Two security breaches addressed

November 23, 2005


2:03 p.m., Nov. 23, 2005--Two recent security breaches of computers at the University of Delaware have resulted in the possible exposure of names and Social Security Numbers that were stored in databases on the computers.

All those individuals whose personal information may have been compromised have been sent letters informing them of the breach and sharing information on how to combat identity theft.

A School of Education computer was attacked in late August by a hacker whose intent appears to have been to establish an illegal movie sharing system. The computer contained a database that included Social Security Numbers of 772 students registered in online education courses.

A Department of English computer was hacked in August in an apparent attempt to log onto and control one server and thereby gain control over other campus servers. This computer contained Social Security Numbers of 180 individuals who have taught in the department, including faculty, supplemental faculty and graduate assistants.

In both of these unrelated cases, the primary objective of the intruder seems to be unrelated to the fact the databases contained personal information, according to Karl D. Hassler, associate director for Information Technologies—Network and Systems Services. To date, there has been no indication that any identity theft has occurred as a result of these incidents, he said.

It is UD policy to notify individuals that their personal information may have been compromised following such incidents. Since the incidents, additional safeguards have been put in place, and Social Security Numbers have been removed from both servers.

Individuals with concerns about identity theft may visit a special web site prepared by Information Technologies at [].

UD’s Office of Information Technologies recently completed a campaign, launched in fall 2004, to help campus departments protect sensitive personal nonpublic information (PNPI), such as Social Security and credit card numbers. Specialists from Information Technologies-User Services have visited every University department to discuss and provide advice about proper security for stored PNPI. They also have stressed collecting such information only when required and reiterated the responsibility of each employee to follow UD policy, Delaware laws and federal laws and regulations for the processing and safekeeping of confidential, personal information.

“We are continuing to help departments develop more secure business processes and to make sure each department understands that it is responsible for assuring compliance with the Family Educational Rights and Privacy Act (FERPA) and other laws that govern the use of PNPI,” Susan Foster, vice president for information technologies, said.

"The University has moved away from using Social Security Numbers as identifiers, but the problem is how to ensure that such information is removed from older databases that University departments and units may have set up in the past," Foster said. "Part of the reason for the outreach to every department was so that we could raise those kinds of questions with responsible persons in each unit and ask, 'Is there anywhere else you may have stored such information?'"

Information Technologies has posted guidelines aimed at helping departments secure PNPI and make sure they are in compliance with the University policy and the law. Those can be found at [].

The guidelines direct departments to ensure the privacy of PNPI by encrypting electronic transmissions, not storing PNPI locally and protecting PNPI when working from home or outside the University.

Members of the University community with questions about uses of PNPI should call the Information Technologies Help Center at (302) 831-6000 or send email to [].

main page ATTRITION feedback