Notice of Network Security Event
Notice of Network Security Event
Dear Members of the NJCU Community,
As we approach a new academic year, the University would like to take this opportunity to provide an update and additional context about the June 2024 network security event now that our established dedicated assistance line is up and running. Below we also share general information about responding to cyber events to help provide the community with a better understanding of the expert guidance that the University followed to respond to this crime.
When a network security event is identified, it is treated with the utmost importance. The primary goals of addressing such an event include containment, recovery, investigation, and notification. Throughout the incident response lifecycle, these goals will sometimes be parallel, intertwined, or staggered depending on the stage of the response and the specific factors that are unique to each event. This is a time and resource intensive process, and there is simply no shortcut for doing an investigation securely and methodically — it takes time, especially, when an active threat needs to be authenticated and mitigated simultaneously without compromising the confidential steps taken to thwart the bad actor’s actions.
Immediately upon the University’s detection of the June network security event, we internally mobilized to contain the incident. We also engaged third-party specialists to assist us with responding to the event and worked with them to secure our environment, investigate, and provide notice of the event.
As a part of the initial containment process, NJCU’s computer network was proactively isolated, including disconnecting certain systems from the internet and shutting down other systems as needed. As part of the response to the event and to aid in the securing of our environment, the University forced a reset of all computer and account passwords, for which we appreciated everyone’s cooperation. The University worked very hard with our third-party specialists and vendors to bring systems securely back online as quickly as possible.
The June 2024 event was a criminal act. Recognizing such, the University quickly notified law enforcement, including the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), the Federal Bureau of Investigation, and the Department of Homeland Security, upon becoming aware of the event. The University also notified the State Appointed Monitor, its Board of Trustees and the Secretary of Higher Education of the event.
The University worked expeditiously to assess the incident and provide notice and resources to impacted individuals. The University issued a public notice to the media and posted information on its website regarding the event and has continued to update the website as more information became available. These notices included measures individuals could take immediately to protect themselves — such as having one’s credit frozen, monitoring one’s accounts, and obtaining copies of credit reports. Once available, the University announced the establishment of a toll-free assistance phone line and offered complimentary identity monitoring services — all paid for by NJCU.
The University is working hard to add additional security measures to protect against similar incidents moving forward. We will continue to work with our third-party specialists, state-wide partners, and law enforcement agencies to strengthen our collective efforts to defend against these criminal encroachments.
Unfortunately, we live in a time where cybercrimes are becoming increasingly more common. In fact, there have been reports of similar cyber events in the news over the last few months that have victimized both public and private institutions and organizations. Higher education institutions have increasingly become targets. These incidents may at times be difficult to detect and take time to fully investigate before providing notice.
The University deeply values and respects its community and hopes that this additional context about the response process provides meaningful insight and understanding. We again thank our community for their patience and apologize for concerns this event may have caused.
We encourage our community to take advantage of the complimentary resources, and should any new developments arise, we will keep our community apprised via our website. We hope everyone has a great fall semester.
New Jersey City University Provides Notice of a Network Data Security Event
Jersey City, NJ – (Updated: August 12, 2024) New Jersey City University (“NJCU”) deeply values its community of diverse students and faculty. NJCU is providing notice of a network data security event that may affect information related to certain individuals. In June 2024, our computer network was accessed without permission by an unknown actor. In response, we immediately notified law enforcement authorities, took steps to secure our computer network, and initiated a thorough assessment of the matter to determine what happened and how it may affect information that was stored on the network. During our review, we identified that certain files may have been copied from the network, which could include an individual’s name and some or all of the following types of information: Social Security number, driver’s license number, financial account number, and credit card number. Notices will be sent to potentially affected individuals by email in the coming weeks.
Individuals are encouraged to remain vigilant against incidents of identity theft and fraud by reviewing their financial account statements and monitoring their free credit reports for suspicious activity and to detect errors. It is also recommended that individuals review the “Steps Individuals Can Take To Protect Personal Information” section below for additional guidance on reviewing accounts and credit reports, and to learn about placing a fraud alert or security freeze on one’s credit file.
Further, as part of our response to this matter, we are evaluating additional technical security measures and practices to reduce the risk of reoccurrence.
If individuals have questions about this matter, we are including Frequently Asked Questions below. Further, if individuals have concern that they may be affected but did not receive an email, they may contact our dedicated assistance line that has agents ready to assist them. Individuals may contact our toll-free assistance line Monday through Friday at 1-833-531-1135 between 8:00 a.m. and 8:00 p.m. EST. Individuals may also write to us at New Jersey City University, Attn: Office of University Counsel, 2039 Kennedy Blvd., Jersey City, NJ 07305.
Frequently Asked Questions
What happened? Between June 4 and 10, NJCU’s computer network was accessed without permission by an unknown actor and certain files may have been copied without permission.
Was my information potentially affected? NJCU will email notices to potentially affected individuals in the coming weeks. If individuals would like to confirm whether they may be affected earlier, or did not receive an email notice by August 23rd, they may contact our toll-free dedicated assistance line at 1-833-531-1135.
What information was potentially affected? The types of information that could be affected varied by individual, but the information collectively included name, Social Security number, driver’s license number, financial account number, and credit card number.
Is NJCU offering identity monitoring? Yes, NJCU is offering complimentary identity monitoring to potentially affected individuals. Enrollment instructions along with a unique code will be included in the notification email. Individuals may also contact the call center to confirm whether they may be potentially affected, and an identity monitoring code will be provided as appropriate.
Does receiving a notice mean you are the victim of identity theft? No. However, to address concerns, individuals may enroll in the complimentary identity monitoring and take additional steps detailed in the “Steps Individuals Can Take To Protect Personal Information” section below.
Why is notice being issued now? Upon learning about this matter, NJCU moved quickly to investigate what occurred, assess the security of its systems, and identify potentially affected individuals. Comprehensive investigations to determine what occurred and detailed data reviews take time to complete.
Was this a ransomware event? Yes, an unauthorized individual did try to lock some of NJCU’s files to seek payment in exchange for a key to unlock the files.
Did NJCU pay a ransom? NJCU is not sharing that information but does note that this matter has been referred to law enforcement.
Was law enforcement notified? Yes, law enforcement was notified.
Is it safe to use the computer network? Yes.
What caused the access to the network? This information cannot be shared as it creates operational security risks.
Are NJCU systems online? Yes, NJCU systems are online.
Can I contact someone directly at NJCU to ask more questions about this matter? NJCU established a dedicated toll-free assistance line. All questions should be directed to the dedicated assistance line at 1-833-531-1135. NJCU employees will remain focused on providing educational services.
Steps Individuals Can Take To Protect Personal Information
Monitor Relevant Accounts
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Consumers may also directly contact the three major credit reporting bureaus listed below to request a free copy of their credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If consumers are the victim of identity theft, they are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should consumers wish to place a fraud alert, please contact any of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in a consumer’s name without consent. However, consumers should be aware that using a credit freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application they make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, consumers cannot be charged to place or lift a credit freeze on their credit report. To request a credit freeze, individuals may need to provide some or all of the following information:
Full name (including middle initial as well as Jr., Sr., II, III, etc.);
Social Security number;
Date of birth;
Addresses for the prior two to five years;
Proof of current address, such as a current utility bill or telephone bill;
A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if they are a victim of identity theft.
Should consumers wish to place a credit freeze or fraud alert, please contact the three major credit reporting bureaus listed below:
Equifax—www.equifax.com and 1-888-298-0045
Experian—www.experian.com and 1-888-397-3742
TransUnion—www.transunion.com and 1-800-916-8800
Additional Information
Consumers may further educate themselves regarding identity theft, fraud alerts, credit freezes, and the steps they can take to protect their personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or their state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Ave NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. Consumers can obtain further information on how to file such a complaint by way of the contact information listed above. Consumers have the right to file a police report if they ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, consumers will likely need to provide some proof that they have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and the relevant state Attorney General.