Unauthorized User Accesses NC State Email Account

A North Carolina State University email account was illegally accessed by an unauthorized person not associated with the university, creating the potential for the individual to view or have access to certain personal identifying information of some former and current students.

The accessed email account contained a file from 2013 that included names, mailing addresses, university ID numbers, and social security numbers and/or other email(s) which contained names and social security numbers. NC State provided notification to approximately 38,000 individuals whose information could have been accessed.

There is no evidence that any personal data have been retrieved or misused, or that fraud has been committed using this information. The account was accessed through a sophisticated phishing scam; NC State was first informed about the illegal access on June 3, 2016. NC State immediately investigated and learned that the account contained sensitive data. The university quickly initiated its incident response team, performed computer forensics, scanned the account for all possible data, developed the notification lists and retrieved credit monitoring codes for all potentially affected individuals.

The university took aggressive steps to avoid future unauthorized access to personal information. NC State’s actions included: (1) removing the file and email(s) containing personal identifying information from the compromised email account; (2) requiring affected university employees to change their account credentials and increase security protocols, including 2-Step Verification; and (3) requiring additional and focused information security protocols to be implemented within the affected unit as well as more broadly throughout campus to all systems containing sensitive data.

Additionally, NC State is providing credit monitoring services to affected individuals.

NC State is committed to protecting sensitive and confidential information and will continue to monitor the situation in conjunction with law enforcement. NC State sent notification letters to those affected as quickly as feasible and upon review of all the pertinent information. The university has also advised the North Carolina Attorney General’s Office and the following three major consumer reporting agencies: Equifax, Experian and TransUnion.

Those affected by the data breach should remain vigilant by reviewing account statements and monitoring free credit reports obtainable from:

• Equifax: 1-888-525-6285; P.O. Box 740256, Atlanta, Ga.  30374
• Experian: 1-888-397-3742; P.O. Box 9554, Allen, Texas  75013
• Trans Union: 1-800-680-7289; P.O. Box 6790, Fullerton, Calif. 92834

To obtain further information about preventing identity theft, contact the Federal Trade Commission (600 Pennsylvania Avenue NW, Washington, DC 20580, 877/382-4357, www.ftc.org) and the North Carolina Attorney General’s Office (9001 Mail Service Center, Raleigh, N.C. 27699-9001, 919/716-6400, www.ncdoj.gov)

– 30 –