National Bureau of Economic Research
NBER: Re: Important IT Update

From: Erin Richardson <evrichardson_at_nber.org>
Date: Thu, 27 Apr 2023 18:06:56 -0400

Dear Colleagues,

I am writing to follow up on Jim’s recent message and to provide some
additional information about our recent security incident as well as the
steps we are asking all NBER staff to take, in an abundance of caution, to
make sure that we are protecting all NBER data and preserving business
continuity.

What we know

Several servers on the NBER network have been compromised, but the precise
nature of this compromise is still under investigation. The good news is
that our proactive monitoring seems to have caught the compromise early
enough to have prevented any breach of sensitive data. The nature of
security compromises, however, is such that there are things we know,
things we don’t yet know, and things we suspect are still at risk. In the
spirit of caution, I am therefore asking you to change your passwords on
all NBER accounts and to be especially wary of suspicious activity.

The NBER’s IT infrastructure is complex, reflecting our diverse community
of researchers and staff. Maintaining strong, different passwords for your
various accounts is the single most important step you can take to protect
your information and to prevent any third party from inappropriately
gaining access to the NBER’s network. Some NBER systems use the same
password, but are protected by 2FA to prevent phishing and other
compromises.

Your next steps

To strengthen our IT security level and reduce the risk that any bad actor
who accessed the NBER network recently could access it again, I must ask
you to take the following steps.


   1. Please change your unix password ASAP and make sure it is unique. This
      is the password you use to log into your email, VPN, tunnel, and to
      connect to a research server or to any system using Duo. It may also be
      the password you use to log into your PC. Our NBER passphrase page is
      still in the same location: https://passphrase.nber.org/

   2. Going forward, when you log into MyNBER or web based admin/tools, please
      use your unix password for increased security.

   3. Please change your ADP password to something unique. To do so, log in to
      ADP, then from the profile icon in the upper right select preferences.
      On the preferences window, select the security tab where you can change
      your password.

   4. Please change your PSA timesheet password to something unique. To do
      this, log in to PSA, then from the menu in the upper right select
      Special > Change Password.

If you spot any suspicious emails, calls, or texts, please alert me or
it-support_at_nber.org. I hope that you would do this at any time, but it is
particularly important now as we try to stay ahead of any potential fallout
from the recent security breach.

Thank you in advance for your support and contributions to protecting our
organization’s data.


Erin Richardson
Director of Information Technology
National Bureau of Economic Research
1050 Massachusetts Avenue
Cambridge, MA 02138
evrichardson_at_nber.org
(617) 588-0364
Received on Thu Apr 27 2023 - 18:07:45 EDT