A serious data breach exposed the social security numbers of 2,920 people when 40 computers in the University of Wisconsin chemistry department were hacked over the last 18 months.
The breach was discovered Aug. 31 when the Office of Campus Information Security installed new monitoring software. A letter notifying the individuals whose information was compromised was not sent until nearly a month and half later — on Oct. 12.
The individuals are thought to have had access to these computers for at least the past 18 months; however, the first breach is believed to have happened in 2001.
While it is believed the computers were being used as part of an underground network distributing movies, television shows, software and music, social security numbers stored on the computers were also vulnerable to the threat, according to UW spokesperson John Lucas.
Lucas emphasized the social security numbers were merely exposed to hackers, not necessarily accessed from the computers, as determined by the OCIS investigation.
In a situation like this, UW notifies the individuals exposed so they can take steps to protect themselves from identity theft, Lucas said. Such steps include receiving a free credit report and inspecting credit scores for any irregularities.
While it is still unknown who was responsible for the breach, law enforcement officials were contacted.
According to Brian Rust, communications director for the Division of Information Technology, OCIS contacts authorities after their investigation is complete, which may include the FBI.
The FBI can be contacted in cases of international and interstate hacks, and when computers are used to distribute files like in the chemistry department case.
“If someone puts illegal material on the computer … using it as a source for music or movie downloads, that is something that may involve bringing the FBI in,” Rust said.
Two UW officials said they did not know which authority was contacted in this case, and the FBI Milwaukee bureau said it could neither confirm nor deny whether it was involved.
More specifically, OCIS goes through network logs to identify who accessed the department’s network: They examine traffic from within the department, within the UW and outside the UW; scan all hard drives of network computers; and use software to determine whether any personally identifiable information was present on the machines.
Rust said personally identifiable information ranges from grades and student records to credit card and social security numbers.
Since the incident occurred, the chemistry department has increased security, including removing or encrypting personal data on computers, monitoring activity at a higher level and placing all department operations behind a firewall, which was not the case in prior to the breach in the chemistry department.
Rust said DoIT encourages all departments to take certain precautions, such as ensuring all department operations are secured behind a firewall, among other things.
“This is a huge campus,” Rust said. “It’s an ongoing effort to educate department staff and administrators about what good security practices are and strongly encouraging them to abide by those practices.”
No representative from the chemistry department could be reached for comment as of press time.