The Chronicle: Daily news: 01/24/2003 -- 03

Search The Site

More options | Back issues

Day pass

Home

Opinion & Forums
The Chronicle Review Commentary Forums Live Discussions

Careers
News & Advice My Career homepage Search jobs by position type by discipline/field by state/region by institution Tools & Resources Employer Profiles

Multimedia

Resource Center

Services
Help Contact us About The Chronicle Subscribe Day pass Manage your account Advertise with us Rights & permissions Employment opportunities /r

Friday, January 24, 2003

Hacker Steals Personal Data on Foreign Students at U. of Kansas
By MICHAEL ARNONE

A hacker broke into the computers in the international-students office of the University of Kansas last week and stole personal information on more than 1,400 foreign students. The university had collected the data for the Student and Exchange Visitor Information System, or Sevis, a database that the U.S. Immigration and Naturalization Service uses to monitor and track foreign students.
Members of the technical staff discovered the break-in late on Tuesday of this week, and the university immediately notified the INS and the Federal Bureau of Investigation, said Marilu Goodyear, vice provost for information systems. On Wednesday, her office verified that data had been downloaded. The university's Office of International Student and Scholar Services then notified affected students by e-mail.
The university's investigation has revealed that the hacker apparently intruded five times into the university's computer systems from January 6 to January 17, when the Sevis information was taken. The other attacks used the university's machines to illegally download and install copyrighted movies and pornography. "It was a fairly typical computer hack," Ms. Goodyear said.
"We have no reason to suspect that the hacker was after foreign-student data," she continued. "We think the hacker just found a vulnerable machine." She blamed the attack on a "hole" in the security system on the computer holding the Sevis data. Ironically, the weakness apparently was created when her office updated the security features on the computer's Microsoft operating system. The hole has since been patched, she said, and the computer is now secure.
Jeff Lanza, a special agent at the FBI office in Kansas City, Mo., had planned to send agents to the university on Thursday. He said there was no indication that the theft had any connection to terrorism. This is the first known hacking of a computer that interfaces with Sevis, INS and FBI officials said.
The copied file contained records for 1,450 students and included personal information such as Social Security numbers, passport numbers, countries of origin, and birthdates. The university collected the data while testing its ability to gather information it needs for Sevis from its various computer systems and format the data to send to the INS, Ms. Goodyear said. The test file contained many incomplete and inaccurate records and might contain the records of a few nonforeign students as well, she said. It had not been sent to the INS.
Given the file's broad array of student information, it could be used for identity theft, Ms. Goodyear said. University officials have promised to help students protect themselves. The officials also warned the students that they might have to answer additional questions from staff members at U.S. ports of entry when entering or leaving the country.
Whoever stole the information couldn't use it to create fake documents to fraudulently enter the country as a student, said Christopher S. Bentley, an INS spokesman. The hacker would have to go far beyond just acquiring personal information, he said; the thief would have to create a whole new identity, including a fake passport and visa.
The attack on the Kansas computer doesn't reflect on the security of the national Sevis database, Mr. Bentley said. "The system itself is very secure."
The University of Kansas enrolled 1,677 international students last fall and expects the tally for this spring to be as high as 1,900, university officials said.
Under the USA Patriot Act, passed in October 2001 to improve homeland security, the INS had to create a system to monitor and track all foreign students in the United States. The INS requires all colleges that enroll international students to sign up for Sevis by January 30 or forfeit their right to enroll those students.

Background articles from The Chronicle:

System to Track Foreign Students Is Unlikely to Make Deadline, Justice Dept. Official Testifies (9/19/2002)

Colleges Expect the Worst in Preparing for New System to Track Foreign Students (9/6/2002)

Easy-to-print version

E-mail this article

Texas admissions plan has not increased diversity at flagship campuses, study finds

White House objects to Senate proposal to increase maximum Pell Grant award

Hacker steals personal data on foreign students at U. of Kansas

NTSB tells colleges to enforce stricter safety policies for traveling athletes

Updates on billion-dollar campaigns at 21 universities

U. of Michigan team reconstructs the daybook of a 16th-century Londoner