[ISN] Hackers hit college computer system - Identity theft fears at Sonoma State

InfoSec News isn at c4i.org
Wed Aug 10 02:34:34 EDT 2005 

http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/08/09/BAGLJE50C81.DTL

Stacy Finz
Chronicle Staff Writer
August 9, 2005

Hackers have broken into Sonoma State University's computer system, 
where they had access to the names and Social Security numbers of 
61,709 people who either attended, applied, graduated or worked at the 
school from 1995 to 2002, university officials disclosed Monday. 

So far, there have been no reports of identify theft that can be 
linked to the break-in, which happened in July. 

It was initially believed by the university's technical staff to be a 
virus, but it turned out to be the latest in what has become a 
nationwide security problem on college campuses. 

Last year, hackers gained access to more than 178,000 names and Social 
Security numbers of present and past San Diego State University 
students. Similar incidents were reported that year at colleges across 
California and in Georgia, Texas and New York. 

Jean Wasp, a spokeswoman for Sonoma State, said campus administrators 
don't believe the exposed data was stolen. Nonetheless, they are using 
e-mails to notify as many people as they can locate addresses for -- 
nearly 6,000 so far -- about the security breach. She said the 
university was hoping that the remaining 61,709 would learn of the 
break-in from news reports. The campus, located in Rohnert Park, is 
required by law to publicize the fact that the files were compromised. 

"We don't think (the hackers) took anything," Wasp said. "We don't 
really know what they were doing. They could have been using our 
system just to attack another system." 

Katharyn Crabbe, vice president for student affairs and enrollment at 
Sonoma State, said the intruder had found a weakness in a Microsoft 
Windows operating system that allowed access to seven workstations 
containing the confidential information. Then, the hacker used the 
school's system to break into other workstations outside the 
university. 

"All we know is that someone was in the room, so to speak," she said. 

As soon as university officials realized what was happening, they 
cleaned out the workstations to prevent the hacker from returning, and 
they are working with Microsoft to repair the weakness in the 
software, Crabbe said. 

The compromised data did not contain bank and financial information, 
credit card or driver's license numbers, she said. 

Sonoma State urged anyone whose information could have been breached 
to contact one of the three national credit-reporting agencies to 
start a free fraud-alert process. More information about how to go 
about the procedure has been posted on the school's Web site at 
www.sonoma.edu/uaffairs/incident. 

Colleen Bentley-Adler, spokeswoman for the California State University 
chancellor's office, said at least 10 of their campuses had 
experienced these types of computer break-ins. 

One of the steps the university system is taking is dropping the use 
of Social Security numbers and instead assigning students and staff 
unique identifiers. 

"I think it's impossible to completely stop it from happening," she 
said. "But we're doing everything we can to make it more difficult."

More information about the ISN mailing list