Three months, three breaches at the Univ. of Florida-Gainesville

Computerworld - For the second time in three months, the University of Florida, Gainesville, has acknowledged a major data breach -- and a statement posted on the university's Web site indicated that there was a third, less-public breach discovered by the school during the same period.

In November, the school said that the names, dates of birth, Social Security numbers and addresses of more than 330,000 current and former College of Dentistry patients dating back to 1990 had been exposed in a computer intrusion.

An undated statement on the university's Web site indicates that on Jan. 20, an LDAP Directory Server configuration error allowed outside access to a directory containing personal data. An FAQ attached to the statement said that personal data belonging to about 101 people might have been compromised as a result.

And then on Thursday, the university disclosed that a server installed more than a decade ago to support a free e-mail service and to give faculty members a way to host online course materials had been breached -- exposing personal data on 97,200 students, faculty and staffers who used it between 1996 and 2009.

The server intrusion was discovered last month during a routine systems review by a university IT staffer. It's not clear when the system may have been compromised or for how long an intruder had access to the data in it, said university spokeswoman Janine Sikes. The compromised information included Social Security numbers and the full names of staffers, students and faculty.

A forensic investigation of the breach has shown that the attacker used an IP address that appears to have been located in Antigua and Barbuda, she added. A majority of those affected by the breach are being notified about it, but the university does not have contact information for about 5,000 people and has been unable to inform them, she said.

According to Sikes, the "Grove" computer system that was breached was a "somewhat antiquated" system put in place during the early days of the Internet at a time when many at the University of Florida were just starting to access online classes and course material. The system also supported one of the few free e-mail services available to those on campus. More recently, it was used by campus fraternities and sororities to host their Web sites.

Logging into the system required users to enter their Social Security numbers, which were used as student identification numbers when the system was set up, Sikes said. The university stopped using Social Security numbers as a identifier in 2003, she added.

The Grove system was shut down after the intrusion was spotted, and all current services that were being hosted on it are being brought back up on different "upgraded" systems, she said.

Following the discovery of the latest breach, the university is stepping up its efforts to create a centralized IT organization, Sikes said. The university is also setting up a new task force to look for and recognize potential security problems "before they become problems." She did not offer any additional details.

"With this breach coming on the heels of what we had last fall, we are certainly recognizing our vulnerabilities and have stepped up our vigilance," she added.

The breach disclosed by the university in the fall was discovered Oct. 3 during a server upgrade. The university said IT staffers discovered that malware had been installed on the system from a remote location. It added that the server was "immediately disconnected" from the Internet and that stronger security controls have since been put in place. No details about the new controls were disclosed.

The university at that time said the breach occurred despite the presence of security measures designed to mitigate such risks, such as encrypting data while it's in transit and strengthening firewalls and intrusion-detection systems.

Meanwhile, the FAQ about the Lightweight Directory Access Protocol configuration problem noted that the error was made about four months earlier. Law enforcement officials were also notified about the exposure. The school immediately corrected the directory configuration and permanently removed the field that contained the nine-digit number from the directory, the FAQ said.

Read more about security in Computerworld's Security Knowledge Center.