By Heath Urie
April 25, 2008

Personal information including the names, Social Security numbers,
addresses and grades of about 9,000 students and 500 instructors at the
University of Colorado has been compromised by a computer hacker, CU
spokesman Bronson Hilliard said Friday.

Hilliard said three computers in the Division of Continuing Education
and Professional Studies were compromised by a "very complicated hack"
that was discovered Thursday afternoon.

He said the security breach affects some students who were enrolled in
Division of Continuing Education and Professional Studies courses
between 1997 and 2003, as well as some instructors employed by the

The computers -- one laptop and two desktops -- were assigned to
administrators, Hilliard said.

"We think they were compromised by digital intrusion with some sort of
hack," Hilliard said, noting there is "no direct evidence the data has
been taken and used for nefarious purposes."

He said the university has hired a Boulder computer security company,
Applied Trust Engineering, to investigate the extent of the intrusion.

The school also plans to mail letters by the end of next week to anyone
potentially affected by the incident, and it has provided information
about identity theft on its Web site,

Hilliard said an initial investigation indicates two of the computers
were infected with malicious software, and a third -- a laptop that
contained the most-sensitive information -- is undergoing a forensic
investigation to find out what information was accessed.

"It's hard to tell exactly how this was perpetrated," CU Information
Technology Services Manager Greg Stauffer said.

According to Hilliard, none of the computers was supposed to have
personal information stored on it, following a policy change CU
implemented last fall after someone hacked into a computer issued to the
College of Arts and Sciences' Academic Advising Center.

That breach compromised the names and Social Security numbers of 44,998
students, Hilliard said, and led to new security procedures that include
searching out and wiping any personal information found on university

In 2005, CU switched from using Social Security numbers to a student
identification number system, and in August 2006 the school installed a
restrictive network firewall as an additional precaution.

Hilliard said for some reason the information in the most recent
incident wasn't purged.

"In this case, work had begun to purge data but was not properly
completed," he said.

In a news release issued Friday, CU Chancellor Bud Peterson expressed
frustration at the event.

"The university and I are deeply troubled that this compromise occurred
despite efforts under way across campus to address computer security,"
Peterson said. "We will continue and strengthen our security efforts and
hold our departments accountable for their success."