UConn Advance - July 18, 2005 - Data Possibly Compromised

The University Information Technology Services (UITS) discovered last month that a University server containing personal data for 72,000 members of the University community who were assigned UConn e-mail addresses, including people at the Health Center, had been breached on at least one occasion.

“Results of our examination reveal no indication that any personal information was accessed or extracted,” said Michael Kerntke, chief information officer.

UITS moved immediately took the affected server off line, and verified that other computers that communicate with it and might contain sensitive information were secured. Members of the University community whose information might have been compromised were notified.

UITS technical staff investigating the incident found that an unauthorized program, known as a rootkit, had been installed on a UITS data center server on Oct. 26, 2003.

The server contained personal data for anyone who possessed, on or after that date, a UConn Net ID – an account that allows access to University technology resources, such as e-mail addresses. This includes faculty, staff, students, and vendors at all campuses, including the Health Center. The data potentially at risk of being compromised by the hacker include name, social security number, date of birth, University address, University phone number, and department name.

The server did not include any information related to the Health Center’s patient records, said Kerntke.

He suggested, however, that all those potentially at risk monitor their financial records for unauthorized activity over the next several months, and consider submitting a fraud alert to the three national credit reporting agencies, Equifax, Experian, and Trans Union, in order to make it more difficult for identify theft to occur..

Kerntke said the attack took advantage of vulnerability in the server that was unknown at the time of the breach to the University or the manufacturer. A patch has subsequently been developed by the manufacturer to eliminate security breaches.

He said the nature of the compromise indicates that the server was breached during a broad attack on the Internet and was not the target of a direct attack.

The University is reviewing its dependence on social security numbers as a unique identifier; auditing other servers and departments that are not directly part of the breached system but contain or transmit sensitive information; and implementing even more stringent network and server access controls.

Additional information is available at http://incident.uconn.edu/ and at the UITS Help Center: 860.486.4357.

In a separate incident, the UConn Foundation recently learned that computer backup tapes containing personal information were stored in an unauthorized location for a period. The data maintained on the tapes included Social Security numbers, names, addresses, dates of birth, and, in a few cases, credit card numbers.

“We have no indication this information has been used inappropriately – only that it was not stored in the expected location,” said John Martin, president of the Foundation. “We regret that this occurred.”

The Foundation uses electronic data to raise funds on behalf of the University. As part of its operations, backup tapes are stored at an offsite location in the event the Foundation building or systems onsite are damaged or compromised.

In response to the incident, the Foundation has developed enhanced data security procedures. All data contained on backup tapes will now be encrypted. Additional security procedures have also been implemented to improve tape inventory and storage controls.

A special phone line, 860.486.8944 (toll free 800.487.5437), was established at the Foundation to answer questions about the incident, and information was posted on the website: www.foundation.uconn.edu.