Increasingly, third party vendors handle sensitive data on behalf of the university. The 2016 W-2 Form incident involving a third-party service led to hundreds of fraudulent Stanford employee tax filings and served as a wake-up call for how we manage these services. In particular, it highlighted the need to protect our community members’ personal information by insisting on strong user authentication across all of our High Risk services.
The Third Party Service Risk Mitigation Initiative launched in July 2016 with the charter to strengthen login security to third-party systems that handle High Risk Data for Stanford.
Enhanced Security Measures
University IT’s Information Security Office (ISO) began by conducting an inventory of all such systems and prioritizing them. ISO, in partnership with University Human Resources (UHR), has since been actively working with these vendors to implement additional security measures.
Particularly, the work includes:
- Eliminating the use of personally identifiable information (PII) such as Social Security Numbers and dates of birth for verifying logins, as this information is no longer considered adequate for authentication.
- Adding two-step authentication wherever possible. Two-step authentication adds an extra layer of security when logging in by requiring a second login step, such as a one-time code sent via text message or a one-time login link sent to the email address on file.
“Our vendors have been very responsive to our concerns,” said Michael Duff, Chief Information Security Officer. “In most cases, they have committed to implementing the requested security improvements within the 2017 calendar year.”
Some benefits services vendors have already taken action. For example, UHR worked with Mercer to replace Social Security Numbers with one-time identifiers for first-time logins in early December 2016. In addition, Fidelity implemented two-step authentication for new account registrations in February 2017.
Employee Impact and Action
Most of the security improvements focus on first-time logins to our third-party services and password reset procedures for the same, and will not require any special preparation by employees. However, employees may receive email notifications with instructions directly from the university’s benefits providers as they implement additional security enhancements.
Email users are reminded to always scrutinize incoming messages to ensure they are authentic. Given the increasing sophistication of phishing attempts, many malicious emails now may appear to be from someone you know, or may contain a subject line that appears to be related to your work.
If you are unsure about an email, it is often a good idea to call the purported sender (if practical) or check with your IT support team to confirm the email’s authenticity before clicking any links or opening any attachments. You can also send suspected phishing emails to firstname.lastname@example.org for analysis.
Questions & Help
We are here to help as these improvements are implemented: