Having trouble viewing this email? View it in your browser.

Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

March 2017
Vol. 9 No. 3
Quotable...
“Common sense is unfunded”

-- Unknown

Last month we started our annual review of events by category from last year's Case in Point. This month we focus on Information Technology, which certainly brings some substantial and unique risks to our institution. When we look at the breakdown in this category, we see stories in the following areas:

  • Hack/Breach 47%
  • Miscellaneous 15%
  • Accidental Loss or Accidental Exposure of Data 13%
  • Phishing 10%
  • Cyberterrorism 5%
  • Denial of Service Attacks 5%
  • Malware 5%

Hack/Breach related events are typically from sources outside the institution that inappropriately access protected data. Virtually all industries deal with hacking on some level; higher education is no exception with attacks coming from around the globe.

Phishing remains another significant problem we see in our industry. We have linked to a story this month where an institution was scammed out of a substantial amount of money via a phishing scheme. All employees must remain very vigilant and alert to the e-mails they receive and think carefully before they click any attached links or documents.

Accidental loss or exposure of data can occur in a variety of forms from a stolen laptop (which becomes even more problematic when the laptop is unencrypted), to a lost jump drive, to accidentally exposing sensitive data to the web. Training is a key component in preventing this type of event.

AU's Information Security Group has put together a very helpful resource at this link: http://www.auburn.edu/oit/security/. We encourage you to browse through these suggestions for ways you can protect yourself and our institution from IT related risks. We also encourage you to review this month's events across higher education and consider ways you can proactively manage risk here at Auburn University.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy



Information Security & Technology Events

Mar 29, 2017: Stolen email addresses and passwords from the largest US universities are offered for sale on the Dark Web at anywhere from $3.50 to $10 apiece. But that's only a snapshot of a lucrative underground market for pilfered -- and even spoofed and phony -- student, faculty, staff, and alumni email credentials, according to new research published today by the nonprofit Digital Citizens Alliance (DCA) that searched the Dark Web for credentials from the top 300 US universities. (link)

Mar 27, 2017: A third party may have gained unauthorized access to patient information -- including names, birth dates and social security numbers -- after a phishing attack at Washington University's medical school. A post on the Washington University School of Medicine website said an employee fell for a phishing email designed to look like an official request for information. After learning of the incident, the school secured emails and began an investigation. (link)

Mar 27, 2017: Daytona State College students who applied for financial aid might find themselves in a financial mess. The school said a data breach involving financial aid forms means thieves could have personal information needed to steal students' identities. It marks the second security breach involving the school. It said the breach involved federal financial aid records, and students' parents may also be at risk. Students said the school sent out this letter over the weekend saying it uncovered a data breach involving students who applied for the free application for federal student aid, or FAFSA. (link)

Mar 22, 2017: Coastal Carolina University was scammed out of approximately $1.1 million and is working with multiple law enforcement agencies to investigate the phishing scams that happened in December, according to a news release. Two similar incidents happened around Dec. 9 when an individual claiming to represent a company under contract with the university contacted CCU via email to request a change in the company's bank account information, CCU said. (link)

Mar 15, 2017: The Twitterverse is waking up to a major hack today. A strange tweet beginning with a swastika and containing hashtags saying "Nazi Germany" and "Nazi Holland" made the rounds early Wednesday morning. The tweet was sent thousands of times from numerous high-profile accounts of brands, businesses, and public figures, including Worcester State University and Polar Seltzer. (link)

Mar 08, 2017: A data breach at Daytona State College could have exposed the personal information of hundreds of state employees, the school said. School officials said it's possible that both current and former employees could be affected by the breach, but they didn't specify how many people were impacted. The breach involved employees' 2016 W-2 forms, the college said. Officials said they launched an investigation Feb. 19 after they were notified about the incident. It's unclear how the breach happened. (link)

Mar 03, 2017: The FBI is investigating an alleged hack of Kennesaw State University server. Channel 2 Investigative Reporter Aaron Diamant reports the state voter data kept by the Center for Election Systems was compromised. Sources tell Diamant the hack happened Wednesday night and voter data maintained there was compromised. The Georgia Secretary of State uses the Center for Election Systems at Kennesaw State to facilitate elections in all Georgia counties and maintain voting machines. (link)

Mar 03, 2017: On January 13, 2017, two unencrypted laptops were stolen from the home of a University of California, Santa Cruz (UC Santa Cruz) researcher/instructor. UC Santa Cruz narrative evaluations dating from 2000 to 2004 contained personally identifiable information including names and Social Security Numbers (SSN) (which were used as the Student ID number prior to 2005). In addition to SSN, student record information including grades, narrative evaluations and email addresses were on the stolen laptops. (link)


Fraud & Ethics Related Events

Mar 24, 2017: UC Berkeley Chancellor Nicholas Dirks improperly accepted free university benefits, including membership to the campus fitness center, two years of personal training sessions and the unauthorized transfer of exercise equipment from the public gym to his private residence, a university investigation has found. UC ethics rules bar employees from the unauthorized use of campus resources or facilities or the "entanglement" of private interests with UC obligations. (link)

Mar 23, 2017: Alabama A&M University's chief operating officer and executive vice president has pleaded to guilty to charges stemming from a state audit on the university's finances. Kevin Rolle pleaded guilty to possession of a forged instrument. Court records show he has agreed to 12 months in the county jail and may argue for a suspended sentence. He also agreed to pay court costs. The charges stem from Rolle's moving expenses when he took his job at AAMU in 2009. According to the indictment, he collected more than $6,000 in moving expenses, but those expenses could not be verified later. (link)

Mar 09, 2017: A Pocatello man accused of embezzling over $100,000 from Idaho State University could face more than a decade in prison if convicted. Tyler Liddle, 29, a former financial technician at ISU, was charged with felony misusing public funds by a public officer or employee on Feb 28 after allegedly embezzling over $100,000 from the school over a period spanning several years. (link)

Mar 08, 2017: Dr. Carlo Croce is among the most prolific scientists in an emerging area of cancer research involving what is sometimes called the "dark matter" of the human genome. Over the last several years, Dr. Croce has been fending off a tide of allegations of data falsification and other scientific misconduct, according to federal and state records, whistle-blower complaints and correspondence with scientific journals obtained by The New York Times. In 2013, an anonymous critic contacted Ohio State and the federal authorities with allegations of falsified data in more than 30 of Dr. Croce's papers. (link)

Mar 06, 2017: Bonuses paid to executives and administrators in the University of Missouri System "may violate the Missouri Constitution," the state auditor says in a new report that details hidden bonuses, "excessive" luxury vehicle allowances -- and $100,000 in retention payments to a chancellor who resigned amid a furor, only to be rehired in a new post months later. "Administrators appear to have forgotten that the system is a public institution, and that they are accountable to taxpayers, students and families," Missouri State Auditor Nicole Galloway said in presenting her report on the University of Missouri System and its Board of Curators. (link)

Mar 06, 2017: A nonprofit corporation that provides therapeutic horseback riding for children with disabilities has filed a lawsuit accusing the Rogers State University Foundation of fraud. The foundation (RSUF) is accused of scheming to manipulate Bit by Bit Therapeutic Riding Center into agreeing to raise $1.3 million for land previously donated to the university for Bit by Bit's benefit. The defendants are the foundation and the University of Oklahoma Board of Regents, which governs both OU and RSU. (link)

Mar 06, 2017: The dean of students at Sullivan County Community College has been arrested and charged with stealing over $9,000 from the Loch Sheldrake school. State police alleged that John Agnelli, 42, of Loch Sheldrake, had made charges for personal expenses on a college credit card. (link)

Feb 28, 2017: A former New York community college basketball coach accused of scheming to get star players into NCAA Division I schools with forged transcripts has pleaded guilty. District Attorney Anthony A. Scarpino Jr. says Tyrone Mushatt has admitted providing St. John's University with a forged transcript for a Westchester Community College player. Mushatt also admitted that he conspired to possess and turn over 10 forged WCC transcripts of six players to St. John's, Quinnipiac University, Concordia College and Florida A&M University (link)

Feb 28, 2017: A radio station engineer at the College of DuPage whose theft arrest was the first in a series of allegations of campus financial impropriety pleaded guilty Tuesday to theft over $100,000 from a school. Authorities said John J. Valenta fraudulently billed the college for $400,000 in parts for the radio station that were never installed. (link)


Compliance/Regulatory & Legal Events

Mar 24, 2017: University of California officials spent nearly $1 million investigating former UC Davis Chancellor Linda P.B. Katehi, a probe that ended in her resignation last August and a deal that allowed her to take a year off at full pay before returning to a faculty job, according to figures released Friday. The four-month investigation was ordered last April by UC President Janet Napolitano after disclosures in The Sacramento Bee about Katehi's acceptance of lucrative corporate board seats and her use of university funds to clean up her image online. (link)

Mar 24, 2017: Former Penn State University President Graham Spanier was convicted Friday of not doing enough to stop Jerry Sandusky, whose crimes rocked the university and sent the school spiraling into the darkest period in its history. After two days of deliberations, the seven-woman, five-man jury found Spanier guilty of one count of misdemeanor child endangerment, but acquitted him of felony conspiracy and a second felony child endangerment count. (link)

Mar 24, 2017: Newly released legal bills show UNC's costs related to the long-running academic-athletic scandal are approaching $18 million. From mid-2015 to near the end of last year, UNC said Friday that it has spent another $5.6 million on legal costs for the NCAA investigation, three lawsuits by former athletes who say they were harmed by the scandal and document reviews for two public records requests. UNC had previously spent roughly $12 million on legal, investigative and public relations costs related to the scandal involving classes that had no instruction and provided high grades for papers regardless of quality. (link)

Mar 23, 2017: Gym, tan, legislation. A bill inspired by Jersey Shore star Nicole Polizzi, better known as Snooki, aims to cap spending of state money for speakers at public universities in New Jersey at $10,000. Republican Assemblyman John DiMaio was inspired to write the bill after learning of the reality star's $32,000 fee she received for her appearance at Rutgers University in 2011. (link)

Mar 22, 2017: Former University of Alabama receiver Antonio Carter has filed a lawsuit alleging fraud against Florida Atlantic coach Lane Kiffin, Florida Atlantic University and the state of Florida. The lawsuit, first reported by SEC Country, contains counts of reckless fraud, fraud through mistaken false statements, breach of contract, unjust enrichment and promissory fraud and conspiracy. (link)

Mar 21, 2017: Kentucky Governor Matt Bevin signed a bill into law on Monday aimed at protecting student organizations' rights to manage internal affairs in a manner that is consistent with the group's religious or political beliefs. The law passed through the House and Senate nearly unopposed, with only three senators and eight House members voting against the law. The legislation amends KRS Chapter 158.183 to allow students to voluntarily express religious or political viewpoints in public schools and postsecondary institutions. Students and human rights groups fear the legislation could allow student organizations to exclude people with conflicting lifestyles, specifically LGBTQ students. The law also allows educators to incorporate religious texts into core curriculum. (link)

Mar 16, 2017: The University of Wisconsin-La Crosse is reversing course on its decision to terminate one of its employees. Chancellor Joe Gow said late Wednesday that UW System legal counsel recommended the campus offer Kimberly Dearman her position back as a dispatcher at the UW-L Police Department. Dearman was terminated on Monday after an investigation by UW-L, which Gow said did not follow all of the due process requirements. (link)

Mar 15, 2017: A former volleyball coach at Indiana University Northwest in Gary was charged with sexual battery after he was accused of inappropriately touching and kissing a teenager. Jan Emilio Torres, 48, of Munster, was in his first year coaching at IUN but let go last week after the misconduct allegations came to light. The alleged incident occurred about a week and a half ago at the university. The campus police handled the investigation. (link)

Mar 13, 2017: Two former Penn State University administrators each pleaded guilty Monday to a misdemeanor child endangerment charge for his role in the Jerry Sandusky child molestation case, more than five years after the scandal broke. Ex-Athletic Director Tim Curley and former university Vice President Gary Schultz originally were charged with felonies. The reduced charge is punishable by up to five years in prison. Penn State's costs related to the Sandusky scandal are approaching a quarter-billion dollars. (link)

Mar 12, 2017: Two Ohio University graduate students last week filed a civil complaint in federal court alleging their civil rights were violated by the university, an OU English professor and the former chair of OU's English Department. In their complaint filed in the U.S. District Court for the Southern District of Ohio Wednesday, the two graduate students, Susanna Hempstead and Christine Adams, allege that OU English professor Andrew Escobedo sexually harassed and sexually touched them without their consent during multiple incidents in Athens in December 2015. (link)

Mar 09, 2017: The former senate president and a former lecturer at Metropolitan State University of Denver have sued the college claiming they were punished or fired after reporting alleged sexual improprieties by the university's marketing chairman. The lawsuit was filed Wednesday in U.S. District Court in Denver on behalf of Kamran Sahami and Kristin Watson, accusing MSU of retaliation and creating a sexually hostile work environment. Although the lawsuit does not name Marketing Department Chairman Gregory Black as a defendant, it revolves around claims that he retaliated against faculty including Watson who say they saw him masturbating at the university. (link)

Mar 09, 2017: Chicago State University agreed Thursday to pay a former school attorney $4.3 million, ending a long and expensive landmark whistleblower lawsuit. The unexpected agreement came after the cash-strapped public university, whose delays had driven up the interest it owed, told a Cook County judge it would immediately pay James Crowley, who said he was fired in 2010 after reporting alleged misconduct by top university officials. (link)

Mar 09, 2017: Two professors are suing the University of Michigan for discrimination based on race, gender and marital status and retaliation for voicing their concerns, among other counts. Their joint complaint, filed in a county court, alleges that the university's stated commitments to diversity are superficial, and that institutional racism and a hostile campus climate for underrepresented faculty members and students of color persist. (link)

Mar 06, 2017: Last week, the Mackinac Center for Public Policy filed a lawsuit against the University of Michigan regarding the state's Freedom of Information Act, claiming the University failed to provide the documents requested within due time. On Nov. 16, Derek Draplin, a reporter with the Mackinac Center's Michigan Capitol Confidential media outlet, issued the request on behalf of the nonprofit Michigan corporation to release University President Mark Schlissel's emails containing the word "Trump" from July 1 to Nov. 16 of 2016. (link)

Mar 01, 2017: A former Emory University professor was sentenced to six years and six months in federal prison Wednesday after he pleaded guilty to downloading at least 8,000 child-pornography images using the university's Wi-Fi. Kevin M. Sullivan, 61, of Atlanta, pleaded guilty to downloading the images in December, according to a release from U.S. Attorney John Horn. Sullivan will be on seven years of supervised release after his sentence. (link)


Campus Life & Safety Events

Mar 29, 2017: A not-guilty verdict for an Ohio University student protester has gotten dozens of his classmates off the hook. The city of Athens has dropped misdemeanor criminal-trespassing charges against 55 students who were arrested by university police Feb. 1, said city Law Director Lisa Eliason. The arrests came after students refused to end a sit-in at Baker Hall, staged to protest President Donald Trump's first immigration order banning people from seven majority-Muslim countries. (link)

Mar 28, 2017: A Rollins College student who has accused his Muslim professor of religious discrimination has been clashing with his teacher since the semester started, court records show. Areej Zufari, the professor, was so concerned about the behavior of Marshall Polston, 20, that she filed a "protection against stalking" request against him on Friday in Orange Circuit Court. Rollins has temporarily suspended Polston from school. The injunction request includes a long email that Polston, a Christian, sent to the professor after he received a failing grade on an essay in the Middle Eastern humanities class. (link)

Mar 22, 2017: Keith Darrell with the Whitefield Fellowship in Bellbrook, Ohio, said he visits campuses across the country to preach the Bible. Darrell stood behind a chair engaging with students when sophomore Randy Banks allegedly poured coffee on the proselytizer's Bible, which lay on the chair, according to witnesses. Banks, whose legal name is Randall Hughes, 20, ran away with police in pursuit. He was arrested on suspicion of malicious injury to property, obstructing a police officer, resisting arrest and disorderly conduct, according to jail records. (link)

Mar 20, 2017: One person has been charged in connection to a reported abduction near a sorority house on LSU's campus. Police have arrested 20-year-old Frank Herrera Jr. in connection to the incident, which occurred Wednesday. Herrera was booked into East Baton Rouge Parish prison. He was charged with kidnapping, 2nd degree rape, armed robbery, possession of schedule I drugs, and possession of a firearm on school property. (link)

Mar 14, 2017: The Police Chief at Central State University explains a campus shooting, armed robbery, and assault that all happened in a dorm building Monday (Mar. 13) night. The chief was the victim of the assault committed by a CSU student according to the Greene County Sheriff's office. Three suspects for the armed robbery and shooting investigations are currently still on the loose but are students at the University, according to Chief Stephanie Hill. (link)

Mar 07, 2017: State regulators slammed Duke University in a new report on a radioactive incident last month. According to the state report, in mid-February, researchers in the school's radiology department mishandled a sample of Uranium (U-235) without wearing gloves or other protective equipment and contaminated workspaces and other areas, on and off campus. (link)

Mar 06, 2017: Indiana University's Tri Delta sorority is being shut down. Sorority President Kimberlee Di Fede Sullivan released a statement Saturday saying the organization made the decision to withdraw Delta Omicron's charter. Sullivan said the decision came after an investigation found members had been involved in "activities that do not represent our high standards or align with Tri Delta's Purpose -- activities that also violated the chapter's previous probation terms." (link)

Mar 03, 2017: Middlebury College Professor Allison Stanger was injured by protesters Thursday evening as she was escorting a controversial speaker from campus. She was treated at Porter Hospital and released. Charles Murray, a political scientist who has been criticized for his views on race and intelligence, was invited to speak on campus by a student group. As Stanger, Murray and a college administrator left McCullough Student Center last evening following the event, they were "physically and violently confronted by a group of protestors," according to Bill Burger, the college's vice president for communications and marketing. (link)

Mar 01, 2017: An Ohio State student died Monday after falling from a parking garage on the campus, reports say. Madison Paul, of Zanesville, Ohio, was taken to Ohio State's Wexner Medical Center after falling from the Ohio Union South Garage Monday afternoon but died of her injuries. OSU police say foul play is not suspected. (link)


Other News & Events

Mar 24, 2017: The University of Tennessee at Chattanooga fired a reporter this week at WUTC, the National Public Radio affiliate, after local lawmakers complained about how she reported on a state transgender bathroom bill. Jacqui Helbert, 32, reported and produced the story for WUTC, which followed a group of Cleveland High School students as they traveled to the state capital March 7 to meet with Sen. Mike Bell, R-Riceville, and Rep. Kevin Brooks, R-Cleveland, about the legislation. (link)


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top


Office of Audit, Compliance & Privacy
Auburn University
304 Samford Hall
M. Kevin Robinson, Assoc. VP
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.