Hacker hits MU database

February 2, 2007

By Terry Ganey, Tribune Staff


A hacker broke into a University of Missouri system computer server last month and might have gained access to personal information, including Social Security numbers, of 1,220 researchers on four campuses.

The passwords used for the system by more than 2,500 people might have been compromised as well. The university has sent e-mails and registered letters to everyone affected.

"We have advised them to monitor their credit accounts and to be aware of the potential for any problem," said Scott Charton, a spokesman for the system. "We have had no reports of identify theft arising from this, but we want to be ultra cautious."

The compromised computer is the university.s Research Board Grant Application System. Technicians have not identified the hacker, but an internal inquiry is under way to find the culprit.s "footprints."

An off-campus computer monitoring system that scans the Internet for crimes first notified the university of the problem at 8:33 a.m. Jan. 16. The university.s informational technology staff took the system off line an hour later. A more detailed examination showed the system was first hacked at 3:30 p.m. Jan. 14.

The affected system, which is still off line, serves as an electronic clearing house for researchers applying for grants and being paid for them. In the application and payroll process, personal information such as Social Security numbers is often included. In addition, some system users might have substituted their own personal computer passwords for the numeric password generated by the system.

In those cases, it might be possible for an unauthorized third party to gain access to personal information if the system user applied that same password to personal accounts as well as the grant application system.

"We have cautioned them if they are using that in their personal life, they should take steps to change the password or protect that password," Charton said.

A statement posted on the UM system.s Web site said the breach occurred through the system.s Web-based application that was developed several years ago and "did not have safeguards which current applications have to ward off increased threats from the Internet."

The statement also said those affected by the problem have been given instructions on how to monitor their credit reports for suspicious activity and how to address concerns about their password. The statement also said that those with questions about the breach should contact Sam Kanatzar, an assistant to UM.s Research Board. Kanatzar directed questions to Charton this morning.

The problem in which personal information might have been disclosed affects 820 faculty members on the UM.s systems four campuses, 76 former faculty members and 324 non-university personnel, mostly those who review grant applications, Charton said. In addition, the hacker might have seen 2,579 passwords.

Charton said the server affected is also used for competition for grants. He said the university was developing a new grant competition that will begin accepting applications in mid-February for a submission deadline of mid-March.

Boone County Sheriff.s Detective Andy Anderson, who often investigates Internet crimes, said he was not familiar with the university.s problem and could not comment on its specifics. However, Anderson said, it.s not uncommon for hackers to attempt to exploit computer programs. "Most companies update their equipment to keep ahead of the problem," Anderson said.

main page ATTRITION feedback