TRENDING:

Hackers Access Iowa State Univ. Servers

Information on 50,000 Students Exposed Jeffrey Roman (gen_sec) • April 23, 2014    
Hackers Access Iowa State Univ. Servers

Iowa State University is notifying 50,000 individuals who enrolled in certain classes between 1995 and 2012 that their personal information was exposed when hackers accessed five departmental servers.

See Also: Why Active Directory (AD) Protection Matters

Hackers apparently accessed the servers in an attempt to generate enough computing power to create a type of digital currency known as Bitcoins, the university says in an April 22 statement.

No financial information was stored on the servers, and there's no evidence any of the student files were accessed, the university says.

Three compromised servers contained the names, dates of birth and either Social Security numbers or university ID numbers of some students who took certain classes, the university says. Two other servers that were accessed did not contain any personal information.

The university, in a notification letter sent to about 30,000 individuals whose Social Security numbers were exposed, offers one year of free credit monitoring. Those who wish to do so can opt for a second free year at the end of the first, the university says.

The university also sent letters April 22 to an additional 19,000 individuals whose university ID numbers, not Social Security numbers, were on the compromised servers. University IDs generally are used in combination with a password and have no use beyond campus, the university says. Because exposure of these numbers doesn't pose a financial threat, these individuals were not offered free credit monitoring, the letter notes.

The university has also retained AllClear, an identity protection firm, to assist all those affected by the breach.

"We don't believe our students' personal information was a target in this incident, but it was exposed," says Jonathan Wickert, senior vice president and provost at Iowa State University. "We have notified law enforcement, and we are contacting and encouraging those whose Social Security numbers were on the compromised servers to monitor their financial reports."

The university has decommissioned and removed from the Internet the compromised servers. Other servers of the same type are no longer accessible through the Internet and have received software updates to prevent hacking, and will be replaced as soon as possible, the university says.

Officials are accelerating implementation of Iowa State's new data classification policy, which provides enhanced security standards and guidance. Additionally, the university's IT team will work to improve mobile computers by encrypting information stored on them, and they will begin the process of improving network security by implementing stronger password standards.

University Breach Trends

The Iowa State incident is the latest in a growing trend of compromises affecting academic institutions (see: University Breaches: A Continuing Trend). Securing a university's systems and processes is complex, and their security strategies vary widely in their level of maturity, says Alan Brill, senior managing director at the security advisory firm Kroll Solutions. "The levels of security we see vary from very strong ... to institutions where security was much weaker."

Colleges and universities, like other organizations, need to adopt a defense-in-depth approach, stresses Ronald Raether of Faruki Ireland and Cox PLL. That includes data segregation, improving network architecture, and increasing the hardening and patching of systems.

Brill says fixing the problem needs to start with senior executives. "[They] need to make it clear that information security is important to the institution," he says. "It's not just an IT problem, but it affects everyone in the university community."

Previous
Michaels: Why So Long to Report Breach?
Next
Mass. AG Probes Breach Tied to Experian

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



Around the Network

Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.