Cyber Incident Victim: Iowa State University
Date:
Apr 2014
Location:
United States of America
Summary
Iowa State University experienced a breach of five departmental servers, exposing Social Security numbers of 29,780 students and university ID numbers of 18,949 additional individuals. The unauthorized access was attributed to attackers seeking to exploit server resources for bitcoin mining rather than targeting personal data directly. While no evidence indicated access to or theft of the exposed information, the university notified affected individuals, provided credit monitoring services for those with compromised Social Security numbers, and decommissioned the compromised hardware. Security enhancements included removing internet accessibility for similar servers, deploying encryption for mobile devices, implementing stronger password standards, and accelerating data classification policies to improve protection of sensitive information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In April 2014, Iowa State University's information technology staff identified unauthorized access to five departmental network-attached storage servers manufactured by Synology. The breach investigation revealed these servers contained Social Security numbers for 29,780 students enrolled between 1995 and 2012, though no evidence indicated the data files were accessed or exfiltrated. Analysis showed the intrusion aimed to exploit server computing resources for bitcoin mining operations rather than targeting personal information. Two additional servers in agricultural and biosystems engineering and materials science and engineering were compromised but contained no sensitive data. The exposed Social Security numbers belonged primarily to students who took courses in computer science (1995-2005), world languages and cultures (2004, 2007, 2011-2012), and specific materials science engineering classes from 2001. University officials confirmed no student financial information resided on the affected systems.
Iowa State immediately notified law enforcement and initiated mail notifications to all 29,780 individuals with exposed Social Security numbers, while separately contacting 18,949 additional students whose university ID numbers were present on compromised servers. The institution retained AllClear Identity to provide affected individuals with one year of complimentary credit monitoring, extendable to a second year upon request, alongside dedicated fraud assistance via a toll-free hotline. All breached servers were permanently decommissioned, physically destroyed, and removed from internet accessibility. Surviving Synology servers received critical software updates before being isolated from external networks pending replacement. The university accelerated implementation of its Data Classification Policy to strengthen security standards, initiated mandatory encryption for mobile devices, deployed scanning software to locate protected data across systems, and began developing enhanced password requirements. Senior administrators emphasized these measures built upon existing cybersecurity protocols while acknowledging the breach highlighted persistent vulnerabilities despite institutional defenses.