Breach at Univ. of Texas - Austin exposes data on 197,000 people

Computerworld - In another reminder of the vulnerability of university networks, the University of Texas at Austin (UT-Austin) over the weekend announced that someone had broken into a computer at its McCombs School of Business and gained access to a database containing confidential information on about 197,000 people.

The break-in was discovered on Friday after university officials noticed “unusual activity” on the database server, said Dan Updegrove, vice president of information technology at the school. Citing an ongoing investigation, he did not say what the unusual activity was, nor would he elaborate on how the break-in might have occurred. But Updegrove did say that the IP addresses involved in the attack are in the Far East, suggesting that the hacking was performed externally.

“One hundred percent of our effort right now is on going through the database log files to determine which individuals are at risk,” Updegrove said. “We have shut down the vulnerable systems, but the detailed analysis on how the intruder got in, at the moment, is of less interest to us than communicating with the [affected individuals]."

The breached database contained confidential information, including names, dates of birth and Social Security numbers belonging to current and prospective students, alumni, faculty members, faculty staff and corporate recruiters.

Based on a preliminary investigation, it appears that information from the business school’s computer system may have been breached as early as April 11. An analysis of logs so far shows that “many fewer” than 197,000 people may actually have had their data exposed, Updegrove said. But “given the size and complexity of the log file analysis” involved, it will be a few days before a more exact picture emerges of how many people had their information compromised, he said.

Under state law, the university is obliged to notify all of the individuals whose information was stored in the database about the breach, Updegrove said. He added that notifying all 197,000 people would be a challenge because it is not clear if current contact information is available for all of them, he said.

“We don’t think it is wise for people to wait to hear from us” before asking the major credit-reporting bureaus to put a fraud alert on their accounts, he said. The business school has created a Web page accessible at www.mccombs.utexas.edu/datatheft to help people who may have been affected by the breach.

The incident at UT-Austin continues a string of similar breaches at institutions of higher education over the past few years. UT-Austin itself was the victim of a similar incident in 2003, when a former student was found guilty of stealing Social Security numbers by breaking into one of the university’s computers.