[ISN] More than 9,000 affected by CU computer breach

From: InfoSec News (alerts@private)
Date: Mon Apr 28 2008 - 23:51:58 PDT


http://www.dailycamera.com/news/2008/apr/25/more-9000-affected-cu-computer-breach/

By Heath Urie 
Daily Camera
April 25, 2008

Personal information including the names, Social Security numbers, 
addresses and grades of about 9,000 students and 500 instructors at the 
University of Colorado has been compromised by a computer hacker, CU 
spokesman Bronson Hilliard said Friday.

Hilliard said three computers in the Division of Continuing Education 
and Professional Studies were compromised by a "very complicated hack" 
that was discovered Thursday afternoon.

He said the security breach affects some students who were enrolled in 
Division of Continuing Education and Professional Studies courses 
between 1997 and 2003, as well as some instructors employed by the 
division.

The computers -- one laptop and two desktops -- were assigned to 
administrators, Hilliard said.

"We think they were compromised by digital intrusion with some sort of 
hack," Hilliard said, noting there is "no direct evidence the data has 
been taken and used for nefarious purposes."

He said the university has hired a Boulder computer security company, 
Applied Trust Engineering, to investigate the extent of the intrusion.

The school also plans to mail letters by the end of next week to anyone 
potentially affected by the incident, and it has provided information 
about identity theft on its Web site, 
www.colorado.edu/itsecurity/contedu.

Hilliard said an initial investigation indicates two of the computers 
were infected with malicious software, and a third -- a laptop that 
contained the most-sensitive information -- is undergoing a forensic 
investigation to find out what information was accessed.

"It's hard to tell exactly how this was perpetrated," CU Information 
Technology Services Manager Greg Stauffer said.

According to Hilliard, none of the computers was supposed to have 
personal information stored on it, following a policy change CU 
implemented last fall after someone hacked into a computer issued to the 
College of Arts and Sciences' Academic Advising Center.

That breach compromised the names and Social Security numbers of 44,998 
students, Hilliard said, and led to new security procedures that include 
searching out and wiping any personal information found on university 
computers.

In 2005, CU switched from using Social Security numbers to a student 
identification number system, and in August 2006 the school installed a 
restrictive network firewall as an additional precaution.

Hilliard said for some reason the information in the most recent 
incident wasn't purged.

"In this case, work had begun to purge data but was not properly 
completed," he said.

In a news release issued Friday, CU Chancellor Bud Peterson expressed 
frustration at the event.

"The university and I are deeply troubled that this compromise occurred 
despite efforts under way across campus to address computer security," 
Peterson said. "We will continue and strengthen our security efforts and 
hold our departments accountable for their success."


_______________________________________________      
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Mon Apr 28 2008 - 23:54:50 PDT