[ISN] Alums just told of computer breach

From: InfoSec News (isn@private)
Date: Wed Jul 05 2006 - 22:21:34 PDT


http://www.suntimes.com/output/news/cst-nws-westernhack05.html

BY DAVE NEWBART
Staff Reporter  
July 5, 2006

A computer hacker accessed computer systems containing confidential
personal data of Western Illinois University alumni a full month ago,
but some of the more than 180,000 people affected only learned of the
problem this week.

That response time, school spokesman John Maguire said Tuesday, was
too slow, and the school is looking at changing its procedures to make
sure notification happens faster.

Maguire emphasized that although Social Security numbers and some
credit card information were kept in the breached systems, the school
has no evidence that any information has been used maliciously.

"We strongly think it unlikely that anything was copied or
compromised,'' Maguire said.


Academic files not affected

In notices sent beginning June 26, the university told alums and
others that the security breach happened June 5.

A hacker or hackers accessed "several Electronic Student Services
systems,'' according to information posted on the school's Web site
Sunday.

Personal data, names, Social Security numbers, addresses and phone
numbers for anyone who took a course at the school since 1983 were
kept on the computer system. An additional 1,000 records from students
who attended between 1978 to 1982 were also kept on the compromised
system.

Even data from some applicants who did not attend Western might have
been accessed because the school keeps those records for at least a
year, in case the student were to reapply.

Credit card account numbers for people who bought merchandise through
the school's Web site or who stayed at the University Union hotel
might also have been accessed. No academic files were accessed,
officials said.

The school learned of the breach the same day it happened, and it
immediately fixed the breach and beefed up security. The school's
public safety office has been in touch with the FBI, but no arrests
have been made, Maguire said.

At first, the school thought as many as 240,000 people were affected,
but the number was revised after weeding out old or duplicate records.


Keep an eye on credit reports

Maguire said about 40,000 e-mails were also sent out beginning last
week, but the overall response time was not acceptable.

"In terms of trying to notify somebody by mail, we are looking at
those procedures,'' he said. "We realize that is one of the
criticisms, and we are trying to be responsible to that.''

Although officials have received no reports of records being copied or
tampering with, they urged anyone potentially affected to monitor
credit reports closely and consult the Federal Trade Commission or
state attorney general for tips on how to protect yourself.

There have been security breaches at 29 universities or colleges in
the last six months, Western officials said. In March 2005, hackers
accessed a server run by the Kellogg School of Management at
Northwestern, potentially learning user names and passwords to more
than 21,000 computer accounts held by students, staff and alumni. At
the time, NU officials said they didn't think any personal data was
stolen.

More information is available at (877) 556-4100 or at
www.wiu.edu/securityalert.



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed Jul 05 2006 - 22:42:36 PDT