About 4,585 past and present Montana State University employees have received notice that a computer virus may have allowed outsiders access to their Social Security numbers, though the university knows of no instances resulting in identity theft.
Letters were mailed out June 13 from MSU Vice President Terry Leist’s office, warning people about a security breach discovered March 5, according to Carol Schmidt, an editor with MSU’s communications department.
Employees were offered the chance to sign up for a free, one-year subscription to a service called ProtectMyID Alert, said MSU spokesman Tracy Ellig.
“These breaches are distressing, and we are taking them very seriously,” said Ellig, one of the employees affected. At the same time, he said he’s not losing any sleep over it.
“There’s no evidence this information was grabbed and taken,” he said. “To date, we’ve not had reports of any individuals having problems.”
Ellig said it took him about 90 seconds to sign up for the one-year service, which detects and warns people of computer activity that could be identity theft.
MSU has roughly 3,000 employees, so the security lapse potentially affects half again as many people. Ellig said it doesn’t affect anyone hired since June 2012.
When the problem was detected, MSU followed state rules and hired an outside computer forensics firm. It analyzed the hard drive of a computer in the human resources department and found “malware,” malicious software that had the ability to access people’s names and Social Security numbers. They couldn’t find any evidence that the information had been taken.
MSU employees’ names and Social Security numbers are supposed to be stored on a larger, secure server, accessible only by password, and aren’t supposed to be downloaded onto individual computers, Ellig said.
Asked why it took three months to notify employees of the breach, Ellig said MSU was following the state’s procedures exactly.
“When you have this many names, one of the challenges is finding accurate mailing addresses,” he said. “You’re dealing with people who no longer work at the university, or may have moved.”
As a result of the security breach, MSU has installed new identity-finder software, which searches individual desktop computers on campus to make sure they don’t have sensitive information like Social Security numbers, birth dates and credit card numbers.
“Information can end up on computers and the users do not realize it’s there,” for example, on a new employee’s computer, Ellig said. “We’re going through and trying to flag every computer that might have identity information.”
Screening started in the human resources department and will be used throughout the administrative computers.
MSU last reported an online security lapse in December 2012, when it was discovered that documents containing names, birth dates and Social Security numbers, including student loans and workers compensation forms, had been online and unencrypted for six weeks the previous summer.
The university is trying to take steps to eliminate breaches as much as possible, Ellig said, but it’s challenging in an organization as large and dealing with as much information as MSU, and no one can guarantee it won’t happen in the future.
Gail Schontzler can be reached at email@example.com or 582-2633.