On November 19, ETSU notified potentially affected individuals about a recent incident where an unauthorized person gained access to the email accounts of two University employees. That same day, ETSU also chose to notify the entire campus of this incident in hopes we can all continue to work together to protect personal information.
The information provided here reflects current investigative findings, as well as general best practices everyone should take to protect their personal information.
As part of ETSU’s response to the incident, appropriate law enforcement agencies were notified and their investigation is presently ongoing.
On October 17, 2018, ETSU ITS discovered that an ETSU employee clicked on a phishing email that resulted in an unauthorized person having access to her email mailbox. Immediately upon discovery, ETSU ITS disabled the employee’s email access, reset the employee’s username and password, and commenced an investigation. As part of the initial investigation, on October 26, 2018, ITS discovered a second employee mailbox was also affected. Immediately upon discovery, ETSU ITS disabled the second employee’s email access, reset the employee’s username and password, and commenced an investigation.
Because of the nature of the two employees’ job duties, the employees’ email mailboxes contained emails that included personal information about other University employees. ETSU takes the privacy and security of personal information very seriously. Out of an abundance of caution, ETSU chose to notify all potentially affected employees of this incident so that employees could take steps to protect their personal information.
At this time we do not know that anyone’s personal information was actually accessed. We do know that there was a period of time where an unauthorized person had the opportunity to access the employees’ emails. Employees whose personal information was contained in either of the mailboxes have been notified directly with instructions.
At this time, we know that an unauthorized person had access to the two employees’ email mailboxes after the employees clicked on a phishing email. We do not know whether individual emails contained in the employees’ email mailboxes were actually accessed. Employees whose personal information was contained in either of the mailboxes have been notified directly with instructions.
Current investigative findings indicate that the employees’ email mailboxes contained emails with first and last names, social security numbers of employees and the employees’ spouses and dependents, and other personal information. Employees whose personal information was contained in either of the mailboxes have been notified directly with instructions.
There is no evidence that other ETSU systems were compromised. The ETSU network and systems, including Banner, D2L, and other financial and student information systems, remain secure. Investigative findings indicate exposure is limited to the contents of two employees’ email mailboxes. Again, we do not know that the contents of the employees’ emails were actually accessed, just that the potential for access existed.
If ETSU discovered the personal information of other individuals in your family, household, or otherwise, was contained in either of the mailboxes, their names will be listed on the notice you received. Because ETSU does not maintain mailing addresses or emails for these individuals, we have instructed you in the letter to notify the individuals of this incident and the resources ETSU is providing. If there are any questions please call: 423-439-3338 Monday through Friday between 8am and 4:30pm.
This incident was self-discovered. An ETSU employee reported receiving a suspicious email from another ETSU employee on October 17, 2018. That same day, ETSU ITS identified the employee and immediately took action to protect ETSU employee information and data.
Because of the potential exposure of personal information including social security numbers, ETSU strongly encourages employees to take immediate action. Employees whose personal information was contained in either of the mailboxes have been notified directly with instructions.
Everyone should always be vigilant in monitoring credit, banking and other financial transactions. You can request and receive one free credit report every twelve months from each of the three national credit bureaus. In today’s cybersecurity environment, it is best practice for everyone to continually monitor their accounts each year. For more information on free credit reports, see https://www.consumer.ftc.gov/articles/0155-free-credit-reports.
When you receive your credit reports, review them carefully. If you find any items you don't understand on your report, call the credit bureau at the number given on the report. Credit bureau staff will review your report with you.
You may wish to consider requesting a fraud alert on your credit bureau records. Requesting a fraud alert is free and can make it harder for an identity thief to open accounts in your name. A fraud alert is a message that credit issuers receive when someone applies for new credit in your name. The message tells creditors that there is possible fraud associated with the account and alerts them to contact you before issuing new credit.
You can contact the fraud department at any one of the three major credit bureaus:
- TransUnion: 1-800-680-7289 (https://www.transunion.com)
- Experian: 1-888-397-3742 (https://www.experian.com)
- Equifax: 1-888-766-0008 (https://www.equifax.com)
As soon as one credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified to place fraud alerts.
You should be aware that a fraud alert may make it more difficult for you to obtain credit or process financial transactions, and you should exercise caution in doing so. While it will not affect your credit, it will slow down the credit application process.
Additional information and instructions may be found on the Federal Trade Commission's website: https://www.consumer.ftc.gov/articles/0275-place-fraud-alert
You may wish to consider activating a credit or security freeze. Requesting a fraud or security freeze is free and can restrict access to your credit report, which may make it more difficult for identity thieves to open new accounts in your name.
To place a freeze, contact each of the nationwide credit bureaus:
- Equifax: Equifax.com/personal/credit-report-services 1-800-685-1111
- Experian: Experian.com/help 1-888-EXPERIAN (888-397-3742)
- TransUnion: TransUnion.com/credit-help 1-888-909-8872
Additional information and instructions may be found on the Federal Trade Commission’s website: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, you should file a complaint with the FTC at http://www.consumer.gov/idtheft or at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcement agencies for their investigations. The FTC also will advise you on further steps to take in the event your information is being used illegally.
ETSU has notified law enforcement and the appropriate state agencies of this incident. ETSU implements state-of-the-art cybersecurity technologies, such as next-generation firewalls, email security, anti-spam, anti-phishing, and anti-malware tools to protect its network and systems. ETSU has already implemented a tag and warning system for untrusted external emails. Additionally, we continue to implement and evaluate technology and processes aimed at reducing human error: we are currently working on revising workflow processes that entail the sending and receiving of sensitive data via email, we are in the process of implementing two-factor authentication, and we are evaluating required security awareness training for all employees.
You should limit the use and disclosure of your social security number, financial information, and other personal information where it is not required. For example, if your bank account number or PIN is your social security number, you should ask the bank to give you a different number. Do not use the last four digits of your social security number, your mother's maiden name, your birth date, or other personal information as a password or password recovery hint. You should never share your ETSU or any other username and password with anyone, and you should not save or write these credentials in a place where someone can easily access them. You should use, or request to use, two-factor authentication when available. You should take a closer look at the email sender or browser URL when you are asked to provide sensitive information or your username and password. For more information on steps you can take to practice good online safety, please visit https://www.stopthinkconnect.org/tips-advice/general-tips-and-advice.
If you would like to speak to someone about your questions or concerns over the telephone, please call: 423-439-3338 Monday through Friday from 8:00 AM – 4:30 PM. The Call Center will be closed Wednesday, November 21, Thursday, November 22, and Friday, November 23.