Security breach at Goshen College — letter e-mailed to students and parents

The following letter was sent May 11, 2007 to students and parents affected by the May 5-7, 2007 computer security breach

 

Goshen College is sending this letter to inform you that a computer system containing personal information about you — and other current and prospective students and some of their parents — was compromised. On Saturday May 5, a computer in the Admissions Office was accessed from an off campus site. This computer then was used to attack other computer workstations on campus.

Based on activity in log files, we suspect the hacker's motive was to acquire access to our computers, which could then be used to send out spam — not to obtain confidential student data. We believe after extensive analysis that no information was taken, but we are continuing to investigate this incident.

The potential for improper access extended from May 5 to May 7 due to a breach of our computer security systems. There would have been the possibility to review the following information in your file:  your name, address, birth date, Social Security number, and phone numbers. Your file did not contain bank or credit card information.  Upon discovering the breach, our staff immediately addressed the situation. Goshen College and our Information Technology Services team have implemented additional internal controls and safeguards for personal information.

Malicious use of the Internet continues to rise with hackers targeting computer systems of local, state and federal government agencies, businesses, homes and other organizations.   Other colleges and universities over the past year have experienced similar breaches, although actual identity theft in these cases is rare. At Goshen College, we are committed to continually improving security protocols, cooperating with law enforcement agencies as needed and informing our constituents in the rare cases when hackers do gain access. 

While the nature of this incident leads us to believe that no data loss occurred, our goal is to make sure you have information to protect yourself.  As a result, attached are recommendations from independent sources and various government agencies concerning steps to take after the suspected unauthorized access to personal information. We suggest you consider requesting a free initial fraud alert to be placed on your credit file by contacting any one of three major credit-reporting agencies — Equifax, Experian or TransUnion. Additional information will be available on our web site, www.goshen.edu. You can contact the Goshen College Information Technology Services Office any time by e-mail at itsecurity@goshen.edu or call us Monday through Friday, 8 a.m. to 5 p.m. EDT, at 1-866-877-3055.  On Friday, May 11, 2007, you may call until 9 p.m EDT. and on Saturday, May 12, 2007, you may call from 9 a.m. until 5 p.m EDT.

Please accept our sincere apologies.  We regret the occurrence of this event.  Our goal is to ensure that it does not happen again.

Sincerely,

John D. Yordy
Executive Vice President and Provost