UCCS hit by ID security breach

February 1, 2006

By Brian Newsome, The Gazette


Personal information on about 2,500 current and former employees at the University of Colorado at Colorado Springs has been compromised by someone who hacked into a computer and infected it with a virus.

Names, Social Security numbers, birth dates and addresses for employees dating back to 2004 were accessed without authorization Friday, the university said Tuesday.

Obtaining that information did not appear to be the reason for the attack on the computer in the Personnel Department, officials said. They still urged faculty and staff members to notify credit reporting bureaus of the breach and take other precautions against ID theft.

UCCS employees were notified of the breach Tuesday in an e-mail from Chancellor Pam Shockley-Zalabak.

Department directors were asked to find and contact former employees who left the school after 2004. UCCS also plans to mail letters to employees.

No one has reported that information was used or stolen.

Jerry Wilson, information technology director at UCCS, believes the computer containing the personal data was attacked at random. It was one of seven at UCCS infected by a virus that spread rapidly worldwide Friday, mostly at colleges and universities. CU-Boulder was also affected, he said.

The virus was designed to deny Internet service by essentially flooding the network, Wilson said. It caused computers to send messages back and forth, clogging communication lines.

Wilson said someone loaded the program onto the Personnel Department.s computer remotely, and the virus would have given them access to the computer's information.

The chancellor said in the e-mail that she wants 'to encourage all faculty and staff to take precautionary measures to protect themselves against unauthorized use of personal information,' but added, 'we have no reason to believe that this information has been used to anyone's detriment.'

The school set up a hotline to answer employees. questions about the security breach.

Before notifying employees, the Information Technology Department spent the past few days evaluating the extent of the breach and working with an outside consultant, Wilson said. It is still analyzing the incident.

The breach came six months after two computer servers at the University of Colorado at Boulder were accessed without authorization. One of them included personal information for 42,000 students, staff members and even a few visitors, according to CU's Web site. No one has reported an identity theft related to those breaches, spokeswoman Jeannine Malmsbury said.

In December, eight large-scale data breaches were reported at colleges and businesses, UCCS said in a news release.

Wilson said motivations for hackers vary widely. Some do it for fun, others out of anger. A few have claimed they were improving the Internet by forcing people to close loopholes.

UCCS has an extensive network-security system, but hackers are constantly finding ways to undermine such safeguards.

[an error occurred while processing this directive]