News
Three months, three breaches at the Univ. of Florida-Gainesville
The latest exposes data on more than 97,000 students, faculty, staff
By Jaikumar Vijayan, Computerworld
February 23, 2009 — CSO —
For the second time in three months, the University of Florida in Gainesville has acknowledged a major data breach -- and a statement posted on the University's Web site indicates that there was a third, less public, breach discovered by the school during the same period.
In November, the university said that the names, dates of birth, Social Security numbers (SSNs) and addresses of more than 330,000 current and former College of Dentistry patients dating back to 1990 had been exposed in a computer intrusion.
An undated statement on the University's Web site indicates that on January 20, an LDAP Directory Server configuration error allowed outside access to a directory containing SSNs and other personal data. An FAQ attached to the statement said that personal data belonging to about 101 people might have been compromised as a result.
And then on Thursday, the university disclosed that a server installed more than a decade ago to support a free e-mail service and to give faculty a way to host online course materials had been breached -- exposing personal data on 97,200 students, faculty and staff that used it between 1996 and 2009.
The server intrusion was discovered last month during a routine systems review by a university IT staffer. It's not clear when the system may have been compromised or for how long an intruder had access to the data in it, said university spokeswoman Janine Sikes. The compromised information included SSNs and the full names of staff, students and faculty.
A forensic investigation of the breach has shown that the attacker used an IP address that appears to have been located in Antigua and Barbuda, she added. A majority of those affected by the breach are being notified about it, but the university does not have contact information for about 5,000 people and has been unable to inform them, she said.
According to Sikes, the "Grove" computer system that was breached was a "somewhat antiquated" system put in place during the early days of the Internet at a time when many at the University of Florida were just starting to access online classes and course material. The system also supported one of the few free e-mail services available to those on campus; more recently it was used by campus fraternities and sororities to host their Web sites.
Logging into the system required users to enter their SSNs, which were used as student identification numbers when the system was set up, Sikes said. The University stopped using SSNs as a identifier in 2003, she added.
University of Florida
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Managing A Growing Threat: An Executive's Guide to Web Application Security
- The Forrester Wave™: Web Filtering, Q2 2009
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
