Port: 2 North Dakota universities nearly lost millions to ‘social engineering’ fraud

MINOT — Amid the busy work of the Legislature’s efforts to organize an abruptly convened special session last week was a special meeting of the State Board of Higher Education.

The agenda for the meeting was vague, describing an executive session about the general topic of cybersecurity that would be closed to the public and the news media.

But hiding behind the anodyne meeting description was a significant financial breach at two North Dakota University System schools.

Jerry Rostad, vice chancellor of the NDUS, confirmed that approximately $5.1 million — including roughly $3.8 million from the North Dakota State University and $1.3 million from Bismarck State College — was accessed due to what he described as a “social breach.”

“The University System is aware of a recent incident involving a fraudulent Automated Clearing House (ACH) transaction to a single entity, purporting to be a vendor, targeting a North Dakota University System (NDUS) accounting system,” NDUS Chancellor Mark Hagerott,

who was a distinguished professor of cybersecurity at the United States Naval Academy,

said in a statement passed through Rostad.

Essentially, some unknown entity posed as a contractor working with the schools and requested a change in bank account information. That request was forwarded to the NDUS office, and the change was made, at which point two fraudulent transfers of funds were initiated.

Rostad confirmed these details but said there was “no data breach.”

What happened was “social engineering” that fooled some personnel into falling for a ploy. Rostad said the NDUS has “controls in place that were supposed to catch it.” Some of those controls failed, but not all of them. “We were able to put a stop to it so we did have a control that worked,” he said.

The transfers were not completed, and the dollars weren’t lost, but Rostad said there’s “not much more we can say about it” as the NDUS continues to investigate the matter.

“While no funds were lost, we are collaborating with local and federal authorities to identify the full scope of the incident,” Hagerott said in a statement. “We are also reviewing internal accounting protocols and procedures to ensure effective safeguards are enacted and enforced to prevent such an incident from reoccurring.”