Undergrad suspected in massive Univ. of Nebraska breach
More than 650K personal records were compromised in attack
Computerworld - Officials at the University of Nebraska in Lincoln (UNL) have identified an undergraduate student they say is responsible for a recent intrusion into a university database containing personal information on more than 650,000 students, parents and employees.
Campus police on Wednesday night seized computers and other equipment from the room of the UNL student after tracing the IP address of the computer used in the attack. The seized equipment is currently undergoing forensic analysis, according to information from by the school. The name of the suspect has not been released.
"An arrest has not yet been made," a university spokeswoman said today. "When and if that happens we will release the name of the individual."
The intrusion, which was described by university officials as a "skilled attack," exposed the Social Security Numbers (SSNs), names, addresses, course grades financial aid and other information on students who attended the university since 1985.
Students, alumni and applicants at all four of the university campuses -- Omaha, Lincoln, Kearney and the Medical Center -- were affected by the intrusion. The breach also exposed personal data and financial information for parents of students who applied for financial aid at UNL, according to the university. A staff member in UNL's Computing Services Network discovered the breach in the Nebraska Student Information System (NeSIS) on May 23.
The system is used to manage student admissions, campus housing and course registration. It was built over a three-year period at a cost of $29.9 million, has been operational for the past two years and is based on Oracle's PeopleSoft Enterprise Campus Solution platform. The technology is now in use at more than 800 universities in 20 countries, according to a University of Nebraska description of the software.
An FAQ on the incident posted by the university makes it clear that personal data in the breached server was not encrypted. "However, we are confident that the type of attack we experienced would have bypassed any encryption that was in place," the university said, without offering any further explanation of the attack.
The vulnerability that enabled the intrusion has since been closed and the university is currently working with a third-party firm to review and address remaining vulnerabilities, the FAQ says. All affected individuals have been notified about the potential compromise of their personal data.
Breaches such as these continue to be relatively common in university environments, despite more awareness of the problem. So far this year, there have been at least 32 publicly disclosed breaches involving universities, according to data breach records maintained by Privacy Rights Clearinghouse. A total of 1.17 million personal records have been compromised so far in these incidents.
The breach at UNL is by far the biggest one at a university this year. Earlier this year, SSNs and other personal records of an estimated 350,000 people at the University of North Carolina in Charlotte were exposed when the data became directly accessible over the Internet as the result of a system misconfiguration.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- The biggest data breaches of 2014 (so far)
- Blue Shield discloses 18,000 doctors' Social Security numbers
- PF Chang's says breach was 'highly sophisticated criminal operation'
- Breaches exposed 1 in 7 US debit cards in 2013
- New malware program targets banking data
- How to protect yourself against privileged user abuse
- Montana data breach exposes 1.3 million personal records
- Hacker puts 'full redundancy' code-hosting firm out of business
- Six ways to prevent a breach like the one at AT&T
- Target top security officer reporting to CIO seen as a mistake
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- SBIC: Transforming Information Security This report combines perspectives on technologies with experience in strategy to help security teams navigate complex decisions regarding technology deployments while maximizing investments.
- Is Your Credit Card Data Safe from Hacks? News of recent credit card hacks has rocked consumer confidence. Even talk of a security breach can bring on a PR firestorm. What...
- Protecting Your Mid-Size Business from Today's Security Threats Think you're too small to get hacked? Think again.
- CSO QuickPulse IT Security: Midsize Businesses Face Enterprise This survey finds that midsize firms lack understanding of vulnerabilities, and need comprehensive security tools.
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed in recent years, and it continues to escalate. All Cybercrime and Hacking White Papers | Webcasts
Computerworld has launched its annual search for outstanding IT leaders who align technology with business goals. Nominate a top IT executive for the 2015 Premier 100 IT Leaders awards now through July 18.