Hackers jeopardize security
FBI is investigating the organized attack of 11,000 students, alumni, faculty and staff’s personal information.
By Kim Puckett
News Editor
The University of Indianapolis community was notified on Sept. 30 of a cyber attack on an archived server containing up to 11,000 personal records.
The compromised server contained information, including Social Security numbers, of students, faculty and staff. Scott Hall, assistant director of university communications, said the records of people who have been associated with the university for less than two years were most likely not accessed.
Hall also said that the university’s main database shows no evidence of being hacked, resulting in the probable safety of anyone who has been associated with the university for less than two years.
The breach of security was not discovered until Sept. 18 even though the university believes the server was accessed ten days earlier on Sept. 8. According to Jeff Russell, chief information officer for Information Systems, the delay was due to the expert work of the hackers.
“Professional hackers like this find back doors and exploit them,” Russell said. “They take over a program so that it functions normally and leave no red flags.”
Another delay in notification occurred between the university and the public. Students, faculty and staff were not notified until Sept. 30, 12 days after the breach was discovered. According to Russell, working with the Federal Bureau of Investigation and other legalities prevented the university from notifying the population immediately.
UIndy was tipped-off to the security compromise by a major public university in the Midwest, according to Hall. Information Systems then shut off access to the compromised server by mid-afternoon on Sept 19 according to Russell.
“It’s a complex matter when these things arise,” Hall said. “Other institutions were attacked in a similar way.”
President Beverley Pitts sent a mass e-mail to UIndy students, faculty and staff notifying them of the hack.
“Our investigation leaves no doubt that this was a professional job by hackers from the outside and it was well beyond our control,” Pitts wrote. “However, that doesn’t change the fact that many names and Social Security numbers, including my own, could have been compromised.”
The university is required by the state to file the breach with the attorney general and inform people of the breach whose information could have been compromised. UIndy will be notifying anyone via first-class mail whose information could have been accessed. Letters were mailed on Oct. 1 and should be received within the week, according to Hall.
According to a public statement issued by the university, UIndy will offer 12 months of free credit monitoring for those whose information has been accessed.
Although this is the first instance of someone breaking into the university’s servers through a remote computer, the university informed its community of a security breach including Social Security numbers in 2007. Personal information was posted on a Web site, which could be accessed by all university faculty.
“The situation was similar in that it involved Social Security numbers, but it didn’t involve a deliberate hack.” Hall said. “We had no reason to think that anyone outside the university saw the information.” UIndy no longer uses a system which tracks people by Social Security numbers. “It’s a general practice across society and business practices to no longer use SSNs in this way,” Hall said.
According to The Indianapolis Star, universities all over the world have suffered from similar cyber attacks. The universities of Southern California, Texas, Missouri, Michigan, Ohio State, Nebraska and Stanford, Oxford in Great Britain and Carleton University in Canada have all been hacked.
“Universities are particularly vulnerable because their systems are meant to be collaborative and allow access,” Hall said. “Also, universities generally have lots of personal data.” UIndy has enlisted an outside security company to audit the system as whole to help prevent future security breaches.
“This is a constantly changing environment,” Russell said. “Security tends to go through cycles because the hackers just see new security measures as a challenge.” The university has set up an information hotline in order to answer general questions about the breach or to take contact information for more complicated questions.
The hotline will be manned from 9 a.m. to 4:30 p.m. on weekdays and can be reached at (317) 781-5787. Information systems has also set up a Web site on protection from identity and credit theft at (www.is.uindy.edu/idleft).