Several more Universities and Colleges have been attacked in the last ten days, which could be an indication of Identity theft or is it? Under the California bill, SB 1386, individuals have to notified of an intrusion if someone had access to their data but these hackers could have been exploring the system. In any event, incidents such as these have spurred the impetus for legislation. The following attacks were announced this week:
University of Mississippi - A staff member in the Dean of Students Office, in August 2003, backed up data onto a web server to save the data. He thought he had erased the 300 student's names and social security numbers from 14 sororities and fraternities but hadn't. The web site was accessed by thousands of people each day and was finally shut down April 6th, posted there for two years. There is no evidence of identity theft at this time.
Northwestern University - Two servers, belonging to Kellogg School of Management, were sending anomalous traffic onto the university network. The IT group blocked this traffic from the broader network and alerted Kellogg. Investigations uncovered hacking activity on multiple computers and the gathering of user IDs and passwords.
San Jose Medical Group - 185,000 people were notified that two computers were stolen from their administrative offices that contained patient names, confidential medical information, and social security numbers.
Tufts University - 100,000 alums received letters stating that there isn't any indication that their information had been retrieved or was being misused. The intent of the intruder may have been to use the computer as a distribution point for movies and other entertainment.
University of California at Berkeley - (Again!!!!) A laptop was stolen from the Graduate Division Offices, containing personal information of 98,000 graduate students, alumni, and applicants. This is another case where the data had not been encrypted. The University is calling in a data security management firm to audit the handling of all personal information, require the full encryption of all personal information stored on departmental systems and require campus units to remove all unessential data from their machines.
News and opinion for all the SigEp brotherhood. SigEp's "unofficial" blog.
