Report a Security Incident Landing Page

For more information on securing your data, see Information Protection @ MIT.

On this page:

Overview

An incident involves the actual or suspected loss, theft, or improper use, modification of, or access to medium or high risk data or unauthorized access/compromise of an electronic device on MIT's network.  It's important to report security incidents as soon as you are aware of its occurrence so the information security team can take proper steps to report the incident per regulatory/legal requirements, limit the impact and extent of loss, investigate, and protect other members of the MIT community.

Important! If you believe a breach of MIT Information occurred, immediately report the incident by sending email to security@mit.edu. The IS&T Information Security Team will contact you to evaluate the situation and determine the next best step. If necessary, they will assemble the Data Incident Response Team (DIRT). You should not address these situations on your own, as that may corrupt forensic information necessary to determine the scope of the issue and the risks to MIT.

How to

Tell if there has been an incident

• Have you received a notification from IS&T's Information Security Team?  
  • No one at MIT will ask for your password via email. 
• Is your computer infected with ransomware?  
  • Have you received instructions on how to pay a ransom? 
• Have you discovered unauthorized access to information or a location/device where information is kept?  
  • This includes physical access to facilities such as offices and data centers or electronic access where monitoring /logging capabilities help identify suspect access. 
• Have you discovered MIT information posted or exposed in a manner that is publicly accessible or otherwise insecure?  
  • For instance account username/passwords on a website, in an e-mail or a database which contains credit card information exposed through a vulnerability  
  • This includes intentional and inadvertent exposure.
• Have you discovered information is unaccounted for? 
  • Have any devices (laptops, USB drives, etc.) been lost or stolen?
  • This includes hard copy documents lost through misplacement or theft and electronic data loss from a breach or hack?
• Have you misplaced/lost electronic devices (to include laptops, smartphones, etc) that contain high risk information?
  • This includes USBs and external hard drives that may have been used to store information. 
• Has the security where high risk information resides been compromised in any way? 
  • This includes the presence of malware on critical systems, unauthorized personnel in buildings and equipment areas, etc.

Tell if your computer might be compromised

• A compromise may occur at any point in the information environment to include the network itself, e-mail, user accounts, laptops, IoTs,  servers and routers. Furthermore, there are many ways in which a compromise may occur with malware, the exploitation of open ports and network protocol activities being significant facilitators of malicious activity. 
• Malware and other malicious activity usually has a negative impact on your machine's responsiveness, and while anti-malware and endpoint security (Sophos/ Crowdstrike) may catch, stop, or remove some of the malicious items or activity, there are several signs to be aware of as early indications that an incident may have actually occurred. 
• Does my computer have malware on it?

Report the incident

• Timely reporting of an incident offers the best opportunity to mitigate any damages including exposure, loss or destruction,  investigation and identification of root-cause, and re-establish a secure posture.  A quick response can help restore your data or systems to their pre-incident state if not in a more secure state.
• Contact the IS&T Security Team infoprotect@mit.edu to Report a Security Incident

Take recovery steps

If you believe a breach of MIT Information may have occurred, immediately report the incident by sending email to infoprotect@mit.edu. You should avoid trying to address situations on your own, as they may corrupt forensic information necessary to determine the scope of the issue and the risks to MIT.

• What should I do if my email account gets hacked?
• How do I remove malware and recover from a system compromise?

See Also

• Computing Virus and Malware Landing Page
• National Institute of Standards and Technology Computer Security Incident Handling Guide
• Alienvault's Guide to Incident Response
• Computer Security Resource Center (NIST) Mobile Security and Forensics
• SANS Incident Handlers Handbook Whitepaper
• US-CERT Incident Reporting System
• University of California Berkeley Information Security Policy on Reporting a Security Incident

Have Questions or Still Need Help?

• Reporting: infoprotect@mit.edu
• Recovery: IS&T Computing Help Desk