309,000 affected so far by way of email or automated call, he added.
Experian is in the process of matching Social Security numbers with addresses to which they can mail the letters, Ullman said.
“[It] is the only way that we can ensure contacting every single one of the 309,000 people,” Ullmann said.