Nearly two months after Ferris State University experienced a network security breach with the potential to affect 58,000 people, the investigation is coming to a close.
“The investigation is not complete at this point,” Sandy Gholston, Ferris news services and social media manager, said. “We should have more information in the next week or so.”
Ferris learned July 23 that an unauthorized person had breached network security and gained access to the names and social security numbers of approximately 39,000 students, faculty and staff.
Additionally, 19,000 current, former and prospective students’ names and campus-wide student identification numbers were accessible.
“The university needs to explain what happened, how it happened and how they’re going to keep it from happening again,” Ben Blaska, a Ferris junior computer networks and systems and electrical/electronics engineering technology major, said. “They need to make sure that they listen to cyber security boards or advisors and investigate all possible vulnerabilities and patch them up.”
John Urbanick, Ferris’ chief technology officer, wrote in a press release following the incident that the university immediately shut down the breached server, which is used to operate Ferris’ website, and hired a leading national computer forensic firm to help investigate the incident.
The university hired Navigant Consulting, Inc. to assist in investigating the incident, according to Gholston.
Navigant is “a specialized global, expert services firm dedicated to assisting clients in creating and protecting value in the face of critical business risks and opportunities,” according to its company website.
Gholston did not know how much the university would be paying Navigant for its services since the investigation is still in progress.
Despite the sensitivity of the information, affected individuals were not notified until Aug. 14, nearly three weeks after the incident occurred. The university did not release a statement regarding the data issue until Aug. 15.
The investigation did not find any evidence that the unauthorized party actually reviewed or removed any information.
To date, the university is “not aware of any” reports from students, alumni or employees that their information has been misused, Gholston said.