Jason Holloway
September 2,2008
http://media.www.clarksonintegrator.com/media/storage/paper280/news/2008/09/02/News/Security.Breach.On.S-3412036.shtml
On Tuesday, August 26, a non-malicious student intruder gained access to a
restricted server and promptly reported the vulnerability to campus
authorities. Approximately 245 employees and former employees had personal
information, including name, social security number, and date of birth,
compromised during the security breach. The file containing personal
information was a record of employees that had university credit cards
known as purchase cards (or p-cards). Any university member requesting a
p-card must provide their social security number and date of birth on the
application form. Following the incident on Tuesday, all affected
individuals were contacted and briefed on the situation.
The shared server was only available on the Clarkson network and was not
available to the general public. Following the breach a full investigation
was launched with forensic computing to determine all users who had
accessed the S drive during the vulnerability. The only unauthorized
access to the personal information was made by the student who found the
vulnerability. On Monday, August 25, routine work was being performed on
the S drive causing access privileges to be reset to default values,
allowing anyone with an active directory user account access to the
server.
The Integrator talked with President Collins and Kelly Chezum, the
Assistant to the President for Strategic Advancement, concerning the
unauthorized access. President Collins said that because of "fast
thinking, [we were] able to track everything" and that access was limited
to one individual. Chezum reported that as an affected individual she
"feel[s] pretty confident my personal information is fine."
On Tuesday, August 26, a non-malicious student intruder gained access to a restricted server and promptly reported the vulnerability to campus authorities. Approximately 245 employees and former employees had personal information, including name, social security number, and date of birth, compromised during the security breach. The file containing personal information was a record of employees that had university credit cards known as purchase cards (or p-cards). Any university member requesting a p-card must provide their social security number and date of birth on the application form. Following the incident on Tuesday, all affected individuals were contacted and briefed on the situation.
The shared server was only available on the Clarkson network and was not available to the general public. Following the breach a full investigation was launched with forensic computing to determine all users who had accessed the S drive during the vulnerability. The only unauthorized access to the personal information was made by the student who found the vulnerability. On Monday, August 25, routine work was being performed on the S drive causing access privileges to be reset to default values, allowing anyone with an active directory user account access to the server.
The Integrator talked with President Collins and Kelly Chezum, the Assistant to the President for Strategic Advancement, concerning the unauthorized access. President Collins said that because of "fast thinking, [we were] able to track everything" and that access was limited to one individual. Chezum reported that as an affected individual she "feel[s] pretty confident my personal information is fine."