[ISN] Breach may have exposed donor information

From: InfoSec News (isn@private)
Date: Mon Jan 23 2006 - 22:28:25 PST


By: Maddie Hanna

Hacker causes Notre Dame's first significant computer security

The personal and financial information of some University donors may
be at risk after an unknown intruder hacked into a Development Office
server Jan. 13 - the first computer security breach of its magnitude
at Notre Dame, University officials said Sunday.

The data in question - possibly including Social Security numbers,
credit card information and check images from donations made between
Nov. 22, 2005 and Jan. 12 - pertains to a "minority" of alumni donors
and friends of the University, said Hilary Crnkovich, vice president
of Public Affairs and Communication. She declined to provide a
specific estimate of the number of donors affected.

"We're not comfortable quantifying it," Crnkovich said Sunday. "We
have no facts or quantification that people were compromised."

The intrusion was not initiated from an on-campus location, Crnkovich
said, but its source is still a mystery.

"We just really don't know," she said.

Gordon Wishon, chief information officer for the Office of Information
Technologies, said the University is working with two independent
forensics firms to determine the source of the intrusion and expects
to receive results in several days.

The analysis will "examine the contents of the server, look at the
logs and a variety of data to help describe the nature of the
intrusion and the intent of the intruder," Wishon said Sunday.

However, the investigation may be unable to pinpoint the intruder's
exact location, especially if the site was overseas or several relay
sites were involved, Wishon said. And it's also unclear whether or not
the University will know what information, if any, was viewed.

"It may be that we'll never find out exactly what was exposed or
taken," Wishon said.

Both Crnkovich and Wishon said it was possible the purpose of the
intrusion was for file-sharing purposes, designed to obtain server
space rather than personal information.

"Most commonly with incidents of this type, that's what happens,"  
Wishon said. "It's very common - [but] I certainly don't know if
that's the case."

The server, which is not part of the University's central data system,
was used for inter-office file sharing in the Development Office,
Wishon said.

While the server is maintained primarily by Development Office staff,
Wishon said OIT's Information Security Department collaborated with
the Development Office to provide security standards for the server.

OIT was involved in the detection of the intrusion, when staff noticed
"anomalous behavior" on the server and notified the Development
Office, Wishon said. The server was immediately taken off-line after a
breach Wishon estimated to be "fairly short in duration."

Donors whose information was potentially viewed received an e-mail
Saturday from Vice President of University Relations Louis Nanni and
were also sent letters in the mail advising them to take appropriate
safeguards listed on a newly-created University support Web site and
to call a toll-free Notre Dame phone number for more information.

Since little is known at this point, donors should not necessarily
expect the worst, Crnkovich said.

"What we're doing is providing recommendations and outreach to the
potential group and asking them to take their own precautions,"  
Crnkovich said. "We really feel it's prudent to give people all the
resources we can. We take it seriously."

Crnkovich said the Development Office had not received phone calls
from concerned donors as of Saturday night. The Office has received
e-mails, but they have all been positive, she said.

"People have been very thoughtful and said thank you for letting them
know to take the steps," she said.

But other donors say they are far from thankful. Mike Coffey, a 1991
alumnus who runs the NDNation Web site and message boards that
received a flurry of posts over the weekend from concerned donors,
said he was "extremely disappointed" after receiving e-mails informing
him of the security breach.

"It seems to be a very shoddy set-up for protection of personal
information I've provided to the school," Coffey said. "What is a
server with this sensitive information on it doing on the Web? I can't
perceive anyone outside of Notre Dame needing that information."

Coffey, who received his degree in Management Information Systems and
has been an IT professional for 15 years, said he "thought [he]
learned" the proper way to maintain a server at Notre Dame.

"Apparently [University staff members] don't practice what they
preach," he said.

Despite his disappointment, Coffey said he would not change his
donating practices and hopes the incident causes the University to
improve the way it stores and accesses information.

"I donate to Notre Dame because I believe in what Notre Dame does," he

Crnkovich said similar security breaches have occurred at other
universities, including Stanford and the University of Connecticut.  
However, she said she did not know how the incidents were handled by
those schools.

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Mon Jan 23 2006 - 22:45:09 PST