Information Security News mailing list archives

SDSU says computer server was infiltrated


From: InfoSec News <isn () c4i org>
Date: Thu, 18 Mar 2004 02:34:05 -0600 (CST)

http://www.signonsandiego.com/news/computing/20040317-9999-news_7m17hacker.html

By Karen Kucher
UNION-TRIBUNE STAFF WRITER
March 17, 2004 

San Diego State University is warning more than 178,000 students, 
alumni and employees that hackers broke into a university computer 
server where names and Social Security numbers were stored. 

The university began mailing out notification letters Monday, urging 
people whose personal information was on the server to get copies of 
their credit reports and review them for suspicious activity. 

The SDSU case appears to be the largest such notification made under a 
state law that went into effect last July requiring companies and 
state agencies to contact people when their computerized personal data 
have been compromised. 

University officials said the hackers infiltrated a server in the 
Office of Financial Aid and Scholarships in late December and used it 
to send spam e-mail messages and transfer files, including MP3 music 
files. 

The problem was discovered in the last week of February and SDSU took 
the server off the network. 

"We have moved as absolutely quickly as logistically possible" to 
notify individuals affected by the security breach, said Ellene Gibbs, 
director of business information management at SDSU. 

The server contained financial aid reports about current, former and 
prospective students - as well as some SDSU employees - who sent in 
financial aid applications since 1998, but not the applications 
themselves or award information. 

This is the second time that SDSU has suffered a security breach that 
put computerized personal data at risk. The university notified around 
1,000 people in December when a server used by the library was hacked, 
Gibbs said. 

Under the state law, businesses and state agencies are required to 
notify customers when personal data, such as Social Security numbers 
or financial account numbers, may have fallen into the wrong hands. 

That warning is designed to give people the chance to quickly act to 
protect themselves against thieves who would use stolen personal 
information to open new credit accounts and make unauthorized 
purchases. 

SDSU recommends that those affected by the security breach obtain a 
copy of their credit report. A spokeswoman with the Privacy Rights 
Clearinghouse suggests people go a step further and request that one 
of the three credit reporting agencies flag their file with a fraud 
alert. 

With a fraud alert in place, credit reporting agencies will contact 
the person if someone tries to establish new credit in his or her 
name, and also will waive the fee for the credit report. 

"We also suggest people monitor their credit reports on a quarterly 
basis at least for a year," said Jordana Beebe, communications 
director for the Privacy Rights Clearinghouse. 

California, which has the third highest per-capita rate of identity 
theft in the nation, has not officially tracked the number of cases in 
which security breaches have occurred. 

Before the SDSU case, however, the largest notification was thought to 
be the more than 90,000 household workers and employers who were 
mailed letters in February from the state Employment Development 
Department, said Joanne McNabb, chief of the state's Office of Privacy 
Protection. 

"This law may get some practices changed because people don't like 
getting these notices," McNabb said. 

SDSU said there is no indication that the intruders targeted 
confidential information in the system. 

"We don't have any indication that the illegal server access was used 
for the purpose of identity theft, but we can't take that chance," 
said university spokesman Jason Foster. "We have to let people know 
what happened and let them take steps to protect themselves." 

The case is being investigated by university police. The FBI also has 
been notified because there is evidence that the hackers broke into 
the server from another state, said SDSU police Capt. Steve Williams. 

SDSU is in the process of implementing a new ID number system that 
will provide students and employees with a randomly generated 
nine-digit number - instead of their Social Security numbers - for 
many student transactions, including financial payments and library 
services. 

Gibbs said the use of the new ID system - dubbed the "Red ID" program 
- should help combat unauthorized access to personal information. 

SDSU has put information about the incident on its Web site at 
http://security.sdsu.edu/2004-02-01/info.html. People with concerns or
questions about the case also can call the university's Information 
Technology Security Office at (619) 594-5393. 

-=-

For help 

If you feel your personal information has been compromised, the state 
Office of Privacy Protection offers these recommendations: 

Contact any of the three credit bureaus – Equifax at (800) 525-6285; 
Experian at (888) 397-3742; and Trans Union at (800) 680-7289 – and 
flag your file with a fraud alert. 

Request and review your credit reports for any accounts or activity 
you don't recognize. Request reports every three months or so. 

If you find items you don't understand on your report, call the credit 
bureaus to review the report. If the information cannot be explained, 
call the creditors involved and report the crime to police. 

For more information, go to the state Office of Privacy Protection's 
Web site at http://www.privacy.ca.gov 



