
Servers at Virginia Commonwealth University hacked

By Leigh Goessl     Nov 15, 2011 in Internet
Richmond - Virginia Commonwealth University (VCU) has announced that it has suffered an information security incident.
The discovery was made on Oct. 24, when routine monitoring revealed that an Internet worm had infected a VCU server on October 18, 2011. VCU said they took the server offline immediately.
In an alert posted on the university's website, VCU said, "A security incident has resulted in unauthorized access to a Virginia Commonwealth University computer server containing files with personal information on current and former VCU and VCU Health System faculty, staff, students and affiliates."
VCU said that no personal data was on the server that was taken offline. A forensic investigation was conducted and the vulnerabilities found were corrected. However, five days later, on Oct. 29, another unauthorized access discovery was made and a second server was taken offline as a result.
Through a vulnerability in the original compromise, two unauthorized accounts were created on a second server, and 16 minutes of activity were noted. From what investigators can tell, no activity other than the creation of the two accounts took place. However, that server did contain personal data for 176,567 individuals. Sensitive data included names, eID, Social Security Numbers, and in some instances, birthdays, contact information and/or other university related details.
At this time the educational institution believes the "likelihood is very low" that personal data was compromised, but admits it cannot be completely sure. Individuals impacted by the breach are receiving notification of the possible exposure by email and first-class mail.
While it is believed the probability and risk are low, investigators cannot say with 100 percent confidence that the exploiters did not see or copy this information.
Affected individuals are warned that VCU will not contact anyone asking for personal information.
It is not uncommon for scammers to take small snippets of information gained in a data breach (such as contact information) and then use them to phish for additional personal details, which they then use for identity theft and other illicit profitable gain. Those impacted by the potential breach should be on alert that fraudsters may try to contact them by presenting themselves as a member of the university in an attempt to gain more information.
College data breaches are often cited as a growing problem. Educational facilities are an attractive target for hackers because of the types of information stored in their sensitive files and, as a result, are frequently prime targets for exploits.
According to the Privacy Rights Clearinghouse, 172 data breaches have occurred in educational facilities since 2005 (these results do not seem to include the recent VCU breach when a query is run), and this figure counts only hacks done by outsiders. Add in other factors such as unintended exposure, insider exploits, physical loss and/or access to portable and stationary devices, and 'unknown', and that number jumps to 573 total breaches for educational institutions.
Brian Prince, E-Week, reported last year on some philosophical and cultural factors that may explain why this is occurring.
"The nature of higher education is to foster an open academic environment, which can be at odds with the need to protect sensitive information, [according to a white paper issued by Application Security] noted."
For public, and some private, educational facilities, the IT budgets necessary to secure data may be limited, which may also contribute to increased risk.
VCU says the university is working with both federal and law-enforcement agencies as this investigation continues. Because it believes the probability that the data was taken is low, the school is not automatically offering identity theft protection services to everyone; however, it will honor individual requests for these services.