The University of Indianapolis claims victim of "sophisticated cyber attack"
Date Reported:
9/30/08
Organization:
University of Indianapolis
Contractor/Consultant/Branch:
None
Location:
Indianapolis, Indiana
Victims:
"students, faculty and staff"
Number Affected:
11,000
Types of Data:
"names and Social Security numbers"
Breach Description:
"The University of Indianapolis was the victim of a sophisticated cyber attack that was discovered Thursday, Sept. 18, 2008. The university’s investigation has determined that a server containing archived information with names and Social Security numbers was breached on Sept. 8, 2008."
Reference URL:
University of Indianapolis Communications
The Indianapolis Star
Associated Press via The Chicago Tribune
Report Credit:
Erika D. Smith, The Indianapolis Star
Response:
From the online sources cited above:
INDIANAPOLIS - A hacker attacked the University of Indianapolis' computer system and gained access to personal information and Social Security numbers for 11,000 students, faculty and staff, the school said.
[Evan] An unauthorized user and/or process gained illegal access to the server. I always use the word "hacker" with caution because often times "hackers" get a bum rap. A "hacker" can be either good or bad. It depends on intentions, I suppose.
The 4,300-student university's information technology staff and outside computer security experts are investigating the breach, which was discovered Sept. 18 when another institution warned the school.
[Evan] I applaud the school for bringing in outside "computer security experts" to aid in the investigation of this breach. The first step is to admit you have a problem. Hopefully they really are "experts". The breach went undetected from September 8th to September 18th, and even then was only detected because another institution notified the school. We can probably assume that there was no intrusion detection and/or prevention for this Internet-accessible information resource. Typically not a good idea.
The server is entirely separate from servers that store faculty and student personal information such as grades and salaries; that information remains secure and was not accessible to these hackers.
The FBI also was notified.
It was not clear whether any data was stolen in the Sept. 8 attack.
[Evan] A lack of proper and adequate logging?
The university has no evidence that any of the archived information was stolen, or that the hackers were looking for that information, but has notified the 11,000 individuals whose Social Security numbers were potentially compromised.
"We don't know that anything was done with this information, just that there was a compromise," university spokesman Scott Hall told The Indianapolis Star on Tuesday.
The compromised records were at least two years old.
University President Beverley J. Pitts -- one of those whose data was accessed -- said in a campuswide e-mail that the victims would be notified by mail and e-mail in the next few days.
[Evan] In a sad kind of way, it might be good that Ms. Pitts was affected. Breaches seem to gain more visibility and the responses seem to gain more traction when senior people are affected personally.
The school also will offer victims one year of free credit monitoring.
[Evan] Ever wonder how much a breach might end up costing the organization responsible? Take a look at the Privacy Breach Impact Calculator (from Information Shield) or the Tech//404® Data Loss Cost Calculator. The numbers that these tools produce can be debated, but not ignored. The average cost for a breach affecting 11,000 as calculated by Tech//404 is $1,828,992! Reactive information security can get expensive!
"Our investigation leaves no doubt that this was a professional job by hackers from outside, and it was well beyond our control," Pitts said in the e-mail.
[Evan] This is the one remark that really peeves me. Don't give the "hackers" more credit than they deserve. This breach "was well beyond our control"?! Although it is impossible to secure information 100%, it is usually possible to monitor, detect and/or log access. Are we comfortable that the school did all that it could have reasonably done (based on risk) to secure this server and the information it contained? If so, then maybe this breach was beyond the university's control.
"However, that doesn't change the fact that many names and Social Security numbers, including my own, could have been compromised."
The records date from a period when the University of Indianapolis tracked people using Social Security numbers, a practice that has since been stopped.
Investigators believe the attack may have originated outside the United States because a foreign language was found embedded in programming code.
[Evan] Attackers in the U.S. and elsewhere often use code written by others.
The University of Indianapolis moved rapidly to disable all external access to the compromised server, and has called in computer security experts to identify other potential breach points and make recommendations about additional preventive measures.
[Evan] Not just "additional preventive measures", but maybe effective preventive and detective measures.
Often, these hackers go after banks and financial institutions. But increasingly, universities are targeted because they're "low-hanging fruit."
Universities are known for having open networks that focus more on collaboration than security.
"It's a lot easier to get into a university than a bank," Litan said. (Avivah Litan, a Gartner Group research analyst)
But even Litan had to admit the University of Indianapolis is a pretty obscure target for a hacker. This is the university's first time as a victim of it.
Commentary:
I got a little wordy in my remarks above, so most of my commentary can be found there.
Past Breaches:
Unknown
