Duke Law School applicants warned of possible ID theft

Computerworld - About 1,400 Duke Law School applicants and two current students are being warned about identity theft concerns after hackers broke into the law school's Web site, where their Social Security numbers were stored in a connected database.

In an announcement yesterday, the school said those affected are being notified of the incident via e-mail and letters sent by mail.

"We have no evidence that the intruders actually downloaded or acquired any of this information," William J. Hoye, the law school's associate dean of admissions, wrote in the e-mail, which went out Tuesday. "Nonetheless, we know they had the opportunity and the tools to do so."

School officials discovered the incident last week, and the site -- which collects information from would-be applicants who want information about Duke from the admissions office -- was taken offline, according to the school. Those potentially affected by the breach had provided their Social Security numbers online.

While investigating the breach, school officials said they also discovered that a second database could also have been accessed by hackers, potentially affecting another 1,900 people who filed online admissions applications to the law school. That database didn't included Social Security numbers, but held home addresses, phone numbers, e-mail addresses and passwords created as part of the application process, according to the school. Those 1,900 applicants were also notified of the breach on Tuesday via e-mail and were advised to change their account passwords.

Melinda Vaughn, a spokeswoman for Duke, said an investigation into the incidents is continuing. So far, she said, investigators have learned that the intruders apparently gained access to the databases through third-party applications on the Web site. "We have some ideas about what they are, but we don't want to say until we finish the investigation," Vaughn said.

Based on the investigation, the breaches are believed to have occurred in early November and on Thanksgiving Day, Vaughn said. A Duke Web site editor working on the site last Thursday found the evidence of the intrusions -- the placement of unauthorized broken links on the school's Web pages. So far, school officials believe that the hackers placed two directories of files on the site in two attacks, but no evidence has been found that the files caused any disruptions, she said.

The affected Social Security numbers in the first database were password protected, Vaughn said. She declined to comment for now on whether they were also encrypted. "We want to understand exactly what happened before we start publicly talking about it," she said. "We do intend, once the investigation is completed, to post our findings on our Web site."

In his e-mail to the affected applicants and students, Hoye wrote that the school is "taking all possible steps to address this breach and prevent it from happening again. We also have notified law enforcement agencies and will notify any relevant government agencies about Duke's response."

In light of the potential breach, the database that used Social Security numbers is being dropped and the application status tracking page is being changed to eliminate the need for passwords, the school said.

Other databases at the law school, including those containing e-mail addresses or personal information about current students, employees and alumni, were unaffected by the incident, according to the school.

Read more about security in Computerworld's Security Knowledge Center.