Security breach at Goshen College — letter mailed to students and parents

The following letter was mailed May 15, 2007 to about 3,700 students and parents affected by the May 5-7, 2007 computer security breach

 

Goshen College is sending this letter to inform you that a computer system containing personal information about you — and other current and prospective students and some of their parents — was compromised. On Saturday May 5, a campus server was accessed from an off campus site. This computer then was used to attack other computer workstations on campus.

Based on activity in log files, we suspect the hacker's motive was to acquire access to our computers, which could then be used to send out spam — not to obtain confidential student data. We believe after extensive analysis that no information was taken, but we are continuing to investigate this incident.

The potential for improper access extended from May 5 to May 7 due to a breach of our computer security systems. There would have been the possibility to review the following information in your file:  your name, address, birth date, Social Security number, and phone numbers. Your file did not contain bank or credit card information.  Upon discovering the breach, our staff immediately addressed the situation. Goshen College and our Information Technology Services team have implemented additional internal controls and safeguards for personal information. Goshen College has revised its policies so that unless you are being actively recruited, your Social Security Number has already been purged from the computer system in question.

Malicious use of the Internet continues to rise with hackers targeting computer systems of local, state and federal government agencies, businesses, homes and other organizations.   Other colleges and universities over the past year have experienced similar breaches, although actual identity theft in these cases is rare. At Goshen College, we are committed to continually improving security protocols, cooperating with law enforcement agencies as needed and informing our constituents in the rare cases when hackers do gain access. 

While the nature of this incident leads us to believe that no data loss occurred, our goal is to make sure you have information to protect yourself.  As a result, attached are recommendations from independent sources and various government agencies concerning steps to take after the suspected unauthorized access to personal information. We suggest you consider requesting a free initial fraud alert to be placed on your credit file by contacting any one of three major credit-reporting agencies — Equifax, Experian or TransUnion. Additional information will be available on our web site, www.goshen.edu. You can contact the Goshen College Information Technology Services Office any time by e-mail at itsecurity@goshen.edu or call us Monday through Friday, 8 a.m. to 5 p.m. EDT, at 1-866-877-3055. 

Please accept our sincere apologies.  We regret the occurrence of this event.  Our goal is to ensure that it does not happen again.

Sincerely,

John D. Yordy
Executive Vice President and Provost