[ISN] BC warns its alumni of possible ID theft after computer is hacked

From: InfoSec News (isn@private)
Date: Thu Mar 17 2005 - 23:27:06 PST


By Hiawatha Bray
Globe Staff  
March 17, 2005

Boston College has sent warning letters to 120,000 of its alumni,
after a computer containing their addresses and Social Security
numbers was hacked by an unknown intruder.

College officials say they have no reason to believe the intruder was
looking for personal information to steal; instead, the attacker
planted a program that would enable him to use the computer to launch
attacks on other machines. But the school is taking no chances,
because of the sensitive information stored on the computer.

"As a precaution we have chosen to alert the entire database, which
is upwards of 100,000 individuals," said Boston College spokesman Jack

The breach at the college takes place amid rising concern over
identity theft, and the recent break-ins at information brokers
ChoicePoint and LexisNexis.

The compromised machine at Boston College was not run by the school,
but by an outside contractor that Dunn did not identify. It was one of
a group of computers used in the school's fund-raising activities.  
Boston College students use the machines to look up names and phone
numbers of alumni. They telephone them and ask for donations to the
college. Such phone banks are a common feature at many colleges, Dunn

During a routine security check last week, Boston College computer
security workers found that one of the computers at the phone bank had
been compromised. The computer was immediately taken offline and
tested in an effort to find what the attacker had been trying to do.

The investigation concluded that there was no evidence of identity
theft. The school also concluded that the hack wasn't an inside job.  
"There's no evidence to suggest that this involved anyone from the
Boston College community, but instead was an external hacker," Dunn

But investigators couldn't be absolutely sure that the intruder hadn't
also collected some personal information on alumni, such as their
Social Security numbers. Dunn said that including Social Security data
in the alumni files was a matter of custom. "Every university in the
United States, for decades, used Social Security numbers as
identifiers from alums," he said. "As a result of the breach, we have
taken immediate actions to purge all Social Security numbers for this
particular computer, and from all alumni records."

The letter to alumni urges them to take precautions to protect their
identities and financial accounts. They're told to contact their banks
and warn them that their Social Security numbers may have been stolen.  
The letter suggests obtaining copies of credit reports to check for
unusual activity. Alumni are also urged to ask that a "fraud alert"
be put on their credit reports.

Such alerts will prevent banks and credit card companies from making
new loans without double-checking with the account holder. A complete
list of suggested remedies is posted on the Boston College website at

Dunn said the precautions made sense for anybody worried about
identity theft. "As a precaution," he said, "people should do this
on a yearly basis anyway."
