News: Top story
Breach exposes SSN numbers
Break-in of chemistry department data in August prompts security software revamp
Looking for a print version?
Simply use your browser’s ‘Print’ command and a printer-friendly document will be generated automatically.
Also by Jennifer Zettel:
- UW student in critical condition (February 2, 2010)
- Unemployment rises in state in December (January 28, 2010)
- International students excluded from RA unions (January 26, 2010)
- Two more H1N1 vaccination clinics to be held (January 22, 2010)
- Ticket prices may increase (January 21, 2010)
Sharing tools:
E-mail this article:
A serious data breach exposed the social security numbers of 2,920 people when 40 computers in the University of Wisconsin chemistry department were hacked over the last 18 months.
The breach was discovered Aug. 31 when the Office of Campus Information Security installed new monitoring software. A letter notifying the individuals whose information was compromised was not sent until nearly a month and half later — on Oct. 12.
The individuals are thought to have had access to these computers for at least the past 18 months; however, the first breach is believed to have happened in 2001.
While it is believed the computers were being used as part of an underground network distributing movies, television shows, software and music, social security numbers stored on the computers were also vulnerable to the threat, according to UW spokesperson John Lucas.
Lucas emphasized the social security numbers were merely exposed to hackers, not necessarily accessed from the computers, as determined by the OCIS investigation.
In a situation like this, UW notifies the individuals exposed so they can take steps to protect themselves from identity theft, Lucas said. Such steps include receiving a free credit report and inspecting credit scores for any irregularities.
While it is still unknown who was responsible for the breach, law enforcement officials were contacted.
According to Brian Rust, communications director for the Division of Information Technology, OCIS contacts authorities after their investigation is complete, which may include the FBI.
The FBI can be contacted in cases of international and interstate hacks, and when computers are used to distribute files like in the chemistry department case.
“If someone puts illegal material on the computer … using it as a source for music or movie downloads, that is something that may involve bringing the FBI in,” Rust said.
Two UW officials said they did not know which authority was contacted in this case, and the FBI Milwaukee bureau said it could neither confirm nor deny whether it was involved.
More specifically, OCIS goes through network logs to identify who accessed the department’s network: They examine traffic from within the department, within the UW and outside the UW; scan all hard drives of network computers; and use software to determine whether any personally identifiable information was present on the machines.
Rust said personally identifiable information ranges from grades and student records to credit card and social security numbers.
Since the incident occurred, the chemistry department has increased security, including removing or encrypting personal data on computers, monitoring activity at a higher level and placing all department operations behind a firewall, which was not the case in prior to the breach in the chemistry department.
Rust said DoIT encourages all departments to take certain precautions, such as ensuring all department operations are secured behind a firewall, among other things.
“This is a huge campus,” Rust said. “It’s an ongoing effort to educate department staff and administrators about what good security practices are and strongly encouraging them to abide by those practices.”
No representative from the chemistry department could be reached for comment as of press time.
4 Comments | Leave a comment
Leave a comment
Top Classified Ads (view all)
Place your classified ad online and have it show up here. Your ad will hit thousands of viewers a day!
DON'T READ ME! Too late. If you're reading this, guess how many other people are reading it. See... advertising in The Badger Herald does work!
IP hash: 8d908148
Hmm, I do believe this article was in the Wisconsin State Journal recently…..
IP hash: 0434e40c
French pirates have been targetting the whole university for years and years. We’re sitting on this huge amount of bandwidth—it’s irresistable for them to turn entire departments into FTP servers so they can distribute gigs and gigs of Miami Vice episodes (in French). The worst part is how long it takes to realize it. They’ve got these fancy rootkits that are pretty much impossible to detect on the computers themselves, hence why it took traffic monitoring to actually discover that there was fishy stuff going on in Chemistry.
IP hash: e3c8c1b1
Well, anonymous #1, traffic monitoring is indeed a good thing. unfortunately in too many places the attitude is that those in charge of the network can let everything and anything go through, leaving it up to those with the computers to provide the protection.
Isn’t that interesting? The professionals, in charge of the networks, leave it to the users to provide the security. That’s so even when the professionals know of the huge numbers of vulnerabilities in standard software as supplied by manufacturers and vendors.
IP hash: be2528aa
Anonymous #3…
The users aren’t ‘left to provide security’. The truth is that the faculty on this campus rule; ie if a teacher wants a machine outside of the firewall, the teacher gets a machine outside of the firewall. Most IT personnel in the schools and colleges are overruled on a daily basis by a faculty member who doesn’t want to encrypt their data, PGP their mail or sometimes even lock their workstation.
I think this may be by policy as the IT person in charge of the Chemistry machines is NOT being held liable for the breach…I would imagine there’s a paper trail a mile long that proves she was told to do what was done by an irresponsible professor or maybe even a Dean.
In fact, when confronted, faculty in Chemistry still refused to take the machines off the net. This is why I roll my eyes and career academics; the rest of the world doesn’t exist to these people, and this is just another silly example of that.