Undergrad suspected in massive Univ. of Nebraska breach
More than 650K personal records were compromised in attack
Computerworld - Officials at the University of Nebraska in Lincoln (UNL) have identified an undergraduate student they say is responsible for a recent intrusion into a university database containing personal information on more than 650,000 students, parents and employees.
Campus police on Wednesday night seized computers and other equipment from the room of the UNL student after tracing the IP address of the computer used in the attack. The seized equipment is currently undergoing forensic analysis, according to information from the school. The name of the suspect has not been released.
"An arrest has not yet been made," a university spokeswoman said today. "When and if that happens we will release the name of the individual."
The intrusion, which was described by university officials as a "skilled attack," exposed the Social Security Numbers (SSNs), names, addresses, course grades, financial aid and other information on students who attended the university since 1985.
Students, alumni and applicants at all four of the university campuses -- Omaha, Lincoln, Kearney and the Medical Center -- were affected by the intrusion. The breach also exposed personal data and financial information for parents of students who applied for financial aid at UNL, according to the university. A staff member in UNL's Computing Services Network discovered the breach in the Nebraska Student Information System (NeSIS) on May 23.
The system is used to manage student admissions, campus housing and course registration. It was built over a three-year period at a cost of $29.9 million, has been operational for the past two years and is based on Oracle's PeopleSoft Enterprise Campus Solution platform. The technology is now in use at more than 800 universities in 20 countries, according to a University of Nebraska description of the software.
An FAQ on the incident posted by the university makes it clear that personal data in the breached server was not encrypted. "However, we are confident that the type of attack we experienced would have bypassed any encryption that was in place," the university said, without offering any further explanation of the attack.
The vulnerability that enabled the intrusion has since been closed and the university is currently working with a third-party firm to review and address remaining vulnerabilities, the FAQ says. All affected individuals have been notified about the potential compromise of their personal data.
Breaches such as these continue to be relatively common in university environments, despite more awareness of the problem. So far this year, there have been at least 32 publicly disclosed breaches involving universities, according to data breach records maintained by Privacy Rights Clearinghouse. A total of 1.17 million personal records have been compromised so far in these incidents.
The breach at UNL is by far the biggest one at a university this year. Earlier this year, SSNs and other personal records of an estimated 350,000 people at the University of North Carolina in Charlotte were exposed when the data became directly accessible over the Internet as the result of a system misconfiguration.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.