WCU ID security breached

March 23, 2008

By Carol Motsinger


The news arrived by mail, and it was unsettling.

Someone had hacked into a computer and had access to the Social Security numbers of 555 graduates of Western Carolina University who had signed up for a newsletter.

Some of that stolen information belonged to WCU alumnus Wesley Todd, who has been on the lookout for problems from the online security breach.

"The process is just tedious, having to take time out to verify that everything is still OK from my end and that my identity has not been stolen," Todd said.

"It's just something that people worry about enough without the university creating more concern for us by not protecting our secured information." So far, Todd has "not found any credit issues," he said.

Ironically, WCU officials discovered the breach while trying to track down and eliminate private information on unsecure computer servers.

How it happened

The compromised information was on a computer server managed by the Department of Business Computer Information Systems and Economics. And it was hacked several times, as long ago as 2006, said Bil Stahl, chief information officer at WCU.

"We know the data was taken off the server, but we don't have any evidence that their data was used," he said.

Social Security numbers were included in the stolen information because up until last fall, campuses in the University of North Carolina system could use those digits as student identification numbers. While the practice was stopped then, old data on servers remains vulnerable.

A 2005 North Carolina General Assembly law also forbids the use of Social Security numbers without the written consent of a student, unless the identifying number has to be used for a state or federally mandated purpose. For instance, a Social Security number is required for student financial aid applications.

With reported online crime on the rise - the Internet Crime Complaint Center received close to 4,900 complaints in 2006 from North Carolina alone - area university officials say protecting private information is a priority.

Limiting the publication of Social Security numbers is just one prong in plans to guard information they store from countless students, alumni and faculty.

WCU's response

The private information was immediately removed from the compromised server and the Federal Bureau of Investigation is now handling the case. Letters informing affected alumni of the security breach were also sent quickly, Stahl said.

Tom Fisher, a WCU alumnus, said he thinks "the most important thing any company, school or government entity can do after a security breach and/or data leak is notify the victims and potential victims."

As an information technology manager living in Asheville, Fisher said he is "not at all surprised that the event actually occurred."

"Data breaches like this are like car accidents - you might not see one every day, but they are happening many times a day all across the country. All you can do is wear your seatbelt and hope it doesn't happen to you."

Despite the breach, Stahl said WCU has "very robust security."

"We haven't had any problems on our secure servers," he said. The compromised information was stored on an unsecure server that is normally used for sharing class notes and assignments.

The biggest challenge facing WCU is not keeping computer criminals out: It's finding all the Social Security numbers that are stored in documents on unsecured servers.

"Most servers are secure," Stahl said. "We manage more than 150 servers, but they are secure."

WCU is currently mounting a twofold attack. It is combing computers for Social Security numbers used for student identification. If the school doesn't need the numbers, they are deleted. If the numbers are needed, they are placed on a secure server, Stahl said.

The school is using software that finds nine-digit numbers in documents.

However, "there is no easy way to determine whether it's a Social Security number or not," Stahl said. "You literally have to look at every nine-digit number."
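The kind of nine-digit sweep described above can at least be triaged before a person reviews it. The following is an added example, not WCU's software: it discards values the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000) and flags candidates that share a line with an identifying keyword. The keyword list and the sample text are constructed assumptions, and anything marked "review" still needs a human look.

```python
import re

# Nine digits, optionally split 3-2-4 by hyphens or spaces,
# and not embedded in a longer run of digits (e.g. a phone number).
CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Assumed context hints; tune these for the documents being scanned.
HINTS = re.compile(r"ssn|social\s+security|student\s+id", re.IGNORECASE)


def structurally_possible(area: str, group: str, serial: str) -> bool:
    """Reject values never issued: area 000/666/900-999, group 00, serial 0000."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def classify(text: str):
    """Return (line_no, masked_value, verdict) for each nine-digit candidate."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hinted = HINTS.search(line) is not None
        for m in CANDIDATE.finditer(line):
            area, group, serial = m.groups()
            if not structurally_possible(area, group, serial):
                verdict = "impossible"   # cannot be an SSN
            elif hinted:
                verdict = "likely"       # plausible value next to a keyword
            else:
                verdict = "review"       # plausible value, no context
            # Mask the value so the report itself does not store full numbers.
            findings.append((line_no, f"***-**-{serial}", verdict))
    return findings


# Constructed sample text, not real records.
SAMPLE = """\
Roster fall 2005, student ID / SSN: 123-45-6789
Part no. 000123456 shipped to bookstore
Invoice 912345678 paid
Grade file 078051120 A-
Phone 828-555-1234
"""

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```
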

What other WNC universities are doing

At UNC Asheville, there has been no report of online security problems on campus, said Robin Daugherty, director of administrative information systems. The university stopped using Social Security numbers for student identification in spring of 2006. The school uses software that updates any programs automatically with the latest protection features.

UNCA also uses encryption software that scrambles any information sent online so that a third party won't be able to access it.

Still, Daugherty said educating the community about how to use personal information wisely is a main concern, especially in an age when so much is processed online. Some students, she said, will freely share passwords with each other.

Appalachian State University in Boone began transitioning to a new student system two years ago. More than 800,000 current and former students have been assigned a new student identification number, said Don Rankins, registrar at ASU.

Current students also have a unique password and e-mail they can use instead of the identification number, which allows the university to limit the times that they have to use the number. It's also been removed from student ID cards.

"Our goal is to protect the students' records, but also provide the information we need to," Rankins said.

Warren Wilson College has not used Social Security numbers for student identification since the 1980s, said Ben Anderson, director of public information for the school.

David Harper, the computing services manager at Warren Wilson, said the school mainly tries to protect private information by keeping "data like that on a different network from the Internet."

He said that identity theft occupies a "more heightened awareness in the general public" than before, but "if you have been in on the inside, it has always been important."

"We are still thinking of ways to do it better," Harper said. "Certainly, I would say it's just as important now as it's always been. We know the stakes."
