Montana State University server accessed by "unknown hacker"
Technorati Tag: Security Breach
Date Reported:
10/13/07
Organization:
Montana State University
Contractor/Consultant/Branch:
None
Victims:
Current and former Montana State University Extended University students that enrolled online during the past two years.
Number Affected:
1,400
Types of Data:
Name, address, credit card number, and Social Security number
Breach Description:
It has been determined that an "unknown hacker" remotely accessed a server that contained personal records pertaining to students who enrolled for Montana State University Extended University online from October 2005 through September 2007. Among the records stored on the server were credit card numbers and Social Security numbers.
Reference URL:
Montana State University Security Announcement
The Billings Outpost Report
Report Credit:
MSU News Service
Response:
From the school's notification web site and online resources cited above:
"Montana State University security experts have determined that an unknown hacker remotely accessed a computer server that housed records containing credit card numbers and social security numbers of students who enrolled online for MSU Extended University courses during the last two years."
"The data in question were encrypted, and there is no evidence that personal information was stolen."
[Comfyllama] Although I applaud MSU for encrypting the personal information, I question how much protection was provided in this breach. Somewhere during the transaction process, the application accesses the encryption key (for encryption and decryption). If the server or application were compromised, I am concerned that the key was also.
"However, the Extended University is sending information by mail to 1,400 people known to have personal information on the server. The letter includes information on how to receive a free credit report, flag a credit file with a fraud alert and monitor accounts for suspicious activity."
[Comfyllama] MSU puts the data at risk, and it's the victim's responsibility to clean up the mess. Doesn't seem fair, does it?
"Persons who suspect their data have been involved, and who do not receive a letter, should contact the MSU Extended University, from 8 a.m.–5 p.m., Monday through Friday, or by going to http://eu.montana.edu/security."
"Records of people who had registered online for courses and programs through MSU's Extended University going back to October 2005 may have been exposed. As soon as the security breach was discovered, the server was taken offline."
"Because no proof exists that data were stolen, the incident is not treated as a criminal matter."
Commentary:
I wonder what precipitated this response from the university. Although the university claims that an "unknown hacker" has remotely accessed the server, there is no information provided as to what level of access was obtained. Theoretically a simple ping could be classified as remote access.
I wonder why the university needs to keep credit card data at all, and I wonder why the university was storing credit card and Social Security numbers on a server that was accessible from the Internet. The university has made no statements regarding what they plan to do in order to avoid future breaches.
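The two concerns raised above, that an application which both encrypts and decrypts must hold the key somewhere the compromised server can reach, and that the web-facing server need not hold card numbers at all, can be made concrete with a small model. The following is an added illustration, not code from MSU or from this post; the record, the `ColocatedKeyServer`/`TokenizingServer`/`Vault` classes and the toy HMAC-based keystream cipher are all constructed here for the comparison and are assumptions, not a description of the university's actual system.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample enrollment record (not real data).
SAMPLE_RECORD = {
    "name": "A. Student",
    "card_number": "4111111111111111",
    "ssn": "123-45-6789",
}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC-SHA256 in counter mode, XORed with the data).

    It exists only so the key-placement comparison below runs offline; use a
    real AEAD cipher in practice. Applying it twice with the same key restores
    the plaintext, which is all the model needs.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class ColocatedKeyServer:
    """Design A: the Internet-facing server encrypts records but also holds
    the key it needs to decrypt them, so both sit on the same host."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)   # key lives beside the data
        self.rows: list[bytes] = []

    def enroll(self, record: dict) -> None:
        self.rows.append(keystream_xor(self.key, json.dumps(record).encode()))

    def disk_contents(self) -> dict:
        # Everything an intruder with host access can read.
        return {"key": self.key, "rows": list(self.rows)}


class Vault:
    """Design B's separate store for card numbers and SSNs. The enrollment
    server can only deposit values and receive an opaque token back; there is
    deliberately no read path exposed to it."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def put(self, secret_value: str) -> str:
        token = secrets.token_hex(16)
        self._store[token] = secret_value
        return token


class TokenizingServer:
    """Design B: the Internet-facing server stores only tokens and the last
    four digits of the card, so its disk contains no full PAN or SSN."""

    def __init__(self, vault: Vault) -> None:
        self.vault = vault
        self.rows: list[dict] = []

    def enroll(self, record: dict) -> None:
        self.rows.append({
            "name": record["name"],
            "card_token": self.vault.put(record["card_number"]),
            "card_last4": record["card_number"][-4:],
            "ssn_token": self.vault.put(record["ssn"]),
        })

    def disk_contents(self) -> dict:
        return {"rows": list(self.rows)}


def recoverable_from_disk(image: dict) -> list:
    """What can be learned from a server's disk image alone.

    For Design A the key is in the image, so the records decrypt. For Design B
    the image holds only tokens and last-four digits.
    """
    if "key" in image:
        return [json.loads(keystream_xor(image["key"], row).decode()) for row in image["rows"]]
    return image["rows"]


if __name__ == "__main__":
    a = ColocatedKeyServer()
    a.enroll(SAMPLE_RECORD)
    print("Design A exposes:", recoverable_from_disk(a.disk_contents()))

    b = TokenizingServer(Vault())
    b.enroll(SAMPLE_RECORD)
    print("Design B exposes:", recoverable_from_disk(b.disk_contents()))
```

Running the script shows Design A yielding the full card number and SSN from the server image, because the key was on the same host the "unknown hacker" reached, while Design B yields only a name, two random tokens and the last four digits. The point is not the cipher but where the key and the sensitive fields live relative to the exposed server.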
Past Breaches:
Unknown