LACONIA — The Lakes Region Scholarship Foundation has mailed notices informing former Lakes Region high school students who had applied for scholarships during the period between 1996 and 2009 of a computer security breach incident, which may have resulted in the compromise of applicants' names, addresses and social security numbers.
Lakes Region Scholarship Foundation is a nonprofit corporation that provides scholarships to college bound students in the Lakes Region. According to Executive Director Joan Cormier, on Feb. 15 an employee of the foundation was contacted via telephone by a person purporting to be calling about a computer error message.
"Coincidentally," she said, "the employee who answered the telephone was in the process of installing an updated version of an anti-virus software program and had just witnessed an error message screen. Because of this fact, the employee assumed that the call was legitimate and gave the caller access to the computer system."
The person said that they were running a test of the system and then told the employee that they "had been hacked" and the computers were compromised. The employee became suspicious when the caller offered to fix the issue for between $399 and $599 and asked for a credit card. The employee then hung up, shut all computers down and contacted the Foundation's IT service provider, Cybertron Inc. of Belmont, who immediately responded.
Cybertron found that a certain program that would allow for future access of the system had been installed. Cybertron did not find any evidence that any files had been downloaded during the incident, or that any personal data had been compromised, and the foundation has since come to believe the security breach was intended as the first step in a now thwarted scheme to access its bank accounts.
In response to the incident, Cybertron immediately uninstalled the program that would have allowed for future access and took additional steps to ensure that the foundation's computers would not be accessed again as a result of the incident. The foundation contacted its banking institution to put holds on all electronically accessible accounts and subsequently closed and reopened bank accounts in order to safeguard the foundation's operating funds and the endowment funds used to provide scholarships.
"Our first concern was that we safeguard the funds that have been entrusted to us," said Cormer. "Thankfully, we acted quickly and decisively and not a penny was lost as a result of the incident."
The foundation also engaged Lawson Persson & Weldon-Francke of Laconia to ensure that it complied with all legal requirements relating to the incident. Prior to 2009, the foundation was required to collect and transmit Social Security numbers of those individuals who received scholarships to colleges and universities. Applicant names, addresses, other contact information and Social Security numbers were stored in Microsoft Access and Microsoft works database files and totaled 1,966 unique applicants. This information is protected under New Hampshire law and any unauthorized access of this information must be disclosed to those individuals who were affected. In this case, there was no evidence that personal information was accessed, but also no evidence to conclusively prove that it was not accessed.
Cormier said "regardless of whether we are legally required to do so, we have decided to notify all who may have had their personal data compromised. It would have been far easier to dismiss this incident and sweep it under the rug as a thwarted theft attempt. However, as an organization, we believe that it is important that we be upfront, open and honest with our applicants, donors, and the communities that we serve and, for that reason, we are proceeding as if an actual data breach has occurred."
In addition to the notices mailed to all potentially affected individuals, the foundation has also notified the New Hampshire Attorney General and nationwide consumer reporting agencies of the incident.
Computer data security breaches have become frequent occurrences in recent years with sophisticated large retailers, hospitals and financial institutions falling victim. However, Tracey Rich, vice president of Cybertron, ssaid "the major breaches are what make the 11 o'clock news but small-scale breaches occur far more frequently and impact a variety of organizations. Thankfully, the employee in this case acted appropriately when something didn't feel right. Unfortunately, others don't and the hackers are able to do substantial damage with the information that they are able to covertly obtain."
Rich said that there are a few simple rules that will help to avoid incidents like this.
"If you don't know someone and know them well, don't give them access to your computer system," he said. "Make sure that any new software that you are installing is authentic and doesn't include spyware or other malicious code that can be used to covertly access your computer. Beware of email attachments or hyperlinks in emails; if you question something, call or email the sender to verify that they actually sent it before opening a file or following a link. If you need to maintain personal information like Social Security numbers, make sure that these files are encrypted to prevent third-party access to them. Finally, password protect your systems and make sure that your passwords are not easily guessed."
Following these guidelines won't ensure that you won't be subject to a data breach, but they will greatly reduce the risk of one.
Former applicants, donors and members of the community with questions may contact the Lakes Region Scholarship Foundation at 603-527-3533.