A hacked computer server at the University of Colorado has exposed about 45,000 students’ names and Social Security numbers, school officials said Tuesday.
The incident affects students enrolled at any time from 2002 to the present. It also prompted CU’s central Information Technology department to take over the IT responsibilities of the College of Arts and Sciences’ Academic Advising Center, the department where the computer server was hacked.
The anonymous hacker broke into the advising center’s computer, then tried to hack into other servers, which caught the attention of IT staffers on May 12.
University officials don’t believe the hacker targeted students’ personal information, partly because he or she tried to access other university servers.
“It looked like someone was trying to seize control of the machine and not the data,” said Bronson Hilliard, a CU spokesman. “And in the process of that, the data was exposed. But we’re erring on the side of caution.”
CU officials are encouraging students to check their bank statements and personal accounts as a precaution. So far, Hilliard said, no students have reported any problems related to the security breach.
Human error seems to be the cause, said Dan Jones, director of the Campus IT Security Office. The firewall was turned off and a patch was not properly installed on the system’s anti-virus program, he said.
Investigators can only guess the motive for breaking into the servers. “A lot of these guys just do it for bragging rights,” said Peter Adler of Adler InfoSec and Privacy Group LLC of Alexandria, Va., a computer security consultant.
Adler, who was hired in 2005 after three breaches that year, recommended then that CU centralize its information-security system.
“The security system is only as strong as its weakest link,” Adler said. “If you have a weak link in the system and a network that’s tied to other networks, the weak link offers hackers access to other networks. And hackers love to look for weak links.”
CU officials said they would reduce the practice of branching out IT responsibilities among colleges, schools, departments and programs.
Staff writer Vimal Patel can be reached at 303-954-1638 or vpatel@denverpost.com.
More tips for protecting your identity
- Carry any documents with sensitive information such as driver’s licenses, debit and credit cards and checks in a close-fitting pouch.
- Safeguard financial information, such as Social Security number, account numbers and statements. Buy a cross-cut shredder to destroy documents.
- Do not put the entire account number in the memo section of checks; use the last four digits.
- Get a credit card with your photograph on the front.
- Prevent preapproved credit card offers from being sent to your home by calling 888-5-OPT-OUT.
- Do not put your phone number or Social Security number on checks.
- Ask the bank or credit union to receive your box of new checks and pick them up there.
- When in doubt, pay with cash.
- Request credit report copies once a year.
To report theft:
- Call the police in the jurisdiction where it took place.
- Contact the Federal Trade Commission at 877-FTC-HELP or www.ftc.gov.
- Call the credit card company.
- If mail is stolen, call the 24-hour U.S. Postal Inspection Service number, 303-313-5320.
Sources: Jefferson County Sheriff’s and district attorney’s offices; U.S. Postal Service



