2019 was a difficult year for Wichita State University in terms of cybersecurity. They started the year with a phishing incident that stole some employees’ paychecks, and it seems that they ended the year with another incident.
As their external counsel wrote on March 10:
In December 2019, WSU learned of a security incident involving unauthorized access to a computer server that WSU used to operate various student and employee web portals. WSU immediately secured this server and engaged a leading computer forensic firm to investigate the incident to determine its scope and impact. The investigation determined that an unauthorized
person gained access to this computer server between December 3, 2019 and December 5, 2019.WSU performed a comprehensive review of the server and, on January 13, 2020, determined that information stored in a historical database on the server contained the individuals’ names, email addresses, dates of birth, and Social Security numbers.
On March 6, 2020, WSU began mailing written notifications to the 1,762 potentially affected Iowa residents in accordance with Iowa Code Ann. §§ 715C.1 et seq. in substantially the same form as the enclosed letter.
Read their full notification to the Iowa Attorney General’s Office with a template copy of their notification to those affected here.
Although the notification does not make explicitly clear how the attacker gained access, their notification does say that as part of their attempts to prevent future problems, they are re-educating staff.