Hackers Access Iowa State Univ. Servers
Information on 50,000 Students Exposed
Iowa State University is notifying 50,000 individuals who enrolled in certain classes between 1995 and 2012 that their personal information was exposed when hackers accessed five departmental servers.
Hackers apparently accessed the servers in an attempt to generate enough computing power to create a type of digital currency known as Bitcoins, the university says in an April 22 statement.
No financial information was stored on the servers, and there's no evidence any of the student files were accessed, the university says.
Three compromised servers contained the names, dates of birth and either Social Security numbers or university ID numbers of some students who took certain classes, the university says. Two other servers that were accessed did not contain any personal information.
The university, in a notification letter sent to about 30,000 individuals whose Social Security numbers were exposed, offers one year of free credit monitoring. Those who wish to do so can opt for a second free year at the end of the first, the university says.
The university also sent letters April 22 to an additional 19,000 individuals whose university ID numbers, not Social Security numbers, were on the compromised servers. University IDs generally are used in combination with a password and have no use beyond campus, the university says. Because exposure of these numbers doesn't pose a financial threat, these individuals were not offered free credit monitoring, the letter notes.
The university has also retained AllClear, an identity protection firm, to assist all those affected by the breach.
"We don't believe our students' personal information was a target in this incident, but it was exposed," says Jonathan Wickert, senior vice president and provost at Iowa State University. "We have notified law enforcement, and we are contacting and encouraging those whose Social Security numbers were on the compromised servers to monitor their financial reports."
The university has decommissioned the compromised servers and removed them from the Internet. Other servers of the same type are no longer reachable from the Internet, have received software updates intended to prevent further intrusions, and will be replaced as soon as possible, the university says.
Officials are accelerating implementation of Iowa State's new data classification policy, which provides enhanced security standards and guidance. Additionally, the university's IT team will work to improve the security of mobile computers by encrypting the information stored on them, and will begin improving network security by implementing stronger password standards.
University Breach Trends
The Iowa State incident is the latest in a growing trend of compromises affecting academic institutions (see: University Breaches: A Continuing Trend). Securing a university's systems and processes is complex, and their security strategies vary widely in their level of maturity, says Alan Brill, senior managing director at the security advisory firm Kroll Solutions. "The levels of security we see vary from very strong ... to institutions where security was much weaker."
Colleges and universities, like other organizations, need to adopt a defense-in-depth approach, stresses Ronald Raether of Faruki Ireland and Cox PLL. That includes data segregation, improving network architecture, and increasing the hardening and patching of systems.
Brill says fixing the problem needs to start with senior executives. "[They] need to make it clear that information security is important to the institution," he says. "It's not just an IT problem, but it affects everyone in the university community."