Posted on 03/05/2003 8:55:27 PM PST by Diddle E. Squat
AUSTIN -- Computer hackers have obtained the names and Social Security numbers of about 59,000 current and former students, faculty members and staff at the University of Texas at Austin in one of the largest cases of potential identity theft ever reported.
Authorities do not know whether the information has been put to illegal uses such as obtaining credit cards or withdrawing money from financial accounts. Law enforcement officials were expected to obtain and execute search warrants late today in Austin and Houston at homes where computers are thought to have been used in the cyberspace break-in.
UT officials suspect that the attack was carried out by a student or students, or by people living with students. They said the computer breach could easily have been prevented with basic precautions, adding that the incident will prompt them to redouble security measures and to accelerate a plan to phase out most uses of Social Security numbers on campus.
"We flat out messed up on this one," said Dan Updegrove, the university's vice president for information technology. "Shame on us for leaving the door open, and shame on them for exploiting it. Our No. 1 goal is to get those data back before they get misused."
The incident comes at a time of growing concern about identity theft on college campuses. Many universities, including UT, use Social Security numbers as student identifiers, and the numbers are therefore found in many records. UT students have complained about the practice.
The ranks of current and former UT students, faculty and staff include hundreds of thousands of people. University officials were scrambling Wednesday to figure out how to advise those whose information was stolen. Some who are no longer affiliated with the university might no longer be reachable at the phone numbers and addresses on file.
The university has set up a special Web site -- www.utexas.edu/datatheft -- where it plans to post information. A telephone hotline will also be established, possibly staffed seven days a week and 24 hours a day, said Don Hale, vice president for public affairs.
The theft was discovered Sunday evening by university computer systems administrators conducting routine checks, Updegrove said. They immediately disconnected the compromised database from the Internet, later hooking up a database of useless information.
Besides names and Social Security numbers, the hackers obtained e-mail addresses and, for some current faculty and staff members, office addresses and office phone numbers. No grade, health or benefit records were obtained, Updegrove said.
Computer system logs indicate that the information was seized by a computer in Austin on Wednesday, Thursday and Friday last week, and by a computer in Houston on Saturday and Sunday, he said. It's likely that the intrusions from Austin and Houston were done by the same person or persons, he added.
The compromised database contains training records on UT staff. However, it has an interface, or connection, with a broader list of current and former UT students, faculty and staff. The thief or thieves used a computer program to query the UT database with 3 million potential Social Security numbers, resulting in about 59,000 hits, or successful matches, Updegrove said.
"It was just a brute force attack on the system," he said.
Updegrove said the UT records should never have been accessible to anyone off campus or to anyone who is not an employee supervisor. He said he did not know how such a serious violation of security procedures occurred, or why it was not discovered in periodic systems checks. He did not know how many years the database has existed.
"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."
Those shortcomings will be examined in depth, but the more urgent task is to track down the perpetrators and recover the data, Updegrove said. To that end, the university has reported the theft to the FBI, the Austin Police Department, the Travis County district attorney's office and other authorities.
"This could have grave consequences, so fast action is important to prevent further harm," said District Attorney Ronnie Earle. "The public integrity unit with the district attorney's office is working in partnership with the U.S. attorney's office on this case."
Updegrove defended the university's decision not to announce the theft right away, thereby leaving the 59,000 people unaware that their information was compromised. It took time to understand the dimensions of the theft, he said. In addition, when it became apparent that the theft originated from two locations, university officials focused on lining up law enforcement help in trying to seize the rogue computers, in hopes that any dissemination of data by the thieves could be prevented. Disclosing the theft widely at the outset might have put that strategy at risk, he said.
Identity theft is a rapidly growing crime in which someone obtains key pieces of information such as Social Security and driver's license numbers to obtain credit, merchandise and services in the name of the victim, according to the Identity Theft Resource Center, a nonprofit group based in San Diego, Calif.
"The victim is left with a ruined credit history and the time-consuming and complicated task of regaining financial health," the center reports on its Web site.
I don't know if aTm still uses SS#s. Maybe this will get the ball rolling in reverting to IDs with something other than SS#s.
Trajan88; TAMU Class of '88; Law Hall (may it R.I.P.) Ramp 9 Mule; f.u.p.
Better yet...
Ok, who let the Aggie use their UT login account? :)