Reporting an Information Security Incident

If you suspect that a security incident involving electronic information or information technology has occurred, follow the 4-Step Approach below.


A security incident involving electronic information or information technology includes the following, whether suspected, attempted, or actual:

  • Unauthorized access, use, disclosure, modification, or destruction of electronic information
  • Violation of acceptable use policies for information or technology
  • Interference with the operation of university information technology resources, such as a denial of service attack
  • Discovery of weaknesses in the safeguards protecting electronic information or information systems

Examples include:

  • Ransom messages that request money to get a decryption key or to prevent the release of information
  • Loss or theft of laptops, desktops or other equipment used to access or store university data, including mobile phones, thumb drives and external hard drives
  • Intrusion into a computer system
  • Unauthorized access to sensitive information, such as Social Security numbers, health-covered data, or restricted research data, whether intentional or accidental
  • Disclosure of patient data from the School of Dental Medicine, such as a patient’s diagnosis or treatment, a patient’s medical report or medical record number, or details of a patient’s medical appointment
  • Unauthorized use of another user’s credentials or impersonating another university user
  • A denial of service attack
  • A compromised user account

If you are unsure whether an event is a security incident, it is best to err on the side of caution, and report the event.

Using a compromised computer or device could worsen the security incident and negatively affect the investigation. Your actions may alert the attacker and they may take action to remove evidence or delete files.

Immediately:

  • TAKE A PICTURE: If you see a ransom note, take a picture with your phone of all the information (including the header) and send the picture to abuse@tufts.edu.
  • STOP: Power off your PC, laptop or other device
  • DISCONNECT: If possible after powering off, disconnect the Ethernet network cable
  • Then STEP AWAY from the computer. DO NOT touch it, or take any other action, until advised by Tufts Technology Services (TTS).
  • DO NOT ENGAGE OR PAY: If you see a ransom note, DO NOT contact the hackers. DO NOT pay any fees, buy gifts cards, or send cryptocurrency.

All security incidents involving electronic information or information technology should be reported promptly to the:

TTS Service Desk at (617) 627-3376.

The Service Desk will instruct you on any actions you need to take while they analyze the situation and escalate the incident to the appropriate team(s).

Serious Security Incidents: Important Additional Reporting Advice

Some security incidents are much more serious than others. They are more likely to cause significant harm or to have a substantial impact on the university or individuals. The following types of events should be considered serious security incidents:

  • Involves restricted or other sensitive information (see Table I)
  • Involves data that is being encrypted, or has already been encrypted, probably by ransomware; threat actors are threatening to release data if a ransom is not paid; or an electronic ransom note appears on your screen or in a README file
  • Could result in serious harm to the University or to an individual or individuals (including significant reputational harm or identity theft)
  • Involves serious legal issues (including the potential imposition of civil or criminal penalties)
  • May result in serious disruption to critical University services
  • Involves widespread improper disclosure or use of electronic information or information technology
  • Is likely to raise substantial public interest

These serious security incidents require immediate action and should be reported immediately to both:

  1. The TTS Service Desk at (617) 627-3376 (available 24x7), AND
  2. The Office of Information Security: during business hours, call (617) 627-6070; during off hours, email abuse@tufts.edu

The Office of Information Security, in coordination with the Office of the CIO, will promptly notify University Counsel and other University groups as necessary.

  • STAY CALM. There is an established protocol for handling incidents, and Information Security and University Counsel are equipped to guide the process.
  • DO NOT DISCUSS the incident with anyone except your unit’s manager, your Information Steward, the TTS staff involved with your incident, and/or the University Counsel, unless you are authorized to do so. Limit discussing information to a strict need-to-know basis.
  • DO NOT SPECULATE. This is critical to ensure that only accurate information is disseminated, rather than suppositions or guesses as to what happened or the impact. The facts of the situation are often not clear until a thorough investigation and analysis have been completed.

    After an investigation, senior management will determine whether an event is an incident, and whether the incident is a breach.

  • WRITE A DETAILED DESCRIPTION to be shared with the incident team. Include details such as: what made you suspect the incident, what you know happened thus far, information on the device and the data affected, and what actions have been taken so far.
  • DO NOT PAY. If the incident involves a ransom demand, do not respond and do not pay. Make sure this information is escalated to the Office of Information Security, which will take appropriate next steps.

Table I: Restricted or Other Sensitive Information

Sensitive Personal Information (SPI)

  • Social Security Numbers
  • Driver’s License Numbers
  • Any Government-Issued Identification Number
  • Bank and other Financial Account Numbers
  • Credit and Debit Card Numbers
  • Biometric Indicators for Identity

Examples:

  • Passport Numbers
  • Visa Numbers
  • Checking Account Numbers
  • Fingerprints
  • Genetic Information

Student Data in Education Records regulated by FERPA

Examples:

  • Grades and GPAs
  • Disciplinary Records
  • Any other non-Directory Information

Note: FERPA does not prohibit the disclosure of Directory Information, provided the student does not have a Privacy Block.

Credit Card data subject to the Payment Card Industry Data Security Standard (PCI DSS)

Examples:

  • Credit card number and/or security code
  • Credit card expiration dates
  • Credit card verification codes

Sensitive information subject to other government regulation

Examples:

  • Data subject to Export Control Laws
  • Financial data subject to Gramm-Leach-Bliley
  • Data governed by government contracts subject to FISMA

Sensitive information that must be kept confidential by contract, agreement or other formal obligation, including funding and research restrictions

Examples:

  • Data set provided by a third party under a non-disclosure agreement
  • Sponsored research data subject to non-disclosure obligations
  • IRB restrictions

Important Note: To avoid speculation and prevent inaccurate information from being disseminated before a thorough investigation has been completed, limit discussion of the incident to those who strictly need to know, such as:

  • Your unit’s manager
  • Your Information Steward
  • TTS staff involved with your incident
  • University Counsel, and
  • Other people they specifically designate.