Unauthorized Server Access
Updated: February 20, 2014
In an email from the Chancellor on Jan. 31, 2014, we learned that one of our college servers was accessed by an outside source without authorization. The vulnerability has since been corrected, and we are actively working with the authorities and computer forensic specialists to investigate the full extent of the incident. In an effort to answer your looming questions in a timely manner, this web page has been created. Early in the investigative process, TSTC IT security analysts identified that employee-identifying information did reside on the server.
The college continued to investigate the server and found a small amount of student information resided on the server containing student-personally identifiable information. Notifications were sent to approximately 2,800 former students from TSTC Waco that were affected.
Below are the FAQs answered on this page.
According to Privacy Rights Clearinghouse, 30 colleges and universities across the United States had data breaches in 2013. Since the organization began compiling information on data breaches in 2005, there have been more than 600 data breaches at U.S academic institutions, resulting in the compromise of 12.5 million records. See more at: https://www.privacyrights.org/data-breach/new
Articles online illustrate how colleges across the nation, indeed the world, are subject to such vulnerabilities given the nature of the times in which we live. See:
On January 30, 2014, a network security analyst in the Office of Information Technology at Texas State Technical College System discovered employee personally identifying information was located on a server that was remotely accessed by unauthorized parties. The server was contained and taken down. The files contained the information about TSTC employees as of November 2013. Initial investigation indicates the files were on the server from November 4, 2013 to January 30, 2014.
The college continued to investigate the server and found a small amount of student information resided on the server containing student-personally identifiable information that was on the server from May 16, 2006 and Oct. 30, 2008 to January 30, 2014. Notifications were sent to 2,867 former students from TSTC Waco that were affected. These are students who attended TSTC Waco primarily in Summer 2006 with some who also attended in Fall ’06, Spring and Summer ’07.
The employee files contained information relevant to conducting College business. The source files have been deleted and are no longer accessible and the matter is being investigated fully.
The employee records were created on Nov. 3, 2013.
At this time, the investigation has revealed that all TSTC employees (less than 2,000) on the November payroll were included in a file on the server for use in fulfilling our quarterly employment reporting requirements.
The College immediately took a number of parallel steps to investigate and limit the exposure of this information. As soon as the incident was confirmed, the College immediately activated its business continuity plan and followed security incident procedures including:
Social Security numbers are used to track employment and used in mandatory quarterly State reporting. Likewise, student SSNs were used as unique student identifiers for students to complete a graduate report.
Computer forensics has identified a small amount of student information resided on the server that was vulnerable to unauthorized access. Only students who attended TSTC Waco in the summer of 2006 and a small number of students from academic year 2007 (Fall 2006, Spring and Summer 2007) were included in the files containing the student names and social security numbers.
Students who graduated prior to Summer 2006, or who enrolled after Summer 2007 were not affected. The college has sent each potentially affected former student a letter at their last known address. The letter to affected students will contain information on how to enroll for the prepaid identity protection service either through a toll-free number or website.
Students from TSTC Harlingen, Marshall, West Texas and North Texas were not included in this vulnerability issue. Most TSTC Waco students from Summer 2006 were affected, and less than 100 Waco students from the academic year 2007 (Fall 2006, Spring and Summer 2007).
If you have not received a letter, but were a student at TSTC Waco during this time period, you can call the College Office of Information Technology toll-free number, at 844-927-9900. They can confirm whether your name and social security number was at risk due to the illegal access to the server. The OIT Help Desk is available 7 a.m. to 9:30 p.m. Monday – Friday; and 8 a.m. to 5 p.m. Saturday and Sunday.
The College believes that the employee files containing personal employee information were on the server between November 4, 2013 and January 30, 2014.
No. Upon learning that these files were inadvertently accessible on the server, the College immediately took steps to disable the server. A further investigation is ongoing to discover the cause of this information being stored on the server and appropriate action will be taken to ensure that personally identifiable information is protected from unauthorized access.
Yes. The College is actively working with the FBI, and Office of Inspector General, and Department of Education.
Does the College have any indication that anyone has suffered identity theft as a result of this incident?
At this time, the College has no way to know whether information has been or will be misused. It is recommended that employees take the following steps to protect their identity:
If my personal information was accessed by an unauthorized party, does that mean that I will become a victim of identity theft?
Not necessarily. Even if someone did access your information, this does not mean that you have been, or will become, a victim of identity theft or that the unauthorized individual intends to use your personal information to commit fraud. The College notified you about this incident so you can protect yourself. You can do this in several ways: by placing a fraud alert on your credit file; by placing a security freeze on your credit report; and by reviewing your credit reports regularly. Each of these measures is described within this FAQ page.
Most credit card companies and other creditors will not issue credit without first checking an applicant’s credit history. A fraud alert tells potential creditors that they should contact you first before issuing new credit in your name, thereby preventing someone from fraudulently obtaining credit without your knowledge. A fraud alert will not prevent you from using your credit cards or other accounts. A fraud alert, however, may slow the process of receiving new credit since the purpose of the fraud alert is to help protect you against an identity thief opening new credit accounts in your name. When you place a fraud alert on your account, potential creditors receive a message instructing them to re-verify the identity of the person applying for credit before approving the credit application. There is no charge for placing a fraud alert on your credit file. An initial fraud alert lasts for 90 days and is free. You may renew the fraud alert at no cost for an additional 90 days. There is no limit to the number of times you can renew the fraud alert.
Experian, 888.397.3742, PO Box 9532, Allen TX 75013, www.experian.com
TransUnion, 800.680.7289, PO Box 6790, Fullerton, CA 92834-6790, www.transunion.com
If you would like a College representative to assist you in using one of these websites to place a fraud alert on your credit file, call or visit your college Human & Organization Development office.
A security freeze prohibits a credit bureau from releasing your credit report without your consent. However, placing a security freeze may delay, interfere with or prohibit the timely approval of any application you then make regarding a new loan, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular telephone, utilities, digital signature, Internet credit card transaction or other services, including an extension of credit at a point of sale. Because of this, you may need to remove or temporarily lift the security freeze.
You should regularly review your credit reports and monitor your accounts for unusual activity. In addition to your right to one free credit report per year, placing an initial fraud alert entitles you to a free credit report from each of the three credit bureaus. You can use these reports to review and monitor your credit report periodically.
Credit monitoring services protect primarily against new account fraud. This form of fraud occurs when a criminal uses your personal information to open credit card, mobile phone, or other financial accounts using your name, social security number and other personal information. New account fraud can be difficult to detect because the criminal generally has billing statements sent to an address other than your real address. You can learn more about credit monitoring at https://www.privacyrights.org/fs/fs33-CreditMonitoring.htm#1.
In an abundance of caution, the College will be offering premium identity theft protection for one year for all TSTC employees. We have partnered with CSID to provide one year of their Breach Protector™ credit monitoring and identity theft restoration coverage. CSID is an independent company that specializes in protecting and restoring its subscribers’ credit and identity. CSID has sent each employee their personal activation PIN and procedures, using the addresses we have on file for employees.
Because the College cares for our employees and students, we have already purchased the identity theft protection service for all affected. The College has paid for this protection whether or not the service is activated. The College urges students and employees to help us be good stewards of our resources, and accept this coverage for their benefit.
Will the college have access to my credit information since they are purchasing this service for me?
No. The college has purchased the identity theft service for employees and students affected whether they activate their subscription or not as an act of good faith to help you protect your identity. The college has no right to personal credit information of our employees or former students. Only you, as the owner of the service, can activate and access your identity theft subscription.
A letter went out from CSID using a copy of TSTC letterhead as an important notice to those who were involved in the potential exposure of your personal identifying information. This letter is for real and is not a scam. To verify it, please see the website on the letter, call CSID, or simply activate your CSID account using the PIN code provided. TSTC has partnered with CSID to provide one year of breach Protector, a premium credit monitoring and identity theft restoration coverage at no cost to you. This has already been paid for and we urge you to accept his gift and protect yourself from the potential threat.
The College is providing a premium identity theft protection plan for all employees included in the Nov. 3, 2013 employment report. All other employees will also receive one-year of the basic identity theft protection from CSID as an employee benefit.
The College is providing the identity theft protection plan for only the 2,867 students involved, those who attended TSTC Waco in the Summer 2006 term and approximately 100 students from the 2007 academic year who were also included.
Should I contact the Social Security Administration to change my Social Security number if my Social Security number was part of the information that was contained on the compromised server?
The Social Security Administration is unlikely to change your Social Security number in the absence of any evidence that your Social Security number is actually being misused. In addition, according to information on the Social Security Administration’s website, changing your Social Security number may create additional problems because you would lose your existing credit history and because other government agencies (including the Internal Revenue Service and the Department of Motor Vehicles) and private businesses (such as banks and credit reporting companies) are likely to have records under your current Social Security number.
You should immediately: (1) report the crime to your local law enforcement agency, (2) contact any creditors involved, and (3) notify all three credit bureaus. You may also choose to put a credit freeze on your file; please note that there may be a cost associated with this. Additional guidance is available on the Federal Trade Commission’s website.
No. Our investigation of this incident indicates that the affected files did not contain bank account information.
No. Our investigation of this incident indicates that the affected files did not contain credit card information.
Employees should call your HOD representative (below) and update the address on record to ensure you receive important notifications sent to your home. Also, HOD can email you a copy of the letter and help you get your PIN code to begin your Identity Theft Breach Protector service.
The following College personnel stand by to answer any questions employees may have:
TSTC Harlingen: Mary Prepejchal, 956.364.4042
TSTC Marshall: Felicia Hill, 903.923.3233
TSTC Waco: Kelly Contella, 254.867.2368
TSTC West Texas: Brian Kight at Brownwood 325.641.3918; Sherry Strickland at Breckenridge 254.559.7707; Hannah Love for Abilene & Sweetwater 325.236.8277
Students should call the Office of Information Technology toll-free number, at 844-927-9900. The OIT Help Desk is available 7 a.m. to 9:30 p.m. Monday – Friday; and 8 a.m. to 5 p.m. Saturday and Sunday.
If they cannot answer your question, they will take your name and phone number and forward that information to the security response team, and a College employee will contact you with a response. Additionally, commonly asked questions will be added to this website as they arise. If questions you have are not answered on this web page, please email us at firstname.lastname@example.org.
The Human & Organization Development Office is available to assist College employees. You can stop by the office any work day during normal office hours and they are happy to assist you.
Also, if questions you have are not answered on this web page, please email us at email@example.com.
On Saturday, Feb. 1, the OIT team brought down several websites to evaluate their security protocols as a precautionary measure on our most critical applications.
On Feb. 10, the College began getting reports from some employees that their CSID PIN codes, required for activating their Breach Protector service, are not valid. By the afternoon of Feb. 10, CSID had reactivated the assigned PIN codes. If for some reason your PIN code does continues to not work, please call CSID's Breach Protector phone number, available 24/7 at 877-274-5565 or email CSID at firstname.lastname@example.org. If the issue is not resolved, email us at email@example.com.