http://www.dailycamera.com/news/2008/apr/25/more-9000-affected-cu-computer-breach/ By Heath Urie Daily Camera April 25, 2008 Personal information including the names, Social Security numbers, addresses and grades of about 9,000 students and 500 instructors at the University of Colorado has been compromised by a computer hacker, CU spokesman Bronson Hilliard said Friday. Hilliard said three computers in the Division of Continuing Education and Professional Studies were compromised by a "very complicated hack" that was discovered Thursday afternoon. He said the security breach affects some students who were enrolled in Division of Continuing Education and Professional Studies courses between 1997 and 2003, as well as some instructors employed by the division. The computers -- one laptop and two desktops -- were assigned to administrators, Hilliard said. "We think they were compromised by digital intrusion with some sort of hack," Hilliard said, noting there is "no direct evidence the data has been taken and used for nefarious purposes." He said the university has hired a Boulder computer security company, Applied Trust Engineering, to investigate the extent of the intrusion. The school also plans to mail letters by the end of next week to anyone potentially affected by the incident, and it has provided information about identity theft on its Web site, www.colorado.edu/itsecurity/contedu. Hilliard said an initial investigation indicates two of the computers were infected with malicious software, and a third -- a laptop that contained the most-sensitive information -- is undergoing a forensic investigation to find out what information was accessed. "It's hard to tell exactly how this was perpetrated," CU Information Technology Services Manager Greg Stauffer said. According to Hilliard, none of the computers was supposed to have personal information stored on it, following a policy change CU implemented last fall after someone hacked into a computer issued to the College of Arts and Sciences' Academic Advising Center. That breach compromised the names and Social Security numbers of 44,998 students, Hilliard said, and led to new security procedures that include searching out and wiping any personal information found on university computers. In 2005, CU switched from using Social Security numbers to a student identification number system, and in August 2006 the school installed a restrictive network firewall as an additional precaution. Hilliard said for some reason the information in the most recent incident wasn't purged. "In this case, work had begun to purge data but was not properly completed," he said. In a news release issued Friday, CU Chancellor Bud Peterson expressed frustration at the event. "The university and I are deeply troubled that this compromise occurred despite efforts under way across campus to address computer security," Peterson said. "We will continue and strengthen our security efforts and hold our departments accountable for their success." _______________________________________________ Subscribe to the InfoSec News RSS Feed http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Mon Apr 28 2008 - 23:54:50 PDT