BreachExchange mailing list archives

Hackers raid U. of Nebraska database with 654k Social Security nos.


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Sun, 31 Mar 2013 14:17:26 -0400

http://www.scmagazine.com/hackers-raid-u-of-nebraska-database-with-654k-social-security-nos/article/243232/

Vandals gained access to a database containing the personal records,
including Social Security numbers, of hundreds of thousands of
University of Nebraska students, alumni and others connected to the
school's four campuses.

How many victims? 654,000.

What type of personal information? Social Security numbers, addresses,
grades, transcripts, and housing and financial aid information for
current and former NU students (some dating back to 1985), in addition
to employees, parents and student applicants who may or may not have
attended NU. Also the bank account information for some 30,000
students was involved.

What happened? The breach was detected late Wednesday and announced
Friday. School officials said there is no evidence that any of the
information was downloaded, but that the intruder[s] behind the attack
were skilled and sophisticated.

What was the response? The school already has notified the students
whose bank account numbers were involved in the breach. The other
victims also will be notified. The university has contracted a
forensic firm to help investigate.

Details: The school is reportedly close to determining the culprit's identity.

Quote: “We're putting together a full summary of events to replicate
some of the things the hacker did so we can have a better
understanding of what data was accessible,” Joshua Mauk, NU's
information security officer, said. “We want to know the full
ramifications of what he had access to.”

Source: Omaha.com, Omaha World-Leader, "Authorities have lead on
possible NU hacker," May 28, 2012.

JournalStar.com, Lincoln Journal Star, "Employees, many parents in NU
database breach," May 27, 2012.

Editor's note: SCMagazine.com tried to reach the university to learn
why the database was network connected, and whether the school has any
policies in place regarding the use of Social Security numbers. We
will update if we hear back.