
UConn Server May Have Been Breached
Released: June 24, 2005

Release #05049
Contact:
Karen A. Grava,
UConn Manager of Media Communications
860-486-5385 (office)

STORRS, Conn.— The University of Connecticut Information Technology Services (UITS) discovered earlier this week that a University server containing personal data for 72,000 members of the University community who were assigned UConn email addresses, including individuals at the UConn Health Center, has been breached on at least one occasion.

“Results of our examination reveal no indication that any personal information was accessed or extracted,” said Michael Kerntke, chief information officer. “We moved immediately to protect the data by taking the impacted server off line.   In addition, we verified that other computers that communicate with the breached server and may contain sensitive information were secured.”

UConn faculty, staff, students and vendors whose information may have been compromised are being notified today by email or U.S. mail, said Kerntke.

The hacking incident came to light after UITS received notification from a non-University corporation that an invalid logon attempt had originated from a computer within the University of Connecticut domain. This automated notification was investigated by UITS technical staff, Kerntke said, and they found that an unauthorized program, known as a rootkit, had been installed on a UITS data center server on Oct. 26, 2003.

After further investigation, it was determined that the server contained personal data for anyone who possessed, on or after that date, a UConn Net ID, an account that allows access to University technology resources such as email addresses. This includes faculty, staff, students and vendors at all campuses of the University including the Health Center. The data potentially at risk of being compromised by the hacker include name, social security number, date of birth, University address, University phone number and department name.

The server did not include any information related to the UConn Health Center’s electronic patient records and no patient information was affected, said Kerntke.

“Based on forensic analysis, there is no indication that any of the data on the machine was actually compromised – only that the opportunity for someone to access it existed,” Kerntke said. “Even so, the University wants to be sure individuals are aware of the situation so they can carefully monitor their financial records for unauthorized activity over the next several months.”

Kerntke said that the attack took advantage of a vulnerability in the server that was unknown at the time of the breach to the University or the manufacturer. A patch has subsequently been developed by the manufacturer to eliminate security breaches. Kerntke noted that the personal information on the server was not easily accessible.

“The nature of the compromise indicates that the server was breached during a broad attack on the Internet and not the target of a direct attack. Therefore, the attacker most likely had no knowledge of the kind of data stored on the server,” he said.

“Even though we believe this incident puts users of University technology at low risk of identity theft, we felt it was essential to notify them of the incident,” he said.

Kerntke advised individuals to consider submitting a fraud alert to the three national credit reporting agencies as this will make it more difficult for identity theft to occur.

“We are doing everything we can to prevent this from happening again in the future,” he said, noting that the University is reviewing its dependence on social security numbers as a unique identifier, auditing other servers and departments that are not directly part of the breached system but contain or transmit sensitive information, and implementing even more stringent network and server access controls while striving to support the technologically collaborative environment essential to a comprehensive research institution like UConn.

“A change to a different method of identifying users will greatly reduce the potential for personal information disclosure,” Kerntke said. “That would reduce the risk of personal information which is stored on computers at the University from being compromised.”

Hacking into university computer systems is not uncommon. Other universities that have had problems include the University of Iowa, Stanford University, Purdue University, Middle Tennessee State University, Boston College, Northwestern University, George Mason University, Michigan State University, Tufts University, the University of California, Berkeley and Carnegie Mellon University, among others.

Questions and Answers for Employees, Students and Affiliates

Summary:
A computer containing personal information such as Social Security number and name was breached by an unauthorized intruder.   Although there is no evidence indicating that this personal data was accessed or extracted, the University of Connecticut is contacting everyone whose identity may have been put at risk.

Exactly when and how did the breach occur, and when was the breach detected?
The breach occurred on October 26, 2003.   It was detected on June 20, 2005.   The attack took advantage of an insecure service, for which no vendor patch was yet available.   Careful analysis of the computer indicates that the original compromise was incomplete.

How many users are affected?
The server has contained the account information of at most 72,000 students, faculty and staff between the time of infection and discovery.

What personal information was put at risk?
The server stored personal information including users' NetID, name, social security number, date of birth, and campus address.

Do you know whether any information was stolen?
Results of our examination reveal no indication that any personal information was accessed or extracted. There are several factors about the incident that lead the University to believe that this incident puts its users at low risk of identity theft. They are:

  • Part of the attack involved the intruder installing a ‘backdoor’ for later access.   The attempt to install this ‘backdoor’ failed.
  • The personal information on the server was not in a readable format.
  • The nature of the compromise indicates that the server was breached during a broad attack on the Internet, and was not the target of a directed attack.   Therefore, the attacker most likely had no knowledge of the kind of data on the server.

What procedures did the University follow with regard to the security breach?

  • Immediately upon discovery of the security breach the affected server was removed from the network.  
  • University senior officials were contacted.  
  • The University examined and verified that other computers that communicate with the breached server and that contain sensitive information are secured.  
  • A forensic analysis of the server and network logs was conducted and evaluated to discover the nature of the incident.

How do we respond as individuals if we discover fraudulent use of our personal information?
Individuals whose information has been exposed by this security breach can request a free initial fraud alert to be placed on their credit files by calling any one of the three major national credit bureaus:

  • Equifax: 888-766-0008
  • Experian: 888-EXPERIAN (888-397-3742)
  • Trans Union: 800-680-7289

Individuals can request a free copy of their credit report no more than one time per year from each of the three major national credit bureaus; however, they need to do so by contacting the central agency at https://www.annualcreditreport.com.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, you should file a complaint with the FTC at http://www.consumer.gov/idtheft or at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement agencies for their investigations. The FTC also will advise you on further steps to take in the event your information is being used illegally.

What steps is the University of Connecticut taking to prevent illegal access of confidential information in the future?
To reduce the risk of a potential personal information disclosure, the University is in the process of reviewing its dependence on the Social Security number as a unique identifier.   A change to a different method of identifying users will greatly reduce the potential for a personal information disclosure.  

The University is auditing other servers and departments that are not directly part of the breached system, but may contain or transmit sensitive information.

The University will continue to implement more stringent network and server access controls and logging while striving to maintain the collaborative environment that makes the University of Connecticut a successful research institution.  

What has the University done to notify users?
The University is posting these questions and answers to a web site along with sending mail to each affected user.

Who should I contact if I have any additional questions concerning this security breach?
In order to answer any questions that you have regarding this incident please dial 1-888-464-8266 when dialing long distance. For those calling local to Storrs please dial 486-4357. For those dialing from on campus please dial 6-4357.

 
