CTW Library Consortium database breach
Date Reported:
7/25/08
Organization:
Wesleyan University
Connecticut College
Trinity College
Contractor/Consultant/Branch:
CTW Library Consortium*
*Connecticut and Trinity Colleges, along with Wesleyan University, comprise a library consortium known as CTW. The CTW Consortium shares an online library catalog, and borrowing privileges are extended to the user communities of the three institutions. (Source: www.wesleyan.edu/libr/services/staff.html)
Victims:
"patrons"
Number Affected:
"approximately 2,800 Connecticut College library patrons", "12 Wesleyan University library patrons" and "three Trinity College library patrons"
Types of Data:
"names, addresses, social security and driver’s license numbers"
Breach Description:
"New London, Conn. - Two computer servers containing a database of Connecticut College, Wesleyan University and Trinity College library patrons were accessed by hackers, Connecticut College officials said Friday."
Reference URL:
Middletown Press
Norwich Bulletin
The Hartford Courant
Report Credit:
Sloan Brewster, Middletown Press
Response:
From the online sources cited above:
MIDDLETOWN - Hackers managed to tap into two computer servers with names and Social Security numbers of patrons of Wesleyan University and two other universities in the state.
The database included the names, addresses, social security and driver’s license numbers
David Pesci, director of public relations at Wesleyan, said that on Wednesday, when information technology workers noticed the servers had been broken into, they removed all the personal information.
[Evan] Why is it necessary to store Social Security and driver's license numbers to check out library items and why would this information need to be stored in a database that is accessible through the internet? I am also curious to know how the information technology workers became aware that their servers were compromised.
Investigators from Wesleyan believe the breach was committed so hackers could set up illegal chat rooms, attack other sites and perhaps send spam
[Evan] If this is true, then we might be able to infer that the "hackers" were not very sophisticated and thus the server(s) was/were likely exploited through well-known vulnerabilities.
the personal information on the servers belonged to 12 Wesleyan University library patrons, approximately 2,800 Connecticut College library patrons and three Trinity College library patrons
The breach was limited to two servers from the CTW library consortium housed at CTW's headquarters at Wesleyan.
It did not affect other servers in Wesleyan's computer network, and no Wesleyan faculty, students or staff were affected
The CTW consortium has investigated this incident and found no evidence the personal information on the servers was viewed or stolen
[Evan] Really? It would be interesting to read the investigation notes and summary.
All individuals whose information was on the servers will be notified and will be offered, at the expense of the CTW consortium members, one year of identity protection services from Debix Identity Protection Agency
"This attack on our servers was extremely regrettable, and we have taken swift measures to make sure individuals who may have been affected have their identities protected," said Patricia Tully, associate university librarian.
[Evan] I agree that this breach is regrettable. Do you think that effective risk management would have documented the risks involved with the architecture and these two servers that were compromised?
"I just want to reinforce that this incident was isolated and limited to these two servers and it did not affect Wesleyan's computer network."
"We are taking this matter very seriously," Patricia Carey, vice president for College Relations, said. “We are encouraging those affected to take preventive measures to protect their identity, and as an added precaution, we are offering those affected one year of identity protection services
[Evan] One year of identity protection is good for one year. If your Social Security number expires sometime next year, then you're covered.
Officials from Wesleyan and CTW members have alerted police and the state attorney general's office regarding this incident.
All personal information has been deleted from the database and steps were taken to secure the servers
[Evan] Like what? Anybody can make this statement, but it is too subjective to mean squat. Maybe CTW didn't need to store personal information in the first place.
Individuals with questions may contact Ruth Seeley, manager of computer support services at or
Commentary:
It seems like I always have a comment. Some are off base and some are pretty close. The purpose of my comments is to spur thought and maybe a little action. If my comments do neither, then at least I get to vent.
Past Breaches:
Unknown

Why has one year of free credit monitoring become the de facto remedy for credit breaches across the country? How does this protect against people using your identity when being arrested or while committing crimes such as selling drugs (as numerous of my clients often do), or selling the information to spammers, or such innumerable other nefarious uses of identity information that have nothing to do with credit?