Notre Dame de Namur University is notifying some financial aid applicants that their information may have been compromised when an employee fell prey to a phishing attack. In its notification letter (reproduced below), Henry Roth, the Chief Financial Officer and VP of Administration, writes that the university learned of the possible compromise on May 18. Investigation determined that the affected email account contained names, Social Security numbers, and other information provided with financial aid applications.
The number of students affected was not disclosed in in the notification to the California Attorney General’s office. Nor was the date when the compromise occurred, but from metadata on the AG’s site, it appears that the breach occurred on April 23, 2018. The notification to the state was submitted on June 20, 2018.
To help protect the affected individuals, the university offered a complimentary one-year membership of Experian’s® IdentityWorks. As part of their incident response and to reduce the likelihood of further incidents, staff are also being re-educated for awareness on these types of incidents.
It was only relatively recently that the U.S. Education Department started requiring Title IV institutions to report breaches to them. NDNU should fall under that requirement, although with Kathleen Styles, the Chief Privacy Officer at USED, reassigned involuntarily and talk of combining USED and Labor into one agency, it is not clear whether there will be any monitoring or enforcement of either privacy or data security in entities currently covered by the U.S. Education Department. In fact, this site is still waiting for part of the response to a Freedom of Information request filed seeking reports of data breaches.
And while some people were arguing in March that the department’s work would continue even after Styles’ reassignment, if this blogger had to guess, I would guess that we will go rapidly backwards on data protection and enforcement unless state departments of education or state legislatures start imposing both requirements and enforcement mechanisms. Prove me wrong, USED. Please.