USC spends $110,500 for consulting after cyber attack on College of Education
As recently as 12 years ago, CarolinaCards issued to USC students, faculty and staff had Social Security numbers on them when they were distributed, according to Bill Hogue, USC’s vice president for technology.
Since then, Hogue said, the online world has become the “Wild West” of identity theft and other crime — and after a security breach this summer, USC is paying a consulting firm about $110,500 to advise its community on what to do if their identities are stolen.
In an interview Wednesday, Hogue addressed the online attack on the College of Education’s Web server that may have compromised the information of 34,000 of USC’s students, faculty and staff this summer.
In response, USC has contracted Kroll, a company Hogue said “specializes in helping people to manage customer relations post-breach.” The university will pay Kroll about $3.25 per person who could have been made vulnerable in the attack.
The server contained “confidential, personally identifiable information” exposed during an attack detected on June 6, according to a Monday university release. University spokesman Wes Hickman said the information included whole and partial Social Security numbers of students, employees and other people associated with the college. When the attack began is not clear, Hickman said.
Hogue said USC’s decades-old technology infrastructure is slowly moving away from using Social Security numbers and other detailed personal information to identify USC’s community members. He referenced VIP, which allows students an option to sign in using their Social Security numbers, and said ceasing that is one of the goals of the $75 million OneCarolina initiative — an overhaul of USC’s digital academic and administrative services across all eight campuses.
“For years we used the Social Security number as a primary identifier,” Hogue said. “One of the reasons we’re doing OneCarolina is to get away from doing that.”
In the approximately two months since the attack was discovered, the university has conducted a forensic investigation into the files that were exposed to identify whose files were compromised and find their contact information, Hickman said.
The investigation involved an examination of more than 2,000 files on the College of Education’s server and an analysis of whose identity may have been vulnerable, Hogue said. He said the sheer number of files is why USC only began sending letters to those users Monday.
“The server had over 2,000 files on it. Every one of those files had to be examined,” Hogue said. “Some had sensitive information, some didn’t. Some were compromised, some weren’t.”
He added that the university didn’t want to unnecessarily scare members of its community whose files hadn’t been exposed, and weeding those out also took time.
“We didn’t want to leave anyone out, but we don’t want to scare unnecessarily,” he said.
While thousands were exposed, it is not clear which files on the server were actually accessed in the breach. USC has advised those affected to place fraud alerts on their credit files with major reporting agencies.
Hogue said tracing the origin of the attack is next to impossible and the university won’t expend the resources to attempt what would likely be an unsuccessful criminal investigation.
“The likelihood of it being fruitful is approaching zero,” he said. “If we thought there were any chance we could catch the criminal we would perpetrate.”
The bright side for USC folks whose identities might have been exposed: No files have been removed, Hogue said. Another: USC has a perfect record in cases like these.
“We don’t have any history of anyone’s ID being stolen,” Hogue said. “That doesn’t make me feel safe, that doesn’t make me secure, that doesn’t make me happy. But we haven’t experienced that to this point.
“We don’t expect hundreds of people to suddenly see bank accounts drained because of this.”
He added that USC plans to take measures to ensure the university is doing all it can to avoid future attacks.
“We’ll be spending a lot of time and effort (to educate the community) about how to do a better job of prevention,” Hogue said.