EDUCAUSE SECURITY BREACH AND PASSWORD CHANGE INFORMATIO

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.educause.edu/educause-security-breach-and-password-change-information

In February 2013, EDUCAUSE discovered a security breach involving an
EDUCAUSE server. Below are answers to questions about this breach.


Who was affected and what data was involved?

Individuals with an EDUCAUSE website profile

Any information contained in individual EDUCAUSE website profiles
(e.g., name, title, e-mail address, username, and hashed password) may
have been compromised. As a result, individuals with an EDUCAUSE
website profile must change their password.
It is not necessary for InCommon account holders to update their
institutional credentials because EDUCAUSE does not have access to, or
store on any server, InCommon account information.



.edu domain accounts

The breach may have compromised the hashed passwords of .edu domain
holders. As a result, the designated administrative, technical, or
billing contact must change the domain password. Administrative and
technical contacts have already been notified by EDUCAUSE.


As a precaution, all passwords have already been deactivated;
therefore, individuals do not need to create new passwords
immediately.

Members and individuals who do not have an EDUCAUSE website profile or
are not a .edu domain holder are not required to take action.


Who was notified?

Individuals with active EDUCAUSE website profiles and administrative
and technical contacts for .edu domain accounts were notified via
e-mail on Tuesday, February 19. The e-mail notice was sent through our
mass e-mail marketing software (Informz). Links within the e-mail are
redirected through this marketing product.

Because e-mail delivery isn’t always guaranteed, EDUCAUSE also posted
messages in social media, on its website, in several constituent and
discussion groups, and on the .edu website.

Members and individuals who do not have an EDUCAUSE website profile or
are not a .edu domain holder were not notified because they do not
need to take any action. This includes individuals who subscribe
exclusively to our constituent and discussion groups. Prior to June 8,
2012, subscribers to EDUCAUSE groups were not required to have a
profile; therefore, many individuals who only use this service are not
affected.


Was any sensitive personal or financial information accessed?

Based on our investigation to date, we do not believe that any
sensitive personal or financial information has been accessed.


What steps has EDUCAUSE taken to prevent similar security breaches in
the future?

EDUCAUSE took immediate steps to contain this breach and is working
with Federal law enforcement, investigators, and security experts to
make sure this incident is properly addressed.

Along with outside security experts, EDUCAUSE has implemented
additional security measures to help prevent this type of breach in
the future.

As a precaution, all passwords have been deactivated. Individuals with
EDUCAUSE website profiles and .edu domain holders are being asked to
create a new password.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.