The evening of March 30 took the university by surprise, as Bradley employees were notified of a data breach.
University spokeswoman Renee Charles said approximately 4,700 current and former employees’ personally identifiable information may have been accessible to unauthorized users. She also said that students would not be affected by this breach unless they are dependents of university employees.
“We immediately identified malware on two computers [on March 26] that were removed from the system and deactivated,” she said. “We have our internal computing services, external computing service experts, the FBI and the [Internal Revenue Service] all working together on this.”
Charles said one or two employees had initially reported a suspicious IRS notification that informed the individuals their tax returns would not go through when filed.
As more employees were found to be receiving the same notification, Charles said the university immediately opened an internal investigation.
“The malware may have been able to capture this personally identifiable information such as names, dates of birth and social security numbers,” she said.
Charles said although the university is unaware exactly how the malware was transferred onto the computers at this time, the goal of the investigation is to determine where it came from.
Retired Associate Provost of Information Resources and Technology (IRT) Chuck Ruch said viruses such as malware can be transferred onto devices in ways as simple as clicking a link in an email.
“If someone sends you something that appears to be a PDF file, but they hid malware in it, when you click on them, then they work in the background and install [while you’re looking at the PDF],” he said.
Ruch also said although nothing like this happened in the 10 years he worked in IRT, the only real way to remove any sort of risk is to not use the Internet at all.
“There is no silver bullet to keep things like this from happening,” Ruch said. “People are always subject to manipulation by people with nefarious intent.”
Charles said the university has always taken precautions with Internet safety and has been hiring security auditors to come and audit the university’s system annually for the last five to six years.
Ruch said this is an important part of Internet safety.
“Security auditors come with the goal to try and break into our machines,” Ruch said. “They find vulnerabilities, and we fix them to prevent things from happening.”
Charles said the university is sorry for this breach of information and will do everything possible to solve the issue.
“We so sincerely apologize for this happening because we take it very seriously,” she said. “[In the annual audits], we receive high rankings every year. We just had one six months ago. We’re very sorry, and we’ll do everything we can to help people protect themselves.”
There are three primary venues Charles said employees can utilize during this time.
The first is the Bradley website created to address this problem, which provides frequently asked questions, a step-by-step process of what to do if you think you’ve been affected, resource links and credit reporting help pages.
The second piece of the plan is offering a one-year subscription, at no charge, to LifeLock services for all Bradley employees. Charles said in order to accept this offer, employees must go to the Bradley webpage and use the direct link and code.
Finally, the university has created a call center that is on-campus and available each day to help those who may have been affected.
“We may never know why this happened, but we are looking and trying to get as many answers as we can,” Charles said. “The best way to help do that is to call the resource center. They are local people answering questions on campus right now, and it helps us gather information [for the investigation] too.”
Charles said what the university does next will depend upon what the investigation turns up.
Ruch said he believes in the staff working to find a solution.
“I have the utmost confidence in my IRT staff that I left behind,” he said. “The security guys are second to none.”
For more information, visit the webpage at bradley.edu/databreach or contact the call center at (309) 677-4653.