CMU says hacker broke into (Tepper School of Business) computers

[David Farber <dave () farber net>]

CMU says hacker broke into computers

More than 5,000 alerted to possible identity thefts

Thursday, April 21, 2005
 By Bill Schackner, Pittsburgh Post-Gazette

 A hacker who tapped into business school computers at Carnegie Mellon
University may have compromised sensitive personal data belonging to 5,000
to 6,000 graduate students, staff, alumni and others, officials said
yesterday.

 
 
 
For information 

 The school is directing those potentially affected to a Web site for tips
in protecting themselves. It also is offering them a phone link,
1-800-226-8258, to obtain information.

 
 
 

 The breach confirmed by officials in the Tepper School of Business is the
latest in a recent string of campus computer break-ins nationally and the
second since early March affecting Tepper.

 There is no evidence that any data, including Social Security and credit
card numbers, have been misused, officials said. But they have begun sending
e-mails and letters alerting those affected.

 They include graduate students and graduate degree alumni from 1997 to
2004, master's of business administration applicants from September 2002
through May 2004, doctoral applicants from 2003 to this year, and
participants in a conference that was being arranged by the school's staff.

 The intrusion occurred April 10 but was not disclosed until late yesterday
so Tepper could notify potential victims, school spokesman Mike Laffin said.

 Officials offered few details but said it appeared someone from outside the
university gained entry to Tepper's computers.

 A security specialist working for Tepper noticed unusual activity coming
from one computer about 10 p.m. on April 10. That machine and others were
taken offline.

 "After a few days of investigating we determined that it did involve more
than one computer," Laffin said.

 "We can't get into specifics about what we know about the intrusion because
we're concerned that it would be providing information that could make other
environments unsafe," he said.

 "We wanted to make sure our constituencies are aware of the situation and
that they take steps to protect their privacy.

 "Appropriate law enforcement agencies will be contacted," Laffin added.

 The case is the latest in a spate of college computer breaches that have
added to concerns about the safety of a growing mountain of data kept
online.

 Last month, Tepper and other business schools punished applicants who
hacked into computerized admissions data trying to learn if they had been
accepted. In all, 150 breaches were reported involving Tepper and applicants
to Harvard, Stanford and Duke universities, as well as the Massachusetts
Institute of Technology and Dartmouth College.

 Those students took advantage of a security vulnerability on a site
maintained by Virginia-based ApplyYourself Inc., which manages admission
data for the schools.

 The same month as those breaches, the theft of a laptop with names and
Social Security numbers of 98,000 individuals, predominantly graduate
students, was reported by police at the University of California at
Berkeley.

 Officials also have been monitoring reported breaches in recent weeks
involving fund-raising or other data affecting Tufts University in Boston
and Northwestern University's Kellogg School of Management in Evanston,
Ill., among others.

 Worries about cyber attacks also led The National Science Foundation on
April 11 to announce formation of a new center aimed at better safeguarding
computer data. The center, led by Berkeley, includes Carnegie Mellon and
seven other schools and is called the Team for Research in Ubiquitous Secure
Technology, or TRUST.

 John Mitchell, a computer security expert at Stanford who is involved in
the project, said researchers at his school have observed a sharp rise
nationally in Web-based identity thefts, including those involving financial
data, over the last two years.

 He said academic institutions may be more open about acknowledging breaches
and noted it's hard to gauge the true extent of the problem because many
"who have suffered prefer to keep the problem quiet for fear of bad
publicity."

 At Carnegie Mellon, Laffin said officials do not see a link to any other
campus breach and said the problem does not involve the rest of campus.
Tepper officials said student laptops were not breached, nor were
undergraduate business and economic students or faculty affected.

 Laffin declined to identify the conference that may be involved in the
breach but said it was to be held out of state. He said those affected may
have used credit cards to register.

(Bill Schackner can be reached at bschackner () post-gazette com or
412-263-1977.)


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/