Boston University announced Friday it is exploring ways to increase cybersecurity measures in the wake of a recent Internet scam that stole paychecks from university employees.
“We must strengthen our technological means to help protect our information in order to forestall these kinds of attacks and limit exposure if they succeed,” university President Robert A. Brown wrote in a letter to the campus community, according to the university-run news website BU Today.
“We have focused on sound policy, user education, and detective controls to secure information,” Brown wrote. “While this approach has supported creativity and productivity, it now increasingly places us at risk—particularly in comparison to less open organizations. Cyber-criminals choose softer targets, as we have just experienced.”
A team of university experts will search for ways to “strengthen technical protections against exposure, theft, or loss of personal information,” Brown said.
The group, which has already begun discussions, expects to report its first set of recommendations back to Brown this spring. The university’s administrative council and deans council will review that feedback before implementation.
In December, an internet scammer or scammers allegedly stole monthly paychecks from 10 BU employees by somehow obtaining the workers’ usernames and passwords and changing their direct deposit information.
Another 68 university employees had work-related accounts accessed by an outside device using suspicious Internet protocol addresses, but officials have said they do not believe sensitive information was accessed from those workers.
Campus officials have said the FBI was investigating the case along with similar cases reported recently at several other universities.
Authorities said they believe the BU employees’ private log-in information was stolen through phishing, a common scamming technique in which people are lured in by fraudulent emails, links or websites that look genuine and trustworthy, and then unsuspectingly give up personal information.
Tracy Schroeder, BU’s vice president for information services and technology and one of the experts tasked with finding ways to improve the school’s cybersecurity, said an investigation of the December incident has revealed that the university needs to create more secure ways for access to BUworks, a portal used to manage payroll and other administrative tasks.
“We know from industry best practices that you can’t change your banking information now without a second factor [such as a phone or computer] for authentication,” Schroeder told BU Today.
Such a system would ask employees not only for their password, but also for verification through a second device whenever they try to log in from a phone or computer they do not normally use.
For example, an employee trying to access their account from a computer or phone they haven’t used before might be asked to verify their identity by entering a special code sent to their phone or email.
Schroeder said having a two-step verification process to log in is “the best way that we can protect folks’ personal information and not be basically just protecting against the last exploit that we got hit with.”
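The step-up check described above, applied to the direct-deposit change itself rather than only to login, as an added illustration that is not part of the article and not BU’s actual BUworks code: it assumes each user keeps a set of previously verified device fingerprints, and all names and the audit-log format are hypothetical.

```python
import hmac, hashlib, secrets, time
from dataclasses import dataclass, field

# Hypothetical policy: a direct-deposit change from a device the user has not
# verified before must be confirmed with a one-time code sent out of band.
CODE_TTL_SECONDS = 300

@dataclass
class User:
    name: str
    trusted_devices: set = field(default_factory=set)   # keyed device fingerprints
    pending_code: str = ""                               # empty = no challenge open
    pending_expiry: float = 0.0

def fingerprint(device_id: str, secret: bytes) -> str:
    """Keyed hash of a device identifier so raw identifiers are never stored."""
    return hmac.new(secret, device_id.encode(), hashlib.sha256).hexdigest()

def request_direct_deposit_change(user, device_id, secret, audit):
    """Apply the change from a trusted device; otherwise issue a step-up challenge."""
    fp = fingerprint(device_id, secret)
    if fp in user.trusted_devices:
        audit.append(f"{user.name}: direct-deposit change applied from trusted device")
        return "applied"
    user.pending_code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code, sent out of band
    user.pending_expiry = time.time() + CODE_TTL_SECONDS
    audit.append(f"{user.name}: step-up challenge issued for unrecognized device")
    return "challenge"

def confirm_with_code(user, device_id, secret, code, audit):
    """Verify the code; on success trust the device and apply the change."""
    if not user.pending_code or time.time() > user.pending_expiry:
        audit.append(f"{user.name}: step-up failed (no open challenge or expired)")
        return False
    ok = hmac.compare_digest(user.pending_code, code)   # constant-time compare
    user.pending_code = ""                               # single use, pass or fail
    if ok:
        user.trusted_devices.add(fingerprint(device_id, secret))
        audit.append(f"{user.name}: direct-deposit change applied after step-up")
    else:
        audit.append(f"{user.name}: step-up failed (wrong code)")
    return ok
```

Every outcome is written to the audit list so that a burst of challenges or failed codes across many accounts, the pattern a payroll-diversion campaign would produce, is visible to whoever watches the logs.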