DRAFT
How was the account compromised?
In most cases, we don't know for certain. In fact, except in rare circumstances, CIS knows less about how the account was compromised than the compromised user does. Sometimes, the user will recall responding to a phishing message or clicking on a suspicious link. Certainly, those are vectors by which an account can become compromised. Password reuse is another: if you use the same password across multiple accounts (for instance, SPU, Facebook, and Google) and one of them exposes your password in a breach, a hacker could use that breached password to access your SPU account as well.
What data was compromised?
We will work with employees to identify what data may have been compromised. There are two main subsets of data that may be at risk:
- Office 365 (including Email, SharePoint, OneDrive, etc.) - We can determine whether a malicious user logged in to Office 365, but may not be able to verify what they viewed or edited. Typically, a malicious user in Office 365 uses the Email account to send phishing messages targeted at other SPU users. As part of this, mailbox rules might be created to hide the suspicious activity.
- Other data systems (including Banner, Canvas, etc.) - We can determine whether a malicious user logged in to our Single Sign-On portal, but may not be able to quickly determine all applications that were accessed. Specifically with Banner, we can identify what pages were loaded (in both Self-Service and Banner Admin). Typical targets here include pay stub and direct deposit information. If there are specific data systems you are concerned about, we can attempt to identify or verify what access may have occurred.
Looking at the data another way, there are two classes of data that may be at risk:
- Personal Data - Pay stubs, W2 (including SSN), personal contact information, etc.
- Institutional Data - Student records, financial data, etc.