Written by: Laura Pollack and Mariana Braz
A security breach of Mercer’s student data files took place on August 24, 2012, according to a letter that was sent out to more than 14,000 students on September 28. From Mercer’s computer lab, a student was able to access the personal information, including social security numbers.
According to the letter sent to students, “the College does not believe that any identity theft, fraud or misuse of your personal information has occurred.”
In an interview with The VOICE, President Dr. Patricia Donohue and Executive Director of Information Technology Services Susan Bowen explained that the investigation was initiated immediately after the incident.
“We have no knowledge of any fraud. We can’t find evidence of the system being hacked other times,” said Donohue. “The reason the law requires us to tell everybody is in case there was an incident that we weren’t able to find or identify, but Mrs. Bowen’s team checked everything imaginable and was not able to find any evidence,” she explained.
An article published by The Times of Trenton on October 6 affirmed that student personal information “was inadvertently open to public access in the school’s computer network for as long as two years.”
Despite the college not having any knowledge of fraud, the security breach is still classified as hacking, according to experts. Robert Rottkamp, Key Account Manager of Nettitude Inc., a company specializing in cyber security, explained that unauthorized access to student files is considered hacking.
“Accessing data without permission is generally a criminal offense potentially punishable by fines or even jail time. 500k/4 years,” said Rottkamp.
The letter sent out to the students recommends that students “remain vigilant” and “monitor all account statements.” Bowen did not explain exactly what would be done in case some of the information accessed was misused.
“We don’t anticipate any problems. If there are incidents, we advised people if they’re concerned to put a fraud alert on their account,” said Donohue.
Bowen also explained that Mercer has some procedures to make sure all the data is properly stored and secured. “What we did was audited all of our servers to ensure that the security was set correctly,” she said.
According to Bowen, auditing the servers is something that Mercer does on a regular basis, including the day of the security breach.
Despite the college’s reassurances, students are concerned with their data safety. Anajae Register, a Business Administration major, said, “I think the problem should be fixed because I don’t feel my information is secure at Mercer.”
Sylena Tanner, a Liberal Arts major, told The VOICE, “[Mercer] didn’t do a good job securing the info.”
Other students are angered about the delay in relaying the information to the students. Despite the security breach taking place on August 24, the letters were not sent out to students until September 28.
“We should have been informed as soon as it happened. I don’t like the idea of someone messing with my social security number,” said Jabri Louis, an education major.
According to President Donohue, the college did not inform students for over a month because of “all of the double checking and guarantees.”
Donohue said that if the college had found evidence of the system being hacked or multiple breaches, the college would have informed students earlier.
“I don’t want to share bad information. Sometimes sharing no information is better than sharing bad information, until I’m sure I can tell you the facts,” Donohue said.
Mercer did not hire any outside security service to help them address any other possible weaknesses in the system, according to Bowen.
According to Martins Watts, Director of Nettitude Inc., a company based in New York City that specializes in IT security and risk management assessment, hiring outside consultants is the appropriate way to handle this kind of situation.
“It is absolutely appropriate for a breached organization to engage with a professional consultancy. Sweeping it under the rug does not address the problem…a more serious breach or a leaked story about this kind of breach not being remedied can both be embarrassing and catch the attention of would-be attackers,” explained Watts. Watts also said that while the college is referring to incidental improper “accessing” of data, the appropriate term to use in this case is, in fact, “hacking.”
According to New Jersey’s electronic crime statutes, “2C:20-25-4: A person is guilty of computer criminal activity if the person purposely or knowingly and without authorization, or in excess of authorization: accesses any data, database…or computer network.”
The State Police of New Jersey have a special Cyber Crimes Unit with two specialized investigative squads and a hotline number to call. Part of the mission of the CCU, according to their website, is to assist in investigations where unlawful access of a computer network has occurred. It does not appear from any statements the college has made that they ever contacted the CCU.
Executive Director for Compliance and Human Resources, Jose Fernandez, told The VOICE that he would not comment on the situation.
When approached for a follow-up interview, Director of IT Susan Bowen declined to answer further questions, saying she was not allowed to talk about the case anymore.
Michael Flaherty, Chief of Security, told The VOICE he doesn’t know what lab the student was in. “There are a lot of labs at Mercer. He/she could be anywhere on campus.”
He also said that he does not have any other information about the case and that the issues are under investigation by Susan Bowen and the IT Department.