Data Security Update

Dear Alumni and Friends of the NMSU Foundation,

On June 25, NMSU and NMSU Foundation personnel noticed unusual network activity on several Foundation devices. All affected devices were removed from the network, law enforcement was contacted, and a joint investigation was launched.

Banks and investment firms that hold NMSU Foundation funds were immediately notified of the incident and accounts were flagged for increased vigilance. No sensitive financial information was compromised, and no attempts to access Foundation accounts have been detected.

On June 29, NMSU and the NMSU Foundation jointly issued a press release notifying the public about the data security incident and forensic investigation.

In addition, on July 16, the NMSU Foundation was notified by its third-party database vendor, Blackbaud, of a separate data security incident in which Blackbaud suffered a ransomware attack. This incident, which occurred in May, may have resulted in unauthorized access to certain information maintained by Blackbaud, which is a cloud-computing company that provides record-keeping services to foundations, health care organizations and educational institutions.

NMSU and the NMSU Foundation contracted with an information security firm to conduct an independent forensic investigation. This investigation has been completed and no evidence of data theft or misuse of information has been found. The Foundation has confirmed that the affected computers and Blackbaud databases did not contain credit card or bank account data, social security numbers, or other personal identifying information as defined by the New Mexico Data Breach Notification Act (Section 57-12C-2).

What will change?

The NMSU Foundation contracted with a data security firm to assess and monitor the Foundation’s systems, policies, and practices and recommend a comprehensive approach to protect confidential data and reduce the risk of disruptive data security events. In addition to making technical modifications, the Foundation is also issuing strategic risk management guidance, training, and compliance testing for our workforce.

The Foundation is also implementing policies and procedures that will strengthen operations and further protect NMSU alumni and supporters.

Please note that the NMSU Foundation will never utilize email to request sensitive bank account, credit card or personal identifying information, such as social security or government-issued ID number, and the Foundation will never use email alone for the following notifications:

  • Change of NMSU Foundation Mailing Address
  • Change of Wiring Instructions
  • Change of Stock Transfer Instructions

The Foundation will accept credit card payments by phone or via a secure web portal and will communicate changes regarding address or financial instructions by mail that will be postmarked in Las Cruces. If you receive an email that appears to be from NMSU or the NMSU Foundation regarding any of the above topics, or is otherwise suspicious, please contact us to confirm authenticity before clicking links or responding with sensitive information.

Who can I talk to?

If you have questions, we are here to help. Please call 575-646-1613 or email cybersecurity@nmsufoundation.org.

Regards,

Derek Dictson
Vice President of University Advancement
President, NMSU Foundation

Stay Safe Online

NMSU is diligent in making the community aware of cyber security threats, such as phishing, malware, viruses, social engineering and social media threats. For more information on how to stay safe online, we invite you to visit NMSU’s Information Security website at infosec.nmsu.edu for tips and resources on safe computing practices.

Some Information Security Best Practices:

  • Any computing/communication device that is connected to the Internet is vulnerable to viruses. Please be sure you have up-to-date anti-virus and anti-malware software installed on your computers.
  • Any computing/communication device that is connected to the Internet must have its operating system and applications up to date! Security patches and updates are released weekly.
  • Use complex passwords that combine numbers, letters, capitalization, and symbols, with a minimum length of 8 and ideally longer. Create unique passwords for different accounts, so if one account is hacked the others are not affected. An example of a good password: TheAggiesaregoing2win!
  • Do not click links in emails unless you are expecting them or you have verified they are from a trusted source. Even when visiting reputable websites, avoid clicking on ads. As many as one-third of all ads contain malware.
  • When using public Wi-Fi for sensitive business, use a Virtual Private Network (VPN) encrypted wireless network.
  • Be a good network citizen: if you see an email or website that is suspicious, report it to abuse@nmsu.edu. NMSU ICT relies on your help to increase our threat intelligence.

Cyber security is everyone’s responsibility.