A hacker grabbed the Social Security numbers of more than 22,300 current and former students at the University of Missouri, the school said yesterday.
It was the institution's second data break-in of the year. According to university officials, the attack was launched from IP addresses in China and Australia and used a Web form for tracking the status of queries to the school's IT help desk.
The hacker accessed the names and Social Security numbers of people who were school employees during 2004 and were also current or onetime students; those records had been compiled for a report, but were overlooked rather than deleted.
IT staffers noticed unusual activity that began around 5:30 a.m. CDT last Thursday, then tied a large number of database query errors to the problem on Friday. Logs showed that the attacks ended at 9:34 a.m. Friday.
That day, technicians disabled the account used to access the database from one IP address in China and another in Australia. The FBI was alerted on Monday.
"The hacker was able to reach the information by making thousands of queries over a span of hours, allowing the identities to be exposed one at a time," the university reported.
A Web page and toll-free telephone line have been set up to take questions from students, the school said. Officials are also contacting as many of the affected people as possible.
Yesterday, the toll-free line was overwhelmed, a school spokeswoman said today, and some callers heard a recording that said the desk was closed. That problem has been solved by boosting the number of staffers answering the phones. Computerworld confirmed that the hot line was working today, with wait times of approximately three minutes.
This is the second incident at the University of Missouri in recent months. In February, the school acknowledged that a server attack in January might have exposed the identities of 1,220 researchers on its four campuses. The spokeswoman declined to comment on whether there could be any connection between the two events.
In its message to potential identity theft victims, the university said that it "takes this matter very seriously" and noted that it wasn't the only organization to be attacked. "All companies or organizations using the Internet to serve their customers face this challenge." Last year, reported the Columbia Missourian, then-university President Elson Floyd ordered that employee Social Security number information be deleted from online databases.
Universities are a frequent target of identity thieves, according to the data breach chronology compiled by the Privacy Rights *************. Since Jan. 1, 27 colleges or universities have been victimized by attackers. The list includes well-known institutions such as the University of Notre Dame, Ohio State University, Purdue University and Rutgers. Several, in fact, have been hit multiple times: Notre Dame, the University of Idaho and the University of New Mexico each suffered two attacks in the first four months of 2007.