News: Top story

Breach exposes SSN numbers

Break-in of chemistry department data in August prompts security software revamp

A serious data breach exposed the social security numbers of 2,920 people when 40 computers in the University of Wisconsin chemistry department were hacked over the last 18 months.

The breach was discovered Aug. 31 when the Office of Campus Information Security installed new monitoring software. A letter notifying the individuals whose information was compromised was not sent until nearly a month and a half later — on Oct. 12.

The hackers are thought to have had access to these computers for at least the past 18 months; however, the first breach is believed to have happened in 2001.

While it is believed the computers were being used as part of an underground network distributing movies, television shows, software and music, social security numbers stored on the computers were also vulnerable to the threat, according to UW spokesperson John Lucas.

Lucas emphasized the social security numbers were merely exposed to hackers, not necessarily accessed from the computers, as determined by the OCIS investigation.

In a situation like this, UW notifies the individuals exposed so they can take steps to protect themselves from identity theft, Lucas said. Such steps include receiving a free credit report and inspecting credit scores for any irregularities.

While it is still unknown who was responsible for the breach, law enforcement officials were contacted.

According to Brian Rust, communications director for the Division of Information Technology, OCIS contacts authorities, which may include the FBI, after its investigation is complete.

The FBI can be contacted in cases of international and interstate hacks, and when computers are used to distribute files, as in the chemistry department case.

“If someone puts illegal material on the computer … using it as a source for music or movie downloads, that is something that may involve bringing the FBI in,” Rust said.

Two UW officials said they did not know which authority was contacted in this case, and the FBI Milwaukee bureau said it could neither confirm nor deny whether it was involved.

More specifically, OCIS goes through network logs to identify who accessed the department’s network: They examine traffic from within the department, within the UW and outside the UW; scan all hard drives of network computers; and use software to determine whether any personally identifiable information was present on the machines.

Rust said personally identifiable information ranges from grades and student records to credit card and social security numbers.

Since the incident occurred, the chemistry department has increased security, including removing or encrypting personal data on computers, monitoring activity at a higher level and placing all department operations behind a firewall, which was not the case prior to the breach.

Rust said DoIT encourages all departments to take certain precautions, such as ensuring all department operations are secured behind a firewall, among other things.

“This is a huge campus,” Rust said. “It’s an ongoing effort to educate department staff and administrators about what good security practices are and strongly encouraging them to abide by those practices.”

No representative from the chemistry department could be reached for comment as of press time.

4 Comments

user-pic

Hmm, I do believe this article was in the Wisconsin State Journal recently…..

user-pic

French pirates have been targeting the whole university for years and years. We’re sitting on this huge amount of bandwidth—it’s irresistible for them to turn entire departments into FTP servers so they can distribute gigs and gigs of Miami Vice episodes (in French). The worst part is how long it takes to realize it. They’ve got these fancy rootkits that are pretty much impossible to detect on the computers themselves, hence why it took traffic monitoring to actually discover that there was fishy stuff going on in Chemistry.

user-pic

Well, anonymous #1, traffic monitoring is indeed a good thing. Unfortunately, in too many places the attitude is that those in charge of the network can let everything and anything go through, leaving it up to those with the computers to provide the protection.

Isn’t that interesting? The professionals, in charge of the networks, leave it to the users to provide the security. That’s so even when the professionals know of the huge numbers of vulnerabilities in standard software as supplied by manufacturers and vendors.

user-pic

Anonymous #3…

The users aren’t ‘left to provide security’. The truth is that the faculty on this campus rule; i.e., if a teacher wants a machine outside of the firewall, the teacher gets a machine outside of the firewall. Most IT personnel in the schools and colleges are overruled on a daily basis by a faculty member who doesn’t want to encrypt their data, PGP their mail or sometimes even lock their workstation.

I think this may be by policy as the IT person in charge of the Chemistry machines is NOT being held liable for the breach…I would imagine there’s a paper trail a mile long that proves she was told to do what was done by an irresponsible professor or maybe even a Dean.

In fact, when confronted, faculty in Chemistry still refused to take the machines off the net. This is why I roll my eyes at career academics; the rest of the world doesn’t exist to these people, and this is just another silly example of that.
