McLaughlin: Iowa State makes best of recent security breach situation


Columnist McLaughlin argues that Iowa State handled the security breach in the right way. They could not completely prevent it, but they dealt with and corrected the issue.

Curran McLaughlin

On April 22, Iowa State announced in a news release that the information technology staff had discovered a security breach in five departmental servers around campus. After further assessment, Iowa State IT determined that the servers contained the Social Security numbers of 29,780 students who were enrolled in the university between 1995 and 2012. Iowa State rushed to patch the problem as soon as they caught it and, so far, has done an extremely good job in how they have dealt with the problem.

Iowa State reported that there was no sign that the data files were accessed and there was zero student financial information in the breached files.

The identity of the hacker or hackers is unknown. The intent of the hacking was to use the computing power of the servers to create a digital form of currency called bitcoin.

“We don’t believe our students’ personal information was a target in this incident, but it was exposed,” said Senior Vice President and Provost Jonathan Wickert in Iowa State’s news release. “We have notified law enforcement and we are contacting and encouraging those whose Social Security numbers were on the compromised servers to monitor their financial reports.”

Iowa State also plans on taking good precautions and contacting an additional 18,949 students whose university ID numbers were stored on the servers that were attacked. These ID numbers did not come with their corresponding passwords and would not serve much purpose outside campus either way.

Iowa State plans on taking a course of action through a national firm known as AllClear, which specializes in identity theft, to assess damages caused by the breach. On top of notifying all students and alumni who may be compromised by the breach, Iowa State has taken the high road and provided those students one year of free credit monitoring from AllClear.

Iowa State has done everything in their power to do right by those who are compromised by the bitcoin mining breach.

There was nothing that the university could do. Even though Iowa State undoubtedly has great protection for all computers and servers, it is impossible to have an impenetrable defense. No matter how well the university fortifies their system, there will always be a gap in the digital armor that can be exploited.

With that said, Iowa State handled the situation in the right way. They could not completely prevent a breach, but they thoroughly dealt with and corrected the issue.

Immediately after discovering the vulnerability, the university’s IT team eliminated the problem and improved the system to defend against such hackings. Iowa State then notified the authorities to get to the bottom of the attacks.

Iowa State identified that the main purpose of the attack was to take advantage of the computing power of the Iowa State servers to generate the internet currency bitcoin. Even with no solid evidence that the Social Security numbers and student ID numbers were even looked at by the attackers, Iowa State didn’t leave anything to chance.

Iowa State put all students at any marginal risk of financial theft on notice. They are working with AllClear to help protect these same students.

Iowa State could very well have done considerably less work in this situation. They are fairly certain that the files on the servers were not even touched during the bitcoin mining, only Social Security and student ID numbers were at risk, and there were no financial records in the targeted files.

Iowa State went the extra mile to keep everything in check. They’ve fully fixed the fault in their system that allowed the breach. Along with that, to make sure their students and alumni are safe, they took great security measures.

Iowa State made sure that there were no mistakes and no false assumptions that could lead to thousands of identities being stolen. That was the exact action that the university should have taken. They’ve handled the situation effectively and in the best possible manner.