Hacker accesses personal info for 5,300 students

November 18, 2005

Steve Hinnefeld, Indiana University Media Relations


A computer hacker may have had access this fall to confidential information about thousands of Indiana University students -- in some cases, including their Social Security numbers.

The hacker got access to a computer used by an instructor in the Kelley School of Business, said Jim Anderson, director of information for the school.

The computer contained information, including names and grades, for 5,278 students who had taken certain sections of X100, Introduction to Business, between 2001 and 2005.

For 4,778 of the students, the information included Social Security numbers. The school used Social Security numbers as student identification numbers before the fall of 2004.

IU officials don't think the hacker took the students' information. But Dan Smith, dean of the Kelley School, wrote to the students last week to inform them of the breach.

"We certainly want to err on the side of caution on this, to make sure our students are aware so they can take the necessary precautions," Anderson said.

The school set up a Web site to keep students informed about its investigation. Those whose Social Security numbers were on the computer were advised to keep an eye on bank and credit-card accounts and possibly request a free credit report to look for signs of fraud.

"Obviously the biggest concern is identity theft," Anderson said.

An IU investigation determined someone hacked into the computer as early as August and installed three pieces of malicious software.

The breach was discovered Nov. 7 through a routine check of the IU network. A review of network log files for the prior month didn't show any outside access to student data, Anderson said. So far, no cases of fraud have been tied to the computer.

Anderson said two mistakes contributed to the breach. Technology staff overlooked the older computer when making sure anti-virus and system-protection software were up to date. And the records were stored on the computer itself, not on a secure server.

"One of the things we're doing is stringently reminding instructors to store confidential material on a secure network server," Anderson said.

On the Web

* IU updates on X100 security breach: www.kelley.iu.edu/security/x100.cfm
* Information on ordering free credit reports: www.annualcreditreport.com
* Federal Trade Commission site on identity theft: www.consumer.gov/idtheft
