By Gregg Keizer
May 09, 2007
A hacker grabbed the Social Security numbers of more than 22,300 current
and former students at the University of Missouri, the school said
yesterday. It was the institution's second data break-in of the year.
According to university officials, the attack was launched from IP
addresses in China and Australia and used a Web form for tracking the
status of queries to the school's IT help desk. The hacker accessed the
names and Social Security numbers of school employees during 2004 who
were also current or onetime students; those records had been compiled
for a report, but were overlooked rather than deleted.
IT staffers noticed unusual activity that began around 5:30 a.m. CDT
last Thursday, then tied a large number of database query errors to the
problem on Friday. Logs showed that the attacks ended at 9:34 a.m.
Friday. That day, technicians disabled the account used to access the
database from one IP address in China and another in Australia. The FBI
was alerted on Monday.
"The hacker was able to reach the information by making thousands of
queries over a span of hours, allowing the identities to be exposed one
at a time," the university reported.
A Web page and toll-free telephone line have been set up to take
questions from students, the school said. Officials are also contacting
as many of the affected people as possible.
Yesterday, the toll-free line was overwhelmed, a school spokeswoman said
today, and some callers heard a recording that said the desk was closed.
That problem has been solved by boosting the number of staffers
answering the phones. Computerworld confirmed that the hot line was
working today, with wait times of approximately three minutes.
This is the second incident at the University of Missouri in recent
months. In February, the school acknowledged that a server attack in
January might have exposed the identities of 1,220 researchers on its
four campuses. The spokeswoman declined to comment on whether there
could be any connection between the two events.
In its message to potential identity theft victims, the university said
that it "takes this matter very seriously" and noted that it wasn't the
only organization to be attacked. "All companies or organizations using
the Internet to serve their customers face this challenge." Last year,
reported the Columbia Missourian, then-university President Elson Floyd
ordered that employee Social Security number information be deleted
from online databases.
Universities are a frequent target of identity thieves, according to the
data breach chronology compiled by the Privacy Rights Clearinghouse.
Since Jan. 1, 27 colleges or universities have been victimized by
attackers. The list includes well-known institutions such as the
University of Notre Dame, Ohio State University, Purdue University and
Rutgers. Several, in fact, have been hit multiple times: Notre Dame, the
University of Idaho and the University of New Mexico each suffered two
attacks in the first four months of 2007.