Logan Ramsey - News Editor

Cybercriminal Breaches University Student’s Records

Aeral shot of ISU Pocatello campus
Photo Credit: Brandon Oram, Photo Editor

Logan Ramsey

News Editor

If you’re an Idaho State University student or alumnus, you may have had your personal data breached in a ransomware attack. The ISU Foundation sent out a letter on Aug. 28 warning students of the possibility that their data had been accessed by a cybercriminal.

Blackbaud, the third-party cloud software company the university is client to, discovered the breach on May 20, but the attack itself could’ve been as early as Feb. 7. With the help of independent experts and law enforcement, Blackbaud was able to stop the cybercriminal from accessing their fully encrypted files and expelled them from the system.

Before the criminal was locked out, they removed a copy of the backup file containing ISU students and alumni personal data. This wasn’t financial information, but personal contact information such as addresses, phone numbers and email addresses. ISU is one of many other universities that had their data breached.

In order to secure the data, Blackbaud, “paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” according to the ISU Foundation’s letter.

Based on law enforcement investigation, Blackbaud has, “no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.”

Blackbaud sent ISU a blanket notice and didn’t give any records of how many students and alumni had their data breached. Kyle McGowan, Vice President for University Advancement, said this is likely because neither Blackbaud or law enforcement knows exactly what records were breached.

“Anytime something like this happens, they bring in appropriate enforcement agencies and they investigate what happened and the level of risk. These cybercriminals obviously try to cover their tracks, so it’s not one hundred percent clear what particular records [were breached]. So we just notified everybody,” McGowan said.

ISU wasn’t required by law to disclose information about the breach, but McGowan said the ISU Foundation board insisted they send out the letter and communicate the possible risk to students.

The ISU Foundation is an independently run entity with a volunteer board of directors who, “invite people to participate in the long range mission of the University through financial support, volunteerism, engagement, networking, engaging alumni, business and industry and asking them to support our mission and vision for ISU,” McGowan said. They play a fiduciary role where they manage money that is donated to ISU to ensure the funds are allocated to its intended purpose.

All ISU Alumni have data on record with the foundation, but current students don’t need to have donated to the university to also have their data on file. If they’ve ever been a full-time university employee, volunteered for Alumni Relations in any capacity, been a part of the Bengal Booster Club or the Student Alumni Association, then the foundation likely has your data on file.

Currently, the ISU Foundation has access to 85,000 records, most of which are alumni. The foundation has access to 1,306 student records.

When an individual develops a “philanthropic relationship” with the university, then the foundation starts collecting more sensitive information like transaction records. These records don’t contain bank account information.

McGowan said that he doesn’t know if students are always notified when their information is added to the database, “but if someone signs up for something and gives us their information, then we have it.”

McGowan said that the university doesn’t sell that data. It’s used exclusively for university affairs.

“If people voluntarily provide us with contact information, we have a record of it. If that information is organized in such a way that we can access it, I think that’s pretty customary,” McGowan said.

The ISU Foundation recommends students, “remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities.”

Identity theft can be reported to the Federal Trade Commission online at IdentityTheft.gov or by phone at (877) 438-4338. It should also be reported to the victim’s financial institution and credit reporting agency.