DRAFT
This FAQ is directed toward supervisors of employees, but most of it is also relevant to the employees whose accounts are compromised.
How was the account compromised?
In most cases, we don't know for certain. In fact, except in rare circumstances, CIS knows less about how the account was compromised than the compromised user does. Sometimes, the user will recall responding to a phishing message or clicking on a suspicious link. Certainly, those are vectors by which an account can become compromised. If the same password is used across multiple accounts (for instance, SPU, Facebook, and Google) and one of those systems is breached, a hacker could use that breached password to access the SPU account as well.
Why was there no notification?
Whenever we mark any account as compromised, an email is sent to the employee's SPU email address, as well as any other email addresses we have on file. However, we often see that the hacker is logged into the SPU email account already and deletes the notification sent there, perhaps before the employee sees it. Further, many employees do not have any other email addresses on file. We strongly encourage all users to have an additional email on file: Update External Email Address.
What data was compromised?
We will work with employees to identify what data may have been compromised. There are two main subsets of data that may be at risk:
- Office 365 (including email, SharePoint, OneDrive, etc.) - We can determine whether a malicious user logged in to Office 365, but may not be able to verify what they viewed or edited. A compromised Office 365 account is typically used to send phishing messages from the email account, targeted at other SPU users. As part of this, mailbox rules might be created to hide the suspicious activity.
- Other data systems (including Banner, Canvas, etc.) - We can determine whether a malicious user logged in to our Single Sign-On portal, but may not be able to quickly determine all applications that were accessed. Specifically with Banner, we can identify what pages were loaded (in both Self-Service and Banner Admin). Typical targets here include pay stub and direct deposit information. If there are specific data systems you are concerned about, we can attempt to identify or verify what access may have occurred.
Was sensitive personal data compromised?
If Office 365 resources were accessed, the extent of personal data at risk is limited to what is present in email history, OneDrive, etc., as well as any third-party accounts for which the SPU email address would provide access (for instance, if access to the email allows resetting the password to an online banking account).
If Banner was accessed, then pay stub and W-2 information may have been exposed, including the SSN.
Will CIS provide credit monitoring?
Unless the account compromise results from an institutional data breach, CIS will not provide credit monitoring or other follow-up investigation. As noted in the Computer Acceptable Use policy, "Users must take appropriate and reasonable measures to protect the integrity, exclusiveness, and confidentiality of individual resources and account credentials."
CIS assistance to an employee whose account is compromised includes only initial notification, verification of whether institutional data was breached, and restoration of access.