Man charged with accessing USC student data

April 20, 2006

By Robert Lemos

http://www.securityfocus.com/brief/191



Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data.

A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June with news of a flaw in the Web server and database system used to accept online applications from prospective students. SecurityFocus notified the University of Southern California of the vulnerability and worked with the university to close the flaw before publishing an article about the issue.

The flaw could have allowed an attacker to send commands to the database that powered the site by using the user name and password text boxes. USC's Information Services Division confirmed the problem and shuttered the site, which contained data on nearly 280,000 applicants, on June 20 as a precaution. The university believes, and the prosecutors allege, that only a handful of records were actually accessed.

"It wasn't that he could access the database and showed that it could be bypassed," said Michael Zweiback, an assistant U.S. Attorney for the U.S. Department of Justice's cybercrime and intellectual property crimes section. "He went beyond that and gained additional information regarding the personal records of the applicant. If you do that you are going to face, like he does, prosecution."

The FBI uncovered the Internet address of McCarty's home computer on USC's systems, according to the statement released on Thursday. USC would not comment except to say through a spokesperson that the university is fully cooperating with the investigation.

McCarty could face up to a maximum of 10 years in federal prison. He is schedule to make his initial appearance in U.S. District Court on April 28.

[an error occurred while processing this directive]