University Blames Security Breach On Unpatched Symantec Bug - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Information Management

University Blames Security Breach On Unpatched Symantec Bug

The University of Colorado at Boulder says the faulty antivirus software exposed sensitive information on nearly 45,000 students.

The University of Colorado at Boulder said sensitive information on 44,998 students was exposed because a worm attacked the network through an unpatched bug in Symantec's antivirus software.

A server in the university's College of Arts and Sciences' Academic Advising Center held the names and Social Security numbers of students enrolled at CU-Boulder from 2002 to the present, according to an online advisory.

On May 12, the university's IT security investigators discovered that the worm entered the server through the vulnerability, which the IT staff had failed to patch, the university reported. Investigators said they did not believe the hacker behind the worm was after the personal information, but instead was using the flaw as an entryway to other computers on the university network.

"The server's security settings were not properly configured and its sensitive data had not been fully protected," said Bobby Schnabel, CU-Boulder's vice provost for technology, in a written statement. "Through a combination of human and technical errors, these personal data were exposed, although we have no evidence that they were extracted."

A Symantec spokesman told InformationWeek that the company has been trying to get in touch with the university's IT team but has not yet talked to them to get details about the attack or even to find out what vulnerability was involved. "We hate to see any customer with a problem," he said. "We encourage customers to post patches as soon as possible."

Todd Gleeson, a dean CU-Boulder, said in a statement that he wants the College of Arts and Sciences IT operations to be placed under the direct control of the university's larger IT department. He said all of the students affected by the breach are being notified through letters mailed to their homes.

"We have also taken steps to ensure that all sensitive personal data has been removed from our Academic Advising Center servers," said Gleeson. "I want to assure our past and present students that we have taken strong measures to protect our advising center computers and our students' personal information."

Students who are looking for more information about protecting themselves following a data exposure can go to the advisory Web site.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Slideshows
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Commentary
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
News
How CIO Roles Will Change: The Future of Work
Jessica Davis, Senior Editor, Enterprise Apps,  7/1/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
Slideshows
Flash Poll