Hacker hits Duke system

June 4, 2005

By Jean P. Fisher


A hacker broke into the Duke University Medical Center computer system last week, stealing thousands of passwords and fragments of Social Security numbers, Duke officials said Friday.

Duke is notifying about 14,000 people, roughly 10,000 of whom are medical center employees, that their information may have been compromised and is advising people to change passwords if they use the same one for multiple purposes.

Other individuals affected include alumni of the Duke University School of Medicine, physicians and other clinicians who registered online for some types of continuing medical education at Duke and others who accessed certain Web pages maintained by the medical school.

The incident is the latest in a series of security breaches nationally at banks and other major organizations that store personal information. This is one of the largest yet to hit the Triangle.

Computer security failures have increased concern about identity theft and prompted some states to adopt laws that require speedy disclosure to people whose private information may be compromised. The General Assembly is considering an identity-theft protection bill that would mandate such notification.

None of the Duke computer databases broken into contained personal financial data or patient information, according to the medical center. The hacker did grab about 5,500 computer passwords and the users' first and last names. In addition, the hacker stole about 9,000 partial Social Security numbers -- either the last four digits or the last six digits.

Duke sites affected include training Web pages, which clinical research staff might have used to brush up on safety protocols, educational sites that clinicians participating in Web conferences would have signed into and internal pages employees might have visited to sign up as a volunteer for a Duke event or alumni function.

"These weren't our core systems," said Asif Ahmad, the medical center's chief information officer. "These were more peripheral sites."

Determined identity thieves can wreak havoc with just a name and a password, said Mark Durrett, director of product management and marketing for Covelight Systems, a Cary company that makes privacy protection and fraud management software. That's because most people, for convenience, use the same passwords for many different purposes, from bank accounts to e-commerce Web sites.

"In a perfect world, we'd all have different user names and passwords for everything," Durrett said. "But the typical person will have one or two passwords they use for everything in their life."

The Duke security breach occurred May 26 sometime between 1 a.m. and 4 a.m. A Duke computer system administrator detected the unauthorized user at about 4:30 p.m. the same day while conducting a routine check of logs that record activity on medical school Web sites. Such checks are made daily to watch for potential security breaches, Ahmad said.

Once the unauthorized access was detected, Duke immediately shut down the Web pages affected. Then administrators cross-checked the names of people whose information was stolen with the names of employees and clinicians who have access to core computer systems, such as patient registration and scheduling, patient billing, accounts receivable and human resources. People on both lists had their passwords reset, Ahmad said.

"It was not a lot of people -- it was literally in the teens," he said.

Ahmad said the hacker apparently found a vulnerability in the software used to create the affected Web pages and exploited it to gain access to layers of the pages only administrators are supposed to see. Ahmad said the problem has since been fixed and the Web pages are up and running again.
