Security Breach on S:/

Jason Holloway

September 2, 2008

On Tuesday, August 26, a non-malicious student intruder gained access to a restricted server and promptly reported the vulnerability to campus authorities. Approximately 245 employees and former employees had personal information, including name, social security number, and date of birth, compromised during the security breach. The file containing the personal information was a record of employees who had university credit cards known as purchase cards (or p-cards). Any university member requesting a p-card must provide their social security number and date of birth on the application form. Following the incident on Tuesday, all affected individuals were contacted and briefed on the situation.

The shared server was available only on the Clarkson network and was not accessible to the general public. Following the breach, a full investigation using forensic computing was launched to identify all users who had accessed the S drive while the vulnerability existed. The only unauthorized access to the personal information was made by the student who found the vulnerability. On Monday, August 25, routine work being performed on the S drive caused access privileges to be reset to default values, which allowed anyone with an Active Directory user account to access the server.

The Integrator talked with President Collins and Kelly Chezum, the Assistant to the President for Strategic Advancement, concerning the unauthorized access. President Collins said that because of "fast thinking, [we were] able to track everything" and that access was limited to one individual. Chezum reported that as an affected individual she "feel[s] pretty confident my personal information is fine."
