Certain members of the DU community received an urgent email from Director of Enterprise Risk Management Jeffrey Adams on Oct. 16, which notified them of a data breach experienced by International SOS, DU’s travel assistance service provider.
According to the email, a hacker illegally entered the International SOS system on Aug. 28 and viewed an unknown amount of personal data. A following email from the International SOS IT Team said this personal data may have included names, passport numbers and social security numbers.
“For any international travel, DU recommends you sign up with International SOS for increased security overseas,” said Robert Rudloff, assistant vice chancellor of University Technology Services (UTS). “It’s unfortunate that they had this breach.”
Rudloff said when International SOS discovered the breach, they thought it had only affected one part of their system that was not related to DU. When they found out it had affected other parts of their system, they contacted DU and other parties that may have been affected. He said they believe it is highly unlikely that DU data was viewed, but it is possible.
According to External Communications Manager Will Jones, approximately 400 DU community members who may have used International SOS services have been notified of this situation.
“International SOS is proceeding with great caution,” said Adams in his email. “They have briefed our management team on the situation, and we are satisfied that the situation has been contained.”
International SOS is now offering notified parties one year of free comprehensive identity theft protection coverage with CSID, the leading provider of identity protection and fraud detection.
Rudloff said International SOS does not know who the hacker was. He added that they do know how it was done, but they will not tell DU or other affected parties.
“Every organization, including us, is going to give out limited information on their security, because it’s not a good strategy to give out all your security information,” said David Hendrickson, information security manager of UTS.
However, Rudloff said International SOS told DU about the forensic specialist they brought in to assess the situation.
“They did a lot of work to understand what happened and make sure it won’t happen again,” he said. “From a security perspective, besides having the breach in the first place, they did everything right.”
According to Adams, there have been no confirmed events of misuse of any individual data as a result of this incident.
“International SOS has provided quality travel assistance services to students and other members of the university community who participate in the study abroad program for several years,” said Jones. “The university plans to maintain its contract with ISOS.”