SU defends response to data breach amid criticism, anger
Nabeeha Anwar | Illustration Editor
The Daily Orange is a nonprofit newsroom that receives no funding from Syracuse University. Consider donating today to support our mission.
Romane Gutenbrunner was at work when she heard that a data breach at Syracuse University had exposed the names and Social Security numbers of nearly 10,000 students, alumni, applicants and their family members.
Gutenbrunner, a senior political science major, had seen posts about the data breach and the letters that those affected were receiving. She got home and checked her mailbox.
“I opened it, and I immediately knew,” she said.
Like thousands of others, Gutenbrunner quickly called her bank and made sure her family members knew to be on the lookout for suspicious activity. She also signed up for identity theft and credit monitoring services from Experian, a consumer credit reporting company SU coordinated with to provide temporary, free services to those affected by the breach.
Since letters about the security failure arrived in mailboxes across the country last week, those who’ve received them have said that the breach raises red flags about the amount of personally identifiable information SU employees have access to and the amount of time it takes SU to communicate about critical issues.
Despite the complaints, SU officials said they fulfilled their legal obligations to those affected by the breach and have taken aggressive action to strengthen cyber security at the university going forward.
“We feel like we’ve been very thorough in our response,” said Steven Bennett, senior vice president for international programs and academic operations, in an interview with The Daily Orange.
The breach occurred late on Sept. 25 after a university employee fell victim to a phishing attack in which the employee clicked a link and exposed their credentials to a “malicious actor,” Bennett said. The university locked the compromised account on Sept. 28.
“Usually that happens very, very quickly, and we’re able to isolate an account very quickly,” Bennett said. “In this particular case, it was a little bit longer than usual.”
After securing the account, SU’s Information Technology Services looked at the account to try to establish what information had been exposed. The department didn’t detect that any files were accessed or copied by the unauthorized party but couldn’t prove that the files weren’t accessed, either, Bennett said.
ITS didn’t respond to questions about when it became aware of the breach or how the department responded. SU’s general counsel also didn’t respond to similar questions.
On Oct. 6, SU escalated the investigation to a firm that specializes in data security. The firm finished its investigation on Jan. 4 and was unable to confirm whether files containing names and Social Security numbers had been accessed. The university sent letters to those whose information was exposed on Feb. 4.
To the outside public, you’re not saying anything or holding yourself accountable. My concern right now is that I didn’t hear from the people I pay $70,000 to in six months. I think that is unacceptable.Romane Gutenbrunner, SU senior
Helpline representatives whom students spoke to about the breach said they worked for Kroll, a corporate investigations and risk consulting firm based in New York City. Leonardo Saraceni, the company’s vice president of marketing, said Kroll does not comment on the existence or non-existence of a particular client relationship.
Gutenbrunner’s still upset about the university’s lack of transparency in reporting the failure to the university community.
“To the outside public, you’re not saying anything or holding yourself accountable,” she said. “My concern right now is that I didn’t hear from the people I pay $70,000 to in six months. I think that is unacceptable.”
The university’s public silence about the security breach has also added to confusion about what truly took place and what those affected should do next, said Morgan Horner, who graduated in 2018 with a degree in biology.
When Horner received her letter, which was postmarked from Georgia, she thought it was fake. She thought SU would’ve made an announcement if the security risk was real, she said.
“I’m just in shock,” Horner said. “That lack of transparency is making people think that it’s not real, and that’s frustrating.”
The letters sent to impacted people came from unusual addresses because SU partnered with an independent firm to handle the mailing, Bennett said. Outsourcing those services is standard practice when institutions encounter a large-scale breach, he said.
“To be sure, a number of people contacted me directly asking if they’re legitimate,” Bennett said. “I answered them all promptly.”
State law requires that institutions inform people of data breaches via United States mail. Since the firm SU partnered with had to track down the mailing addresses of applicants and other individuals not enrolled at the university, the process took considerable time, Bennett said. Still, SU believes its response time was average or slightly above average, he said.
“We had to validate U.S. mail addresses for all of these people. We had to line up a help desk. We had to set up the appropriate remediation,” Bennett said. “That takes a while. It’s not outside the norm.”
More stories about SU’s data breach:
- SU data breach exposes nearly 10,000 names, Social Security numbers
- Online learning threatens students’ privacy, experts say
- Editorial Board: After data breach, Syracuse University’s silence is glaring
It would’ve taken far longer to track down email addresses for everyone affected by the breach and reach out that way, and doing so is not best practice, Bennett said. He didn’t respond directly to questions about why the university didn’t put out a press release about the breach.
SU’s response isn’t good enough, said Horner, whose mother’s personal data was also exposed in the breach. The university’s offer to provide year-long identity theft and credit monitoring services is a temporary solution to a permanent issue, Horner said.
“It doesn’t give me much comfort at all, considering my (Social Security number) is with me for life,” Horner said.
The university is enacting steps to ensure personal data is better protected in the future, including establishing a task force to look at the management of digital documents, Bennett said. Samuel Scozzafava, vice president for information technology and chief information officer, will lead the task force.
“We are looking to tighten up the management of any document that has personally identifiable information in it,” Bennett said. “That was something that, in the wake of this event, we realized we really needed to do, and that’s underway at this moment.”
SU will also increase training for staff to prevent another similar breach and will move the entire campus to a two-factor authentication sign-in system by the end of the fiscal year, said Sarah Scalese, senior associate vice president for communications, in a statement.
I’m just in shock. That lack of transparency is making people think that it’s not real and that’s frustrating.Morgan Horner, Syracuse graduate
Students already use the sign-in procedure, but some faculty and staff don’t, Bennett said.
“We have what I would consider to be good cyber security defenses, but cyber security defenses can always be better,” he said.
Bennett said he understands the frustration of those who have been impacted by the breach but wants them to know that SU is enacting change.
“This was a really regrettable event. I understand it’s quite upsetting to some people,” Bennett said. “The university has learned a lot from this experience, and we’ve taken some important and meaningful steps and accelerated some other ones as a result.”
Published on February 14, 2021 at 10:45 pm
Contact Michael: msessa@syr.edu | @MichaelSessa3