In a world of highly protected digital information, Ferris State University experienced a major blow that could affect 58,000 people.
Ferris learned on July 23 that an unauthorized person had breached network security and gained access to the names and social security numbers of approximately 39,000 students, faculty and staff.
Additionally, 19,000 current, former and prospective students’ names and campus-wide student identification numbers were accessible.
Second-year Ferris optometry student Emily Carlson’s name and ID number were in the files accessed. She said she trusted Ferris to keep such information safe.
“That’s personal information that you don’t just give away to anybody,” she said. “I just hope that someone didn’t get ahold of my social security number. You hear about people getting their identities stolen, and you never think it could happen to you.”
Despite the sensitivity of the information, affected individuals were not notified until Aug. 14, nearly three weeks after the incident occurred. The university did not release a statement regarding the data security issue until Aug. 15.
Carlson initially learned about the data security breach from her hometown news outlet. She proceeded to check MyFSU for additional information but found none.
“I figured my information wasn’t in the file since I hadn’t heard anything from Ferris,” Carlson said. “I was surprised when I got a letter in the mail dated three weeks after [the incident happened].”
Sandy Gholston, Ferris’ news services and social media manager, defended the university’s delay in notifying the public.
“There’s a due diligence period the university had to undertake before making sure we had the correct information to notify the public,” Gholston said. “There was a delicate balance of getting information to people quickly and accurately.”
Carlson believes the university should have informed her sooner.
“I shouldn’t have heard about it on Facebook or the Detroit news first,” she said.
John Urbanick, Ferris’ chief technology officer, wrote in a press release that the university immediately shut down the breached server, which is used to operate Ferris’ website, and hired a leading national computer forensic firm to help investigate the incident. The firm also will assist in blocking any further unauthorized access.
The investigation did not find any evidence that the unauthorized party actually reviewed or removed any information,
Urbanick wrote. The university has not received any reports from students or employees that their information has been misused.
“The investigation is still in progress,” Gholston said. “Once the investigation is closer to completion, we’ll have a better idea of what happened and what the steps need to be going forward.”
The struggle to protect sensitive data from hackers is an “ongoing battle,” Gholston added.
On Aug. 14, the university mailed letters to the approximately 58,000 individuals whose information was in accessible files. The individuals whose names and Social Security numbers were viewable are being offered one year of free credit monitoring to address concerns. Students whose names and campus-wide student identification numbers were accessible may request a change to their campus-wide ID number by visiting ferris.edu.
A dedicated call center has been established to address questions and concerns from affected individuals. The call center is open from 9 a.m. to 7 p.m. Monday through Friday. The toll free number is (877) 283-6566. Identity theft resources and answers to frequently asked questions can be found on Ferris’ website.
Carlson is anxious for more news and hopes the university will be able to provide answers as to how a security breach of this magnitude could occur.
“It’s scary to think about,” she said. “There’s a lot of unknowns.”