STORRS, Conn.— The University of Connecticut Information
Technology Services (UITS) discovered earlier this week that a University
server containing personal data for 72,000 members of the University
community who were assigned UConn email addresses, including individuals
at the UConn Health Center, has been breached on at least one occasion.
of our examination reveal no indication that any personal information was accessed
or extracted,” said Michael Kerntke, chief information officer. “We moved
immediately to protect the data by taking the impacted server off line. In
addition, we verified that other computers that communicate with the breached server
and may contain sensitive information were secured.”
staff, students and vendors whose information may have been compromised are being
notified today by email or U.S. mail, said Kerntke.
The hacking incident
came to light after UITS received notification from a non-University corporation
that an invalid logon attempt had originated from a computer within the University
of Connecticut domain. This automated notification was investigated by UITS technical
staff, Kerntke said, and they found that an unauthorized program, known as a rootkit,
had been installed on a UITS data center server on Oct. 26, 2003.
After further investigation, it was determined that the server contained personal
data for anyone who possessed, on or after that date, a UConn Net ID ---
an account that allows access to University technology resources such as email
addresses. This includes faculty, staff, students and vendors at all campuses of
the University including the Health Center. The data potentially at risk of being
compromised by the hacker include name, social security number, date of birth,
University address, University phone number and department name.
The server did not include any information related to the UConn Health Center’s
electronic patient records and no patient information was affected, said Kerntke.
“Based on forensic analysis, there is no indication that any of the data on
the machine was actually compromised – only that the opportunity for someone
to access it existed,” Kerntke said. “Even so, the University wants to
be sure individuals are aware of the situation so they can carefully monitor their
financial records for unauthorized activity over the next several months.”
Kerntke said that the attack took advantage of a vulnerability in the server that
was unknown at the time of the breach to the University or the manufacturer. A
patch has subsequently been developed by the manufacturer to eliminate security
breaches. Kerntke noted that the personal information on the server was not easily
of the compromise indicates that the server was breached during a broad attack on
the Internet and not the target of a direct attack. Therefore, the attacker most
likely had no knowledge of the kind of data stored on the server,” he said.
we believe this incident puts users of University technology at low risk of identity
theft, we felt it was essential to notify them of the incident,” he said.
Kerntke advised individuals to consider submitting a fraud alert to the three
national credit reporting agencies, as this will make it more difficult for identity
theft to occur.
“We are doing everything we can to prevent this from happening again in the
future,” he said, noting that the University is reviewing its dependence on
social security numbers as a unique identifier, auditing other servers and departments
that are not directly part of the breached system but contain or transmit sensitive
information, and implementing even more stringent
network and server access controls while striving to support the technologically
collaborative environment essential to a comprehensive research institution like
“A change to a different method of identifying users will greatly reduce the
potential for personal information disclosure,” Kerntke said. “That would
reduce the risk of personal information which is stored on computers at the University
from being compromised.”
UITS security personnel today activated a special phone line, 860-486-1988
or toll free: 888-464-8266, where staff will answer questions, discuss
concerns and help with problems. Calls made to the line will be returned within
24 hours during the workweek. Additional
information is also available on the Web at http://incident.uconn.edu and
at the UITS Help Center, 860-486-HELP.
Hacking into university
computer systems is not uncommon. Other universities that have had problems include
the University of Iowa, Stanford University, Purdue University, Middle Tennessee
State University, Boston College, Northwestern University, George Mason University,
Michigan State University, Tufts University, the University of California, Berkeley
and Carnegie Mellon University, among others.
Questions and Answers for Employees, Students and Affiliates
A computer containing personal information such as Social
Security number and name was breached by an unauthorized intruder. Although
there is no evidence indicating that this personal data was accessed
or extracted, the University of Connecticut is contacting everyone
whose identity may have been put at risk.
Exactly when and how did the breach occur, and when was the
The breach occurred on October 26, 2003. It was
detected on June 20, 2005. The attack took advantage of an
insecure service, for which no vendor patch was yet available. Careful
analysis of the computer indicates that the original compromise was
How many users are affected?
The server has contained the account information of at
most 72,000 students, faculty and staff between the time of infection
What personal information was put at risk?
The server stored personal information including users'
NetID, name, social security number, date of birth, and campus address.
Do you know whether any information was stolen?
Results of our examination reveal no indication that any
personal information was accessed or extracted. There are
several factors about the incident that lead the University to believe
that this incident puts its users at low risk of identity theft. They
- Part of the attack involved the intruder installing a ‘backdoor’ for
later access. The attempt to install this ‘backdoor’ failed.
- The personal information on the server was not in a readable
- The nature of the compromise indicates that the server was breached
during a broad attack on the Internet, and was not the target of
a directed attack. Therefore, the attacker most likely had
no knowledge of the kind of data on the server.
What procedures did the University follow with regard to
the security breach?
- Immediately upon discovery of the security breach the affected
server was removed from the network.
- University senior officials were contacted.
- The University examined and verified that other computers that
communicate with the breached server and that contain sensitive
information are secured.
- A forensic analysis of the server and network logs was conducted
and evaluated to discover the nature of the incident.
How do we respond as individuals if we discover fraudulent
use of our personal information?
Individuals whose information has been exposed by this
security breach can request a free initial fraud alert to be placed
on their credit files by calling any one of the three major national
- Equifax: 888-766-0008
- Experian: 888-EXPERIAN (888-397-3742)
- Trans Union: 800-680-7289
Individuals can request a free copy of their credit report no more than one
time per year from each of the three major national credit bureaus; however, they
need to do so by contacting the central agency at https://www.annualcreditreport.com.
If you find suspicious activity on your credit reports or have reason to believe
your information is being misused, you should file a complaint with the FTC at http://www.consumer.gov/idtheft or
at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC’s Identity
Theft Data Clearinghouse, where it will be accessible to law enforcement agencies
for their investigations. The FTC also will advise you on further steps to take
in the event your information is being used illegally.
What steps is the University of Connecticut taking to prevent
illegal access of confidential information in the future?
To reduce the risk of a potential personal information
disclosure, the University is in the process of reviewing its dependence
on the Social Security number as a unique identifier. A change
to a different method of identifying users will greatly reduce the
potential for a personal information disclosure.
The University is auditing other servers and departments that are not directly
part of the breached system, but may contain or transmit sensitive information.
The University will continue to implement more stringent network and server
access controls and logging while striving to maintain the collaborative environment
that makes the University of Connecticut a successful research institution.
What has the University done to notify users?
The University is posting these questions and answers to
a web site along with sending mail to each affected user.
Who should I contact if I have any additional questions concerning
this security breach?
In order to answer any questions that you have regarding
this incident please dial 1-888-464-8266 when dialing long distance. For
those calling local to Storrs please dial 486-4357. For those
dialing from on campus please dial 6-4357.