[ISN] SDSU says computer server was infiltrated

From: InfoSec News (isn@private)
Date: Thu Mar 18 2004 - 00:34:05 PST

    http://www.signonsandiego.com/news/computing/20040317-9999-news_7m17hacker.html
    
    By Karen Kucher
    UNION-TRIBUNE STAFF WRITER
    March 17, 2004 
    
    San Diego State University is warning more than 178,000 students, 
    alumni and employees that hackers broke into a university computer 
    server where names and Social Security numbers were stored. 
    
    The university began mailing out notification letters Monday, urging 
    people whose personal information was on the server to get copies of 
    their credit reports and review them for suspicious activity. 
    
    The SDSU case appears to be the largest such notification made under a 
    state law that went into effect last July requiring companies and 
    state agencies to contact people when their computerized personal data 
    have been compromised. 
    
    University officials said the hackers infiltrated a server in the 
    Office of Financial Aid and Scholarships in late December and used it 
    to send spam e-mail messages and transfer files, including MP3 music 
    files. 
    
    The problem was discovered in the last week of February and SDSU took 
    the server off the network. 
    
    "We have moved as absolutely quickly as logistically possible" to 
    notify individuals affected by the security breach, said Ellene Gibbs, 
    director of business information management at SDSU. 
    
    The server contained financial aid reports about current, former and 
    prospective students - as well as some SDSU employees - who sent in 
    financial aid applications since 1998, but not the applications 
    themselves or award information. 
    
    This is the second time that SDSU has suffered a security breach that 
    put computerized personal data at risk. The university notified around 
    1,000 people in December when a server used by the library was hacked, 
    Gibbs said. 
    
    Under the state law, businesses and state agencies are required to 
    notify customers when personal data, such as Social Security numbers 
    or financial account numbers, may have fallen into the wrong hands. 
    
    That warning is designed to give people the chance to quickly act to 
    protect themselves against thieves who would use stolen personal 
    information to open new credit accounts and make unauthorized 
    purchases. 
    
    SDSU recommends that those affected by the security breach obtain a 
    copy of their credit report. A spokeswoman with the Privacy Rights 
    Clearinghouse suggests people go a step further and request that one 
    of the three credit reporting agencies flag their file with a fraud 
    alert. 
    
    With a fraud alert in place, credit reporting agencies will contact 
    the person if someone tries to establish new credit in his or her 
    name, and also will waive the fee for the credit report. 
    
    "We also suggest people monitor their credit reports on a quarterly 
    basis at least for a year," said Jordana Beebe, communications 
    director for the Privacy Rights Clearinghouse. 
    
    California, which has the third highest per-capita rate of identity 
    theft in the nation, has not officially tracked the number of cases in 
    which security breaches have occurred. 
    
    Before the SDSU case, however, the largest notification was thought to 
    be the more than 90,000 household workers and employers who were 
    mailed letters in February from the state Employment Development 
    Department, said Joanne McNabb, chief of the state's Office of Privacy 
    Protection. 
    
    "This law may get some practices changed because people don't like 
    getting these notices," McNabb said. 
    
    SDSU said there is no indication that the intruders targeted 
    confidential information in the system. 
    
    "We don't have any indication that the illegal server access was used 
    for the purpose of identity theft, but we can't take that chance," 
    said university spokesman Jason Foster. "We have to let people know 
    what happened and let them take steps to protect themselves." 
    
    The case is being investigated by university police. The FBI also has 
    been notified because there is evidence that the hackers broke into 
    the server from another state, said SDSU police Capt. Steve Williams. 
    
    SDSU is in the process of implementing a new ID number system that 
    will provide students and employees with a randomly generated 
    nine-digit number - instead of their Social Security numbers - for 
    many student transactions, including financial payments and library 
    services. 
    
    Gibbs said the use of the new ID system - dubbed the "Red ID" program 
    - should help combat unauthorized access to personal information. 
    
    SDSU has put information about the incident on its Web site at 
    http://security.sdsu.edu/2004-02-01/info.html People with concerns or 
    questions about the case also can call the university's Information 
    Technology Security Office at (619) 594-5393. 
    
    -=-
    
    For help 
    
    If you feel your personal information has been compromised, the state 
    Office of Privacy Protection offers these recommendations: 
    
    Contact any of the three credit bureaus – Equifax at (800) 525-6285; 
    Experian at (888) 397-3742; and Trans Union at (800) 680-7289 – and 
    flag your file with a fraud alert. 
    
    Request and review your credit reports for any accounts or activity 
    you don't recognize. Request reports every three months or so. 
    
    If you find items you don't understand on your report, call the credit 
    bureaus to review the report. If the information cannot be explained, 
    call the creditors involved and report the crime to police. 
    
    For more information, go to the state Office of Privacy Protection's 
    Web site at http://www.privacy.ca.gov 
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Thu Mar 18 2004 - 02:58:33 PST