Second Hack At University Exposes Info On 22,000 Students

The IT staff at the University of Missouri was alerted to the attack by a series of faulty queries to an application and database.
For the second time this year, the computer system at the University of Missouri has been hacked into and students' personal information has been stolen.

University officials posted an online advisory on Tuesday alerting students about a recent attack on a database by an unknown hacker or hacker group. The names and Social Security numbers of 22,396 people were stolen during the attack. Those affected were employees of any campus within the UM System during calendar year 2004 who were also current or former students at the Columbia campus.

The school's IT staff first noted unusual activity on a software application on Thursday, May 3, according to the school's advisory. The next morning, university technicians identified a large series of errors caused by faulty queries to the application and an associated database. The errors, the school reported, were first assumed to be caused by a problem with a system used to track computer help desk repair calls using the same database. The attack was then confirmed by IT staffers that same day.

IT investigators found that an account was being used from two overseas IP addresses, in China and Australia, to access the database. The vulnerable Web application has been taken offline.

Investigators analyzed the attack over the weekend, and local law enforcement and the FBI were informed on Monday.

"The University of Missouri takes this breach very seriously and is working to alert the individuals whose information was improperly accessed, including instructions about how they may monitor their credit reports for suspicious activity," the advisory stated. "The University has been and will continue to work diligently to secure confidential data held in its computer systems. We are also working closely with law enforcement in our investigation of this event."

This past January hackers broke into the university's system through a Web-based application that did not have updated safeguards. Information on that attack was not readily available but a university spokesman did say it was "on a much smaller scale" than the recent attack.

In last week's breach, the hacker got the 2004 information through a Web page used to make queries about the status of trouble reports to the university's IT Help Desk, which is based in Columbia, Miss. The advisory noted that information from 2004 had been compiled for a report and the resulting data was not subsequently removed from the computer system.

The hacker was able to reach the information by making thousands of queries over a span of hours, allowing the identities to be exposed one at a time.
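The signals reported in the advisory (a burst of failed queries, thousands of queries within hours, and one account used from more than one address) can be checked for in application logs. The sketch below is an added example, not code from the university or from this article; the log format, account names, IP addresses, timestamps and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque

def parse(line):
    """Parse one line of the constructed format: 'epoch account source_ip status'."""
    ts, account, ip, status = line.split()
    return int(ts), account, ip, status

def flag_enumeration(lines, window_s=3600, min_queries=1000, min_error_ratio=0.2):
    """Flag accounts that, inside any sliding window of window_s seconds, issue
    at least min_queries queries with at least min_error_ratio of them failing."""
    windows = defaultdict(deque)  # account -> events still inside the window
    errors = defaultdict(int)     # account -> failed queries inside the window
    flagged = {}
    for ts, account, ip, status in sorted(map(parse, lines)):
        win = windows[account]
        win.append((ts, ip, status))
        errors[account] += int(status == "ERROR")
        # Drop events that have aged out of the window.
        while win[0][0] <= ts - window_s:
            _, _, old_status = win.popleft()
            errors[account] -= int(old_status == "ERROR")
        if len(win) >= min_queries and errors[account] / len(win) >= min_error_ratio:
            if account not in flagged:
                # First alert: record when it fired and every address seen so far.
                flagged[account] = {"first_flagged": ts, "peak": 0,
                                    "ips": {e[1] for e in win}}
            stats = flagged[account]
            stats["peak"] = max(stats["peak"], len(win))
            stats["ips"].add(ip)
    return flagged

# Constructed sample: one account queried every 3 seconds for two hours from
# two documentation-range addresses, every fourth query failing, plus a
# normal user making 20 successful queries over the same period.
BASE = 1_000_000
SAMPLE_LOG = [
    f"{BASE + 3 * i} helpdesk_svc {('203.0.113.10', '198.51.100.7')[i % 2]} "
    f"{'ERROR' if i % 4 == 0 else 'OK'}"
    for i in range(2400)
] + [f"{BASE + 360 * i} jdoe 192.0.2.44 OK" for i in range(20)]

if __name__ == "__main__":
    for account, stats in flag_enumeration(SAMPLE_LOG).items():
        print(account, stats["first_flagged"], stats["peak"], sorted(stats["ips"]))
```

With these thresholds the alert fires on the 1,000th query, under an hour into the activity, rather than after the error log is reviewed the next morning.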

The university has set up a telephone hotline and a Web page to provide information to people who have been affected by the breach. The hotline may be called between 8 a.m. and 5 p.m., Monday through Friday. The toll-free number is 866-241-5619, and the local number in Columbia is 573-884-7222.

In April, the University of California at San Francisco began notifying students, teachers, and staff that their names, Social Security numbers, and bank account numbers may have been accessed during a security breach there. Personal information for 46,000 students, faculty, and staff at the university was put at risk after a hacker broke into the network.
