All GC students received an email from Chief Information Officer Susan Kerr explaining the possibility of students’ information being on the dark web on Nov. 3. This data has the potential to include Social Security numbers as well as other Private Personal Information, or PPI.
MOVEit is a system used by many different organizations and corporations. It allows these groups to safely transfer files that may contain private and personal information from one file to another. However, in late May 2023, it was confirmed that an unauthorized party breached the MOVEit server and extracted data.
This breach has affected over 2,500 organizations, according to a tally by Emsisoft, a security software company. Banks, government records, school records, security companies and more were all affected by this assault. Colleges and universities across the world have been impacted by this situation, and GC is one of them.
“After reading this email that mentions the security breach affected hundreds of organizations, I fear my personal information is exposed in places I can’t monitor it on, like the dark web,” said Peyton Cusick, a junior computer science major. “It’s frustrating that if it is out there, there’s no way to get it back.”
Dr. Mikkel Christensen is an assistant professor of strategic communication with research in crisis communication. Crisis communication is how a person or organization protects its reputation and communications effectively during the event of threat or disruption to usual activities.
“They [GC] also do a pretty good job, from a crisis communication perspective, in the first email to basically blame someone else, and that sounds negative, but I think they kind of have a point in, well, it was MOVEit, not Georgia College,” Christensen said. “MOVEit, it was their fault.”
Kerr’s email listed several ways that students can make efforts to protect themselves from current and future identity and information theft. Her suggestions include regularly changing passwords, using different and complex passwords rather than relying on one for multiple platforms, checking bank statements, using multi-factor authentication and only using your Bobcat email address for GC purposes.
“The key is not so much being like, ‘Oh my God, my stuff is out there on the dark web,’ it’s ‘I’m going to make sure I keep myself safe on a day-to-day basis,” Kerr said. “All of those steps I outlined in that email, those are things you can do even if your SSN [Social Security number] is out there on the dark web. I got one of these emails, so my stuff’s out there too. I’m not freaking out about it because I know that I watch my accounts.”
All students at GC are already required to engage in some of these protective measures to ensure that their school accounts stay safeguarded. Using Duo two-factor authentication is mandatory to log into Unify and other GC accounts. This measure notifies students whenever a login attempt is made on their account and allows them to deny entry if they are not the ones signing in.
“I use it [multi-factor authentication], like Duo or on the phone texts or emails,” Cusick said. “I like it for things like important personal accounts, like banking or even retail websites because I save my card information and address on there, too.”
Additionally, students are all required to change their passwords every few months. That way, even if there was a break or leak of information and students’ passwords ended up on the dark web, the credentials would become useless, as there would be no way of determining the new password.
“Change it up so that even if they have some information, it’s outdated, and it doesn’t do them any good,” Kerr said.
Although some GC students may end up impacted by this information breach, it is not directly the fault of GC. MOVEit is commonly used by the University System of Georgia as a whole, along with many other corporations with access to similar sensitive information.
“This MOVEit breach was so expansive, so if your information got captured through that, it could’ve even been through another company,” Kerr said. “So it’s really hard to know exactly where it came from. Maybe it did come from us and the university system data, but we don’t know for sure.”
There is no way of knowing what, if any, information was accessed. Not every student will find themselves at risk, but there is no sure way to determine what information is no longer secure. Taking the measures outlined in Kerr’s email can help safeguard oneself against identity theft. Although changing passwords and using multi-factor authentication may seem like a hassle, it is much simpler than recovering from a breached bank account or stolen identity.