Undergrad suspected in massive Univ. of Nebraska breach
More than 650K personal records were compromised in attack
Computerworld - Officials at the University of Nebraska in Lincoln (UNL) have identified an undergraduate student they say is responsible for a recent intrusion into a university database containing personal information on more than 650,000 students, parents and employees.
Campus police on Wednesday night seized computers and other equipment from the room of the UNL student after tracing the IP address of the computer used in the attack. The seized equipment is currently undergoing forensic analysis, according to information from by the school. The name of the suspect has not been released.
"An arrest has not yet been made," a university spokeswoman said today. "When and if that happens we will release the name of the individual."
The intrusion, which was described by university officials as a "skilled attack," exposed the Social Security Numbers (SSNs), names, addresses, course grades financial aid and other information on students who attended the university since 1985.
Students, alumni and applicants at all four of the university campuses -- Omaha, Lincoln, Kearney and the Medical Center -- were affected by the intrusion. The breach also exposed personal data and financial information for parents of students who applied for financial aid at UNL, according to the university. A staff member in UNL's Computing Services Network discovered the breach in the Nebraska Student Information System (NeSIS) on May 23.
The system is used to manage student admissions, campus housing and course registration. It was built over a three-year period at a cost of $29.9 million, has been operational for the past two years and is based on Oracle's PeopleSoft Enterprise Campus Solution platform. The technology is now in use at more than 800 universities in 20 countries, according to a University of Nebraska description of the software.
An FAQ on the incident posted by the university makes it clear that personal data in the breached server was not encrypted. "However, we are confident that the type of attack we experienced would have bypassed any encryption that was in place," the university said, without offering any further explanation of the attack.
The vulnerability that enabled the intrusion has since been closed and the university is currently working with a third-party firm to review and address remaining vulnerabilities, the FAQ says. All affected individuals have been notified about the potential compromise of their personal data.
Breaches such as these continue to be relatively common in university environments, despite more awareness of the problem. So far this year, there have been at least 32 publicly disclosed breaches involving universities, according to data breach records maintained by Privacy Rights Clearinghouse. A total of 1.17 million personal records have been compromised so far in these incidents.
The breach at UNL is by far the biggest one at a university this year. Earlier this year, SSNs and other personal records of an estimated 350,000 people at the University of North Carolina in Charlotte were exposed when the data became directly accessible over the Internet as the result of a system misconfiguration.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- NSA used 'European bazaar' to spy on EU citizens
- Target CIO resigns following breach
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Sears finds no evidence of data breach -- yet
- Gameover malware is tougher to kill with new rootkit component
- Mobile app for RSA Conference exposes personal data
- UK man charged with hacking Federal Reserve
- Bloomberg clamps down with data-access policies after scandal
- Amazon.com security slip allowed unlimited password guesses on mobile apps
- Huge turnout at RSA shows hackers are winning
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Privacy White Papers | Webcasts