April 28, 2008
Hacker Is Able to View Private Data at Southern Connecticut State U.
Shortly after warning students that their personal information — stored on a laptop — may have fallen into the wrong hands, Southern Connecticut State University is grappling with yet another, apparently unrelated security breach.
A hacker gained access to a university Web server containing 11,000 names linked to Social Security numbers and other personal data. Richard Blumenthal, Connecticut’s attorney general, sent a letter last week to Michael J. Hogan, president of the University of Connecticut, describing the breach and advising him that the many campuses he oversees should be vigilant about their storage, use, and disposal of confidential data.
Mr. Blumenthal said it was unclear what the motive was for the hacking. He said Southern Connecticut State was providing those affected by the incident with two years of credit-monitoring services, and paying for them to freeze their credit reports. —Andrea L. Foster
Posted on Monday April 28, 2008
I’m not for the death penalty but when they catch these bastards that hack into computers, perhaps a few years sharing a cell with Bubba might correct their ways.
— AW Apr 28, 06:12 PM #
“…a university Web server containing 11,000 names linked to Social Security numbers…”
On a WEB server?!? How long have we been talking about this stuff now? Either we’re not getting the whole story, or the IT department should be tossed into the neighboring cell for fraudulently drawing salaries as professionals.
— RJ Apr 28, 06:37 PM #
I don’t understand why President Hogan was sent a letter about the CT State University system. The way they are mentioned so close together, you would think the breach happened at a UCONN campus. The Chronicle should make this clearer.
— Renee Apr 29, 07:41 AM #
RJ, why lay the blame on the IT folks? Yes, they probably maintain the equipment but typically the content placed on webservers is done by a department. The odds are pretty good that it was placed there by people who deal with students and student records – the same people who are probably the FERPA officers. That is where the fault falls.
Asking the IT people to monitor content is distasteful constitutionally, a waste of a lot of technology training and a shifting of blame. If there are consequences, the ones who placed the data there should suffer. Not the people who have the hardware in their building.
— Another Bill Apr 29, 07:53 AM #
For those who don’t realize it, most if not all institutions have “on-line” services now. You can’t register for courses or buy books or see your course schedule or transcripts without personal information being available on a “web server.” IT folks do their best to insure security (in general – I don’t know about Conn State), but it is next to impossible to guarantee that a hacker will never get into a system. That is not to say it’s not very, very difficult – it’s extremely difficult to get into secured systems. But as shown once again, it’s not impossible. That doesn’t mean people weren’t doing their jobs at all. It could mean there was a previously undiscovered vulnerability in commercial or home grown code. . .it could be an overlooked configuration error in a firewall. . .it could be anything. The only way to guarantee the security of personal data is to create what we used to call an “air gap” around a server. . . force the customer/student to get their information by way of a “sneaker-net.” Otherwise, this stuff will continue to happen. And the institution should be judged not by the fact that there was a breach, rather by how they respond to the breach once it’s discovered.
— Bill Apr 29, 09:40 AM #
Following up on “Another Bill’s” comment, in my experience one of the biggest security risks on any campus is the lack of training regarding computer systems and the technical aspects of data security among academic support staff, many of whom are responsible for accessing student records, entering grades, etc. They are told about FERPA and the importance of “safeguarding” data, but not the technical reasons for why certain data should be stored in specific places (for example, NOT on a web server). I don’t blame the staff members, but rather the colleges for failing to provide this critical training. Maybe in this day and age they assume that everyone knows these things, but that is certainly not the case. I’m married to a database administrator and if not for his expertise, who knows how many potentially serious mistakes I would have made – purely out of ignorance – over the course of my career.
— LR Apr 29, 10:42 AM #
Data security is one of those things that we all complain about but also all require and demand for our own safety.
Since 1935 and the passage of the Social Security Act, it has been a violation of federal law to use Social Security Numbers as a form of identification.
Universities have been among the most egregious violators of this part of the law. Schools that were too lazy to create their own identification number system used student SS#s for decades. The crackdown on this in the last ten years has limited their use as school IDs, but the schools have continued to link those SS numbers to the new ID numbers. Hence, the SS#s show up in student databases, and when hacked, thousands of students are placed at risk of identity theft. This is compounded by the legitimate use of SS numbers (student employees and financial aid recipients). Until there is better segregation of data and the servers that can access it, this information will continue to be a risk for students.
— Michael Apr 29, 03:08 PM #