List: isn
Subject: [ISN] SDSU says computer server was infiltrated
From: InfoSec News <isn () c4i ! org>
Date: 2004-03-18 8:34:05
Message-ID: Pine.LNX.4.44.0403180233300.11849-100000 () idle ! curiosity ! org
http://www.signonsandiego.com/news/computing/20040317-9999-news_7m17hacker.html
By Karen Kucher
UNION-TRIBUNE STAFF WRITER
March 17, 2004
San Diego State University is warning more than 178,000 students,
alumni and employees that hackers broke into a university computer
server where names and Social Security numbers were stored.
The university began mailing out notification letters Monday, urging
people whose personal information was on the server to get copies of
their credit reports and review them for suspicious activity.
The SDSU case appears to be the largest such notification made under a
state law that went into effect last July requiring companies and
state agencies to contact people when their computerized personal data
have been compromised.
University officials said the hackers infiltrated a server in the
Office of Financial Aid and Scholarships in late December and used it
to send spam e-mail messages and transfer files, including MP3 music
files.
The problem was discovered in the last week of February and SDSU took
the server off the network.
"We have moved as absolutely quickly as logistically possible" to
notify individuals affected by the security breach, said Ellene Gibbs,
director of business information management at SDSU.
The server contained financial aid reports about current, former and
prospective students - as well as some SDSU employees - who sent in
financial aid applications since 1998, but not the applications
themselves or award information.
This is the second time that SDSU has suffered a security breach that
put computerized personal data at risk. The university notified around
1,000 people in December when a server used by the library was hacked,
Gibbs said.
Under the state law, businesses and state agencies are required to
notify customers when personal data, such as Social Security numbers
or financial account numbers, may have fallen into the wrong hands.
That warning is designed to give people the chance to quickly act to
protect themselves against thieves who would use stolen personal
information to open new credit accounts and make unauthorized
purchases.
SDSU recommends that those affected by the security breach obtain a
copy of their credit report. A spokeswoman with the Privacy Rights
Clearinghouse suggests people go a step further and request that one
of the three credit reporting agencies flag their file with a fraud
alert.
With a fraud alert in place, credit reporting agencies will contact
the person if someone tries to establish new credit in his or her
name, and also will waive the fee for the credit report.
"We also suggest people monitor their credit reports on a quarterly
basis at least for a year," said Jordana Beebe, communications
director for the Privacy Rights Clearinghouse.
California, which has the third highest per-capita rate of identity
theft in the nation, has not officially tracked the number of cases in
which security breaches have occurred.
Before the SDSU case, however, the largest notification was thought to
be the more than 90,000 household workers and employers who were
mailed letters in February from the state Employment Development
Department, said Joanne McNabb, chief of the state's Office of Privacy
Protection.
"This law may get some practices changed because people don't like
getting these notices," McNabb said.
SDSU said there is no indication that the intruders targeted
confidential information in the system.
"We don't have any indication that the illegal server access was used
for the purpose of identity theft, but we can't take that chance,"
said university spokesman Jason Foster. "We have to let people know
what happened and let them take steps to protect themselves."
The case is being investigated by university police. The FBI also has
been notified because there is evidence that the hackers broke into
the server from another state, said SDSU police Capt. Steve Williams.
SDSU is in the process of implementing a new ID number system that
will provide students and employees with a randomly generated
nine-digit number - instead of their Social Security numbers - for
many student transactions, including financial payments and library
services.
Gibbs said the use of the new ID system - dubbed the "Red ID" program
- should help combat unauthorized access to personal information.
SDSU has put information about the incident on its Web site at
http://security.sdsu.edu/2004-02-01/info.html. People with concerns or
questions about the case also can call the university's Information
Technology Security Office at (619) 594-5393.
-=-
For help
If you feel your personal information has been compromised, the state
Office of Privacy Protection offers these recommendations:
- Contact any of the three credit bureaus – Equifax at (800) 525-6285;
  Experian at (888) 397-3742; and Trans Union at (800) 680-7289 – and
  flag your file with a fraud alert.
- Request and review your credit reports for any accounts or activity
  you don't recognize. Request reports every three months or so.
- If you find items you don't understand on your report, call the credit
  bureaus to review the report. If the information cannot be explained,
  call the creditors involved and report the crime to police.
For more information, go to the state Office of Privacy Protection's
Web site at http://www.privacy.ca.gov
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.