Editor in Chief
Updating a password may seem like a tedious process, but with the relatively recent incident that resulted in the indictment of a former Springfield College employee, it is a vital one.
On January 16, 2014 Springfield College’s Marketing and Communications Department sent out an email addressed to the college community detailing the indictment of a former employee in April of 2013.
The former employee, David Linnehan (whose name appeared in an article appearing on MassLive.com among other places), was immediately terminated upon his arrest in April. Linnehan pleaded not guilty on Feb. 6, 2014 to multiple child pornography charges in the Hampshire Supreme Court. He was also charged with the unauthorized access of college computers and email accounts. Linnehan had cleared a background check at his time of hire.
Linnehan served on the network services team for the Information and Technology Services
Department, which gave him access to support network issues, customers and the wireless aspect of the department, according to Chief Information Officer Danny Davis. Linnehan allegedly abused this position, which led to a security breach for several accounts belonging to Springfield College students and staff.
Upon being informed of the potential breaches by state police in July of 2013, the IT Department proceeded to work with the college to inform and offer assistance to any identified parties that were listed in the state’s report. They also cooperated fully with the investigation, and have continued to throughout the entire process, according to Davis.
For Davis and his team, Linnehan’s internal breach sped up a process that was already well in the works before the incident. After dealing with the initial process of providing assistance to anyone affected by Linnehan’s actions, Davis and the rest of the IT Department proceeded to finalize a new college password management system that they released on January 15, 2014 in an email to all Springfield students.
In it, the email details the new system and the exact steps required to complete the process, which includes not only resetting a password, but also creating questions and answers for further protection from unwanted account intrusion.
“We embedded these questions in there just in case somebody gets in there that shouldn’t be in there, [because] they would not inherently know this information [for the correct answers], but the student does,” Davis said.
The system also includes a challenge-response test to ensure protection against computer intrusion programs, according to the email from IT.
When only 30 percent of students completed the changes by Feb. 15 – the original deadline – Davis sent out another email on Wednesday, Feb. 19 to again encourage students to register in the new system. According to this second email, the system is “designed to improve network security while placing you in control of your college network/email password.” The new deadline for registration is March 15. Any students who do not complete the registration by the deadline may have their account disabled.
The registration is being so heavily emphasized because of the importance of security. Although the IT Department was “operating within normal IT parameters,” according to Davis, this new system was designed to tighten security even further.
“We take this extremely seriously and we are extremely angry,” Davis said. “We were not mandated [to make changes], but we took it upon ourselves to move this along and get it done.”
For the system to be effective, it is now every student’s responsibility to take the next step and register. It is important to be proactive about password protection, especially after Linnehan’s actions proved that intrusion can come from any source, at any time.
“People are out there maliciously, and you just [need] to be aware and protect yourself,” Director of the Technology Solutions Center Trish Dalessio said.
In the past, whenever students needed technological help, they would be required to give the TSC help desk their password. The IT Department is moving towards eliminating that step to make sure that students’ passwords remain completely private to prevent a similar incident from ever happening again.
“Our preference is that you own your password,” Davis said. “We don’t need to know your password.”
Davis also believes that changing passwords at intervals throughout the school year is an essential aspect of protecting people’s accounts.
“We intend to – beginning next year in concert with the fall semester [and] in concert with the beginning of the spring semester – we’re going to force everybody to change their passwords twice a year,” Davis said.
Although this is a hassle, to Davis the extra time is more than worth preventing the risk of a security breach. Faculty and staff will undergo this same process once students complete the registration by March 15.
TSC can be contacted at any time for assistance in completing the registration at 413-748-4872.