The names and Social Security numbers of 450 current students and alumni were accessed illegally from the UR Student Employment Web site, a nonacademic database, and copied to an off-campus IP address on Jan. 7.
According to Chief Information Security Officer Julie Myers, Student Employment immediately called for a security investigation when a potential breach was suspected in the system. Immediate steps were taken to contain the breach; measures included taking down the Web site and searching two-and-a-half years of student history to ensure that no additional information was copied. Once the logs revealed evidence of stolen information, the New York State Attorney General, the Consumer Protection Board and the Office of Cyber Security were notified. The FBI was also contacted and is currently investigating the theft. Those affected by the breach were notified and will receive credit protection monitoring and insurance for a year, paid for by the University.
“The Social Security numbers were not openly posted on the web site but stored for the convenience of students in a system that was state-of-the-art at the time,” Provost Ralph Kuncl said. According to Kuncl, the hackers had to break through multiple security layers to access them.
The Student Employment Web site is still out of operation. Currently, the office has on-campus job postings in a packet in the Career Center.
Security thefts have affected a myriad of online databases, but universities are particularly at risk because of the decentralized nature of information.
“It is our culture of freedom of expression and ideas and offering free access to information that makes us potential targets of cyber crime,” Kuncl said.
New York State passed a law minimizing the use of Social Security numbers; however, the federal government still requires the University to maintain a record of all students’ Social Security numbers.
“We are caught between the government’s requirement of asking for Social Security numbers and our desire not to do so for security reasons,” Kuncl said.
The Data Security Taskforce, which Kuncl and University General Counsel Sue Stewart both chair, recently established a new policy that aims to register databases where Social Security numbers are stored in order to eliminate unnecessary usage of this private information. The new policy is not a product of this hacking incident; the University has been taking cautious measures as a result of previous near-breaches and an overall increased awareness of Internet crime in society.
“IT has specific policies in regard to handling five crucial pieces of information, namely Social Security numbers, credit card numbers, patient records, students’ academic records and employment information,” Stewart explained. “We have a robust operational system for data that needs to be stored and specific policies for those that can be destroyed safely.”
Myers added that their efforts focus on checking all Web applications, mitigating vulnerability and mediating and controlling access around these applications.
“Information security is a journey, not a solution,” Myers said. “As soon as you plug one hole, hackers will find another sophisticated way to get around filters and access your data.”
In general, she advises students to be cognizant of identity theft, spam and phishing attacks. Stewart cautions students against readily giving out their personal information, advises them to be watchful of suspicious changes to their accounts and encourages them to question offices that demand Social Security numbers to be on file. The IT office is also open to questions and concerns and willing to educate students about Internet-related security in general.
Sophomore Alex Hunstad was one of 450 randomly targeted students and former students. Hunstad explained that after he was notified, he received a barrage of e-mails and letters, with advice on online protection and a free credit monitoring service for a year.
“They sent me an email [Jan.] 9,” Hunstad said. “I’m sure they looked into it a lot and sent out a bunch of emails. It was pretty much right away. When I got back, [the letter] was already in my mailbox.”
Though he expressed uncertainty as to how or why the incident happened, Hunstad did not fault the school for the security breach.
“There’s nothing they can do about it now, so I don’t really blame them,” he said.
Kuncl acknowledged that it is not merely the 450 people in the UR community who are affected by the hacking incident.
“The University itself is a victim of this sophisticated cyber crime,” Kuncl said. “The subject of privacy and crime is rather complex… We care deeply for students’ right of protection of their personal information and sincerely regret the inconvenience this incident has caused.”
Rath is a member of the Class of 2012.